Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can government obtain emails and network account logs.

Similar presentations


Presentation on theme: "Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can government obtain emails and network account logs."— Presentation transcript:

1

2

3 Federal Privacy Laws How can government obtain s and network account logs from ISPs? How can government obtain s and network account logs from ISPs? When does the government need to obtain a search warrant as opposed to a 2703(d) order or a subpoena? When does the government need to obtain a search warrant as opposed to a 2703(d) order or a subpoena? When can providers disclose s and records to the government voluntarily? When can providers disclose s and records to the government voluntarily? What remedies will courts impose when ECPA violated? What remedies will courts impose when ECPA violated?

4 Federal Privacy Laws ECPA - The Electronic Communications Privacy Act (18 U.S.C et seq) ECPA - The Electronic Communications Privacy Act (18 U.S.C et seq) PPA - The Privacy Protection Act (42 U.S.C. 2000a) PPA - The Privacy Protection Act (42 U.S.C. 2000a) CCPA - The Cable Communications Policy Act (47 U.S.C. 251 et seq) CCPA - The Cable Communications Policy Act (47 U.S.C. 251 et seq)

5

6 Why do I care? ECPA – No suppression remedy ECPA – No suppression remedy Civil damages, but you lose your job! PPA – No suppression remedy PPA – No suppression remedy Civil damages. Law enforcement officers may be held personally liable ! Civil damages. Law enforcement officers may be held personally liable !

7 Why do I care? ECPA – No suppression remedy ECPA – No suppression remedy Civil damages, but you lose your job! PPA – No suppression remedy PPA – No suppression remedy Civil damages. Law enforcement officers may be held personally liable ! Civil damages. Law enforcement officers may be held personally liable !

8 ECPA Extends wiretap laws to electronic communications Extends wiretap laws to electronic communications Regulates how investigators can obtain stored , account records or subscriber information from network service providers; IPSs, phone co.s, cell phone providers, and satellite services. Regulates how investigators can obtain stored , account records or subscriber information from network service providers; IPSs, phone co.s, cell phone providers, and satellite services.

9 ECPA ECPA seeks to provide certain privacy rights to network account holders by offering varying degrees of legal protection depending on the perceived value of the privacy interest involved ECPA seeks to provide certain privacy rights to network account holders by offering varying degrees of legal protection depending on the perceived value of the privacy interest involved

10 ECPA What type of info is being sought? What type of info is being sought? Basic subscriber info? Transactional records? Content in electronic storage? How can you get it? How can you get it?Subpoena? 2703(d) Order? Search warrant?

11 Basic Subscriber Information Gives you only Gives you only name & address name & address local and LD telephone toll billing records local and LD telephone toll billing records telephone number or other account identifier (such as username or screen name) telephone number or other account identifier (such as username or screen name) length & type of service provided length & type of service provided Can get IP number & dates/times for IRC Can get IP number & dates/times for IRC Can be obtained through subpoena Can be obtained through subpoena Do not subpoena all customer records Do not subpoena all customer records

12 Transactional Records Not content & not basic subscriber Not content & not basic subscriber § 2703(c)(1)(B) § 2703(c)(1)(B) Everything in between Everything in between financial information (e.g., credit card) financial information (e.g., credit card) audit trails/logs audit trails/logs web sites visited web sites visited identities of correspondents identities of correspondents cell site data from cellular/PCS carriers cell site data from cellular/PCS carriers Obtainable with § 2703(d) court order Obtainable with § 2703(d) court order

13 What are contents? Any information concerning the substance, purport, or meaning of that communication.Any information concerning the substance, purport, or meaning of that communication. Attached wp files Attached wp files Attached picture files Attached picture files Subject headers of s Subject headers of s

14 Section 2703(d) Orders Articulable facts order Articulable facts order specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation Higher standard than a subpoena, lower than probable cause Higher standard than a subpoena, lower than probable cause ECPA permits service outside state of issuing district ECPA permits service outside state of issuing district

15 Opened Do you need a search warrant? Do you need a search warrant? Subpoena – served with prior notice Subpoena – served with prior notice 2703(d) Order – served with notice to subscriber 2703(d) Order – served with notice to subscriber Search warrant – no notice to subscriber Search warrant – no notice to subscriber Other stored electronic communications in electronic storage more than 180 days (unopened ) Other stored electronic communications in electronic storage more than 180 days (unopened )

16 Notification Investigators can delay notice for up to 90 days to avoid: Investigators can delay notice for up to 90 days to avoid: flight from prosecution flight from prosecution destruction of or tampering with evidence destruction of or tampering with evidence intimidation of potential witnesses intimidation of potential witnesses seriously jeopardizing an investigation seriously jeopardizing an investigation (§ 2705) (§ 2705) 2703(d) Application and Orders will contain a request for delayed notice – must state why 2703(d) Application and Orders will contain a request for delayed notice – must state why Can extend delay additional 90 days Can extend delay additional 90 days

17 Unopened > 180 days If unopened and in storage for less than 180 days, use search warrant (§ 2703(a)) If unopened and in storage for less than 180 days, use search warrant (§ 2703(a)) Warrant operates like a subpoena Warrant operates like a subpoena No notice required No notice required Except 9 th Circuit Except 9 th Circuit

18 Preservation Request A provider of wire or electronic communication service or a remote computing service, upon request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. A provider of wire or electronic communication service or a remote computing service, upon request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

19 Voluntary Disclosure Can you accept information voluntarily disclosed by ISP? Can you accept information voluntarily disclosed by ISP? Providers may monitor and intercept real time communications for purposes of maintaining and protecting their equipment. Providers may monitor and intercept real time communications for purposes of maintaining and protecting their equipment. Is the ISP required to disclose such info? Is the ISP required to disclose such info?

20 Privacy Protection Act [I]t shall be unlawful... to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication...[I]t shall be unlawful... to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication... Prohibits use of a search warrant for such materials Prohibits use of a search warrant for such materials 42 USC 2000aa 42 USC 2000aa

21 Privacy Protection Act Provides additional protection to media from law enforcement searches Provides additional protection to media from law enforcement searches Response to US Supreme Court decision Zurcher v. Stanford Daily, 436 U.S. 547(1978) Response to US Supreme Court decision Zurcher v. Stanford Daily, 436 U.S. 547(1978) Newspaper sued saying LE search violated First Amendment rights of paper Newspaper sued saying LE search violated First Amendment rights of paper

22 Basic PPA Rule Act requires law enforcement to rely on cooperation from Media Act requires law enforcement to rely on cooperation from Media Must use a subpoena Must use a subpoena Less intrusive means to obtaining evidence Less intrusive means to obtaining evidence Offers better protection to innocent parties Offers better protection to innocent parties

23 Exceptions Contraband or fruits or instrumentalities of a crime Contraband or fruits or instrumentalities of a crime Immediate seizure of materials necessary to prevent death or serious bodily injury Immediate seizure of materials necessary to prevent death or serious bodily injury Probable cause that person possessing such material has committed or is committing a criminal offense Probable cause that person possessing such material has committed or is committing a criminal offense Except if mere possession offense Except if mere possession offense Except child pornography Except child pornography

24 Who is Protected? Bulletin boards Bulletin boards Web pages Web pages TV stations TV stations Authors Authors Publishers of any medium whose intent is to publish information to the public Publishers of any medium whose intent is to publish information to the public Includes publishers of legal pornography Includes publishers of legal pornography

25 Commingled Evidence What do you do when both protected material under PPA and contraband are found on same hard drive? What do you do when both protected material under PPA and contraband are found on same hard drive? Can you take computer? Can you take computer? Once you realize that you have protected material what do you do? Once you realize that you have protected material what do you do? Do you have an affirmative duty to return protected material? Do you have an affirmative duty to return protected material?

26 Cell Phones THE CLOCK IS TICKING!! THE CLOCK IS TICKING!! EVERY SECOND YOU WAIT TO COLLECT EVIDENCE, THE MORE YOU LOSE!! EVERY SECOND YOU WAIT TO COLLECT EVIDENCE, THE MORE YOU LOSE!!

27 Cell Phones Once you get the phone number: Once you get the phone number: Call the carrier ask whether the number was active and billable on their network during the time in question. Call the carrier ask whether the number was active and billable on their network during the time in question. That one phone call will save hours That one phone call will save hours

28 Cell Phones If so, send preservation letter. If so, send preservation letter. Follow up call to insure receipt. Follow up call to insure receipt. Search Warrant to carrier. Search Warrant to carrier.

29 Cell Phones Search warrant for the following: Search warrant for the following: Billing Records Billing Records Carrier Key Carrier Key CDRS CDRS Cell-Site information Cell-Site information

30 Billing Records Records the customer receives from carrier. Records the customer receives from carrier. BR show ONLY completed and billable calls BR show ONLY completed and billable calls BR show ONLY date, time, duration and number called or received from. BR show ONLY date, time, duration and number called or received from. BR are incomplete for your investigation!! BR are incomplete for your investigation!!

31 Carrier Key Must specifically request to receive Must specifically request to receive Provides acronyms, and any special instructions for interpreting their records. Provides acronyms, and any special instructions for interpreting their records.

32 Call Detail Records Have to specifically ask for these. Have to specifically ask for these. WAY more information. WAY more information. Date, time, duration, number called, calling party, call reference code, text, data, cell- site, sector. Date, time, duration, number called, calling party, call reference code, text, data, cell- site, sector. Not all carriers give all this info. Not all carriers give all this info.

33

34 Search Warrants Include text messages and MMS including all numbers sent to and received from, date, time, duration and all content related to each message Include text messages and MMS including all numbers sent to and received from, date, time, duration and all content related to each message Portingremember a number that starts on AT&T can move to another service. Portingremember a number that starts on AT&T can move to another service. Tracfonea booster phone. When sending search warrant, ask for Notes and Footnotes. Notes and Footnotes will tell you where device purchased, where payments were made and how. Tracfonea booster phone. When sending search warrant, ask for Notes and Footnotes. Notes and Footnotes will tell you where device purchased, where payments were made and how. Booster phonesgenerally operated by Sprint/Nextel Booster phonesgenerally operated by Sprint/Nextel

35 CELL TOWER DUMP All activity on a particular cell-site for a specific time All activity on a particular cell-site for a specific time TIME SENSITIVE!! TIME SENSITIVE!! Each carrier has their own network of Cell- Sites Each carrier has their own network of Cell- Sites Need Carrier Key Need Carrier Key

36 TOWER DUMP Recommended verbiage: Recommended verbiage: Requesting a Tower Dump from all cell sites in the immediate area of (address or lat/long of your incident) that would support any and all communication including but not limited to calls, text messaging, data, walkie-talkie, push to talk… Requesting a Tower Dump from all cell sites in the immediate area of (address or lat/long of your incident) that would support any and all communication including but not limited to calls, text messaging, data, walkie-talkie, push to talk…

37 Tower Dump ATT90 days only 75$ per cell site 2 week turnaround ATT90 days only 75$ per cell site 2 week turnaround Metro6 mos $50/site 2 weeks Metro6 mos $50/site 2 weeks Sprint/Nextel/Boost up to 24 months 0-50$ 2 weeks--- special verbiageany tower in the area that would support communication… that way you get all three Sprint/Nextel/Boost up to 24 months 0-50$ 2 weeks--- special verbiageany tower in the area that would support communication… that way you get all three Tmobile6 mos $100/per 2 weeks NO exigency Tmobile6 mos $100/per 2 weeks NO exigency Verizon 90 days no charge 2 weeks Verizon 90 days no charge 2 weeks

