Digital Evidence




Digital Evidence

by Dr Allison Stanfield (presented to the College of Law’s 2017 Technology and the Law Intensive)

Introduction

Since the advent of the personal computer in 1976, a whole new paradigm in the way in which information is created and exchanged, has evolved.  As Paul notes, ‘the modern electronic file lives not as an artefact one can hold in one’s hand, but as pure information that can be reordered at will’.[1]

The internet is a world-wide network of computers that can ‘talk to’ each other using communication protocols such as TCP/IP (transmission protocol/Internet protocols).  Email and social media are now becoming the default method of communication, notwithstanding that evidentially, social media content is complex.  Cloud computing, where an individual or organisation ‘rents’ computer space from a cloud provider, is rapidly becoming an accepted method of data storage.  Cloud computing can raise questions about ownership of data, the maintenance of integrity, the protection of privacy and jurisdictional issues, since many cloud providers can have servers located outside of Australia.

Electronic evidence is completely different to paper, yet rules developed over centuries are being applied to this unique form of evidence.

What is digital evidence?

Digital evidence can either be ‘documentary’ or ‘real’.  Documentary evidence is by itself, hearsay, and requires a witness to tender the document and testify as to its contents.  Conversely, real evidence is evidence that ‘speaks of itself’, rather than evidence of what someone said.[2]  Many electronic documents will comprise an element of each.

Prior to the advent of computers, the most common form of document was paper, although cases have recognised that a document does not necessarily need to have paper as a medium of proof, [3] and a document can inscribed on stone, marble, clay or even metal’.[4]

Uniform Evidence Acts

The Commonwealth enacted the Evidence Act 1995 (Cth),[5] which has subsequently been enacted in, New South Wales,[6] Victoria,[7] Tasmania,[8] the Australian Capital Territory[9] and the Northern Territory[10] (the Uniform Evidence Acts).  The other states have their own Evidence Acts.[11]

The existing definition of ‘document’ in the Uniform Evidence Act, is broad enough to include documents created and stored on all forms of electronic media.  An analysis of case law in Australia demonstrates that information contained on electronic media is included in the broad definition of document in the Uniform Evidence Act.[12]  However, with respect, the courts do not appear to distinguish the fundamental difference between paper and electronic documents.

Electronic Documents as Evidence

There are vast differences between paper evidence and electronic evidence, and to highlight these differences, it is essential to understand how electronic evidence is created and stored and ultimately retrieved for later use.  These differences are of import when examining how the rules of evidence have been, and should be, applied to electronic evidence.  As Judge David Harvey notes, an electronic file does not exist in itself, in that it does not exist independently from the process in which it was created.[13]

Electronic evidence, compared with paper evidence, is unique.[14]  It is comprised of three elements, namely:

  1. The storage medium upon which data is stored as binary code;
  2. Software which is used to interpret the binary code; and
  3. Content.

While paper has been used for centuries, storage medium and software have only recently been used to create and store documentary evidence.

Electronic evidence is created on a computer system.  The main components of a computer system include hardware and software.  Hardware includes the physical components such as the hard disk drive, the keyboard and mouse, the display system and so on.  The computer also contains a processor, or central processing unit which contains a number of electrical circuits on silicon chips.  Further, the computer will contain a storage device, onto which binary data is written and stored, with storage governed by random access memory (RAM), or similar.

Software on computer systems is broken down into operating software and application software.  Operating software is the software that essentially runs the computer, commonly known as the operating system.  This includes software such as Microsoft Windows, Apple Macintosh and Linux. Application software is software that allows the user to create content, which in turn, is saved onto the computer’s hard drive.  Such application software can include Microsoft Office applications (Word, Excel, PowerPoint, Outlook etc).

