ECPA – No suppression remedy Civil damages, but you lose your job!

Federal Privacy Laws
 How can government obtain emails and network
account logs from ISPs?
 When does the government need to obtain a search
warrant as opposed to a 2703(d) order or a
subpoena?
 When can providers disclose emails and records to
the government voluntarily?
 What remedies will courts impose when ECPA
is violated?
Federal Privacy Laws
 ECPA - The Electronic
Communications Privacy Act (18
U.S.C. 2510 et seq)
 PPA - The Privacy Protection Act (42
U.S.C. 2000a)
 CCPA - The Cable Communications
Policy Act (47 U.S.C. 251 et seq)
Why do I care?
 ECPA – No suppression remedy
Civil damages, but you lose your job!
 PPA – No suppression remedy
Civil damages. Law enforcement officers
may be held personally liable!
ECPA
 Extends wiretap laws to electronic
communications
 Regulates how investigators can obtain
stored e-mail, account records or
subscriber information from network
service providers: ISPs, phone companies, cell
phone providers, and satellite services.
ECPA
 ECPA seeks to provide certain privacy
rights to network account holders by
offering varying degrees of legal
protection depending on the perceived
value of the privacy interest involved
ECPA
 What type of info is being sought?
Basic subscriber info?
Transactional records?
Content in electronic storage?
 How can you get it?
Subpoena?
2703(d) Order?
Search warrant?
Basic Subscriber Information
 Gives you only
 name & address
 local and LD telephone toll billing records
 telephone number or other account
identifier (such as username or “screen
name”)
 length & type of service provided
 Can get IP number & dates/times for IRC
 Can be obtained through subpoena
 Do not subpoena “all customer records”
Transactional Records
 Not content & not basic subscriber
 § 2703(c)(1)(B)
 Everything in between
 financial information (e.g., credit card)
 audit trails/logs
 web sites visited
 identities of e-mail correspondents
 cell site data from cellular/PCS carriers
 Obtainable with § 2703(d) court order
What are “contents”?
 “Any information concerning the
substance, purport, or meaning of
that communication.”
 Attached wp files
 Attached picture files
 Subject headers of e-mails
Section 2703(d) Orders
 Articulable facts order
 “specific and articulable facts showing
that there are reasonable grounds to
believe that [the requested records] are
relevant and material to an ongoing
criminal investigation”
 Higher standard than a subpoena, lower
than probable cause
 ECPA permits service outside state of
issuing district
Opened e-mail
 Do you need a search warrant?
 Subpoena – served with prior notice
 2703(d) Order – served with notice to subscriber
 Search warrant – no notice to subscriber
 Other stored electronic communications in
“electronic storage” more than 180 days
(unopened e-mail)
Notification
 Investigators can delay notice for up to 90 days
to avoid:
 flight from prosecution
 destruction of or tampering with evidence
 intimidation of potential witnesses
 seriously jeopardizing an investigation
 (§ 2705)
 2703(d) Application and Orders will contain a
request for delayed notice – must state why
 Can extend delay additional 90 days
Unopened e-mail > 180 days
 If unopened and in storage for less than
180 days, use search warrant (§ 2703(a))
 Warrant operates like a subpoena
 No notice required
 Except 9th Circuit
Preservation Request
 A provider of wire or electronic communication
service or a remote computing service, upon
request of a governmental entity, shall take all
necessary steps to preserve records and other
evidence in its possession pending the issuance of
a court order or other process.
Voluntary Disclosure
 Can you accept information voluntarily disclosed by
ISP?
 Providers may monitor and intercept real time
communications for purposes of maintaining and
protecting their equipment.
 Is the ISP required to disclose such info?
Privacy Protection Act
“[I]t shall be unlawful . . . to search for or seize
any work product materials possessed by a
person reasonably believed to have a
purpose to disseminate to the public a
newspaper, book, broadcast, or similar form
of public communication . . .”
• Prohibits use of a search warrant for such
materials
 42 USC 2000aa
Privacy Protection Act
 Provides additional protection to media from law
enforcement searches
 Response to US Supreme Court decision Zurcher v.