38 Electronic Evidence Writings/Documents Documents Give me a RASH RelevanceAuthenticity Secondary Evidence/Best Evidence Hearsay

39 Computer Evidence 3 Types 3 Types 1. Those records generated by process 1. Those records generated by process 2. Those records generated by persons 2. Those records generated by persons 3. Commingled 3. Commingled

40 Evidence Developed by Process Remember the definition Remember the definition Statement or assertion or non verbal conduct Statement or assertion or non verbal conduct Of a PERSON Of a PERSON If not by a person, NOT hearsay If not by a person, NOT hearsay

41 Examples GPS data Cell Tower data Telephone toll records header info Ip tracing Electronic banking Log in records from ISP Pin entries Phone numbers called U. S. v. Bellomo 176 F.3d 580

42 Not Hearsay IP address is automatically generated by computer hosting newsgroup. No statement by person, thus not hearsay. IP address is automatically generated by computer hosting newsgroup. No statement by person, thus not hearsay. U. S. v. Hamilton 413 F. 3d 1138 U. S. v. Hamilton 413 F. 3d 1138

43 Examples Persons (Hearsay) Personal letter Personal letter Memo Memo Bookkeeping records Bookkeeping records Records of business transactions inputted by persons Records of business transactions inputted by persons

44 Hearsay Records 803(6). Business Records not for litigation 803(6). Business Records not for litigation 902(11) Certification 902(11) Certification 803(8) Police Computer Records 803(8) Police Computer Records Computer Chat logs may include admissions. 801(d)(2) witnesses side of conversation gives context to Ds. U.S. v. Burt 496 F.3d 733 Computer Chat logs may include admissions. 801(d)(2) witnesses side of conversation gives context to Ds. U.S. v. Burt 496 F.3d D(2)(e) co conspirator Statements 801D(2)(e) co conspirator Statements

45 Bullcoming v. New Mexico Computer generated records MAY violate Confrontation Clause. Computer generated records MAY violate Confrontation Clause. If the computer record is dependent upon human conduct that must be testified to to make the record valid, that witness must testify. If the computer record is dependent upon human conduct that must be testified to to make the record valid, that witness must testify.

46 Examples Mixed content and header content and header File with both written data and creation, access and modified dates File with both written data and creation, access and modified dates Chat logs that id participants with dates and times Chat logs that id participants with dates and times Spreadsheets Spreadsheets

47 Foundation 901(a) Lowest standard in law 901(a) Lowest standard in law Computer records are judged by same standard Computer records are judged by same standard 901(b)(4) Distinctive characteristics 901(b)(4) Distinctive characteristics 901(b) (9) Describing a process 901(b) (9) Describing a process 902 Self Authentication 902 Self Authentication 902(8) Acknowledged Docs s, texts, chats 902(8) Acknowledged Docs s, texts, chats

48 Foundation Ultimately just has to be person who has knowledge that a matter is what it is claimed to be. Ultimately just has to be person who has knowledge that a matter is what it is claimed to be. 901(b)(4) Distinctive characteristics of include symbol, addresses with the persons name connected to the , and peoples name on To and From or signature line. U.S. v. Siddiqui 235 F.3d (b)(4) Distinctive characteristics of include symbol, addresses with the persons name connected to the , and peoples name on To and From or signature line. U.S. v. Siddiqui 235 F.3d 1318

49

50 Objection IP Address Objection hearsay!Objection hearsay! Hearsay is an out of court statement by a PERSON NOT HEARSAY--Admissible with authentication headers Security logs Billing records Hash value/date and time stamps

51 The Objections You get the local AOL Security Officer to testify to records: (1) Your honor, this person is only a security guard without any formal background or training. Shes not qualified to testify to the records systems. (1) Your honor, this person is only a security guard without any formal background or training. Shes not qualified to testify to the records systems. (2) All she knows is what she sees on the screen. She doesnt know anything about how the hardware and software run. So shes incompetent to testify about the mode of preparation. (2) All she knows is what she sees on the screen. She doesnt know anything about how the hardware and software run. So shes incompetent to testify about the mode of preparation. (3) She only learned what she learned from talking to others. Her testimony is based on hearsay and objectionable. (3) She only learned what she learned from talking to others. Her testimony is based on hearsay and objectionable. Your response: Oh %&*&!!! I have a RASH! Your response: Oh %&*&!!! I have a RASH!