Some working groups have spent some time defining the main differences between paper and electronic documents, a more prominent group being The Sedona Conference Working Group on Best Practices for Electronic Document Retention and Production[15] (‘the Sedona Conference’).  The Sedona Conference confirms that there are a number of key differences between paper and electronic documents, which include: (a) metadata, (b) volume and duplicability, (c) persistence, (d) dynamic, changeable content, (e) environment dependence and obsolescence and (f) dispersion and searchability.[16]

Metadata is a key point of difference, as often metadata contained in an electronic document, cannot be seen when the document is printed, and this metadata may contain crucial evidence.  Courts have recognised that electronic records that are printed and retained, rather than being retained in their electronic format, are ‘dismembered’ documents.[17]

In Australia, there seems to be a general assumption that a ‘CD-Rom’ or a ‘hard drive’ is a document, simply because it is an electronic device, rather than a recognition that the storage medium and the content are separate, yet bound to one another.  In England and Wales, and in the United States of America, the case law regarding electronic evidence appears inconsistent.  Conversely, the courts in Canada, do appear to recognise the difference between content and storage media.

Admissibility

Chapter 3 of the Uniform Evidence Acts sets out the rules surrounding the admissibility of evidence, and the notes to Chapter 3 set out a series of questions.  The first questions, is whether the evidence is relevant; if not, then the evidence is not admissible.  The second, is whether the evidence is hearsay.

With respect to electronic evidence, when the Evidence Act 1995 (Cth) was enacted, computers were only just starting to be used in business; they were not ubiquitous like they are today.  So in 1995, the admissibility of electronic evidence has largely rested upon whether a computer was functioning correctly or not, and the rebuttable presumptions contained in the Uniform Evidence Acts ss 146 and 147 do allow for such presumptions to be rebutted should it be shown that the computer was malfunctioning at the time the evidence was created.  However, these presumptions do not look at the security around the computer system to determine if it is robust enough to confirm that the evidence taken from the system is what it purports to be.  The foundations upon which these presumptions have been built, fail to take into account that it is much easier to change electronic evidence without detection, than it ever was in the hard copy world.  Further, the author of the document may not even be aware that changes have been made.  The Hearsay Rule, which was developed by the courts to ensure that out of court statements did not make their way into evidence as truth of the assertions made in those statements, has not been subject to more stringent testing as a result of this new form of evidence.  Indeed, it is perhaps easier to admit hearsay than it ever has been.

Business Records

The common law Business Records Exception is now embodied in the Uniform Evidence Acts s 69.

The Business Records Exception arose on the presumption that records created by employees in the course of their employment were generally accurate, certainly far more accurate than human memory.  Further, the Business Record Exception was built around the practice where an employee would update a hard copy record, such as a ledger or other hard copy book, and enter records consecutively.  With electronic business records that are created and stored in computer systems, this is no longer the case.  Business records are created and stored in any number of software programs, and are accessible and updated by any number of employees, in disparate locations.  While it is true that such records, as long as they are kept in the ordinary course of business, and are far more reliable than a witnesses’ memory, it is submitted that, in addition to the evidence itself, it should be demonstrated that there is a reasonable level of security around the computer system itself, in order to show that the evidence is authentic.

Of course, the premise behind the Business Records Exception that records created in the ordinary course of business are likely to be more correct than relying on a witness’s memory of an event that might have occurred years previously, is a sound one.  Otherwise, much court time would be taken up by a party having to prove how every single document was created.  However, the rules under which such evidence is admitted, need to be backed up by an understanding of how electronic evidence is created and stored, and not simply apply old rules that were developed around paper evidence.

With electronic evidence created as part of a computer system within a business, generally, one person cannot give evidence as to the creation and content of that electronic evidence.  Paul[18], in particular, uses the example of a contract in a word processing format stored on a computer network within a company comprising 1,500 employees.  Although a senior manager can attest to the content of the contract which may have been drafted several years’ previously, with the manager’s input, the manager cannot testify to the exact wording of any specific section of the contract without reference to it, nor can the manager testify to the systems used to store, backup up, audit and generally the integrity of the document.  How can the manager affirm that the document was not accessed by one of the other 1,500 employees?  Unless the manager is also the IT administrator, and that all of the required security elements are in place, the manager has no knowledge as to the integrity of the document.  Similarly, if an employee enters records into a database, it is submitted that that employee cannot also then verify that the database record itself has not been changed since the entry was made.

