Evidence bag containing mobile phones

Clarifying Legal Ideas from Technology Certifications — Part II (Authentication and Chain of Custody)

Gary Weingarden
6 min read · Sep 17, 2020

In our first installment we covered the Best Evidence rule. Now let’s look at authentication and chain of custody.

First, the usual admonitions:

  1. Code is law, at least for the exam. If you want to pass the exam, study what the relevant texts and trainers tell you about these ideas. Trainers, or edutainers like my favorite, Adam Gordon, know what the exam authors expect as the answer. For the exam, what Adam tells you is the right answer. In fact, I’d suggest not reading this series until you have passed the exam.
  2. Different jurisdictions have different rules, and the rules change all the time, so you will never have it 100% right.
  3. Lawyers and judges speak less technology than technologists speak law. There are a lot of square pegs, round holes, and large mallets involved in fitting this stuff together.

Now we’re ready for a classic filmic example of authentication:

From My Cousin Vinny (1992), Vinny authenticates the money roll (first 39 seconds only. Warning: profanity and violence begin at the 40 second mark. Use headphones!):

In the video, Vinny is confronted by J.T., with whom he has made an interesting $200 bet. Vinny, being a trained cynic, doubts that J.T. has the money and takes a literal “money talks, bullsh*t walks” approach. J.T. holds up a money roll, claiming it’s his $200 stakes, and Vinny asks the right question: “how do I know that’s not a bunch of ones with a 20 wrapped around it?” This is exactly the question that authentication seeks to answer.

As Federal Rule of Evidence (FRE) 901 puts it, “To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.” (Emphasis added.) In other words, how do we know that the hard drive that’s being offered into evidence:

  1. Is actually a hard drive; and
  2. Is the same hard drive that you took from the defendant’s laptop?

What’s the burden of proof? I know what you’re thinking, “beyond a reasonable doubt!” No! That’s the burden of proof for convicting a defendant in a criminal trial. That’s not what we’re working with here.

First of all, while we’re using a lot of criminal trial examples, the rules of evidence apply in other kinds of cases — civil and administrative, for example. In those cases, nothing has to be proved beyond a reasonable doubt; in most cases, the burden of proof is the much lower “preponderance of the evidence” standard, which translates to “more likely than not.”

Second, those standards are what lawyers call burdens of persuasion: the jury has to decide that the prosecution proved its entire case beyond a reasonable doubt; or, in a civil case, that the plaintiff proved its version of the case was more likely than not the right one. A jury only needs to believe the plaintiff’s story is 51% likely in a civil case.

Third, questions of admissibility of evidence are called “preliminary questions of fact” under FRE 104: “The court must decide any preliminary question about whether a witness is qualified, a privilege exists, or evidence is admissible. In so deciding, the court is not bound by evidence rules, except those on privilege.” In Bourjaily v. United States, the Supreme Court held that the preponderance of the evidence standard is the one courts should apply to preliminary questions. In most cases, the judge only decides whether a reasonable jury could find that the preliminary facts were proven by a preponderance of the evidence, which is a very low threshold.

How does authentication work? Rule 901, quoted above, gives the basics, and it (usually) really is that simple! Just about any evidence that would help a judge conclude that the money roll is what we claim it is should work.

But is it really that simple? No legal thing is. If the thing you are authenticating includes words (an email, a document, an audio recording, a picture of a person using sign language), it could be subject to the hearsay rule and, in a criminal case, to the defendant’s right to confrontation. We’ll talk about those next time. For now, just remember that authenticating a record doesn’t mean I can use it for whatever I want.

The rules of evidence codify lots of methods that are either pretty obvious or have been worked out over the history of trials. Let’s take a quick look.

Bootstrapping (self-authentication) vs. Manual (witness-based). The rules give us shortcuts for a lot of common kinds of evidence. They are identified in FRE 902. Before we dig into those rules, though, let’s be clear: If my evidence doesn’t get a shortcut under Rule 902, that only means I’ll need to produce a witness to satisfy the requirements of Rule 901 — it almost never means the evidence isn’t admissible.

Some of the handy and uncontroversial self-authentication rules include: public records and documents that have been signed, sealed, and/or certified in various ways; newspapers and periodicals; trade inscriptions (a common example is the “made in” inscription on a firearm); documents that have been acknowledged in front of a notary public; and commercial paper (checks and money orders).

Next come a few that can apply to digital evidence: records of regularly conducted activity. If your business sells software and records information about its sales, the rule permits those records to be authenticated by a certification made by someone who knows about them, provided you give advance notice to the other party.

And finally the most recent additions, and the ones most relevant to digital evidence: records produced by an electronic process or system that produces accurate results (with certification and notice requirements like those described above), and data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification. While it’s a little silly to use “authenticated” in a rule that is supposed to tell us how to “authenticate,” and technology distinguishes “identification” from “authentication,” see admonition 3 above. Nevertheless, we get what they’re trying to say. Examples of this kind of authentication include hashing and digital signatures.

As I mentioned, failing to meet a self-authentication requirement does not mean your evidence can’t be authenticated. It means you need to produce a witness in court to authenticate it. There are also some other ways to avoid producing a witness in court for this, but we’ll skip those for now.

Old School Authentication. If you can’t use the self-authentication rules, how do you authenticate your evidence? Rule 901 explains the easiest and most common way: have someone who knows testify that it is what you say it is. There was an example of this in our previous installment:

P: Very well . . . Mr. Gordon, I’m showing you what’s been tagged as Prosecution Exhibit A. Do you recognize it?

G: Yes.

P: Can you tell us what it is?

G: Yes (snickers because he’s literally answered the question).

P: Well, what is it?

G: It’s a forensic image that I created of the hard drive that contained the access logs.

This is a pretty common way. Rule 901 gives some other interesting examples that we’ll skip for space, but one more bears mentioning: “Evidence describing a process or system and showing that it produces an accurate result.” Testimony about how logging works and that it produces accurate results should authenticate the logs, if you can’t self-authenticate them.

Ok. What about chain of custody? Chain of custody is not as decisive as you might think. It shows up in all of the crime shows and movies, and even major trials like O.J. Simpson’s murder trial. Don’t get me wrong, it still results in acquittals and reversed convictions. There are some great articles that discuss at length the relationship between FRE 901 and the chain of custody requirements and the specifics of the chain of custody rule and procedures. I’ll just summarize:

  1. Chain of custody is usually required in cases where evidence is physical and fungible (drugs and blood evidence are the most common examples) or is tested (even if I’m convinced that you collected white powder from the defendant’s pocket, you still have to convince me it’s the same evidence that the lab tested);
  2. Chain of custody applies more often and more significantly in criminal cases;
  3. A broken chain doesn’t usually mean the evidence is inadmissible; in many cases the incomplete chain merely makes the evidence less valuable;
  4. Despite 1–3, it’s crucial to follow the chain of custody requirements that apply to whatever you are doing. Failing to do so can still cause damage to cases and to your career; and
  5. Chain of custody is an important control that allows auditing and accountability and prevents or deters tampering, theft, and destruction of evidence.
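As an added example (not part of the original post), here is how the hashing mentioned under digital identification and the chain of custody control in point 5 fit together in code: a copy of a forensic image is identified by its hash, and each custody transfer is logged with the evidence hash and a link to the previous entry, so an altered item or an altered log entry is detectable on audit. The image bytes and custodian names are constructed stand-ins.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a forensic image; a real image would be read from disk.
IMAGE = b"constructed forensic image bytes: access logs 2020-09-01 ..."

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_copy(original: bytes, copy: bytes) -> bool:
    """Digital identification: the copy is what it claims to be if its hash
    matches the hash recorded for the original."""
    return sha256_hex(original) == sha256_hex(copy)

def add_custody_entry(log: list, custodian: str, action: str, evidence: bytes) -> dict:
    """Append one custody transfer. Each entry records the evidence hash and the
    hash of the previous entry, so later edits to either are detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "custodian": custodian,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_hash": prev,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def audit_chain(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means the chain and the item check out."""
    problems = []
    expected_prev = "0" * 64
    current = sha256_hex(evidence)
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"entry {i}: contents were altered after being recorded")
        if entry["prev_entry_hash"] != expected_prev:
            problems.append(f"entry {i}: link to previous entry is broken")
        if entry["evidence_sha256"] != current:
            problems.append(f"entry {i}: evidence hash differs from the item presented")
        expected_prev = entry["entry_hash"]
    return problems

if __name__ == "__main__":
    log = []
    add_custody_entry(log, "examiner", "created image of drive", IMAGE)
    add_custody_entry(log, "evidence clerk", "received image", IMAGE)
    print("clean chain:", audit_chain(log, IMAGE))
    print("altered item:", audit_chain(log, IMAGE + b"!"))
```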


Gary Weingarden

Privacy Officer and Dir IT Security Compliance at Tufts University