Legal Issues

Drama in Soviet Court.
Post-Stalin (1955). Painted
by Solodovnikov. Oil on
Canvas, 110 x 130 cm.
Computer Forensics
COEN 152/252
Issues of Evidence
Information is admissible in court if it is
 Relevant
 Its probative value outweighs its prejudicial effect.
Issues of Evidence
 Best Evidence Rule
The legal doctrine that an original piece of evidence,
particularly a document, is superior to a copy. If the original
is available, a copy will not be allowed as evidence in a trial.
Issues of Evidence
 Foundation
 Context for Information
 Hearsay
 Statement, other than one made by the declarant while testifying at the
trial or hearing, offered in evidence to prove the truth of the matter
asserted
 In general not admissible
 Chain of Custody
 Establishes trustworthiness of evidence by preventing tampering
Stipulation: Agreement between parties or concession by one party in
a judicial proceeding.
Hearsay
 Rule 801. Definitions That Apply to This Article;
Exclusions from Hearsay
 (a) Statement. “Statement” means a person’s oral assertion,
written assertion, or nonverbal conduct, if the person intended it
as an assertion.
 (b) Declarant. “Declarant” means the person who made the
statement.
 (c) Hearsay. “Hearsay” means a statement that:
(1) the declarant does not make while testifying at the current
trial or hearing; and
(2) a party offers in evidence to prove the truth of the matter
asserted in the statement.
Exceptions to Hearsay
 Admission against interest:
 out-of-court statements contrary to penal or pecuniary interest,
including those found on a computer.
 Business Records
 Made in the normal course of business.
 Relied on by the business.
 Made at or near the occurrence of the act the record purports
to record.
 Offered through a competent witness, either the custodian of
the record or another who can testify to those issues.
Exceptions to Hearsay
 Official government records
 Must be properly kept.
 Writing about an event close to its occurrence used to
refresh a witness's memory.
 “Learned treatise”
 Judgments in other cases
 Spontaneous excited utterance
Exceptions to Hearsay
 Contemporaneous statement which explains a
person’s state of mind at the time of an event.
 A statement which explains a person’s future intentions
if that state of mind is in question.
 Prior testimony
 A declaration of the opposing party which was contrary
to their best interest if the party is not available at trial.
 Dying declaration by a person who believes (s)he is dying.
http://dictionary.law.com/
Exceptions to Hearsay
 A statement made about one’s mental set, feeling, pain, or
health if the person is not available
 A statement about one’s own will when the person is not
available
 Other exception at the judge’s discretion based on the
reliability of the testimony.
http://dictionary.law.com/
Exceptions to Hearsay Rule
 Relevant for computer-based evidence
 Records of regularly conducted activity
 Absence of entry in records kept in accordance with
the provisions of paragraph (6)
Nature of “Computer Evidence”
 Computer Evidence falls under
 Computer-generated evidence
 Logs, file-system, …
 Computer-stored evidence
 Email, photo, …
 Both need additional evidence for evaluation
 Does the file system show signs of tampering?
 Is the file system reliable?
 When was the photo taken?
 Was the clock on the camera off?
Nature of Computer Evidence
 Nonhearsay: Records created by a process that does not
involve a human assertion
 Telephone toll records
 Cell tower logs
 Embedded GPS data
 ATM records
 Web server logs
 There is no assertion made by a human being, at best, a
command
Nature of Computer Evidence
 Mixed Hearsay and Nonhearsay
 Combination of hearsay and nonhearsay
 Email containing header information and content
 Documents created by a human being, but with creation date from file
system
Nature of Computer Evidence
 Nonhearsay records:
 Are not human statements
 Result from a program designed to process information
 Either: There is no person involved
 Or: The human conduct is non-assertive
 Issue is Authentication
 Are the computer equipment and software functioning?
Nature of Computer Evidence
 While computer evidence often falls under the business
record exception for hearsay,
 It is mostly nonhearsay
 The real question is authentication
 Does the evidence say what it purports to say?
 We get back to authentication when we talk about expert
witnessing
Proper Care of Evidence
 Evidence collected by the state needs to be protected from
fraud.
 This lays a burden on the state to provably preserve the
evidence.
 Chain of custody.
Breach of Chain of Custody
 Not every breach makes the item inadmissible.
 Not necessary to have the best security against tampering.
 Government agents are assumed to be trustworthy.
 But
Chain of Custody
 Seized device is put in an Evidence Locker.
 Typically a closet safeguarded against intrusion.
 Records allow reconstruction of who had physical control
over the device.
Chain of Custody
 Working on the original. A forensic examination that is done
directly on the original disk drive will make it difficult to
argue that the evidence could not have been tampered with.
Much better to make a “true copy” and examine the true
copy.
 Proof that it is a true copy.
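Added example (not part of the original slides): one common way to back the "true copy" claim and the custody records described above is a cryptographic digest of the image plus a hash-chained log of transfers. The choice of SHA-256, the record fields, and all names and sample values below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import json

GENESIS = "0" * 64  # 'prev' value of the first custody record


def image_digest(stream, chunk_size=1 << 20):
    """SHA-256 of an image, read in chunks so a large drive image is never held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def is_true_copy(original, copy):
    """The copy is a true copy only if both streams hash to the same digest."""
    return hmac.compare_digest(image_digest(original), image_digest(copy))


def entry_hash(entry):
    # Canonical JSON (sorted keys) so a record always hashes to the same value.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def add_transfer(log, when, holder, action, evidence_sha256):
    """Append a custody record that commits to the hash of the previous record."""
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append({"when": when, "holder": holder, "action": action,
                "evidence_sha256": evidence_sha256, "prev": prev})
    return entry_hash(log[-1])  # new head; note it outside the log (e.g. on the paper form)


def first_inconsistency(log, recorded_head):
    """Index of the earliest record that later records (or the recorded head)
    no longer match, or None if the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return max(i - 1, 0)
        prev = entry_hash(entry)
    return None if prev == recorded_head else len(log) - 1


if __name__ == "__main__":
    # Constructed stand-ins for a seized drive, its image, and an altered image.
    original = bytes(range(256)) * 64
    altered = bytearray(original)
    altered[1000] ^= 0x01  # a single flipped bit
    print("true copy:   ", is_true_copy(io.BytesIO(original), io.BytesIO(original)))
    print("altered copy:", is_true_copy(io.BytesIO(original), io.BytesIO(bytes(altered))))

    digest = image_digest(io.BytesIO(original))
    log = []
    add_transfer(log, "2024-03-01T09:10Z", "Officer A", "seized; placed in evidence locker", digest)
    add_transfer(log, "2024-03-02T14:00Z", "Examiner B", "imaged; digest of image matches", digest)
    head = add_transfer(log, "2024-03-02T16:30Z", "Officer A", "returned to evidence locker", digest)
    print("intact log:  ", first_inconsistency(log, head))
    log[1]["holder"] = "Examiner C"  # after-the-fact edit of a record
    print("edited log:  ", first_inconsistency(log, head))
```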
Best Evidence Rule
 Copies are worse than originals, therefore they are not
admissible unless the original has been destroyed.
 Does not apply to various computer outputs.
Best Evidence Rule
Except as otherwise provided by statute, no evidence other
than the original of a writing is admissible to prove the
content of a writing. This section shall be known and may be
cited as the best evidence rule.
California Rules of Evidence 1500.
Best Evidence Rule
Exceptions:
 Printed representations of computer information and computer
programs.
 Printed representations of images stored on video or digital media.
 Secondary evidence of writings that have been lost or destroyed
without fraudulent intent of the proponent of the evidence.
 Secondary evidence of unavailable writings.
 Secondary evidence of writings an opponent has, but fails to produce
as requested.
 Secondary evidence of collateral writings that would be inexpedient to
produce.
Best Evidence Rule
Exceptions:
 Secondary evidence of writings recorded in public records, if the record or an
attested or certified copy is made evidence of the writing by statute.
 Secondary evidence of voluminous writings.
 Copies of writings that were produced at the hearing and made available to the other
side.
 Certain official records and certified copies of writings in official custody.
 Photographic copies made as business records.
 Photographic copies of documents lost or destroyed, if properly certified.
 Copies of business records produced in compliance with Sections 1560-1561.
Future
 The law argues by analogy.
 Justice takes (eventually) account of technology.
 Digital storage has qualitative properties that make it
fundamentally different from writings.
 Ease of alteration.
 Possibility of completely accurate copy & transmission.
 Current law is still based on the case of manual copy.
 If the problems are big enough, either precedent will
change or statutes will make the proper exceptions.
Acquisition of Evidence
 Distinction between government agents and private citizens.
 Illegal actions by private citizens can yield admissible evidence
and lead to their punishment.
 If a sworn law officer violates an amendment, the gained
evidence is usually suppressed, but the officer is protected by
sovereign immunity.
Sovereign Immunity
 A sovereign or a government cannot commit a legal wrong
and is immune from civil suit or criminal prosecution.
Prosecutorial Immunity
 Judges, legislators, prosecutors enjoy qualified or unqualified
immunity.
 Property of the role, not the person.
 I.e. a prosecutor’s immunity depends on whether they are
acting in a prosecutorial role, an investigative role, etc.
Prosecutorial Immunity
 Jean v. Collins
 Police officers have absolute immunity for failure to turn
exculpatory material over to a criminal defendant, because they
are performing a prosecutorial task.
 They have qualified immunity for not turning the
exculpatory material over to the prosecutor.
 Law enforcement officers do not enjoy sovereign
immunity for willfully violating civil rights.
Electronic Communications Privacy Act
("ECPA"), Title III
 Extends protection against wiretapping to communications
between computers
 Know the exceptions
 Know the consequences of violating the title
Electronic Communications Privacy Act
("ECPA"), Title III
 A person acting under the color of law can intercept
electronic communication where such a person is party to
the communication or one of the parties to the
communication has given prior consent to such
interception.
Electronic Communications Privacy Act
("ECPA"), Title III
"A person not acting under color of law" is also allowed to
intercept an "electronic communication" where "such
person is a party to the communication, or one of the parties
to the communication has given prior consent to such
interception."
The consent can be implicit, e.g. by using a computer protected
with login banners.
ECPA Title III Concerns
Title III also permits providers of a communication service,
including an electronic communication service, the right to
intercept communications as a "necessary incident to the
rendition of his service" or to protect "the rights or property
of the provider of that service."
ECPA Title III Concerns
Two exceptions to the last rule:
 If there is no actual damage, then the right to monitor does
not exist.
 The government is not allowed to do the monitoring, but they
can profit from monitoring.
Fourth Amendment
The right of people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and
seizures, shall not be violated, and no warrants shall issue,
but upon probable cause, supported by oath or affirmation,
and particularly describing the place to be searched, and the
persons or things to be seized.
Fourth Amendment
 Computer Storage = Closed Container such as a briefcase
 With Warrant:
 Limits to warrant because of privilege or additional protection.
 Without Warrant
 Expectation of Privacy
Fourth Amendment
 No expectation of privacy
 Public display
 Material in someone else’s hands
 Consent by co-owner or authorized person
 Exigent circumstances
 Plain view exception
 Lawful arrest
Very difficult and interesting case law.
Fourth Amendment
 Fundamental question:
 Does the individual enjoy a reasonable expectation of privacy in
electronic information stored within a storage device?
 Courts equate storage devices to “closed container”
Fourth Amendment
 Reasonable Expectation of Privacy and Third Party
Possession
 Difference between data in transit (usually need warrant) and
data received by third party.
 Received by third party: Can owner reasonably expect privacy:
 Bank account information that account holders divulge to the bank.
Fourth Amendment
 Fourth Amendment does not apply to private searches.
 Private party cannot act as government agents:
 Repairman discovers many file names indicating child pornography, opens
those, discovers child pornography, and informs LE.
 LE can repeat the original private search, but not exceed it.
Fourth Amendment
 Searches using innovative technology applied to ordinary
devices might need a warrant:
 Kyllo v. United States
 Supreme Court held that the warrantless use of a thermal imager to
reveal the relative amount of heat released from the various rooms of a
suspect's home was a search that violated the Fourth Amendment.
Fourth Amendment
 Exceptions to the Warrant Requirement
 Consent
 Government carries burden of proof that the consent was voluntary.
 Scope of consent depends on the facts of each case.
 E.g.: does consent to search premises include consent to search storage devices
found there?
Fourth Amendment
 Exceptions to the Warrant Requirement
 Exigent Circumstances
 “would cause a reasonable person to believe that entry . . . was necessary to
prevent physical harm to the officers or other persons, the destruction of
relevant evidence, the escape of the suspect, or some other consequence
improperly frustrating legitimate law enforcement efforts.”
 Arises in computer cases because some electronic evidence is volatile.
 Reasons for exigent circumstances limit the scope of the search.
Fourth Amendment
 Exceptions to the Warrant Requirement
 Plain View
 Agent must be in a lawful position to observe and access the evidence, and its
incriminating character must be immediately apparent.
 E.g.: LE agent makes search of hard drive, comes upon evidence of an
unrelated crime while conducting the search.
 Search Incident to a Lawful Arrest
 Search incident to arrest must be reasonable
Strip searches are usually not reasonable.
 Inventory searches are reasonable.
o But that should not support a search through seized computer files.

Fourth Amendment
 Exceptions to the Warrant Requirement
 Border Searches
 “Routine searches” do not require a warrant:
United States Customs Agents learned that William Roberts, a suspect believed to
be carrying computerized images of child pornography, was scheduled to fly from
Houston, Texas to Paris, France on a particular day. On the day of the flight, the
agents set up an inspection area in the jetway at the Houston airport with the sole
purpose of searching Roberts. Roberts arrived at the inspection area and was told
by the agents that they were searching for "currency" and "high technology or other
data" that could not be exported legally. Id. at 681. After the agents searched
Roberts' property and found a laptop computer and six Zip diskettes, Roberts agreed
to sign a consent form permitting the agents to search his property. A subsequent
search revealed several thousand images of child pornography.
Fourth Amendment
 Workplace Searches
 O'Connor Supreme Court Decision:
 the legality of warrantless workplace searches depends on often-subtle
factual distinctions such as whether the workplace is public sector or
private sector, whether employment policies exist that authorize a search,
and whether the search is work-related.
Fourth Amendment
 Workplace Searches
 Typical:
 A fellow employee who has equal control over a computer can consent to
its search.
 Employers and supervisors who have authority over a computer can
consent to its search.
 HELPFUL: An employment policy stating that the employer retains
authority over its computers and networks.
Fourth Amendment
 Multiple warrants might be needed in network searches.
 No-knock warrants:
 As a general matter, agents must announce their presence and
authority prior to executing a search warrant.
 Sneak-and-Peek Warrants
 "surreptitious entry warrants"
Privacy Protection Act
 Protects publishers against government searches of material
that is acquired for publication
 Reaction to the Daily Stanfordian case
 Internet publishing allows much private computer material
to fall under the PPA protection
Privacy Protection Act
 Subject to certain exceptions, the PPA makes it unlawful for a
government officer "to search for or seize" materials when
 (a) the materials are "work product materials" prepared, produced, authored, or
created "in anticipation of communicating such materials to the public," 42
U.S.C. § 2000aa-7(b)(1);
 (b) the materials include "mental impressions, conclusions, or theories" of its
creator, 42 U.S.C. § 2000aa-7(b)(3); and
 (c) the materials are possessed for the purpose of communicating the material to
the public by a person "reasonably believed to have a purpose to disseminate to
the public" some form of "public communication."
 OR
Privacy Protection Act
 Subject to certain exceptions, the PPA makes it unlawful for a
government officer "to search for or seize" materials when
 (a) the materials are "documentary materials" that contain
"information,"
 (b) the materials are possessed by a person "in connection with a
purpose to disseminate to the public" some form of "public
communication."
Privacy Protection Act
 Exceptions
 1) the only materials searched for or seized are contraband, instrumentalities, or
fruits of crime
 2) there is reason to believe that the immediate seizure of such materials is
necessary to prevent death or serious bodily injury
 3) there is probable cause to believe that the person possessing such materials has
committed or is committing the criminal offense to which the materials relate (an
exception which is itself subject to several exceptions),
 4) in a search for or seizure of "documentary materials" as defined by § 2000aa-7(a),
a subpoena has proven inadequate or there is reason to believe that a
subpoena would not result in the production of the materials.
Privacy Protection Act
 Was not intended for web journalism that raises questions of
who is a journalist and what constitutes publication.
Electronic Communications Privacy Act
 Protects third party data against law enforcement seizures
 E.g. internet provider.
Electronic Communications Privacy Act
 Steve Jackson Games, Inc. v. Secret Service
Steve Jackson Games, Inc. ("SJG") was primarily a publisher of role-playing games,
but it also operated a network of thirteen computers that provided its customers with
e-mail, published information about SJG products, and stored drafts of upcoming
publications. Believing that the system administrator of SJG's computers had stored
evidence of crimes, the Secret Service obtained a warrant and seized two of the
thirteen computers connected to SJG's network, in addition to other materials. The
Secret Service did not know that SJG's computers contained publishing materials
until the day after the search. However, the Secret Service did not return the
computers it seized until months later. At no time did the Secret Service believe that
SJG itself was involved in the crime under investigation.
Electronic Communications Privacy Act
 In Steve Jackson Games, the district court held the Secret
Service liable under ECPA after it seized, reviewed, and (in
some cases) deleted stored electronic communications seized
pursuant to a valid search warrant.
Pen/Trap Statute (amended 2001)
 Authorizes installation of pen-registers and trap-and-trace
devices.
 Pen register only records dialing, routing, and address information
for electronic outgoing communications.
 Trap-and-Trace: same for incoming communications.
 Court order for pen/trap device requires only a statement by the
investigator that the information is likely to be relevant to a criminal
investigation.
USA Patriot Act (2001)
 Contains “sneak and peek” authority
 Delayed notification of physical searches for up to 90 days.
 Already norm in wiretap cases.
 Dalia v. U.S. 1979:
o Feds implanted a hidden microphone pursuant to a search warrant.
o Notification was delayed until surveillance was ended.
 Allows installation of electronic surveillance devices authorized for
the whole U.S.
 important for working with IP providers.
 Gives immunity to persons providing technical assistance.
Legally Privileged Documents
 Need to prevent ongoing investigation from using legally
privileged documents.
 Medical records.
 Attorney-client communications.
 Priest-penitent communications.
Case Law
 Kleiner vs. Burns, 2000
 Defendant only produced limited correspondence in the
original discovery request.
 Court imposed sanctions and enjoined defendant to try harder
 Rowe Entm’t Inc. v. William Morris Agency, Inc. (2002)
 Distribution of Costs of Discovery
 Zubulake v. UBS Warburg (2003)
 Standard gender discrimination case
 Court revisited costs of discovery
Case Law
 Alexander v. FBI (1998)
 Limits large-scale digital discovery to targeted and
appropriately worded searches of backed up and archived e-mail
messages
 Crown Life Ins. v. Craig Ltd (1993)
 Sanctions imposed for precluding evidence and failure to
comply with court order
 Brand Name Prescription Drug Antitrust Litigation
(1995)
 Early case about burden of discovery
 Simon Prop. Group vs. mySimon Inc.
 Discovery extends to recoverable, but deleted files
Case Law
 Santiago v. Miles (1988)
 Raw computer information is obtainable under discovery: special tool was
created for extraction of data for the court.
 Anti-Monopoly Inc. v. Hasbro, Inc (1995)
 Not only hard copies, but also electronic documents are discoverable
 Playboy Ent. v. Welles (1999)
 Burden of cost factors is only limitation to discovery requests for copying
and examining a hard drive for emails
 People v. Hawkins (2002)
 Importance of time in computers.
 Allowed printout of computer access times.
 Proper functioning of computer clock relevant to case.
Case Law
 U.S. v. Allen (1997)
 “Merely raising the possibility of tampering is insufficient to render evidence inadmissible”
 U.S. v. Bonallo (1988)
 “The fact that it is possible to alter data contained in a computer is plainly insufficient to establish
untrustworthiness”
 Arizona v. Youngblood (1988)
 Requires defendant to demonstrate that the police acted in bad faith in failing to preserve the
evidence.
 Easley, McCaleb & Assoc. v. Perry (1994)
 Deleted but recoverable files are discoverable
 RKI, Inc. v. Grimes (2001)
 Defendant was fined after defendant conducted a disk defrag before discovery in order to destroy
evidence
 State v. Cook (2002)
 Upheld admissibility of bit stream analysis after expert testimony on imaging process, authenticity
methods, and possibility of tampering
 V Cable, Inc. v. Budnick (2001)
 Evidence collection by private agency is trustworthy under rule 803(6)