Evidence produced by machines

The Uniform Evidence Acts s 146 creates a rebuttable presumption that, where a party tenders a document or thing that has been produced by a process or device, if the device or process is one that, if properly used, ordinarily produces a particular outcome, then in producing the document or thing on this occasion, the device or process has produced that outcome.  For example, where a scanner has made an image copy of the document then it would not be necessary to call evidence to prove that the scanner was working properly when it was used to create an image of the document.  The Uniform Evidence Acts s 147 provides a similar rebuttable presumption where documents are produced by processes, machines and other devices in the course of business.[19]

The presumption in Uniform Evidence Acts s 146 is rebutted when a party raises sufficient evidence to raise doubt about the presumption.  Where evidence raises a doubt, it ‘does not need to be of the same quality of the same probative strength as evidence that is required to satisfy the civil standard’.[20]

Reliability of machines and devices is one issue, reliability of evidence created as part of a computer system, is another.  This leads to the question as to whether the presumptions in Uniform Evidence Acts ss 146 and 147 can continue to apply to computer generated evidence.

Devices such as traffic lights, watches and speedometers have been presumed to work properly,[21] however with computers and computer-like devices, they are arguably more unreliable due to problems with software, including ‘bugs’. [22]  Mason[23] points out that whenever software is amended, the risk of defects increases and it is generally not until software is used in the ‘real world’ that defects are identified.  Further, software is subject to vulnerabilities which means hackers and professional thieves can exploit such vulnerabilities, and often these activities can go undetected.[24]  Mason[25] concludes that the presumption of reliability, especially for software, is fraught with problems and the reality is that the party contesting the presumption will rarely be in a position to offer substantial evidence to substantiate any challenge because the party facing the challenge will generally be in full control of the computer or computer systems that are the subject of the challenge.[26]

Not only are changes in software problematic, it is the dynamic nature of computer-generated evidence itself that may cause issues.  For example, the software application that displays a document, albeit working correctly, may change the metadata of the file, but not necessarily change the content itself.  The type of device upon which the data are stored may affect the evidence, for example, the differences between a mainframe computer and PC, and information stored on an organisation’s network and in the Cloud.[27]

The rationale behind the rebuttable presumptions in Uniform Evidence Acts ss 147 and 147 are sound, otherwise courts would be unnecessarily laden with the need to have voluminous amounts of evidence tendered in order to get documentary evidence admitted.  However, are the rebuttable presumptions too wide?  Should there a more strict test apply when considering evidence being tendered from computer systems, and if so, what should that test encompass?

Authentication

Before a document, including a business record, is admitted in evidence, it is necessary that there should be an evidentiary basis for finding that it is what it purports to be.[28]  Ordinarily, documents are not taken to prove themselves, although there are exceptions such as public registers and certified documents.[29]

Authenticity of an electronic document can be called into question by challenging the provenance of the document, that is, that the proponent has not provided sufficient evidence to show how the electronic evidence came into existence.  This can include:

  1. A claim that the records were altered, manipulated or damaged between creation and tender in court;
  2. That the reliability of computer program is in question; or
  3. The identity of the author is in question.[30]

Commentators such as Paul,[31] suggest that the foundational requirement for authentication of electronic evidence has largely deteriorated into a ‘trivial showing’, and his argument largely centres on the reliability of information that is created and stored within a computer system.  Paul argues that due to the unique nature of electronic evidence, if one cannot show that the information was created and stored within a reliable system, the chain of custody necessary to show that a document is authentic is lost.[32]

Similarly in Canada, Chasse[33] argues that counsel and courts are simply ignoring the issues posed by electronic evidence, resulting in the consequence that electronic evidence is admitted without any form of effective authentication.[34]

In New Zealand, Judge David Harvey notes, an electronic file does not exist in itself, in that it does not exist independently from the process in which it was created.[35]

In Australia, the cases that examine authentication of documentary evidence have generated a lengthy debate on whether a document can authenticate itself, or whether other factors must be taken into account.  Comments made by Bryson J in NAB v Rusu[36] were the subject of criticism by Stephen Odgers SC [37]and in subsequent cases.[38]  However, ultimately, Austin J in ASIC v Rich [39]concluded that authentication cannot be achieved solely by drawing meaning from the document where there is no other evidence to indicate provenance.  In ASIC v Rich, documents that were printed out from a file server and which seem to be reports generated from an accounting software system, were authenticated and admitted into evidence.  Austin J then considered what weight to give to these documents.  However, with respect, these cases tend to miss the point.