52 The Objections As to the Identifying information: (6) How do we know that these entries were made at or near the time of the event? All we have are these computer entries! (6) How do we know that these entries were made at or near the time of the event? All we have are these computer entries! (7) This is a print-out of the database, not the database itself. How do we know the print-out is accurate? You know those crazy printers. (7) This is a print-out of the database, not the database itself. How do we know the print-out is accurate? You know those crazy printers. (8) This witness didnt gather the record. She only brought it to court.. (8) This witness didnt gather the record. She only brought it to court..

53 The Objections As to the Internet Tracing: (9) What do we really know about the Internet? Its just a collection of wires. How do we know this Who- Is service is accurate? Maybe there are hundreds of domain names and hundreds of accounts that are the same as this. (10) It would take an expert to tell us about the Internet. This cop is no expert, just a flat foot with a laptop.

54 The Objections As to the ISP account: (11) This is more information that is unreliable. The source isnt the company, its the person who opened the account. Its not a business record.

55 The Objections As to all of the information: (12) Who put the numbers on the machines? The computer. Its the declarant. I should have the right to cross-examine the computer itself. (12) Who put the numbers on the machines? The computer. Its the declarant. I should have the right to cross-examine the computer itself.

56 ICAC Training & Technical Assistance Program The Objections (13) Wheres the custodian? I have an absolute right to cross-examine the custodian! (13) Wheres the custodian? I have an absolute right to cross-examine the custodian!

57 The Objections They cannot show that the electronic record has not bedn tampered with or changed, so there is no authenticity. They cannot show that the electronic record has not bedn tampered with or changed, so there is no authenticity.

58 The Objections The possibility of alteration is not sufficient to exclude electronic evidence. As with paper documents, the mere possibility of alteration is not sufficient to exclude electronic evidence. It is a weight, not admissibility issue. The possibility of alteration is not sufficient to exclude electronic evidence. As with paper documents, the mere possibility of alteration is not sufficient to exclude electronic evidence. It is a weight, not admissibility issue. U.S. v. Bonallo 858 F.2d 1427 (9 th ) U.S. v. Bonallo 858 F.2d 1427 (9 th )

59 Objections We dont know who actually sent this /was on this chat etc. We dont know who actually sent this /was on this chat etc.

60 Objections Circumstantial evidence establishes authorship. addresses, IP addresses, signature blocks and content can get past authenticity. U.S. v. Simpson 152 F.3d 1241 Circumstantial evidence establishes authorship. addresses, IP addresses, signature blocks and content can get past authenticity. U.S. v. Simpson 152 F.3d 1241

61 Website Authentication Printouts of website are not self authenticating. U.S. v. Jackson 208 F. 3d 633 Printouts of website are not self authenticating. U.S. v. Jackson 208 F. 3d 633 Need to call someone who is familiar with the site or viewed it contemporaneously to your crime. Need to call someone who is familiar with the site or viewed it contemporaneously to your crime.

62 ICAC Training & Technical Assistance Program The Objections AOL responds to subpoena duces tecum by copies of identifying information and billing records They also send , along with an FRE 902(11) declaration. But there is no custodian present. Admissible?

63 ICAC Training & Technical Assistance Program Relevance 401 Simple

64 ICAC Training & Technical Assistance Program Authentication 803(6) Report/Record/data compilation 902 Self Authentication Do you recognize Court Exhibit # 1? What is it? Where did it come from?

