Criminal Conviction Overturned Due to Failure to Authenticate Social Media Evidence

Law Journal for webUnder our ongoing effort to monitor legal developments concerning social media evidence, we again searched online legal databases of state and federal court decisions across the United States — this time to identify the number of cases in January 2017 where evidence from social networking sites played a meaningful role in the litigation. The initial search returned over 2,000 results. That is far too many to review manually, but through random sampling to eliminate duplicates and de minimis entries — defined as cases with merely cursory or passing mentions of social media sites — we counted over 1,200 cases accessible through Westlaw and/or Google Scholar for January 2017.

And as only a very small number of cases — approximately one percent of all filed cases — involve a published decision or brief that we can access online, it is safe to assume that tens of thousands more cases involved social media evidence during this time period. Additionally, these cases do not reflect the presumably many hundreds of thousands of more instances where social media evidence was relevant to a corporate or law enforcement investigation yet did not evolve into actual litigation. Even so, this limited survey is an important metric establishing the ubiquitous nature of social media evidence, its unequivocal and compelling importance, and the necessity of best practices technology to search and collect this data for litigation and compliance requirements. There is no question that nearly every criminal investigation and civil litigation matter involves at least some social media and internet-based evidence.

The following are a brief synopsis of five notable cases from the survey:

Brown v. State, (Ga: Supreme Court, January 23, 2017). In this case, the prosecution presented key evidence from a variety of social media sources, including a “cropped screenshot” from a YouTube video, several incriminating Facebook postings and a copy of a photograph downloaded from a Twitter account. The items were admitted into evidence and the defendant was convicted on all counts. However, a motion for new trial was brought on the basis of challenging the authenticity of the social media evidence introduced as screen shots. The court overturned the conviction on one of the counts (count of criminal gang activity). The Georgia Supreme Court upheld that ruling but determined that improper authentication was a harmless error as to the remaining counts that Defendant was also convicted on.

State v. Kolanowski, (Wash: Court of Appeals, January 30, 2017).  In another case involving the failure to authenticate social media evidence, a criminal defendant unsuccessfully sought to admit a screenshot of Facebook evidence that he maintained would have served as critical impeachment against the prosecutions’ main witness.  During pretrial motions, the State sought to exclude Facebook records that lacked foundation, and the defendant sought to admit a March 2015 screenshot of what purported to be a 2:49 a.m., February 8, 2014 Facebook post. The authenticity of that screenshot was successfully contested. It is apparent from the record that various metadata and other circumstantial evidence was not available (which could have been collected using best practices technology) that very well may have served to establish a proper evidentiary foundation.

ZAMUDIO-SOTO v. BAYER HealthCARE PHARMACEUTICALS INC. (US Dist. Ct, ND California, January 27, 2017). In this matter, a major product liability claim was barred on statute of limitation grounds based exclusively on the Plaintiff’s comments on her Facebook post.  Plaintiff’s Facebook comments drew a connection to her injury and the alleged defective product in question, and was posted on May 26, 2011, more than two years prior to her filing suit against Bayer. The court determined that Plaintiff’s Facebook post started the clock for her to bring her claim within the two year statute of limitations period. However, as she did not file her suit until January 2015, the court ultimately barred her action.

Jacobus v. Trump, (NY Supreme Court, January 9, 2017) This high-profile libel case is notable in that the claim against then-candidate Donald Trump was exclusively based upon social media evidence in the form of two separate tweets. Plaintiff Jacobus is a Republican political consultant and frequent commentator on television news channels and other media outlets, who was contacted by the Donald Trump campaign to potentially serve as a key staff member. After several meetings, Plaintiff ultimately did not join the campaign, based upon what she asserts was a mutual decision.  A few months later, Jocobus appeared on CNN where she made some comments that were critical of Trump. In response, Trump tweeted:  “@cherijacobus begged us for a job. We said no and she went hostile. A real dummy!”  A day later, on February 3, 2016, Plaintiff’s then lawyer sent Trump a cease and desist letter. Two days after that, Trump posted the following tweet about Plaintiff: “Really dumb @CheriJacobus. Begged my people for a job. Turned her down twice and she went hostile. Major loser, zero credibility!” Ultimately the court construed Trump’s comments to be “hyperbolic” opinion, based upon subjective perception of events, and thus did not constitute defamation under the law, and thereby dismissed Jacobus’s claim.

Johnson v. ABF Freight System, Inc. US Dist. Court, MD Florida, January 27, 2017. This opinion is based upon a motion to compel discovery of the Plaintiff’s Facebook account. The Defendant asserted that Plaintiff’s Facebook account would be relevant to his damages claims arising out of a serious personal injury claim. The Court granted the motion to compel, but limited the production of the Facebook account to a certain date range and also only information that related to his employment and business activities and efforts to gain employment.

