Wednesday, December 17, 2008

Chain of Custody in Remote Computer Searches

Last week, I did a post on the European Union’s proposal to let police officers conduct remote searches of computers, presumably by using Trojan horse programs. In that post, I talked about what would be needed for such searches to be lawful under our 4th Amendment, i.e., what might be involved in getting a Trojan horse warrant.

This post – which may be pretty short – is about another issue remote searches would almost certainly raise: the issue of authenticating evidence allegedly obtained by using a Trojan horse program on a suspect’s computer.

As I explained in a post I did earlier this year, one of the things the prosecution (or the defense, when the defense is trying to introduce evidence) has to do in order to be able to get an item into evidence is to “authenticate” it, i.e., to show it is what it purports to be. Rule 901 of the Federal Rules of Evidence addresses this requirement (every state has a similar rule of evidence or statutory provision).

Rule 901(a) says that the “requirement of authentication . . . as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” Rule 901 also gives a number of examples of how evidence can be authenticated, two of which could be relevant in this context: Testimony by a “witness with knowledge” that “a matter is what it is claimed to be”; distinctive characteristics of the item. Rule 901(b)(1) & 901(b)(4).


A Minnesota court recently gave what I consider to be a really lucid explanation of the authentication requirement and how it can be satisfied. The case is State v. Kottom, 2008 WL 4977337 (Minnesota Court of Appeals 2008). Mr. Kottom (who I can tell I do not like at all) was charged with unlawfully buying and selling wild animals and several charges related to his unlawful use of traps to ensnare wild animals. One of the items of evidence against him was a videotape taken by a surveillance camera at the scene of one of his crimes.

On appeal, he argued that the trial court erred in admitting the video, claiming “the state failed to authenticate the evidence and did not establish the chain of custody.” State v. Kottom, supra. The court of appeals explained the requirements for lawfully admitting the videotape:
Authentication is a condition precedent to admissibility. . . . `If, upon consideration of the evidence as a whole, the court determines that [it] is sufficient to support a finding by a reasonable juror that the matter in question is what its proponent claims, the evidence will be admitted.’ State v. Hager, 325 N.W.2d 43, 44 (Minn.1982). When evidence is not unique or readily identifiable, the integrity . . . of the evidence must be authenticated by establishing the chain of custody. `Chain-of-custody authentication requires testimony of continuous possession by each individual having possession, together with testimony by each that the object remained in substantially the same condition during its presence in his possession.’ . . . In order to establish a valid chain of custody, the state must reasonably demonstrate that the evidence offered is the same as that seized and it is in substantially the same condition at the time of trial as it was at the time of seizure.
State v. Kottom, supra. The court noted that the proponent of the evidence does not have to negate “all possibility of tampering or substitution, but rather only [show] that it is reasonably probable that tampering or substitution did not occur.” State v. Kottom, supra. And like many other courts, this court noted that inferences concerning tampering or substitution “may well affect the weight of the evidence accorded it by the factfinder”. State v. Kottom, supra.

The state used the first alternative cited in Federal Rule of Evidence 901 to establish the chain of custody for the videotape in this case:
[Officer] Stage testified that he and two other officers set up the video camera and viewed the tape. . . . One of the officers, Lieutenant Michael Ramstorf, testified that several days after the case began, he left his position and handed off all evidence to Lieutenant Gregory Payton. Ramstorf testified that the videotape was kept in an evidence locker in his office until he gave it to Payton. Payton testified that the videotape was kept in an evidence locker, which is a gun safe that only he had access to. The officers' testimony established the authenticity and the chain of custody of the evidence. Therefore, the district court did not abuse its discretion in admitting the evidence.
State v. Kottom, supra. The same procedure is used, and works, when the evidence is, say, a gun or a computer or hard copy documents or most anything else that qualifies as evidence.

This procedure is used, and also works, when the evidence is a seized hard drive or an image taken of a hard drive . . . because in either instance, you have the kind of public evidence collection that occurred in the Kottom case or in every case that’s arisen until recently (or, maybe, that has arisen unless and until law enforcement really gets into the business of using remote Trojan horse searches of computers).

On the one hand, you could argue that it should work equally well for remote computer searches since the officers who run the Trojan horse program can explain what they did (maybe keep a log of what they did with it?) and then use either or both of those to show the chain of custody. This alternative would be the virtual analog of officers’ going into a house, searching the house for, say, a stolen handgun, finding the handgun and seizing it; the chain of custody would be their testimony as to how they found the gun, followed by their testimony and any available documentation showing how and where it was stored after they got it. For the chain of custody to be valid, they need to show – as the officers showed in the Kottom case – that there were no breaks in the chain, i.e., that the evidence was in their possession from the moment they seized it until it’s offered into evidence.

The problem I can see with this scenario is that the defense can point out – absent the officers’ generating some kind of detailed, absolutely unimpeachable log of everything they did – that this search was purely virtual and therefore invisible to any outside observers. I can see a defense attorney arguing that the officers who conducted the remote Trojan horse search of a computer – especially a computer that was part of a large network in a business or school – actually or potentially erred in ways that make the evidence inadmissible. The defense could argue, for example, that the officers got the wrong computer in the networked scenario; the defense could also argue that the officers tampered with (created or altered data) the evidence they claim to have found by using the Trojan horse program or substituted evidence that was actually taken from another computer for what was found on the suspect’s computer.

Not being technologically adept, I don’t know how easy it would be to generate a log or other real-time, detailed record that could establish the virtual chain of custody in this kind of situation. Even if it is possible to do something like that, though, I suspect defense attorneys could use the residual alternative the Kottom court noted to their advantage. That is, I suspect they might have some success arguing to the jury that the evidence cannot be trusted because – unlike the Kottom video secured in an evidence locker and gun safe – its provenance is simply too uncertain.

No comments: