If you’re an attorney, a paralegal, an investigator, a law enforcement officer, or even if you just watch a lot of legal dramas on television, you’re likely familiar with the term “chain of custody”.

Essentially, maintaining a “chain of custody” means validating how evidence has been gathered, tracked, and preserved prior to being entered into a case. In both civil and criminal litigation, maintaining a clear chain of custody is critical to the admission of key evidence.

The Evolution of Digital Evidence and the Social Media Age

Chain of custody and evidence authentication standards for tangible, material forms of evidence are well-established. However, what is legally required to preserve a clear chain of readily authenticated digital evidence is often less clear and only relatively recently subject to established processes.

Chain of custody for digital evidence gets even more confusing when social media evidence is at issue. And it's Without question, social media evidence will continue to play an a role in the legal world.

How pivotal?

SOURCE: https://datareportal.com/social-media-users

Consider these social media usage statistics:

• There are 4.5 billion social media users, expected to grow to 5.85 billion users by 2027.
• 62.3% of the world's population is on social media
• 8.4 new users sign up on social media every second
• Estimates show people spend roughly 15% of their waking lives using social media.
• Facebook has 3 billion monthly active users
• Instagram has 2 billion monthly active users

That’s an incredible amount of content, not to mention the vast amounts of content being shared via other social media sites like Twitter, WhatsApp, SnapChat, Pinterest and more.

SOURCE: https://datareportal.com/social-media-users

PRESERVATION, AUTHENTICATION, AND CHAIN OF CUSTODY ISSUES

Understandably, with the rapid proliferation of digital evidence and social media in particular, some confusion exists as to what is required to properly authenticate social media evidence that is collected, and how to preserve the chain of custody during the collection process in a way that ensures the evidence will ultimately be admissible in court.

Duty to Preserve

The law is clear that potential evidence found on social media platforms is subject to the same duty to preserve as other types of electronically stored information.

The duty to preserve is triggered when a party reasonably foresees that evidence may be relevant to issues in litigation. In those instances, a party has a duty to preserve all evidence in a party’s “possession, custody, or control,” and we know that generally, evidence is considered to be within a party’s “control” when the party has the legal authority and practical ability to access it.

Moreover, we know that preservation of social media evidence is so important that the consequences of failing to preserve can be severe.

Indeed, our courts have made clear that both counsel and client may be subject to sanctions for a failure to preserve relevant evidence.

Failure to Preserve Social Media Evidence

In Lester v. Allied Concrete Co., No. CL08-150 (Va. Cir. Ct. Sept. 01, 2011), aff’d, No. 120074 (Va. Ct. App. Jan. 10, 2013), that is exactly what happened, when the court sanctioned both the plaintiff and his counsel based, in large part, on its determination that they had engaged in Spoliation of social media evidence.

The lawyer instructed his paralegal to make sure the plaintiff “cleaned up” his Facebook page, and the paralegal helped the plaintiff to deactivate his page and delete potentially unfavourable pictures from his account.

Although the pictures were later recovered by forensic experts, the court determined that sanctions were justified based on the misconduct.

Authenticating Evidence

The law is also clear that beyond the duty to preserve evidence, a party must ensure that the evidence is able to be properly authenticated.

Certainly, a large part of proper authentication is establishing a clear chain of custody.

Where more tangible forms of evidence are concerned, particularly in criminal cases, police officers gather the evidence, store it, tag it, and anyone needing access must sign it in and out. In that way, tangible evidence can be tracked, and parties are able to verify that it has not been altered or tampered with in any way.

Failure to Authenticate Social Media Evidence

In Commonwealth v. Banas, the State attempted to introduce a screenshot of a Facebook post into evidence. The Massachusetts appellate court ruled that the screenshot alone could not prove anything—without further information or circumstantial  evidence, it was impossible to know whether the Facebook evidence was authentic.

In making this ruling, the court adhered to the opinion found in Commonwealth Vs. Purdy (discussed in our previous blog post), which stated that:

“evidence that . . . originates from an e-mail or a social networking Web site such as Facebook or MySpace that bears the defendant’s name is not sufficient alone to authenticate the electronic communication as having been authored or sent by the defendant.”

What Does Chain of Custody Mean In the Digital Age?

In the digital age, all of this can become more complicated, and as evidence collection evolves, our understanding of best practices must evolve along with it.

As we all know, without the right protections, digital files can be easily deleted, edited, altered, and even fabricated entirely.

This makes documenting a digital chain of custody all the more important, as a compromised chain of custody can result in the dismissal of critical evidence, which can lead to losing a case that might otherwise have easily been won.

All an opposing attorney needs to do is raise concerns about potential tampering with or tainting of evidence, and you may find yourself facing an uphill battle.

