Hey, glad you like the piece I wrote. A few thoughts.

First, if the question is what strategy a lawyer should take to try to make sure logs etc. are admitted, a good strategy in federal court is first to try to have the records admitted under the business records exception. In my experience, judges just expect it, and as long as no one makes a fuss, they'll admit the records. Practically speaking, you just want the records *in*, and you don't care what theory a judge buys as to why it should be admitted. If the court wants to admit the records under the business records exception, then by all means, let them.

The only problem comes up when records are not kept "in the course of a regularly conducted business activity." Example: sysadmin sees an intrusion and uses some commands to generate logs about the intrusion. The sysadmin has never actually used the commands before-- for some reason, the particular logging is unusual. Now imagine that the government (in a criminal case) or the victim (in a civil case) offers the logs as evidence in court. If the logs are offered under the business records exception, the defense can counter that the logs were not kept in the ordinary course of business, and should be ruled inadmissible. "Your honor," he will say, "this logging had never been performed before, and it was not the ordinary practice of the victim to keep such logs." In such a case, the court could rule that the evidence could *not* be admitted under the business records exception.

The trouble is, there's absolutely no reason why whether computer logs are kept in the ordinary course of business should matter to their admissibility. In the hearsay context, the "ordinary course of business" helps assure that the person who took the records wasn't fudging to produce a record that could help the party offering the document. People have an incentive to play it straight when they keep the records in the "ordinary course of business."

However, computers don't fudge-- unlike people, they just do whatever they're instructed to do. So a function that is used correctly should produce accurate results. What matters is whether the function works, and was used correctly, not whether it was used in the ordinary course of business. As I see it, these are questions of authentication, not hearsay.

Here's a practical approach: when you want a court to admit documents that are in fact kept in the ordinary course of business, try to admit them as business records. When not, try to admit them as business records, but then be ready to argue that actually there's no hearsay at all, and that the proper question is authenticity, not hearsay.

Orin

Orin S. Kerr
Associate Professor
George Washington University Law School
okerrat_private

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 16:00:30 PST