65 ICAC Training & Technical Assistance Program The Basic § 803(6) Requirements The writing was made in the regular course of business. The writing was made at or near the time of the act, condition, or event The custodian or other representative testifies to its identity and mode of preparation; and The sources of information and method and time of preparation were such as to indicate its trustworthiness. No Crawford implications

66 ICAC Training & Technical Assistance Program The Object of the Exercise... Is to show how the computer generated records satisfy all four of these requirements. OR – alternatively How the computer generated document is authenticated as a document and relevant as such without reference to its hearsay content.

67 ICAC Training & Technical Assistance Program Practice Point Write a trial brief on these issues The defense will focus on the perils of unknown information. Court is uncomfortable with electronic evidence. Acquaint the Court with the issues and authorities before you start.

68 ICAC Training & Technical Assistance Program The Forest Before the Trees – the Right Metaphor FRE 104 foundation is not rigid or formalistic. Could a reasonable jury find by a preponderance of the evidence It is NOT a checklist, each item of which must be marked off before the item is admitted The Right Metaphor is topics in a theme, each of which must be addressed in the showing

69 ICAC Training & Technical Assistance Program The Forest Before the Trees – Weight v. Admissibility Case authority repeatedly emphasizes reliability is NOT the same as infallibility. A business record may be trustworthy and still be found to contain errors.

70 ICAC Training & Technical Assistance Program The Forest Before the Trees – The Fundamental Authority People v. Lugashi (1988), 205 Cal. App 3 rd 632 Case involved the use of stolen credit card numbers to post phony sales transactions. Wells Fargo Bank was the victim. The transactions were posted by telephone. Proof of the records involved a description of Wells Fargos entire data processing system, which involved transfers from phone records to magnetic tape, dump to computer, software processing, etc.

71 ICAC Training & Technical Assistance Program The Forest Before the Trees – The Fundamental Authority (cont.) The witness providing the foundational showing was a Loss Prevention Offc. LPO knew the system and case cold, but lacked any formal computer training Foundation was attacked on appeal. Case affirmed with great language.

72 ICAC Training & Technical Assistance Program The Objections Revisited Your honor, this person is only a security guard without any formal background or training. Shes not qualified to testify to the records systems.Your honor, this person is only a security guard without any formal background or training. Shes not qualified to testify to the records systems. Response – anyone who knows the system can serve as an adequate company representative. Do not have to have written the computer program U.S. v. Salgado 250 F3d. 438

73 ICAC Training & Technical Assistance Program The Objections Revisited (2) All she knows is what she sees on the screen. She doesnt know anything about how the hardware and software run. So shes incompetent to testify about the mode of preparation (2) All she knows is what she sees on the screen. She doesnt know anything about how the hardware and software run. So shes incompetent to testify about the mode of preparation Response –Dont need an expert. A person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resultant data is a qualified witness. Lugashi.

74 ICAC Training & Technical Assistance Program The Objections Revisited (3) She only learned what she learned from talking to others. Her testimony is based on hearsay and objectionable. Response – This objection has been considered and dismissed. Most people have learned what they learned listening to others.

75 ICAC Training & Technical Assistance Program A Final Comment on the Hearsay Objection The point of §1271/803(6) is to eliminate the necessity of calling multiple witnesses for one transaction. The object of Evidence Code section 1271/803(6) is to eliminate the calling of each witness involved in preparation of the record and substitute the record of the transaction instead [cit. omit]. County of Sonoma v. Grant W. (1986), 187 Cal. App. 3d 1439 at Accord, People v. Matthews (1991) 229 Cal. App. 3 rd 930 at 940 – and of course Lugashi

76 ICAC Training & Technical Assistance Program The Objections Revisited (Internet Trace) (10) It would take an expert to tell us about the Internet. This cop is no expert, just a flat foot with a laptop.(10) It would take an expert to tell us about the Internet. This cop is no expert, just a flat foot with a laptop. Response – Evidence Code §702 indicates the specialized knowledge of an expert can be based on `skill, experience, and training as well as education. Query whether basic `Internetology requires anything more than lay opinion these days. 701 It almost certainly will not in the near future.