Stanford Daily, 436 U.S. 547 (1978)
 Newspaper sued saying LE search violated First
Amendment rights of paper
Basic PPA Rule
 Act requires law enforcement to rely on
cooperation from Media
 Must use a subpoena
 Less intrusive means to obtaining
evidence
 Offers better protection to innocent
parties
Exceptions
 Contraband or fruits or instrumentalities of a
crime
 Immediate seizure of materials necessary to
prevent death or serious bodily injury
 Probable cause that person possessing such
material has committed or is committing a
criminal offense
 Except if mere possession offense
 Except child pornography
Who is Protected?
 Bulletin boards
 Web pages
 TV stations
 Authors
 Publishers of any medium whose intent is to
publish information to the public
 Includes publishers of legal pornography
Commingled Evidence
 What do you do when both protected material
under PPA and contraband are found on same
hard drive?
 Can you take computer?
 Once you realize that you have protected material
what do you do?
 Do you have an affirmative duty to return
protected material?
Cell Phones
 THE CLOCK IS TICKING!!
 EVERY SECOND YOU WAIT TO
COLLECT EVIDENCE, THE MORE YOU
LOSE!!
Cell Phones
 Once you get the phone number:
 Call the carrier ask whether the number was
active and billable on their network during
the time in question.
 That one phone call will save hours
Cell Phones
 If so, send preservation letter.
 Follow-up call to ensure receipt.
 Search Warrant to carrier.
Cell Phones
 Search warrant for the following:
 Billing Records
 Carrier Key
 CDR’S
 Cell-Site information
Billing Records
 Records the customer receives from carrier.
 BR show ONLY completed and billable calls
 BR show ONLY date, time, duration and
number called or received from.
 BR are incomplete for your investigation!!
Carrier Key
 Must specifically request to receive
 Provides acronyms, and any special
instructions for interpreting their
records.
Call Detail Records
 Have to specifically ask for these.
 WAY more information.
 Date, time, duration, number called, calling
party, call reference code, text, data, cell site, sector.
 Not all carriers give all this info.
Search Warrants
 Include “text messages and MMS including all numbers sent
to and received from, date, time, duration and all content
related to each message”
 Porting—remember a number that starts on AT&T can move
to another service.
 Tracfone—a booster phone. When sending search warrant,
ask for “Notes and Footnotes.” Notes and Footnotes will
tell you where device purchased, where payments were
made and how.
 Booster phones—generally operated by Sprint/Nextel
CELL TOWER DUMP
 All activity on a particular cell-site for a specific
time
 TIME SENSITIVE!!
 Each carrier has their own network of Cell-
Sites
 Need “Carrier Key”
TOWER DUMP
 Recommended verbiage:
 “Requesting a “Tower Dump” from all cell sites
in the immediate area of (address or lat/long of
your incident) that would support any and all
communication including but not limited to
calls, text messaging, data, walkie-talkie, push
to talk…”
Tower Dump
 AT&T: 90 days only, $75 per cell site, 2-week turnaround
 Metro: 6 months, $50/site, 2 weeks
 Sprint/Nextel/Boost: up to 24 months, $0-50, 2 weeks.
Special verbiage: “any tower in the area that would
support communication…” so that you get all three
 T-Mobile: 6 months, $100/per, 2 weeks, NO exigency
 Verizon: 90 days, no charge, 2 weeks
Electronic Evidence
Writings/Documents
Documents Give me a RASH
Relevance
Authenticity
Secondary Evidence/Best Evidence
Hearsay
Computer Evidence
 3 Types
 1. Those records generated by process
 2. Those records generated by persons
 3. Commingled
Evidence Developed by Process
 Remember the definition
 Statement or assertion or non verbal
conduct
 Of a PERSON
 If not by a person, NOT hearsay
Examples
 GPS data
 Log in records from ISP
 Cell Tower data
 Pin entries
 Telephone toll records
 Phone numbers called
 Email header info
 IP tracing
 Electronic banking
 U. S. v. Bellomo 176 F.3d
580
Not Hearsay
 IP address is automatically generated by computer
hosting newsgroup. No statement by person, thus not
hearsay.
 U. S. v. Hamilton 413 F. 3d 1138
Examples Persons (Hearsay)
 Personal letter
 Memo
 Bookkeeping records
 Records of business transactions inputted
by persons
Hearsay Records
 803(6). Business Records not for litigation
 902(11) Certification
 803(8) Police Computer Records
 Computer Chat logs may include
admissions. 801(d)(2) witness’s side of
conversation gives context to D’s. U.S. v. Burt 496
F.3d 733
 801(d)(2)(e) co-conspirator statements
Bullcoming v. New Mexico
 Computer generated records MAY violate
Confrontation Clause.
