In what might be the most high-profile seizure ever of a smartphone in Canada, police obtained a court order and travelled to the United States earlier this year to extract information from the iPhone of a friend of Toronto Mayor Rob Ford. Toronto police were unable to analyze the device allegedly belonging to Alexander “Sandro” Lisi “because they did not have the current forensic tools to extract information from the phone,” stated a sworn affidavit by an officer in the investigation dubbed Project Brazen 2.
An assistance order was granted by an Ontario judge compelling Apple Inc. to extract data from the phone, including photos, videos, text messages, and call logs. The phone was kept sealed and a Toronto police officer flew to California to meet with Apple’s “law enforcement compliance team.” He returned with extracted data placed on an external hard drive.
Lisi is facing extortion charges in connection with alleged attempts to recover a video of Ford smoking crack cocaine and the data from the phone, which police say they did not view before obtaining the court order, is part of the ongoing investigation.
In the Lisi case, the process was much more public but everyday across the country, there are seizures of electronic devices by police without such extensive efforts to extract data and maintain a chain of custody to ensure the information is authentic and admissible. The information seized can range from text messages to pictures to social media postings and the amount of data can be overwhelming. A single gigabyte on a smart phone can store over 100,000 e-mails (without attachments) or nearly 65,000 pages of word processing files. More than 56 per cent of Canadians use a smartphone, according to a study released by Google last summer. There were nearly 20 million Canadian users on Facebook in 2013 and seven million LinkedIn accounts, according to industry data.
All of these devices and social media sites provide opportunities for the storing of information or posting of utterances that could ultimately be used in court. As a result, many defence lawyers say it is important not only to challenge the admissibility of electronic information, but to ensure the Crown has taken the necessary steps to prove authenticity of the data, well beyond a printout of what was captured.
To do that, lawyers must research the technologies behind smartphones, social media sites, and areas such as cloud computing, suggests Michael Naughton, a defence lawyer with Thomas & Naughton PC in Detroit. “It is important to have a strong knowledge of the breadth of what is stored,” says Naughton, who presented a paper on challenging the authenticity of electronic information on smartphones at a Law Society of Upper Canada forensics conference in Toronto earlier this year. “You need to know the lingo, know the technology,” he says. That view is echoed by Ricardo Federico, a Toronto defence lawyer and co-chairman of the conference. “The more I know about electronic evidence, the more I can do for my client,” says Federico, who believes retaining an expert in these areas is often essential.
During his presentation, Naughton took out his smartphone to take a picture of those attending his panel and then outlined some of the metadata (data about data), captured by the device. “It showed my orientation, facing southeast,” says Naughton. Unless the function is disabled, GPS information about the location of a photo, text message, or tweet posted from a smartphone to a web site is uploaded there as well. The sheer amount of personal information that might be disclosed inadvertently from a smartphone has resulted in some educational institutions such as Yale University to issue public warnings and provide online explanations on how to disable the “geo-tagging” function.
Just because information or data is obtained electronically does not necessarily mean its accuracy or reliability should be accepted when presented in court, says Naughton. “The presumption of integrity should not be automatic. The further you are from the original source that created the document, the more problems you have,” he says.
Where the information is stored may also affect whether its authenticity can be proven in court. If the data is on a cloud service provider, then it is not “forensics friendly” according to a research paper published last fall by two computer scientists at the University of Alabama at Birmingham. Ragib Hasan and Shams Zawoad noted in the traditional seizure of a hard drive from an individual’s personal computer, investigators have “full control” over the data. Cloud servers contain files from many users — referred to as “multi-tenant” — and have different rules about how the data is stored, creating chain of custody problems, stated the research paper, which was supported in part by a grant from the U.S. Department of Homeland Security.
Even software used to collect digital evidence should not always be accepted as reliable, says Sebastian Fischmeister, a computer science professor at the University of Waterloo. “The computer that you use crashes, the phone that you use crashes — society is used to software being defective. So if you are in the courtroom and you have a piece of evidence and it is created by software, you have to make sure that it is performing,” says Fischmeister.
When courts are deciding on the reliability of digital evidence, it is important “to avoid drawing the same inferences that might be more appropriate” with traditional evidence, says Michael Mulligan, a defence lawyer in Victoria, B.C., who has training in computer forensics. “There will often be vast quantities of data stored on devices that a person physically possessing the device would be unaware of and incapable of accessing by ordinary means,” says Mulligan. “Often this will amount to an analysis of circumstantial evidence such as time data that can, by other means, be tied to a particular person,” adds Mulligan, who cautions against simply relying on user account names or the physical location of a device.