There is no question that the volume of cases involving social media evidence is increasing on a monthly basis. In addition to case law, another metric reflecting the industry’s standardization of social media evidence collection is the sheer volume of sophisticated customers that have now adopted X1 Social Discovery. Nearly 500 eDiscovery and computer forensics services firms have at least one paid copy of X1 Social Discovery. I cannot think of a single service provider in the eDiscovery space that performs at least some ESI collection services that does not have at least one paid X1 Social license. Social media evidence collection is now a standard practice in many law enforcement matters as well. So, if you are one of the minority of digital investigative or eDiscovery professionals who have not adopted X1 Social Discovery, please contact us for a demo today.

Leave a comment

Filed under Uncategorized

Judge Facciola Addresses Impact of New Federal Rule of Evidence 902(14)

john_m-_facciola

As part of our continuing coverage and analysis of Federal Rule of Evidence 902(14), we are highlighting a  very notable Law Review article now available online, penned by Hon. Judge John Facciola as lead author, in the Georgetown Law Technology Review: Law of the Foal: Careful Steps Towards Digital Competence in Proposed Rules 902(13) and 902(14). U.S Magistrate Judge Facciola (Ret), who is now a Georgetown law professor, is well known for his many important and insightful court opinions involving eDiscovery issues when he was on the bench. So his analysis on Rules 902(13) (14), which exclusively address electronic evidence, will be influential.

To review, FRE 902(14) is a very important new rule, which provides that electronic data recovered “by a process of digital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person.” This rule will have a significant impact on computer forensics and eDiscovery collection practices when it goes into effect later this year. A detailed discussion of Rule 902(14) can be found here.

A key takeaway from the Georgetown Law Technology article is that Facciola believes 902(14) will have a very positive impact by mainstreaming and standardizing electronic evidence collection practices and the supporting technology among the courts and attorneys. Facciola notes: “The proposed Rules will likely reduce litigation costs spent authenticating information, and help foster judicial efficiency and familiarity with technology. Authentication using hash values will allow courts and lawyers to focus on more pressing issues, and will provide courts with the assurance that presented digital evidence is, in fact, what it purports to be.”

Further to this point, Facciola notes that the written certifications provided by eDiscovery and computer forensics practitioners under Rule 902(14) “could illuminate for the court the underlying forensic science that will explain why the evidence being offered can be trusted and relied upon. This is, of course, a welcome alternative to lawyers and courts looking everywhere except the technological basis to determine the authenticity of an email or a Facebook entry.”

The article contains a detailed discussion of hashing as a process of digital identification, which Judge Facciola identifies as a very important process to fulfill the requirements of the Rule: “Hashing provides exactly the proof that Rule 902 requires: that the document is what the attorney states that it is.”

In one regard, Judge Facciola believes the goal of the new Rule is modest, but the Judge is addressing the overall admission of the electronic evidence at hand, including other potential evidentiary objections related to its content, such as hearsay, relevance, and other matters that are generally beyond the scope of a forensic collection and examination. From the perspective of eDiscovery and computer forensics collection practices however, the article confirms that the impact will be very significant and widespread across the practice.

Most of all, Judge Facciola  predicts a meaningful intangible impact from the rule as judges and lawyers will surely become much more familiar with computer forensic technology, which will lead to more widespread adaption and more rapid development in the law in this area:

“[T]he technology properly understood can lead to further advances in creating new rules that will deal with the other issues of authenticity that are based on a forensic evaluation of how computers operate, and create vitally useful information. Forensic technology may answer quickly whether a particular computer produced this electronically stored information because data created by the system itself can answer that question indubitably in particular case.”

We definitely agree, and in terms of supporting technology to enable compliance with Rule 902(14) and any future related legal developments, X1 Distributed Discovery for enterprise collections and X1 Social Discovery for social media and website collections are geared toward providing such quick and unequivocal answers to questions of ESI authenticity.

Leave a comment

Filed under eDiscovery

Federal Evidence Rule 902(14) is Immediately Applicable for ESI Collections

X1 and Reed Smith recently hosted a timely webinar on new Federal Rule of Evidence 902(14) and its expected impact on eDiscovery and computer forensics collection practices. Reed Smith senior partner and eDiscovery practice chair David Cohen led the discussion, providing a substantive and detailed discussion on the new rule, including its nuances and expected practice impact. FRE 902(14) provides that electronic data recovered “by a process of digital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person.” A detailed discussion of Rule 902(14) can be found here.

The webinar, which also provides a detailed overview of the rule, features excellent analysis and insight from David Cohen on how he anticipates the new rule will be applied. In fact, the key takeaway from the webinar is that while FRE 902(14) technically goes into effect on December 1, 2017, Cohen correctly noted that ESI collected in a Rule 902(14) compliant manner any time prior to the rule’s effective date can be subject to the new rule’s provisions once the rule goes into effect. This is important, because digital evidence is routinely collected well in advance of trial. Electronic evidence that an examiner collects today may not be actually introduced at trial until one year or more from now, so practitioners need to understand and account for Rule 902(14) immediately.

