Federal Rules of Evidence 902 (FRE 902) generally outlines evidence that can be described as “self-authenticating”, meaning it does not require extrinsic evidence of authenticity in order to be admitted. Some examples of self-authenticating documents are public records that are signed and sealed, newspapers, and certified copies of government documents. Trial attorneys often rely on FRE 902 to authenticate evidence that is crucial to their cases. For digital evidence (also known as electronically stored information, or ESI for short) to be introduced in court, its source must be verified, a process known as authentication. The FRE 902 Amendments go into effect December 2017.
The FRE 902 amendments seek to clarify and streamline the acceptable authentication methods for system-generated electronic records and for data copied from storage media, thus making it easier to authenticate ESI evidence. Later we will discuss the impacts of the amendments, but first let’s briefly review and define them.
The FRE 902 Amendments
“(13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).”
Here an electronic process or system can mean any IT system, for example, an email system.
“(14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).”
Here an electronic device could be a phone or a laptop, for example. A storage medium could be a thumb drive, a CD or a computer hard drive.
It is important to note that both of these additions require notice per Rule 902(11) or Rule 902(12), which stipulates, among other things, that the certification be produced to opposing parties for inspection, thus opening the door for a possible certification/authentication challenge.
Implications for the Production of ESI
The FRE 902 amendments will have broad implications for the processes that data custodians and attorneys follow when producing potentially relevant ESI evidence for legal matters. Chad Main, attorney and the founder of Percipient, a legal technology company, defines data custodians in lay terms as, “a witness (or potential witness) with control of relevant evidence.” He provides the following example: Assume in a products liability case an employee authored the “smoking gun” research document and saved the document on his or her computer. The employee is the “custodian” of the document because he or she has control of it. However, the data custodian is not always the owner of the data. The data custodian can also be a system administrator or IT department within an organization.
Risks of Self-Collection
One of the biggest impacts will be on the practice known as custodian “self-collection.” Self-collection occurs when the data collection is performed by the custodian of the potentially relevant data, rather than by an independent and qualified third party. The problem with self-collection is that it takes place without the expertise or means to authenticate the data being collected. Guidance Software, creator of EnCase, has identified the following eight areas of risk of self-collection when the employee/individual completing the collection…
- has a potential self-interest and intentionally deletes, omits or modifies the ESI.
- has a potential self-interest and properly preserves the ESI, but opposing counsel discredits the collection based on the self-interest.
- is too busy and uninterested in the case and ignores the preservation instructions.
- completes the preservation in a haphazard manner and accidentally omits relevant ESI.
- does not understand how to properly preserve relevant ESI and accidentally deletes or modifies the evidence.
- moves the ESI to another folder causing changes to important file system metadata.
- misinterprets the preservation instructions and omits relevant ESI.
- moves the data to a central location, thereby destroying the context of the document with regard to where it was originally stored.
Application of the FRE 902 Amendments
Properly applying FRE 902(14) will now involve using specialized digital forensic tools that support authentication methods, such as the practice known as digital hashing. Digital hashing produces a digital “fingerprint” of a chunk of data such as a file or even the contents of an entire hard drive. For example, the simple action of changing the letter “O” to the number “0” within a file stored on a hard drive changes the hash for the entire hard drive.
Digital forensics experts routinely use hashing methods to verify that copies of digital evidence match the original data from which the copies are made, i.e. their hashes or “fingerprints” match. The figure shows an example of a hashing algorithm called Message Digest 5 or MD5, which produces a 32-character alpha-numeric fingerprint for a file, email or entire hard drive.
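The verification step described above, as an added example that is not part of the original article: it fingerprints every file in a source folder, checks a copy against that manifest, and shows that changing one “O” to “0” is detected. The function names and the sample files are constructed for illustration, and recording SHA-256 alongside MD5 is an addition here.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Stream a file through the named hash and return the hex digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its (MD5, SHA-256) fingerprints."""
    return {
        p.relative_to(root).as_posix(): (hash_file(p, "md5"), hash_file(p, "sha256"))
        for p in sorted(Path(root).rglob("*")) if p.is_file()
    }


def verify_copy(manifest, copy_root):
    """Compare a copy against the source manifest; empty lists mean a match."""
    copied = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(copied)),
        "extra": sorted(set(copied) - set(manifest)),
        "altered": sorted(k for k in manifest.keys() & copied.keys()
                          if manifest[k] != copied[k]),
    }


def demo():
    """Constructed sample data: copy a folder, verify it, then alter one character."""
    with tempfile.TemporaryDirectory() as tmp:
        source, copy = Path(tmp, "source"), Path(tmp, "copy")
        source.mkdir()
        (source / "report.txt").write_text("ORDER OK\n")
        (source / "msg1.eml").write_text("Subject: test\n\nbody\n")
        manifest = build_manifest(source)
        shutil.copytree(source, copy)
        clean = verify_copy(manifest, copy)
        (copy / "report.txt").write_text("0RDER OK\n")  # letter "O" -> number "0"
        return manifest, clean, verify_copy(manifest, copy)


if __name__ == "__main__": print(*demo()[1:], sep="\n")
```

These fingerprints cover file contents only; file system metadata such as timestamps and original location is not part of the hash and has to be preserved and recorded separately.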
Self-collection has always been inherently risky because it provides a ripe opportunity for challenges. The new FRE 902 amendments place more focus on how ESI is collected and authenticated than ever before. Amendment FRE 902(14), in particular, draws a bright red line by requiring that the digital evidence be verified by a “qualified person”. To drive home the point, the committee notes even go as far as to spell out that digital verification techniques, such as the hashing techniques discussed above, must now be used to verify digital evidence.
The impact of these amendments, especially given the rapid pace and volume at which data is created, should not be ignored. Experts predict that the FRE amendments, while aiming to clarify and support proper certification of digital evidence, will also provide a foundation for parties to more readily challenge the admission of digital evidence in court. To mitigate or even bypass these challenges altogether, parties presenting digital evidence would be wise to ensure that all ESI evidence is certified, either by having qualified digital forensic technicians perform the preservation and collection of the ESI or by setting up reliable systems that utilize built-in, tested digital verification methods when copying digital evidence.