At 11:04 PM 12/11/2002, Tina Bird wrote:
><much discussion cut for brevity, not for lack of interest>
>
>On Wed, 11 Dec 2002, Tom Perrine wrote:
>
> > [Hey! Erin! Where are you?]
> >
>Okay, Tom, you include your local lawyer, I'll include mine ;-), who
>authored my favorite discussion of the use of computer data in court.
>Group, meet Professor Orin Kerr.

Okay, I'm stepping up to the chopping block..........

First off, this is a great thread and rather than pull a point-counterpoint, I'd suggest referencing an article I wrote that deals with the subject: http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally.html (III.B.2., most notably). As for Professor Kerr's article, I read it when it first came out and it is indeed an extremely insightful article......

I'll try to address some of the issues/questions by reiterating some of what I put forth in the aforementioned article as it pertains to judicial approaches to reconciling the reliability of digital evidence (logs, in this case) and the problem with hearsay and the business records exception to digital evidence (logs, specifically):

The threshold for authenticating computer-derived evidence is ambiguous and largely only superficially addressed by some courts. Some recommend a higher standard than that applied to photographs, whereas others give judicial notice to the authenticity of computer-derived evidence under F.R.E. 901(b)(9), which governs authentication of evidence describing a process or system. To date, much computer-derived data have gained admission upon a foundational showing that the computer process or system produces accurate results when used and operated properly and that it was so employed when the evidence was generated. Federal Rule of Evidence 901 affords a presumption of authenticity to evidence such as x-rays, photographs, tape recordings, computer-generated records or scientific surveys produced by an automated process that is shown to render accurate results.
This presumption of reliability has been commonly extended to software performing data storage, collection or retrieval functions. Consequently, a majority of the cases considering the admissibility of such evidence have done so in the context of computerized business records that are maintained or prepared by electronic computing equipment. I advocate, however, that it is dangerous to immunize certain computer records from the hearsay rule by likening them to the product of a mechanical process that cannot produce hearsay. It would be persuasive to argue that computer logs, for example, are merely the "tangible result of the computer's internal operations" that do not rely on human observations or reports, and are made contemporaneously with the capturing of data.

Another standard to which courts have subjected computer-derived evidence is the evidentiary prohibition against hearsay. It is generally accepted that computer programs violate the hearsay rule because they contain out-of-court statements by declarants (computer operators, programmers, data entry personnel) and are offered to prove the truth of the matter asserted. Nonetheless, federal courts have applied the business records exception (F.R.E. 803(6)) to a wide variety of computer-based information and there is an abundance of case law allowing the introduction of computer-based records under this exception. Alternatively, proponents of computer-derived evidence have bypassed hearsay exception hurdles by convincing the court that such evidence constitutes a product of a device performing pre-programmed tasks on admissible data input, as with a radar gun or a calculator.
Computerized printouts of phone traces, for example, were not hearsay in one case because they did not rely on the assistance, observations, or reports of a human declarant; the report of phone traces was contemporaneous with the placement of the calls; and the printouts were "merely the tangible result of the computer's internal operations."

As with authentication and F.R.E. 702 (reliability) standards, the depth of inquiry and threshold of proof needed to establish computer-derived evidence as a business record are not always clear. One of the earlier cases to address this issue, for example, held computer records inadmissible as business records because of an insufficient foundation. The testimony of a record keeper for the telephone company was insufficient to establish a proper foundation of "trouble recorder cards" at issue because no complete and comprehensive explanation of either their method of preparation or their meaning was provided. This was despite the facts that the witness testified to having direct supervision and control of all the company's records, and that the cards were business records made in the ordinary course of business at or about the times and dates indicated on the cards.

Unlike phone trace records and calculators, however, the software producing logs (and log data) is programmed to capture and process data deemed to be relevant to its programmed function from many computers over a network. Questions about how complete the data capture is and how the logging software decides what should be captured and processed can only be done by examining the underlying source. To admit such evidence without uncovering the assumptions that underlie its function would invite the resolution of claims based on less than a modicum of reliable evidence.

As for applying these legal standards and principles to the myriad of digital scenarios, somehow I trust that there will be no shortage of issues raised by this group ...
looking forward to the dialogue.......

Erin

Erin Kenneally, M.F.S., J.D.
Forensic Analyst
University of California San Diego
San Diego Supercomputer Center
Pacific Institute for Computer Security
9500 Gilman Dr., La Jolla, CA 92093-0505
Phone: (858) 822-0991
http://security.sdsc.edu
Fax: (858) 534-5077

>Orin, we're having a little chat about using computer logs in court.
>
> > System logs are "hearsay" which is admitted under the "business
> > records exception". So there is at least a well-understood legal
> > method to get them in. But, once you've got the logs in evidence,
> > THEN the fun begins. That's where each side's expert witnesses
> > display dueling interpretations of what the logs actually mean.
> >
>http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm
>
>"Computer Records and the Federal Rules of Evidence"
>
>in which Orin differentiates computer data consisting of stuff that humans
>composed that happens to be stored on computers, from computer data
>generated without human intervention (after the program was written). he
>discusses the whole hearsay argument; we've discussed it on the list
>before, and i'm a little too backed up at the moment to recount it. but
>the article is >>fabulous<< and i heartily recommend it to anyone who's
>interested in the case law regarding those annoying little bits of data
>that we all know and love.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 11:44:30 PST