 If the computer record is dependent upon
human conduct that must be testified to to
make the record valid, that witness must
testify.
Examples Mixed
 Email content and header
 File with both written data and creation,
access and modified dates
 Chat logs that id participants with dates
and times
 Spreadsheets
Foundation
 901(a) Lowest standard in law
 Computer records are judged by same standard
 901(b)(4) Distinctive characteristics
 901(b) (9) Describing a process
 902 Self Authentication
 902(8) Acknowledged Docs—emails, texts, chats
Foundation
 Ultimately just has to be person who “has knowledge that
a matter is what it is claimed to be.”
 901(b)(4) Distinctive characteristics of email include the
“@” symbol, email addresses with the person’s name
connected to the email, and people’s name on To and
From or signature line. U.S. v. Siddiqui 235 F.3d 1318
Objection IP Address
“Objection hearsay!”
Hearsay is an out of court statement by a PERSON
NOT HEARSAY--Admissible with authentication
E-mail headers
Security logs
Billing records
Hash value/date and time stamps
The Objections
You get the local AOL Security Officer to testify to
records:
 (1) “Your honor, this person is only a security guard
without any formal background or training. She’s not
qualified to testify to the records systems.”
 (2) “All she knows is what she sees on the screen. She
doesn’t know anything about how the hardware and
software run. So she’s incompetent to testify about
the mode of preparation.”
 (3) “She only learned what she learned from talking
to others. Her testimony is based on hearsay and
objectionable.”

Your response: “Oh %&*&!!! I have a RASH!”
The Objections
As to the Identifying information:
 (6) “How do we know that these entries were made at
or near the time of the event? All we have are these
computer entries!”
 (7) “This is a print-out of the database, not the
database itself. How do we know the print-out is
accurate? You know those crazy printers.”
 (8) “This witness didn’t gather the record. She only
brought it to court.”
The Objections
As to the Internet Tracing:
(9) “What do we really know about the Internet? It’s
just a collection of wires. How do we know this
Who-Is service is accurate? Maybe there are hundreds of
domain names and hundreds of e-mail accounts that
are the same as this.”
(10) “It would take an expert to tell us about the
Internet. This cop is no expert, just a flat foot with a
laptop.”
The Objections
As to the ISP e-mail account:
(11) “This is more information that is unreliable. The source
isn’t the company, it’s the person who opened the
account. It’s not a business record.”
The Objections
As to all of the information:

(12) “Who put the numbers on the machines? The
computer. It’s the declarant. I should have the right to
cross-examine the computer itself.”
The Objections

(13) “Where’s the custodian? I have
an absolute right to cross-examine
the custodian!”
ICAC Training & Technical
Assistance Program
The Objections
 “They cannot show that the electronic
record has not been tampered with or
changed, so there is no authenticity.”
The Objections
 As with paper documents, the mere possibility of
alteration is not sufficient to exclude electronic evidence.
It is a weight issue, not an admissibility issue.
 U.S. v. Bonallo 858 F.2d 1427 (9th)
Objections
 “We don’t know who actually sent this
email/was on this chat etc.”
Objections
 Circumstantial evidence establishes
authorship. Email addresses, IP addresses,
signature blocks and content can get past
authenticity. U.S. v. Simpson 152 F.3d 1241
Website Authentication
 Printouts of website are not self authenticating. U.S. v.
Jackson 208 F. 3d 633
 Need to call someone who is familiar with the site or
viewed it contemporaneously to your crime.
The Objections
AOL responds to subpoena duces tecum with
copies of identifying information and billing
records
They also send e-mail, along with an FRE
902(11) declaration.
But there is no custodian present.
Admissible?
Relevance
401 Simple
Authentication
803(6)
Report/Record/data compilation
902 Self Authentication
“Do you recognize Court Exhibit # 1?”
“What is it?”
“Where did it come from?”
The Basic § 803(6) Requirements
The writing was made in the regular course of business.
The writing was made at or near the time of the act,
condition, or event
The custodian or other representative testifies to its
identity and mode of preparation; and
The sources of information and method and time of
preparation were such as to indicate its trustworthiness.
No Crawford implications
The Object of the Exercise
. . . Is to show how the computer generated records satisfy all four
of these requirements.
OR – alternatively
How the computer generated document is authenticated as a
document and relevant as such without reference to its hearsay
content.