Cohen believes that FRE 902(14) will be widely applied and will overall increase the utilization of eDiscovery and computer forensics practitioners. This is because the rule provides a streamlined and very efficient process to establish a foundation for ESI collected in a Rule 902(14) manner. This will increase predictability by eliminating surprise challenges, and will encourage, instead of discourage, the use of forensics and eDiscovery practitioners by allowing written certifications in the place of expensive and burdensome in-person trial testimony. Cohen also noted that while most cases do not proceed to trial, a much higher percentage involve dispositive court motions (such as a motion for summary judgment in civil actions) and he expects FRE 902(14) to be widely used in support of such motions.

I have covered eDiscovery and computer forensics law for over 15 years, and in my opinion, FRE 902(14) is the single most important legal development directly impacting ESI collection practices to date. All eDiscovery and computer forensics professionals have a professional responsibility to keep current with key legal and technological developments in the field. There is no question FRE 902(14) is such a development, and all those involved in ESI preservation and collection from both a technical, legal and managerial perspective need to be fully briefed on the law.

Viewing the video recording of the webinar is a good start, and it can be accessed here.

1 Comment

Filed under Uncategorized

New Federal Rule of Evidence to Directly Impact Computer Forensics and eDiscovery Preservation Best Practices

At X1, an essential component of our mission is to develop and support exceptional technology for collecting electronic evidence to meet eDiscovery, investigative and compliance requirements. It is also our goal to keep you abreast of important developments in the industry that could ultimately impact collection strategies in the future and, consequently, your business.  To that end, I recently learned about a crucial new legal development scheduled to take place on December 1, 2017, which we believe will have a very significant impact on the practices of our customers and partners.

In a nutshell, the new development is a significant planned amendment to Federal Rule of Evidence 902 that will go into effect one year from now. This amendment, in the form of new subsection (14), is anticipated by the legal community to significantly impact eDiscovery and computer forensics software and its use by establishing that electronic data recovered “by a process of digfederalrulesofevidence-188x300_flat2ital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person.” Notably, the accompanying official Advisory Committee notes specifically reference the importance of both generating “hash values” and verifying them post-collection as a means to meet this standard for self-authentication. This digital identification and verification process can only be achieved with purpose-built computer forensics or eDiscovery collection and preservation tools.

Rule 902, in its current form, enumerates a variety of documents that are presumed to be self-authenticating without other evidence of authenticity. These include public records and other government documents, notarized documents, newspapers and periodicals, and records kept in the ordinary course of business. New subpart (14) will now include electronic data collected via a process of digital identification as a key addition to this important rule.

Amended Rule 902, in pertinent part, reads as follows:

Rule 902. Evidence That Is Self-Authenticating
The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:
* * *
(14) Certified Data Copied from an Electronic Device, Storage Medium, or File.
Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).

The reference to the “certification requirements of Rule 902(11) or (12)” is a process by which a proponent seeking to introduce electronic data into evidence must present a certification in the form of a written affidavit that would be sufficient to establish authenticity were that information provided by a witness at trial. This affidavit must be provided by a “qualified person,” which generally would be a computer forensics, eDiscovery or information technology practitioner, who collected the evidence and can attest to the requisite process of digital identification utilized.

In applying Rule 902(14), the courts will heavily rely on the accompanying Judicial Conference Advisory Committee notes, which provide guidance and insight concerning the intent of the laws and how they should be applied. The Advisory Committee notes are published alongside the statute and are essentially considered an extension of the rule. The second paragraph of committee note to Rule 902(14) states, in its entirety, as follows:

“Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by ‘hash value.’ A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”

The Advisory Committee notes further state that Rule 902(14) is designed to streamline the admission of electronic evidence where its foundation is not at issue, while providing a notice procedure where “the parties can determine in advance of trial whether a real challenge to authenticity will be made, and can then plan accordingly.” While this rule provides that properly certified electronic data is now afforded a strong presumption of authenticity, the opponent may still lodge an objection, but the opponent now has the burden to overcome that presumption.  Additionally, the opponent remains free to object to admissibility on other grounds, such as relevance or hearsay.

Significant Impact Expected

While Rule 902(14) applies to the Federal Courts, the Rules of Evidence for most states either mirror or closely resemble the Federal Rules of Evidence, and it is thus expected that most if not all 50 states will soon adapt this amendment.

Rule 902(14) will most certainly and significantly impact computer forensics and eDiscovery practitioners by reinforcing best practices. The written certification required by Rule 902(14) must be provided by a “qualified person” who utilized best practices for the collection, preservation and verification of the digital evidence sought to be admitted. At the same time, this rule will in effect call into question electronic evidence collection methods that do not enable a defensible “digital identification” and verification process. In fact, the Advisory Committee notes specifically reference the importance of computer forensics experts, noting that a “challenge to the authenticity of electronic evidence may require technical information about the system or process at issue, including possibly retaining a forensic technical expert.”