77 ICAC Training & Technical Assistance Program The Objections Revisited (internet Trace) What do we really know about the Internet? Its just a collection of wires. How do we know this Who-Is service is accurate? Maybe there are hundreds of domain names and hundreds of e- mail accounts that are the same as this.What do we really know about the Internet? Its just a collection of wires. How do we know this Who-Is service is accurate? Maybe there are hundreds of domain names and hundreds of e- mail accounts that are the same as this. Response – no case law this time, but there is a dead on statute Evidence Code §803(17) – the phone book exception

78 ICAC Training & Technical Assistance Program Evidence Code §803(17) Evidence of a statement, other than an opinion, contained in a tabulation, list, directory, register, or other published compilation is not made inadmissible by the hearsay rule if the compilation is generally used and relied upon by persons in particular occupations. Dead on to the directories of business and TSP sites maintained by Network Solutions, Who Is, Sam Spade, and so on. Literally the same as the phone book

79 ICAC Training & Technical Assistance Program Pushing the Envelope (Practice Tip) What is Todays Expertise is Tomorrows Common Knowledge Remind the Judge that there was a time when the operations of the telephone, television, radio, and so forth, were esoteric and the subject of expertise. Although some of these still are, the basics are not and jurors follow them easily. Most foundational matter with respect to computer operations are very basic and increasingly understood as a matter of everyday experience. The threshold showing of reliability thus becomes easier to make, as it has with other technology.

80 ICAC Training & Technical Assistance Program The Objections Revisited ( Account) (11) This is more information that is unreliable. The source isnt the company, its the person who opened the account. Its not a business record.(11) This is more information that is unreliable. The source isnt the company, its the person who opened the account. Its not a business record. Response – the document is being admitted not as the record of an `act, condition, or event, but as a document, i.e, the account information on the account just happens to be the personal information of the defendant. Ascertainable from the `face of the document, as it were. The record is thus subject to the liberal authentication procedures of Evidence Code §901/ 902

81 ICAC Training & Technical Assistance Program The Objections Revisited (12) Who put the numbers on the machines? The computer. Its the declarant. I should have the right to cross-examine the computer itself. Response – as farcical as this sounds, the objection has been made in practice. People v. Hawkins (2002) 98 Cal. App 3d is dispositive. `Mechanical computer functions are proved up by showing that the machine was working properly.

82 ICAC Training & Technical Assistance Program The Objections Revisited (Absence of Custodian) (13) Wheres the custodian? I have an absolute right to cross-examine the custodian! (13) Wheres the custodian? I have an absolute right to cross-examine the custodian! Response: Does he? Really? Think about it Response: Does he? Really? Think about it He has no statutory right, because Evidence C. 803(6) §902(11) provides that the affidavit is sufficient He has no statutory right, because Evidence C. 803(6) §902(11) provides that the affidavit is sufficient So he must be talking about a Constitutional right. So he must be talking about a Constitutional right. Does the right to confront and cross-examine witnesses really extend to bare bones foundational showings provided by affidavit? Does the right to confront and cross-examine witnesses really extend to bare bones foundational showings provided by affidavit? Crawford says no. Crawford says no.

83 ICAC Training & Technical Assistance Program The Objections Revisited (Absence of Custodian) However, if this seems a bit too audacious to you: (1) All Evidence C. §803(6) requires is an authorized representative. (1) All Evidence C. §803(6) requires is an authorized representative. (2) If the hotel is a national chain, use a local (2) If the hotel is a national chain, use a local (3) If not, it almost certainly uses the services of an accounting firm with national affiliations. (3) If not, it almost certainly uses the services of an accounting firm with national affiliations. (4) A member of the local branch of the accounting firm who has familiarized him- or herself with accounting practices, should do fine. (4) A member of the local branch of the accounting firm who has familiarized him- or herself with accounting practices, should do fine.