Practice Point
Write a trial brief on these issues
The defense will focus on “the perils of unknown
information.”
Court is uncomfortable with electronic evidence.
Acquaint the Court with the issues and authorities before
you start.
The Forest Before the Trees – the Right
Metaphor
FRE 104 foundation is not rigid or formalistic.
Could a reasonable jury find by a preponderance of
the evidence
It is NOT a checklist, each item of which must be
marked off before the item is admitted
The Right Metaphor is topics in a theme, each of
which must be addressed in the showing
The Forest Before the Trees – Weight v.
Admissibility
Case authority repeatedly emphasizes reliability is NOT
the same as infallibility.
A business record may be trustworthy and still be found to
contain errors.
The Forest Before the Trees – The
Fundamental Authority
People v. Lugashi (1988), 205 Cal. App 3rd 632
Case involved the use of stolen credit card numbers to post
phony sales transactions.
Wells Fargo Bank was the victim.
The transactions were posted by telephone.
Proof of the records involved a description of Wells Fargo’s
entire data processing system, which involved transfers
from phone records to magnetic tape, dump to computer,
software processing, etc.
The Forest Before the Trees – The
Fundamental Authority (cont.)
The witness providing the foundational
showing was a Loss Prevention Officer (LPO).
LPO knew the system and case cold, but
lacked any formal computer training
Foundation was attacked on appeal.
Case affirmed with great language.
The Objections Revisited

“Your honor, this person is only a security guard without
any formal background or training. She’s not qualified to
testify to the records systems.”
Response – anyone who knows the system can serve as
an adequate company representative. Do not have to
have written the computer program
U.S. v. Salgado 250 F.3d 438
The Objections Revisited
(2) “All she knows is what she sees on the screen. She doesn’t
know anything about how the hardware and software run. So
she’s incompetent to testify about the mode of preparation”
Response – Don’t need an expert.
A person who generally understands the system's operation and
possesses sufficient knowledge and skill to properly use the
system and explain the resultant data is a qualified witness.
Lugashi.
The Objections Revisited
(3) “She only learned what she learned from talking to
others. Her testimony is based on hearsay and
objectionable.”
Response – This objection has been considered and
dismissed. Most people have learned what they learned
listening to others.
A Final Comment on the Hearsay
Objection
The point of §1271/803(6) is to eliminate the necessity of
calling multiple witnesses for one transaction.
“The object of Evidence Code section 1271/803(6) is to
eliminate the calling of each witness involved in
preparation of the record and substitute the record of the
transaction instead [cit. omit].” County of Sonoma v. Grant
W. (1986), 187 Cal. App. 3d 1439 at 1451. Accord, People v.
Matthews (1991) 229 Cal. App. 3rd 930 at 940 – and of
course Lugashi
The Objections Revisited (Internet
Trace)
“(10) It would take an expert to tell us about the Internet. This
cop is no expert, just a flat foot with a laptop.”
Response – Evidence Code §702 indicates the specialized
knowledge of an expert can be based on `skill, experience, and
training’ as well as education.
Query whether basic `Internetology’ requires anything more
than lay opinion these days. 701
It almost certainly will not in the near future.
The Objections Revisited (internet
Trace)
“What do we really know about the Internet? It’s
just a collection of wires. How do we know this
Who-Is service is accurate? Maybe there are
hundreds of domain names and hundreds of
e-mail accounts that are the same as this.”
Response – no case law this time, but there is a
dead on statute
Evidence Code §803(17) – the “phone book”
exception
Evidence Code §803(17)
Evidence of a statement, other than an opinion,
contained in a tabulation, list, directory,
register, or other published compilation is not
made inadmissible by the hearsay rule if the
compilation is generally used and relied upon
by persons in particular occupations.
Dead on to the directories of business and TSP
sites maintained by Network Solutions, Who Is,
Sam Spade, and so on.
Literally the same as the phone book
Pushing the Envelope (Practice Tip)
What is Today’s Expertise is Tomorrow’s Common Knowledge
Remind the Judge that there was a time when the operations of
the telephone, television, radio, and so forth, were esoteric and
the subject of expertise. Although some of these still are, the
basics are not and jurors follow them easily.
Most foundational matters with respect to computer operations
are very basic and increasingly understood as a matter of
everyday experience.
The threshold showing of reliability thus becomes easier to
make, as it has with other technology.