In the midst of rapid technological change and staggering increases in the amount of stored electronic data, the case law in this area in Canada and the U.S. is often still preoccupied with the authentication and reliability of sometimes juvenile postings on social media.
In Parker v. State of Delaware, the Delaware Supreme Court compared the “Maryland approach” to social media posts and the “Texas approach” to the evidence. Facebook postings related to a physical confrontation between two women over a mutual love interest were admitted by the Delaware court in its decision issued in February. It preferred the decisions of the courts in Texas that “any type” of circumstantial evidence a jury could “reasonably find” were authentic, was sufficient to admit the Facebook comments. The test in Maryland requires significant computer forensic evidence as well as information obtained from the social networking site. A Court of Queen’s Bench judge in New Brunswick concluded earlier this year in R. v. Nde Soh that screen captures of Facebook conversations and the testimony of the complainant was sufficient to admit the postings as electronic documents and as an exception to the hearsay rule.
As there are more challenges to social media evidence, especially in civil litigation and the exploding e-discovery field, a simple screen grab and testimony in court may not suffice. John Patzakis, a lawyer and chief executive officer of X1 Discovery Inc. in Pasadena, Calif., says it is essential for there to be “best practices” around searching for, collecting, and preserving social media evidence.
Every posting on Twitter for example has several unique pieces of metadata information associated with it. “Together this tells a very compelling story about the evidence itself,” says Patzakis, whose company’s clients in Canada include law enforcement agencies. Simple printouts of computer screens or social media conversations are no more than a snapshot. “So much metadata will be missing from a screen shot,” he explains.
Police are also becoming more aware of how to make use of social media evidence for criminal investigations, says Patzakis, who cites the Stanley Cup riots in Vancouver in 2011 as an example. The circumstantial evidence, such as metadata, around the social media evidence is what makes it easier to authenticate for a court, he adds.
Ultimately, whether it is a high-profile case involving the seizure of a mobile device or an obscure proceeding in a local courtroom, the legal tests still involve the application of the traditional rules of evidence, says Graham Underwood, co-author of Electronic Evidence in Canada and a Crown counsel with the civil branch of the B.C. Ministry of Justice. The type of supporting evidence needed to authenticate digital information depends on its purpose in the court proceeding. “It is very contextual. You have to look at what this information is going to be used for. Why is it being tendered?” asks Underwood.
An assistance order was granted by an Ontario judge compelling Apple Inc. to extract data from the phone, including photos, videos, text messages, and call logs. The phone was kept sealed and a Toronto police officer flew to California to meet with Apple’s “law enforcement compliance team.” He returned with extracted data placed on an external hard drive.
Lisi is facing extortion charges in connection with alleged attempts to recover a video of Ford smoking crack cocaine and the data from the phone, which police say they did not view before obtaining the court order, is part of the ongoing investigation.
In the Lisi case, the process was much more public but everyday across the country, there are seizures of electronic devices by police without such extensive efforts to extract data and maintain a chain of custody to ensure the information is authentic and admissible. The information seized can range from text messages to pictures to social media postings and the amount of data can be overwhelming. A single gigabyte on a smart phone can store over 100,000 e-mails (without attachments) or nearly 65,000 pages of word processing files. More than 56 per cent of Canadians use a smartphone, according to a study released by Google last summer. There were nearly 20 million Canadian users on Facebook in 2013 and seven million LinkedIn accounts, according to industry data.
All of these devices and social media sites provide opportunities for the storing of information or posting of utterances that could ultimately be used in court. As a result, many defence lawyers say it is important not only to challenge the admissibility of electronic information, but to ensure the Crown has taken the necessary steps to prove authenticity of the data, well beyond a printout of what was captured.
To do that, lawyers must research the technologies behind smartphones, social media sites, and areas such as cloud computing, suggests Michael Naughton, a defence lawyer with Thomas & Naughton PC in Detroit. “It is important to have a strong knowledge of the breadth of what is stored,” says Naughton, who presented a paper on challenging the authenticity of electronic information on smartphones at a Law Society of Upper Canada forensics conference in Toronto earlier this year. “You need to know the lingo, know the technology,” he says. That view is echoed by Ricardo Federico, a Toronto defence lawyer and co-chairman of the conference. “The more I know about electronic evidence, the more I can do for my client,” says Federico, who believes retaining an expert in these areas is often essential.
