Digital evidence (ie, documents, images
and data transmitted or stored in electronic format) is
the product of years of information technology development,
and there are a variety of technological strategies now
available to enhance its reliability and security. The application
of legal principles to e-commerce, however, is in a state
of relative immaturity. The challenge facing the largely
non-technical US legal system is to develop a predictable
body of digital evidence law that builds on traditional
paper-based concepts by adding practical interfaces between
law and the tools of information technology. This will require
a continuing process of effective communication, education
and collaboration between professionals in both fields.
This article considers existing US legal
principles and procedures as they apply to e-evidence, and
offers an insight into some of the technological issues
at play.
Some traditional concepts
Section 901(a) of the Federal Rules of Evidence (FRE) provides:
"General Provision.
The requirement of authentication or identification as
a condition precedent to admissibility is satisfied by
evidence sufficient to support a finding that the matter
in question is what its proponent claims."
One illustration of authentication or
identification under FRE Section 901(b)(9) is "evidence
describing a process or system used to produce a result
and showing that the process or system produces an accurate
result".
An important exception to the rule that
hearsay testimony is generally inadmissible as evidence
(FRE Section 802) is the business-records exception under
FRE Section 803(6), which states in part:
"Records of regularly
conducted activity. A memorandum, report, record or data
compilation, in any form, of acts, events, conditions,
opinions or diagnoses, made at or near the time by, or
from information transmitted by, a person with knowledge,
if kept in the course of a regularly conducted business
activity, and if it was the regular practice of that business
activity to make the memorandum, report, record or data
compilation, [...], unless the source of information or
the method or circumstances of preparation indicate lack
of trustworthiness. The term 'business' as used in this
paragraph includes business, institution, association,
profession, occupation, and calling of every kind, whether
or not conducted for profit."
Authentication of identity
The federal Electronic Signatures in Global and National Commerce
Act (ESIGN) and the Uniform Electronic Transactions Act have succeeded
in removing most of the traditional barriers to the enforceability
of electronic contracts. The problem is that, in the absence
of agreement as to a specific security procedure, the technology-neutral
approach of both acts has provided little practical guidance
on how the efficacy of a particular security procedure or
attribution method can be demonstrated, and what weight
should be given to the method of authenticating digital
evidence under FRE 901(a).
If there is no practical method of authenticating
the identity of a digital signatory, a dispute over the
authenticity of digital evidence could leave the fact finder
with no reasonable basis on which to make a decision. Recent
experience with the Sobig.F mass-mailing worm, which forged
the 'From' address of every message it sent, has demonstrated
that without additional security controls a sender's email
address can be easily spoofed (for an example of this, see
NY attorney general settles charges with spoofing
spammer). More trustworthy authentication of digital
evidence is needed to justify its admission into evidence.
Technical controls
E-commerce communication between a user and a merchant website
is commonly secured by secure sockets layer (SSL) technology
(today by its successor, transport layer security, or TLS).
SSL allows a user to confirm the authenticity of the website,
and creates an encrypted 'communications pipe' between him/herself
and the site for the duration of that session only. With
confidentiality thus assured, the user authenticates his/her
identity to the website by revealing a secret password, which
the website compares with its database of passwords.
This method of authenticating a user's
identity is problematic because:
- knowledge of the password is shared
by both the user and the website, so it is difficult to
assign responsibility if the secret is compromised;
- the password must be communicated
in advance to both sides by a secure channel;
- if stored in the website's database
as a raw password, it is exposed to anyone who compromises that database;(1)
and
- it is frequently too
easy to ask for a new password if it is forgotten.
Public-key infrastructure (PKI) is a
cryptographic identity authentication technology that is
stronger than the use of a password via SSL(2)
because it does not rely on the sharing of secret knowledge.
Instead of using only a single key (ie, the password, which
is used to both lock and unlock), PKI splits the key into
two related parts. Sender and recipient each have a key
pair - a public key that is accessible to the world in a
public directory, and a private key that is kept secret.
If the sender of a message wants to authenticate his/her
identity, he/she uses the private key to digitally sign
it. The recipient obtains the sender's public key from the
relevant directory and uses it to verify the signature; a
signature that verifies could only have been produced by
the holder of the unique corresponding private key, and it
is this that authenticates the sender's identity. The recipient
can be certain that the public key is not that of an impostor
if a trusted third-party certification authority such as
VeriSign or
an enterprise-sponsored PKI has previously validated the
sender's identity and issued a digital certificate binding
his/her identity to the public key. The technical and legal
extent of such assurance is usually specified in certification
authority documents such as certificate policies, certification
practice statements and related user agreements (see American Bar Association Information Security
Committee's (ABAISC) Digital Signature Guidelines and PKI Assessment Guidelines).
Basic PKI has two potential security
weaknesses, each of which can be mitigated. First, the certification
authority may improperly validate the identity of a person
applying for a certificate so that an impostor is issued
a certificate containing the sender's name. This risk can
be reduced by using a registration authority or a PKI enterprise
model, whereby a company controls the certification of its
employees (eg, at Johnson & Johnson).
A second potential weakness is the possibility
that an impostor might gain control of a sender's private
key, allowing the impostor to spoof the sender's identity.
This risk can be reduced by installing the sender's private
key and cryptographic software on a smart card or token
that the sender physically removes from his/her computer
when not in use. In addition, a secret password protects
the use of the card/token, and a biometric identifier (eg,
fingerprint or retinal scan) can be added for so-called
'three-factor' private key security.
There is no such thing as perfect security,
even with robust authentication technology such as PKI.
Accordingly, when it comes to assessing e-evidence, the
ideal binary concept of technical non-repudiation is less
useful than the more analogue approach of 'legal non-repudiation',
which is defined under Section 1.20 of the ABAISC Digital
Signature Guidelines as "strong and substantial evidence
of the identity of the signer [...] sufficient to prevent
a party from successfully denying the origin, submission
or delivery of the message".
Evidentiary presumptions
Generally, in both the paper-based and electronic world,
the person who is the proponent of a piece of evidence has
the burden of proof with regard to that evidence. In this
context, such a burden means both the production burden
(ie, the burden of presenting new evidence in support of
an allegation to avoid its dismissal) and the risk of non-persuasion
(ie, the burden of convincing the fact finder by a preponderance
of the evidence).
The Utah Digital Signature Act, the UN Draft Model Law on Electronic Signatures
and the Report of the UN Working Group on Electronic Commerce
(37th Session), among others, all reverse the production
burden and create a rebuttable presumption that "a digital
signature verified by reference to the public key listed
in a valid certificate is the digital signature of the subscriber
listed in that certificate".(3)
However, it is generally recognized that this special status
for the technology-specific PKI digital signature under
the Utah act is pre-empted by express technology-neutral
language in ESIGN and is no longer effective within the
United States.
The effect is to require the proponent
of a digital signature to carry the production burden with
sufficient evidence of authentication of identity. At least
in the early cases, this is likely to require expert testimony
in the fields of mathematics and cryptography under the
US case of Daubert (which dealt
with expert scientific testimony)
and network and software engineering under Kumho Tire
(expert technical engineering
testimony). With effective coordination between trial attorney
and qualified expert, PKI seems to offer strong technological
inferences that can meet this production burden in support
of identity authentication, without relying on legislative
presumptions.
Authentication of content
The second type of information authentication
relates to the content of an electronic document, sometimes
referred to as 'document integrity'. Such authentication
demonstrates that the document has not been modified. Examples
where this may be important include website clickwrap agreements,
employee benefit summaries held in company intranets, and
the Food and Drug Administration's 21 CFR Part 11 governing electronic records
in the new drug application process.
PKI digital signatures used to authenticate
identity also deliver the additional feature of content
authentication, because what is actually signed is a one-way
hash of the entire digital document, and the signature is
verified against a hash freshly computed from the document
the recipient holds. A 'hash' or 'hash value' is a short
string calculated cryptographically from each and every byte
of a document, such that (i) the calculation always reproduces
the identical string for the same document, (ii) it is extremely
difficult to derive the document from knowledge of the hash
only, and (iii) it is equally difficult to find a second document
that produces the same hash. If the recipient's freshly computed
hash matches the hash covered by the sender's signature, there
is a powerful inference that the document has not been modified
since the time it was signed: a change to even one character
produces a different hash, and the signature fails to verify.
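The signing, certificate and verification steps described under 'Technical controls', together with the hash-based content check in the paragraph above, as one added worked example (not code from the original article). It uses Go's standard-library Ed25519 and SHA-256; the Certificate type, the CA and registration steps, the name alice@example.com and the order text are constructed for the example, and a real deployment would use X.509 certificates with policy and revocation checking, which are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate is a minimal stand-in for an X.509 certificate (assumption):
// the CA's signature binds a subject name to a public key.
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte // CA's signature over tbs(Subject, PubKey)
}

// tbs ("to be signed") serialises the binding the CA vouches for. The NUL
// separator keeps "ab"+"c" and "a"+"bc" from encoding identically.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// GenerateKeyPair makes a fresh Ed25519 key pair (nil reader = crypto/rand).
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err) // an entropy failure is not recoverable here
	}
	return pub, priv
}

// IssueCertificate is the certification (or registration) authority's act,
// performed only after it has validated the applicant's identity out of band.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: pub, CASig: ed25519.Sign(caPriv, tbs(subject, pub))}
}

// DocumentHash is the one-way hash of every byte of the document. The
// signature covers this value, so identity and content are verified together.
func DocumentHash(doc []byte) [32]byte { return sha256.Sum256(doc) }

// SignDocument: the signer uses the private key only he/she controls.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	h := DocumentHash(doc)
	return ed25519.Sign(priv, h[:])
}

// VerifyDocument is the recipient's check, in the order the article describes:
//  1. the certificate really was issued by the CA the recipient trusts;
//  2. it names the party the message claims to come from;
//  3. the signature over the recomputed hash verifies under the certified key.
func VerifyDocument(caPub ed25519.PublicKey, cert Certificate, claimedSigner string, doc, sig []byte) error {
	if !ed25519.Verify(caPub, tbs(cert.Subject, cert.PubKey), cert.CASig) {
		return errors.New("certificate was not issued by the trusted CA")
	}
	if cert.Subject != claimedSigner {
		return fmt.Errorf("certificate names %q, message claims %q", cert.Subject, claimedSigner)
	}
	h := DocumentHash(doc)
	if !ed25519.Verify(cert.PubKey, h[:], sig) {
		return errors.New("signature invalid: content modified since signing, or signed with another key")
	}
	return nil
}

func main() {
	caPub, caPriv := GenerateKeyPair()
	alicePub, alicePriv := GenerateKeyPair()
	aliceCert := IssueCertificate(caPriv, "alice@example.com", alicePub)

	order := []byte("Buy 1000 shares of XYZ at market, 2003-09-15")
	sig := SignDocument(alicePriv, order)
	fmt.Println("genuine:", VerifyDocument(caPub, aliceCert, "alice@example.com", order, sig))

	altered := []byte("Buy 9000 shares of XYZ at market, 2003-09-15")
	fmt.Println("altered content:", VerifyDocument(caPub, aliceCert, "alice@example.com", altered, sig))

	// Impostor: Mallory has her own key and a certificate in Alice's name from
	// a CA the recipient does not trust (or one that skipped identity validation).
	_, rogueCA := GenerateKeyPair()
	malPub, malPriv := GenerateKeyPair()
	fake := IssueCertificate(rogueCA, "alice@example.com", malPub)
	fmt.Println("impostor:", VerifyDocument(caPub, fake, "alice@example.com", order, SignDocument(malPriv, order)))
}
```

Steps 1 and 2 are the 'is this the right public key' question that certificate policies and practice statements govern; step 3 alone would accept any key, including an impostor's. Nothing in step 3 can distinguish Alice from someone who has obtained her private key, which is why the text turns to smart cards and tokens.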
Yet authentication of content by digital
signature has two weaknesses. First, since the digital signature
is key-based, the content's authentication is also key-based
and therefore subject to the same potential weaknesses as
above: misidentification of the user when issuing the certificate,
and compromise of the user's private key. Moreover, the
owner of the private key can modify the content of any records
he/she controls and then digitally re-sign them. However,
such weaknesses are avoided by linking the hash of the document
to a secure time-date stamp that is keyless and cannot be
manipulated to move backward through time.
Authentication of time and chronology
Robust digital evidence may be needed
to demonstrate when an event happened, or that two events
occurred in a certain chronological order. Recent examples
include (i) indictments based on allegations that certain
hedge funds and intermediaries have been investing in related
mutual funds after the closing hour at pre-closing sale
prices, and (ii) tampering with racetrack software at a
Delaware track to include bets on races that had finished.
Establishing chronology is also important when establishing
whether a PKI digital signature occurred before the expiration
or revocation of related certificates.
The required precision of a time-stamp
may vary between applications. The racetrack software and
trading cases might require precise timing (ie, fractions
of seconds or minutes), while authentication of the time
when digital signatures were created might only require
granularity based on days.
A time-date stamp on a document is hearsay,
normally excluded from evidence unless an exception applies.
A possible hearsay-exception and trustworthiness spectrum
for a time-date stamp is illustrated as follows:
- A consumer can alter the time-date
stamp on his/her computer easily. If there is no regularly
conducted 'business', as under FRE 803(6), then the business-records
exception might not be available.
- A professional such as a lawyer or
a doctor can also alter his/her own time-date stamp, but
a regular practice of maintaining dates might at least
be able to be demonstrated as part of the regular practice
of the business.
- Compartmentalization of control within
a company such that the information systems staff rather
than individual users are in exclusive control of the
time-date stamps would increase the chance of applying
the exception.
- A trusted third party
(eg, Surety or Timecertain) could deliver a time-date feed
to an impenetrable black box, using a process that can
be demonstrated to be beyond the control of the party
that controls the documents themselves.
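An added example (not from the original article) of the keyless, hash-linked time-date stamp the 'Authentication of content' section calls for, and of the 'black box' trusted third-party feed at the bottom of the list above: each entry chains to the previous one, the head of the chain is published as a witness, and a verifier can check both that a document was stamped and that no entry was altered or moved backward in time. The Entry and Log types, the injected clock and the trade texts are constructed for the demonstration; commercial services such as those named above use their own formats.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Entry is one record in the service's append-only log. The service's own
// clock supplies the time; the submitter supplies only a document hash.
type Entry struct {
	Seq     uint64
	At      time.Time
	DocHash [32]byte // SHA-256 of the submitted document
	Prev    [32]byte // Hash of the previous entry (zero for the first)
	Hash    [32]byte // SHA-256 over Seq, At, DocHash and Prev
}

func entryHash(seq uint64, at time.Time, doc, prev [32]byte) [32]byte {
	var b [16]byte
	binary.BigEndian.PutUint64(b[:8], seq)
	binary.BigEndian.PutUint64(b[8:], uint64(at.UnixNano()))
	h := sha256.New()
	h.Write(b[:])
	h.Write(doc[:])
	h.Write(prev[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Log is the 'black box'. Its clock is injected so the example is repeatable;
// a real service would read a disciplined hardware clock (assumption).
type Log struct {
	Entries []Entry
	clock   func() time.Time
}

// Stamp appends the document's hash at the service's current time, chained
// to the previous entry, and refuses to let its own clock run backward.
func (l *Log) Stamp(document []byte) (Entry, error) {
	at := l.clock()
	var prev [32]byte
	if n := len(l.Entries); n > 0 {
		if at.Before(l.Entries[n-1].At) {
			return Entry{}, errors.New("service clock moved backward; refusing to stamp")
		}
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.Entries)), At: at, DocHash: sha256.Sum256(document), Prev: prev}
	e.Hash = entryHash(e.Seq, e.At, e.DocHash, e.Prev)
	l.Entries = append(l.Entries, e)
	return e, nil
}

// Witness is the head hash. Published where the service cannot later change it
// (a newspaper, a public ledger), it puts the log beyond anyone's control.
func (l *Log) Witness() [32]byte { return l.Entries[len(l.Entries)-1].Hash }

// VerifyStamp is the check an expert would run: the document hashes to what
// entry idx recorded, every link up to the head is intact, time never runs
// backward, and the head equals the published witness.
func VerifyStamp(entries []Entry, idx int, document []byte, witness [32]byte) error {
	if idx < 0 || idx >= len(entries) {
		return errors.New("no such entry")
	}
	if sha256.Sum256(document) != entries[idx].DocHash {
		return errors.New("document is not the one that was stamped")
	}
	var prev [32]byte
	for i, e := range entries {
		if e.Seq != uint64(i) || e.Prev != prev {
			return fmt.Errorf("entry %d: chain link broken", i)
		}
		if entryHash(e.Seq, e.At, e.DocHash, e.Prev) != e.Hash {
			return fmt.Errorf("entry %d: record altered after stamping", i)
		}
		if i > 0 && e.At.Before(entries[i-1].At) {
			return fmt.Errorf("entry %d: time runs backward", i)
		}
		prev = e.Hash
	}
	if prev != witness {
		return errors.New("log head does not match the published witness")
	}
	return nil
}

// Scenario: a genuine stamp, a document edited and re-signed by its owner
// afterwards, and an attempt to backdate a post-close mutual fund trade.
func Scenario() (genuine, altered, backdated error) {
	cutoff := time.Date(2003, 9, 15, 16, 0, 0, 0, time.UTC) // 4pm fund close
	now := cutoff.Add(-10 * time.Minute)
	svc := &Log{clock: func() time.Time { return now }}
	order := []byte("BUY fund ABC 10000 units")
	e0, _ := svc.Stamp(order)
	now = cutoff.Add(30 * time.Minute)
	late := []byte("BUY fund ABC 50000 units")
	e1, _ := svc.Stamp(late)
	witness := svc.Witness() // published out of band

	genuine = VerifyStamp(svc.Entries, int(e0.Seq), order, witness)
	altered = VerifyStamp(svc.Entries, int(e0.Seq), []byte("BUY fund ABC 90000 units"), witness)
	// Forger rewrites entry 1's time to before the close and recomputes its hash.
	forged := append([]Entry(nil), svc.Entries...)
	forged[1].At = cutoff.Add(-5 * time.Minute)
	forged[1].Hash = entryHash(forged[1].Seq, forged[1].At, forged[1].DocHash, forged[1].Prev)
	backdated = VerifyStamp(forged, int(e1.Seq), late, witness)
	return
}
```

The document owner can edit and re-sign a file but cannot change the hash the service recorded; the operator could rewrite an entry, but the published witness then no longer matches, and moving an entry earlier than its predecessor is caught directly. Keeping the clock and the log inside the service, with no write access for the document owner, is the 'compartmentalization of control' in the list above.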
Confidentiality
Increasingly there is a legal need to
demonstrate that a system provides sufficient confidentiality
to protect the privacy of personal data. Examples include
the Final Security Rule under the Health Insurance Portability and Accountability
Act, which recognizes that security needs a reasonable
risk assessment process that considers authentication and
confidentiality, plus additional issues such as continued
availability of service. California's SB 1386 (see California law makes companies liable for hacked
databases) and the pending federal Notification of
Risk to Personal Data Act (introduced as S 1350 in June
by US Senator Feinstein) both require companies holding
personally identifiable information about consumers to notify
them immediately if something occurs that may compromise
the privacy of such information.
Once data has been compromised, proving
that confidentiality and reasonable security requirements
have been maintained will be difficult for a number of reasons,
including because (i) once the information is released,
it is impossible to retrieve (ie, closing the barn door
after the horse has bolted), and (ii) damage does not always
occur immediately after the compromise - it may simply be
postponed.
This is an area where risk assessment
and the balancing of burden versus benefit must be developed
(as per Judge Learned Hand's famous formula in US v Carroll Towing Company
(159 F2d 169 (2d Cir 1947)): a precaution is owed where its burden
is less than the probability of harm multiplied by the gravity of that harm).
Discovery
The foremost example of defensive use of evidence
is the obligation of a litigating party or a person under
subpoena to respond to discovery requests and produce relevant
non-privileged evidence in his/her possession, including
digital documents. An auditing firm will also typically
demand to examine digital evidence in the possession of
its client as a condition of issuing its opinion as to the
financial statements.
A major theme of the defensive handling
of digital evidence in response to discovery is the cost
of litigation support, a potentially huge issue because
of the bewildering variety of formats and staggering volume
of digital material. Major issues have developed in the
courts as to the responsibility for sharing and shifting
costs (see New York court sets new test for e-discovery requests),
and litigation support capability.
Electronic record retention policies
are increasingly posing problems, as corporations and their
attorneys consider whether it is better to adopt short deadlines
for destroying all electronic documents or retain everything.
The dilemma is entwined with the cost issue, but also involves
potential exposure to spoliation arguments for selective
deletion and the failure to preserve metadata associated
with electronic records. In some situations there is no
legal discretion or permission to dispose of any electronic
documents whatsoever.
Despite the diverse formats of electronic
documents typically kept by corporations, there are advantages
to converting all formats to some kind of a uniform database
in order to enable efficient searching. Preservation of
an auditable chain of electronic document conversion as
well as a chain of custody of metadata may also be critical
to rebut any charge of spoliation.(4)
Section 404 of the Sarbanes-Oxley Act, by requiring top management
certification of adequate internal controls and procedures
for financial reporting, has served to accelerate the priority
of many of these issues on the agenda of publicly held corporations.
Charles R Merrill,
McCarter & English LLP, Newark
Endnotes
(1) This vulnerability is commonly mitigated by storing
something uniquely derived from the password, such as a salted hash value,
which the database can compare with a hash freshly derived
from the password entered at login. See the explanation of hash
values under 'Authentication of content' above.
(2) In fact, SSL itself uses PKI: the
website presents a digital certificate binding its name to a
public key, and during the handshake proves possession of the
matching private key (by signing, or decrypting, handshake data
that the browser supplies), which the browser checks against
that certificate and the certification authorities it trusts.
(3) The European Union has a PKI rule
supporting the admissibility of digital signatures into
evidence, without reversing the normal production burden.
See Section C.4.4, ABAISC PKI Assessment Guidelines.
(4) See Evidenceexchange for a discussion of the preservation
of an auditable chain of conversions to PDF format, using
secure time-date stamping for content and time authentication.