The Objections Revisited (E-Mail
Account)
“(11) This is more information that is unreliable. The
source isn’t the company, it’s the person who opened the
account. It’s not a business record.”
Response – the document is being admitted not as the
record of an `act, condition, or event’, but as a document,
i.e., the account information on the account just happens
to be the personal information of the defendant.
Ascertainable from the `face’ of the document, as it were.
The record is thus subject to the liberal authentication
procedures of Evidence Code §901/ 902
The Objections Revisited
(12) “Who put the numbers on the machines? The
computer. It’s the declarant. I should have the
right to cross-examine the computer itself.”
Response – as farcical as this sounds, the
objection has been made in practice.
People v. Hawkins (2002) 98 Cal. App 3d. 1428 is
dispositive. `Mechanical’ computer functions are
proved up by showing that the machine was
working properly.
The Objections Revisited
(Absence of Custodian)
 (13) “Where’s the custodian? I have an absolute right to





cross-examine the custodian!”
Response: Does he? Really? Think about it
He has no statutory right, because Evidence C. 803(6)
§902(11) provides that the affidavit is sufficient
So he must be talking about a Constitutional right.
Does the right to confront and cross-examine witnesses
really extend to bare bones foundational showings
provided by affidavit?
Crawford says no.
The Objections Revisited
(Absence of Custodian)
However, if this seems a bit too audacious to you:
 (1) All Evidence C. §803(6) requires is an authorized
representative.
 (2) If the hotel is a national chain, use a local
 (3) If not, it almost certainly uses the services of an
accounting firm with national affiliations.
 (4) A member of the local branch of the accounting firm
who has familiarized him- or herself with accounting
practices, should do fine.
Common Areas for Digital Evidence
Warrants
 Subscriber account info
 InterNIC/WhoIS
Sources of Evidence
 Web pages
 IRC/Chat
Computer Forensic Exams
Our Approach
 What you get
 How to get it admitted
 How to present it
Working with Your Forensic
Examiner
 File structure
 Recovery of deleted files
 Recovery of text and images
Evidence Code Section 1001(3)-(4)
Printed Representation of Computer Information
A printed representation of computer
information or a computer program is presumed
to be accurate
The presumption is rebuttable
If rebutted by evidence, accuracy must be
established by a preponderance of the evidence
Authentication/Best Evidence
Now what?
EC 1003 - Secondary Evidence Rule
 Content of a writing may be proved by otherwise
admissible secondary evidence
Unless a genuine question is raised as to the
authenticity of the original
or unfair to admit the copy
Evidence Code Section
1001(3)(4);
1003
Printed Representation of Images Stored on Video or
Digital Medium
A printed representation of images stored on video or digital
media is presumed accurate
The presumption is rebuttable
If rebutted by evidence, accuracy must be proven by a
preponderance of the evidence
Admissibility of Oral Evidence
Rule 1006
Oral testimony is admissible if:
 The writing is excessive and would consume court
time
 Evidence sought is general result of whole
Can use charts, summaries, diagrams
Consider using for:
 Log files
 Summary of files or applications on examined drive
 Web browsing history
 Timeline for who was home when access to files occurred
ISP Warrant Results
Subscriber Account Information
Account History
Logs
Format
 Letter from ISP summarizing results
 Computer generated printout
Admissibility of ISP Warrant Return
Authentication
Hearsay
Presentation
Hearsay and ISP Warrant Return
How do we get the warrant results admitted?
Business records
Where is your custodian?
SDT
Do the records still exist?
Computer-generated record not hearsay?
Basis for expert opinion
* Evidence not actually admitted
Safe practice - Immediately follow warrant with SDT
Authentication
Evidence sufficient to show what you claim it is
(EC 901)
Have receiving officer authenticate warrant
return
 Originator’s testimony not necessary - EC 903
 Received in response to communication to author EC 901(b)(4)
 Content - EC 901(b)(4)
 EASY-902(11) with Sw return
IRC/Chat Room Conversations
Authentication?
 Officer/victim who preserved text
 Forensic examiner who recovered text
 Must establish ID of suspect’s screen name
Hearsay?
 Non Hearsay: Motive, ID, intent, state of mind
 EC 801(d)(2)(a) - Statement of a Party
 EC 801(d)(2)(e)- Co-Conspirator Statements
 EC 801(d)(1)(a) - Prior Inconsistent Statement
 EC - Past Recollection Recorded