So what is required to preserve the chain of custody for electronically stored information, and how can you ensure that the evidence you are collecting meets those standards?

What is Required to Preserve Chain of Custody for Digital Evidence?

With respect to electronic evidence, the Electronic Discovery Reference Model offers this definition of “chain of custody”:

"All information on a file’s travels from its original creation version to its final production version. A detailed account of the location of each document/file from the beginning of a project until the end. A sound chain of custody verifies that you have not altered information either in the copying process or during analysis."

As we know from Federal Rule of Evidence 901, the standard legal definition of “authentic” evidence is evidence that is what it purports to be.

With respect to digital evidence, this means that authentic documents and objects are genuine, not counterfeit or manipulated.

Thus, establishing a valid chain of custody means being able to show where the evidence has been, who has touched it, and its condition at all times, in order to establish that there has been no alteration.

With respect to web pages and social media accounts, this means that you need to establish:

1. When the record was originally produced.
2. That the record is an accurate recording of the webpage in question.
3. That the record was not subject to alteration from the time it was collected until the time it is presented in court.

THE EVOLUTION OF DIGITAL EVIDENCE

Fortunately, as the use of digital evidence gathered in legal cases has evolved, the Federal Rules of Evidence have evolved as well.

An unfortunate truth is that many attorneys currently practicing law have failed to evolve along with it.

Many attorneys remain stuck in the past, using antiquated, costly, and unnecessary methods of preserving and authenticating their data. Methods like taking and printing screenshots, calling in outside witnesses, and gathering affidavit after affidavit to attempt to prove authenticity are outdated, inefficient, and less effective than ideal.

As types of evidence and evidentiary rules evolve, practice methods must evolve too.

Upon recognition that digital evidence is here to stay, the Federal Rules of Evidence  were amended effective December 1, 2017 to make it easier to authenticate data from electronic sources. These new rules describe a process for authenticating records “generated by an electronic process or system”.

Such records include, for example, a printout from a webpage, or a document retrieved from files stored in a personal computer. The rules also provide for using a “process of digital identification” such as hash values to authenticate that electronic data is what it purports to be.

According to the American Bar Association:

"When there is no dispute as to authenticity of ESI, 902(13) and (14) should help achieve the laudable goal of reducing the expense of litigation. Rather than present live testimony of a foundation witness, the proponent establishes authenticity under 902(13) and (14) by presenting a certification containing information that would be sufficient to establish authenticity if the information were provided by testimony at a hearing or trial."

So what does this mean, from a practical standpoint?

Imagine that you have a case heading to trial in a couple of months. Among your intended exhibits are several copies of Facebook pages with content that you believe will be extremely helpful to your client’s case. You know they need to be readily authenticated to be admitted, and you also know that the judge assigned to your case is fairly skeptical about digital evidence due to the fact that it can easily be altered or manipulated.

If opposing counsel won’t stipulate that the web pages are authentic, what would you do?

Prior to December of 2017, finding a witness to testify to the authenticity of the evidence would have likely been the choice most in line with what the evidentiary rules required. That is no longer true today.

Digital Capture Technology for Mitigating Chain of Custody Risks

You want to support your cases and claims with the strongest evidence possible. You want it to be thoroughly organized, captured at the moment you need it, sufficiently authenticated, and collected with a clear chain of custody established, so that it can be admitted for its intended purpose.

So when you are looking for digital evidence capture technology that can mitigate chain of custody risks, consider the following:

• Can it authenticate the evidence and prove it is untampered with?
• Can it automatically collect metadata from the capture?
• Can it provide digital signatures or SHA-256 hash values?
• Can it hide the investigator's identity?
• Can it capture what is necessary on-demand?
• How long will it take to generate the evidence?
• Is the data stored locally on your private computer/network or on the cloud?
• Will the data remain under your complete control?
• Is the data captured in context?
• Does the capture include embedded videos or links?
• Can the data be exported in a readable, native format?

A Note on Secure Storage and The Danger of Third-Party Interference

If you want to ensure a clean, sound, strong chain of custody, you need to know exactly where your evidence is, and what’s happening to it.

Our recommendation is to store on your local machine or the network ONLY so there is never any concern about remotely storing preservations on third-party systems where they may be subject to tampering or corruption.

When the evidence isn’t stored under your complete control, it can be difficult to rebut an argument that it has remained untampered with, as required under the law.

While some third-party service providers may suggest storing your data on the cloud or even their own hardware is a safer option, the truth of the matter is simple – you can’t control what you can’t control.

You can’t verify for certain that the digital information of which you are voluntarily relinquishing control has been handled, stored, and forensically verified exactly as you want it to be in every situation. Imagine involving a big IT infrastructure company in a chain of custody matter - it’s not pretty.

Final Thoughts

Digital evidence, especially from social media, is unavoidable.