While the courts need to seek the truth, a fundamental point in ASIC v Rich was that the evidence appeared to have been generated within a computer software package.  No evidence was given about how that software package worked and its track record for reliability, who had access to it, who entered data and who ostensibly could have entered data without authorisation.  No evidence was given as to where the system was stored and the security around the system.  As to the reports that were generated and found on the I:\ drive, no evidence was given around how these reports were generated; they just seem to have been produced from the I:\ Drive, without any evidence of their provenance.  With the greatest of respect, to simply say their provenance is the file server itself, fundamentally shows a complete lack of understanding of how such systems work.  This highlights the need for evidence to be produced showing the whole context in which electronic evidence is generated, stored, retrieved and produced.

In England and Wales and in the United States of America, the case law also tends to look at authentication of evidence on a case by case basis, and the legislative provisions go some way towards providing guidance.  However, it is submitted that Canada is the first jurisdiction to properly acknowledge the difference with electronic evidence, compared with paper evidence, and offer some sort of guidance on how to properly authenticate such evidence by examining the reliability of the system in which the evidence was created.

In Canada, Uniform Electronic Evidence Act (Can), s 3 provides that ‘the person seeking to introduce an electronic record [in any legal proceeding] has the burden of proving its authenticity by evidence capable of supporting a finding that the electronic record is what the person claims it to be.’  Canada is also a common law jurisdiction, so the rules of evidence that have developed in Canada originated in England, in the same way as Australia’s rules of evidence developed.  The Uniform Electronic Evidence Act (Can) does permit parties to adduce evidence as to ‘the integrity of the electronic documents system by or in which the electronic document was recorded or stored’.  There are several presumptions to show proof of integrity including (a) proof that the storage medium was operating properly; (b) proof that the document was recorded or stored or recorded and stored by an adverse party; and (c) proof that the document was recorded or stored in the ordinary course of business by a party outside the litigation.  The provisions also allow for evidence to be provided of current standards, procedures and practices with regard to the integrity of the recording or storing system.   Such evidence can go to the integrity of the electronic document system, but also to ‘determining under any rule of law whether an electronic document is admissible’ and could be used as a source of evidence of the ‘reliability’ of a document for hearsay purposes.  Industry standards may be used to show evidence maintains integrity, although such standards are not binding on the court, they will be persuasive.

Authentication of Business Records

It is the Business Records Exception that is most subject to scrutiny when examining the authentication of electronic evidence.  This is because generally, the witness tendering the evidence is not the person who created the evidence.  A court needs to be assured that from the time the record was created, to the time it is tendered in court, the record was kept reasonably secure, and that the evidence was not at undue risk of tampering.  It is submitted that a witness attesting as to the records of a business should also be in a position to know how and where the records are stored, and be responsible for their safe custody, and if they are not, suggest another witness who is able to attest to this.  Otherwise, the authenticity of the evidence may be open to challenge.

The concept of the Business Records Exception should not change.  The principles around the rule are to ensure evidence can be admitted if there is no challenge to it.

The Uniform Evidence Act requires amendment to reflect that electronic evidence is created as part of a computer system.  A witness should be required to give evidence demonstrating that the computer system in which the records were created were reasonably secure so that, there is little risk that the records were altered between the time of creation and the admission the of evidence in court.

The Canadian Evidence Act goes some way towards this.  The Uniform Electronic Evidence Act 1998 (Can) s 5, is re-stated below:

  1. In the absence of evidence to the contrary, the integrity of the electronic records system in which an electronic record is recorded or stored is presumed [in any legal proceeding]:
  • by evidence that supports a finding that at all material times the computer system or other similar device was operating properly or, if it was not, the fact of its not operating properly did not affect the integrity of the electronic record, and there are no other reasonable grounds to doubt the integrity of the electronic records system;
  • if it is established that the electronic record was recorded or stored by a party to the proceedings who is adverse in interest to the party seeking to introduce it; or
  • if it is established that the electronic record was recorded or stored in the usual and ordinary course of business by a person who is not a party to the proceedings and who did not record or store it under the control of the party seeking to introduce the record.