In the eDiscovery context, I have previously highlighted the perils of both custodian self-collection for enterprise ESI collection and “print screen” methods for social media and website preservation. Rule 902(14) should provide the final nail in the coffin for those practices. For instance, if key social media evidence is collected through manual print screen, which is not a “process of digital identification” under Rule 902(14), then not only will the proponent of that evidence fail to take advantage of the efficiencies and cost-savings provided by the rule, they will also invite heightened scrutiny for not preserving the evidence utilizing best practices. The same is true for custodian self-collection in the enterprise. Many emails and other electronic documents preserved and disclosed by the producing party are often favorable to their case.  Without best practices utilized for enterprise data collection, such as with X1 Distributed Discovery, that information may not be deemed self-authenticating under this new rule.

In the law enforcement field, untrained patrol officers or field investigators are too often collecting electronic evidence in a manual and haphazard fashion, without utilizing the right tools that qualify as a “process of digital identification.” So for an example, if an untrained investigator collects a web page via the computer’s print screen process, that printout will not be deemed to be self-authenticating under Rule 902(14), and will face significant evidentiary hurdles compared to a properly collected web page via a solution such as X1 Social Discovery.

Also being added to Federal Rule of Evidence 902 is subpart (13), which provides that “a record generated by an electronic process or system that produces an accurate result” is similarly self-authenticating. This subpart will also have a beneficial impact on the computer forensics and eDiscovery field, but to a lesser degree than subpart (14). I will be addressing Rule 902(13) in a future post. The public comment period on amendments (13) and (14) is now closed and the Judicial Conference of the United States has issued its final approval. The amendments are currently under review by the US Supreme Court. If the Supreme Court approves these amendments as expected, they will become effective on December 1, 2017 absent Congressional intervention.

To learn more about this Rule 902(14) and other related topics, we’d like to invite you to watch this 45 minute webinar discussion led by David Cohen, Partner and Chair of Records & eDiscovery Group at Reed Smith LLP. The 45 minute webinar includes a Q&A following the discussion. We look forward to your participation.

Watch now > 

Leave a comment

Filed under Authentication, Best Practices, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, Information Governance, Social Media Investigations

Effective Information Governance Requires Effective Enterprise Technology

Information governance is the compilation of policies, processes, and controls enforced and executed with effective technology to manage electronically stored information throughout the enterprise. Leading IT industry research firm Gartner states that “the goal of information governance is to ensure compliance with laws and regulations, mitigate risks and protect the confidentiality of sensitive company and customer data.” A strong, proactive information governance strategy that strikes the balance between under-retention and over-retention of information can provide dramatic cost savings while significantly reducing risk.

However, while policies, procedures and documentation are important, information governance programs are ultimately hollow without consistent, operational execution and enforcement. CIOs and legal and compliance executives often aspire to implement information governance programs like defensible deletion, data migration, and data audits to detect risks and remediate non-compliance. However, without an actual and scalable technology platform to effectuate these goals, those aspirations remain just that. For instance, recent IDG research suggests that approximately 70% of information stored by companies is “dark data” that is in the form of unstructured, distributed data that can pose significant legal and operational risk and cost.

To date, organizations have employed limited technical approaches to try and execute on their information governance initiatives, enduring many struggles. For instance, software agent-based crawling methods are commonly attempted and can cause repeated high user computer resources utilization for each search initiated and network bandwidth limitations being pushed to the limits rendering the approach ineffective. So being able to search and audit across at least several hundred distributed end points in a repeatable and quick fashion is effectively impossible under this approach.

Another tactic attempted by some CIOs to attempt to address this daunting challenge is to periodically migrate disparate data from around the global enterprise into a central location. The execution of this strategy will still leave the end user’s computer needing to be scanned as there is never a moment when all users in the enterprise have just finished this process with no new data created. That means now that both the central repository and the end-points will need to be searched and increasing the complexity and management of the job. Boiling the ocean through data migration and centralization is extremely expensive, highly disruptive, and frankly unworkable as it never removes the need to conduct constant local computer searching, again through problematic crawling methods.

What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of days or weeks. None of the other approaches outlined above come close to meeting this requirement and in fact actually perpetuate information governance failures.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides — on desktops, laptops, servers, or even the Cloud — without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery and information governance functionality, organizations offer employees at the same time, the award-winning X1 Search, improving productivity while effectuating that all too illusive actual compliance with information governance programs.

1 Comment

Filed under Best Practices, eDiscovery & Compliance, Information Governance, Information Management, Records Management, SharePoint, X1 Search 8