During his presentation, Naughton took out his smartphone to take a picture of those attending his panel and then outlined some of the metadata (data about data), captured by the device. “It showed my orientation, facing southeast,” says Naughton. Unless the function is disabled, GPS information about the location of a photo, text message, or tweet posted from a smartphone to a web site is uploaded there as well. The sheer amount of personal information that might be disclosed inadvertently from a smartphone has resulted in some educational institutions such as Yale University to issue public warnings and provide online explanations on how to disable the “geo-tagging” function.
Just because information or data is obtained electronically does not necessarily mean its accuracy or reliability should be accepted when presented in court, says Naughton. “The presumption of integrity should not be automatic. The further you are from the original source that created the document, the more problems you have,” he says.
Where the information is stored may also affect whether its authenticity can be proven in court. If the data is on a cloud service provider, then it is not “forensics friendly” according to a research paper published last fall by two computer scientists at the University of Alabama at Birmingham. Ragib Hasan and Shams Zawoad noted in the traditional seizure of a hard drive from an individual’s personal computer, investigators have “full control” over the data. Cloud servers contain files from many users — referred to as “multi-tenant” — and have different rules about how the data is stored, creating chain of custody problems, stated the research paper, which was supported in part by a grant from the U.S. Department of Homeland Security.
Even software used to collect digital evidence should not always be accepted as reliable, says Sebastian Fischmeister, a computer science professor at the University of Waterloo. “The computer that you use crashes, the phone that you use crashes — society is used to software being defective. So if you are in the courtroom and you have a piece of evidence and it is created by software, you have to make sure that it is performing,” says Fischmeister.
When courts are deciding on the reliability of digital evidence, it is important “to avoid drawing the same inferences that might be more appropriate” with traditional evidence, says Michael Mulligan, a defence lawyer in Victoria, B.C., who has training in computer forensics. “There will often be vast quantities of data stored on devices that a person physically possessing the device would be unaware of and incapable of accessing by ordinary means,” says Mulligan. “Often this will amount to an analysis of circumstantial evidence such as time data that can, by other means, be tied to a particular person,” adds Mulligan, who cautions against simply relying on user account names or the physical location of a device.
In the midst of rapid technological change and staggering increases in the amount of stored electronic data, the case law in this area in Canada and the U.S. is often still preoccupied with the authentication and reliability of sometimes juvenile postings on social media.
In Parker v. State of Delaware, the Delaware Supreme Court compared the “Maryland approach” to social media posts and the “Texas approach” to the evidence. Facebook postings related to a physical confrontation between two women over a mutual love interest were admitted by the Delaware court in its decision issued in February. It preferred the decisions of the courts in Texas that “any type” of circumstantial evidence a jury could “reasonably find” were authentic, was sufficient to admit the Facebook comments. The test in Maryland requires significant computer forensic evidence as well as information obtained from the social networking site. A Court of Queen’s Bench judge in New Brunswick concluded earlier this year in R. v. Nde Soh that screen captures of Facebook conversations and the testimony of the complainant was sufficient to admit the postings as electronic documents and as an exception to the hearsay rule.
As there are more challenges to social media evidence, especially in civil litigation and the exploding e-discovery field, a simple screen grab and testimony in court may not suffice. John Patzakis, a lawyer and chief executive officer of X1 Discovery Inc. in Pasadena, Calif., says it is essential for there to be “best practices” around searching for, collecting, and preserving social media evidence.
Every posting on Twitter for example has several unique pieces of metadata information associated with it. “Together this tells a very compelling story about the evidence itself,” says Patzakis, whose company’s clients in Canada include law enforcement agencies. Simple printouts of computer screens or social media conversations are no more than a snapshot. “So much metadata will be missing from a screen shot,” he explains.
Police are also becoming more aware of how to make use of social media evidence for criminal investigations, says Patzakis, who cites the Stanley Cup riots in Vancouver in 2011 as an example. The circumstantial evidence, such as metadata, around the social media evidence is what makes it easier to authenticate for a court, he adds.
Ultimately, whether it is a high-profile case involving the seizure of a mobile device or an obscure proceeding in a local courtroom, the legal tests still involve the application of the traditional rules of evidence, says Graham Underwood, co-author of Electronic Evidence in Canada and a Crown counsel with the civil branch of the B.C. Ministry of Justice. The type of supporting evidence needed to authenticate digital information depends on its purpose in the court proceeding. “It is very contextual. You have to look at what this information is going to be used for. Why is it being tendered?” asks Underwood.