Section 5(c) is particularly relevant in this day and age, where many electronic records are stored with third party providers, such as Cloud providers.  This means a party cannot simply say they are not their records simply because the storage of the records has been outsourced.

The Uniform Electronic Evidence Act 1998 (Can) contains definitions of ‘data’, ‘electronic record’ and ‘electronic records system’.  It is submitted that the definitions contained in that legislation are much more reflective of the unique nature of electronic evidence, than any of the definitions currently contained in the Australian Uniform Evidence Acts.

To reiterate these provisions of the Uniform Electronic Evidence Act 1998 (Can), they are:

  • ‘Data’ means representations, in any form, of information or concepts.
  • ‘Electronic Record’ means data that is recorded or stored on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
  • ‘Electronic Records System’ includes the computer system or other similar device by or in which data is recorded or stored, and any procedures related to the recording and storage of electronic records.

The definitions contained within the Australian Uniform Evidence Acts should be extended to cover electronic documents and records.  Definitions should be included that are similar to those contained in the Uniform Electronic Evidence Act 1998 (Can).  If definitions of ‘data’, ‘electronic record’ and ‘electronic records system’ are included in the Uniform Evidence Acts, this will go a long way to recognising that electronic documents are stored and created as part of a computer system.

Interestingly, neither the Evidence Act 1985 (Can), nor the Uniform Electronic Evidence Act 1998 (Can) contain a definition of ‘document’.  The former Act does define ‘record’ as it pertains to business records, as including the whole or any part of any book, document, paper, card, tape or other thing on or in which information is written, recorded, stored or reproduced.

However,  the Uniform Evidence Acts should be amended to widen the meaning of ‘document’ to specifically include electronic documents, rather than simply containing the imprecise, and rather confusing, current definition.

Best Practice

Archive bodies such as the National Archives and the various State government archive bodies, along with libraries, have issued guidelines on the preservation of electronic records.  There are also standards in place, such as HB171-2003 Guidelines for the Management of IT Evidence, which outline standards for the preservation of evidence and the obligation to provide records which includes:

  • Understand regulatory, administrative and best-practice obligations to produce, retain and provide records;
  • Understand the steps that can be taken to maximise the evidentiary weighting of records and the implications of not doing so; and
  • Understand regulatory constraints to the retention and provision of records.

The archiving procedures for electronic records are very different to archiving procedures for hard copy records. Even digitising hard copy records is a relatively straightforward process compared with archiving existing electronic records.  Standards for record keeping are set out in AS ISO 15489.1. Further, AS/NZS ISO/IEC 17799:2001 Information technology sets out a code of practice for information security management.  It provides that information classification requires organisations to develop an information classification scheme that indicates the need, priorities and degree of protection and label electronic records accordingly. An organisation’s information classification and labelling scheme must include an assessment of the potential evidentiary significance of electronic records.

The biggest challenge facing archival of electronic records is the emulation of the software long after it has been de-commissioned.  Organisations often need to de-commission software for a number of reasons.  For instance, commonly software licence fees may be prohibitively expensive to keep in place if an enterprise decision has been made to move to other software for its business functions.  The software vendor may have gone out of business or may no longer provide support and maintenance for the software.  In these circumstances, the organisation must archive its data in such a way that the software generated reports can be replicated.  This is difficult to do without the original software in place. There are still no standards in place which allow for information to be extracted from databases and placed into a non-proprietary format for long term archival.  Even if such standards were in place, the fact the information was created from a proprietary format in the first place, means that the proprietary software would need to be the subject of examination to prove that the software produced the reports correctly.

Conclusion

Electronic evidence is now common place, however, our Uniform Evidence Acts were enacted just as computer technology was being introduced to both personal and business practice.  Accordingly, it is time that the definitions and evidentiary requirements contained within the Uniform Evidence Acts were updated to reflect the way in which computer generated evidence is produced.

 

[1] George L. Paul, Foundations of Digital Evidence (American Bar Association, 2008), 48.

[2] R v Penney (2002) 163 CCC (3d) 329 at [35] and [41].

[3] R v Daye [1908] 2 KB 333, 340.

[4] Ibid.

[5] Which commenced on 18 April 1995.

[6] Evidence Act 1995 (NSW), which commenced on 1 September 1995.

[7] Evidence Act 2008 (Vic), which commenced on 1 January 2010.

[8] Evidence Act 2001 (Tas), which commenced on 17 December 2001.

[9] Evidence Act 2011 (ACT), which commenced on 1 March 2012.

[10] Evidence (National Uniform Legislation) Act (NT), which commenced on 1 January 2013.

[11] Evidence Act 1929 (SA), Evidence Act 1977 (Qld) and Evidence Act 1906 (WA).

[12] Sony Music Entertainment (Australia) Ltd & Ors v University of Tasmania & Ors (2003) 198 ALR 367; Jacques Nominees Pty Ltd v National Mutual Trustees Pty Ltd (2000) V ConvR, 58-547; GT Corporation v Amare [2007] VSC 123 (25 May 2007).

[13] Judge David Harvey, Collisions in the Digital Paradigm:  Legal Rules and New Technologies, 3rd Annual New Zealand Law & Technology Conference, 18 March 2015.

[14] In Innovative Health Group Inc. v Calgary Health Region 2008 ABCA 219 (CanLII), Conrad JA noted that ‘[a] computer hard drive is a computer disc, with a large storage capacity, upon which information is stored. It is, however, a mixed storage facility that contains such things as program files, metadata, and enabling software that allows the computer to run and to interpret the encoded data’, [33].

[15] The Sedona Conference, Electronic Document Retention and Production, Working Group 1 (2002).

[16] The Sedona Principles Best Practices Recommendations and Principles Addressing Electronic Document Production (2nd ed: 2007), at <http://www.thesedonaconference.org> .

[17] Armstrong v Executive Office of the President 1 F.3d 1274 (D.C. Circuit Court of Appeals 1993).

[18] George L. Paul, Foundations of Digital Evidence (American Bar Association, 2008).

[19] Evidence Act 1995 (Cth) ss 146,147.

[20] North Sydney Leagues’ Club Limited v Synergy Protection Agency Pty Limited (2012) 83 NSWLR 710, 60 (Beazley JA, Macfarlan and Whealy JJA agreeing).

[21] Stephen Mason (ed), Electronic Evidence (LexisNexis Butterworths, 3rd ed, 2012), [5.02] citing Tingle Jacobs & Co v Kennedy [1964] 1 All ER 888.

[22] Ibid [5.07].

[23] Ibid.

[24] Ibid [5.13] to [5.17].

[25] Ibid.

[26] Ibid [5.37].

[27] Lee Andrew Bygrave, The Meaning of ‘Data’ and Similar Concepts – An Issue of Growing Legal Importance, In Cecilia Magnusson Sjöberg & Peter Wahlgren (ed.) Festskrift till Peter Seipel (Norstedts Juridik AB 2006) 117 – 126.

[28] National Australia Bank Ltd v Rusu (1999) 47 NSWLR 309, 312 (Bryson J).

[29] Ibid.

[30] Nobel Resources SA v Gross [2009] EWHC 1435 (Comm).

[31] George L. Paul, Foundations of Digital Evidence (American Bar Association, 2008).

[32] Ibid.

[33] Ken Chasse, ‘Electronic Records as Documentary Evidence’ (2007) Canadian Journal of Law and Technology, 141.

[34] Ibid.

[35] Judge David Harvey, Collisions in the Digital Paradigm:  Legal Rules and New Technologies, 3rd Annual New Zealand Law & Technology Conference, 18 March 2015.

[36] National Australia Bank Ltd v Rusu (1999) 47 NSWLR 309.

[37] Stephen Odgers, Uniform Evidence Law (Thomson Reuters, Australia, 6th ed, 2004) 183.

[38] Lee v Minister for Immigration & Multicultural & Indigenous Affairs [2002] FCAFC 305 (4 October 2002); O’Meara v Dominican Fathers [2003] ACTCA 24 (5 December 2003); Albrighton v Royal Price Alfred Hospital (1980) 2 NSWLR 542.

[39] ASIC v Rich (2005) 216 ALR 320.

© 2017 Allison Stanfield