84 ICAC Training & Technical Assistance Program Common Areas for Digital Evidence Warrants Subscriber account info InterNIC/WhoIS Sources of Evidence Web pages IRC/Chat Computer Forensic Exams File structure Recovery of deleted files Recovery of text and images Our Approach What you get How to get it admitted How to present it Working with Your Forensic Examiner

85 ICAC Training & Technical Assistance Program Evidence Code Section 1001(3)-(4) Printed Representation of Computer Information A printed representation of computer information or a computer program is presumed to be accurate The presumption is rebuttable If rebutted by evidence, accuracy must be established by a preponderance of the evidence

86 ICAC Training & Technical Assistance Program Authentication/Best Evidence Now what? EC Secondary Evidence Rule Content of a writing may be proved by otherwise admissible secondary evidence Content of a writing may be proved by otherwise admissible secondary evidence Unless a genuine question is raised as to the authenticity of the original or unfair to admit the copy

87 ICAC Training & Technical Assistance Program A printed representation of images stored on video or digital media is presumed accurate The presumption is rebuttable If rebutted by evidence, accuracy must be proven by a preponderance of the evidence Evidence Code Section 1001(3)(4); 1003 Printed Representation of Images Stored on Video or Digital Medium

88 ICAC Training & Technical Assistance Program Oral testimony is admissible if: The writing is excessive and would consume court time The writing is excessive and would consume court time Evidence sought is general result of whole Evidence sought is general result of whole Can use charts, summaries, diagrams Consider using for: Log files Log files Summary of files or applications on examined drive Summary of files or applications on examined drive Web browsing history Web browsing history Timeline for who was home when access to files occurred Timeline for who was home when access to files occurred Admissibility of Oral Evidence Rule 1006

89 ICAC Training & Technical Assistance Program ISP Warrant Results Subscriber Account Information Account History LogsFormat Letter from ISP summarizing results Letter from ISP summarizing results Computer generated printout Computer generated printout

90 ICAC Training & Technical Assistance Program Admissibility of ISP Warrant Return Authentication Authentication Hearsay Hearsay Presentation Presentation

91 ICAC Training & Technical Assistance Program Hearsay and ISP Warrant Return How to we get the warrant results admitted? Business records Where is your custodian? Where is your custodian?SDT Do the records still exist? Do the records still exist? Computer-generated record not hearsay? Basis for expert opinion * Evidence not actually admitted * Evidence not actually admitted Safe practice - Immediately follow warrant with SDT

92 ICAC Training & Technical Assistance Program Authentication Evidence sufficient to show what you claim it is (EC 901) Have receiving officer authenticate warrant return Originators testimony not necessary - EC 903 Originators testimony not necessary - EC 903 Received in response to communication to author - EC 901(b)(4) Received in response to communication to author - EC 901(b)(4) Content - EC 901(b)(4) Content - EC 901(b)(4) EASY- 902(11) with Sw return EASY- 902(11) with Sw return

93 ICAC Training & Technical Assistance Program IRC/Chat Room Conversations Authentication? Officer/victim who preserved text Officer/victim who preserved text Forensic examiner who recovered text Forensic examiner who recovered text Must establish ID of suspects screen name Must establish ID of suspects screen nameHearsay? Non Hearsay: Motive, ID, intent, state of mind Non Hearsay: Motive, ID, intent, state of mind EC 801(d)(2)(a) - Statement of a Party EC 801(d)(2)(a) - Statement of a Party EC 801(d)(2)(e)- Co-Conspirator Statements EC 801(d)(2)(e)- Co-Conspirator Statements EC 801(d)(1)(a) - Prior Inconsistent Statement EC 801(d)(1)(a) - Prior Inconsistent Statement EC - Past Recollection Recorded EC - Past Recollection Recorded


Download ppt "Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can government obtain emails and network account logs."

Similar presentations


Ads by Google