Monday, August 23, 2010

Chat Logs, Authentication and the Best Evidence Rule

I’ve done several posts on authenticating online communications, including one that deal with authenticating text messages and with a hearsay challenge to the admissibility of such messages. This post is about a recent case from Indiana in which the admissibility of chat logs was challenged on the basis that they weren’t properly authenticated and/or violated the best evidence rule.


The case is Stearman v. State, 2010 WL 3159827 (Indiana Court of Appeals 2010). The opinion we're going to analyze resulted from Brian Stearman’s appealing his conviction for child solicitation in violation of Indiana Code § 35-42-4-6(c)(1), which makes it a crime for someone who’s at least 21 years old to solicit a child who is between 14 and 16 years old for sexual intercourse.


This is how Stearman came to be charged with child solicitation:


On July 12, 2007, Noblesville Police Detective Charles Widner was in an online chat room, working undercover as part of the Child Exploitation Task Force. . . . Widner utilized Yahoo Instant Messenger with the profile name: sadams858. He also had a picture on the profile of a young female. [Stearman] initiated a conversation with Widner with an `instant message’ of you are cute’. Widner responded with `thanks ... asl? [age, sex, location?]’. [Stearman] replied, `i'm brian, in fishers. 36, single...with pic and Widner identified himself as Sandy, a fifteen-year-old girl from Fishers. [Stearman] continued his communication with `Sandy’ [the text of which is omitted here].


Widner recorded the entire chat by using `copy and paste’ from the `instant message box as it appear[ed],’ saved it to a Word document, and saved that document in a folder The document includes the screen names, time of each message, and all instant messages Widner used this method instead of the instant messenger archive because Yahoo Instant Messenger does not record the initial contact.


The next morning, Defendant initiated contact again with `Sandy’ . . . . [the text of that chat is also omitted here but in it Stearman arranged to meet “her” and another girl at a nearby location in a few minutes]. Widner used the same procedure as the day before to record the chat He then obtained [Stearman’s] information from the BMV, and with other detectives, went to the apartment complex. [Stearman] `was . . . apprehended before he exited the apartment complex’. . . .


Widner obtained a search warrant for [Stearman’s] residence . . . and seized nine computers Widner performed an `onsite preview’ of the computers at the police station and found Yahoo Instant Messenger on two computers . Detective Kimm examined the two computers and found the Yahoo archive chat from July 13 between [Stearman] and Widner.


Brief of Appellee, Stearman v. State, 2010 WL 3000342. (I omitted the substance of the chats (a) because I’m sure you can imagine what they said and (b) because they’d made this post way, way too long if I included them.) As I noted above, Stearman was charged with child solicitation, convicted by a jury and appealed. Stearman v. State, supra.


Prior to trial, Stearman filed a motion in limine to bar admission of the Word document memorializing the chat, claiming `Detective Widner had the ability to save the chat, in a Yahoo archive, but apparently failed to do so.’ . . . . Stearman claimed that because `the State has failed to save the [electronically stored information] in [its] original form, it is impossible for the State to authenticate the documents as required by Rule 901 of the Indiana Rules of Evidence. Stearman also claimed that because the chat was `pasted into a different format,’ its admission into evidence would violate the `best evidence’ rule. Following a hearing, the trial court denied Stearman's motion in limine.


Stearman v. State, supra. During Stearman’s trial Widner testified that


State's Exhibit 2 is the `chat log from July 12, 2007.’ He verified that the exhibit is `a true and accurate and full and complete copy of the exact chat that [he] had with’ [Stearman]. Widner further testified that State's Exhibit 4 is the chat log from July 13, 2007,’ and is `a complete and accurate copy of the full chat log.’ Widner explained that he attempted to retrieve the chats from the archive in the computer, but the instant messenger program was removed, and `it took off the archive chats with it as well.’


Stearman v. State, supra.


The Indiana Court of Appeals first addressed Stearman’s argument that the chat logs had not been properly authenticated. As I’ve explained in earlier posts, each U.S. state and the federal judicial system has its own rules of evidence, each of which will impose some requirement that evidence be “authenticated” in order to be admissible. Rule 901(a) of the Federal Rules of Evidence says the “requirement of authentication . . . as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims” it to be. Rule 901(b) gives some examples of how evidence can be authenticated, i.e., testimony by someone who can identify it; an expert’s comparing it with “specimens which have been authenticated;” distinctive characteristics; public records; or any other method prescribed by law. The rule at issue in the Stearman case was Indiana’s version of Federal Rule 901(a).


In addressing this issue, the Court of Appeals noted that under Indiana law,


authentication is established by evidence that is sufficient to support a finding that the matter in question is what the proponent claims it is. Indiana Evidence Rule 901(a). This requirement is satisfied by `[t]estimony of a witness with knowledge that a matter is what it is claimed to be.’ Indiana Evidence Rule 901(b). Absolute proof of authenticity is not required. Fry v. State, 885 N.E.2d 742 (Indiana Court of Appeals 2008). Thus, when the evidence establishes a reasonable probability that an item is what it is claimed to be, the item is admissible. Thomas v. State, 734 N.E.2d 572 (Indiana Supreme Court 2000).


Stearman v. State, supra. The court then rejected Stearman’s first argument:


Detective Widner testified that the entire online conversation he participated in was copied onto a Word document and saved in a folder. And, as noted above, the exhibits admitted at trial were the printouts of the chat that were saved to the file folder. Detective Widner knew that the printed conversation is what it was claimed to be. Thus, we conclude that Detective Widner validly authenticated the exhibits pursuant to the requirements of Indiana Evidence Rule 901(b)(1).


Stearman v. State, supra.


The Court of Appeals then addressed Stearman’s best evidence rule argument. As I’ve noted in earlier posts, the best evidence rule dates back at least to the 18th century, when copies of documents were usually made by hand, i.e., were hand-written. As Wikipedia explains, the premise of the rule is that the “best” – I,e., most likely to be accurate – evidence was the original, since errors (or fraud) might creep into a copy.


Stearman argued that “the printouts of the online chat failed to satisfy the requirements of the best evidence rule” because “the chat log was `not the original, but instead is merely a copy pasted into a different format’”. Stearman v. State, supra. The Court of Appeals began its analysis of his argument by noting that under Indiana’s version of the rule – which is codified in Indiana Rule of Evidence 10002 – to “prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by statute.” Stearman v. State, supra. The court also noted, however, that “in the context of information stored in a computer, `any printout or other output readable by sight, shown to reflect the date accurately is an “original”’”. Stearman v. State, supra (quoting Indiana Rule of Evidence 1001(3).


The Court of Appeals then rejected Stearman’s claim that admitting the chat logs had violated the best evidence rule:


[T]he recorded online conversation was saved in a Word document and stored in a folder. The document identifies the screen names, the time of each message, and the content of all instant messages. And Widner testified that the printouts accurately reflected those conversations. Thus, because the computer printouts constitute `originals’ in accordance with [Indiana Evidence Rule 1001] we conclude that the requirements of the best evidence rule were satisfied. . . .


[W]e also note that an original is not required if the original has been lost or destroyed `unless the proponent lost or destroyed [the original] in bad faith.’ [Indiana Evidence Rule 1004(1)]. Here, the evidence showed that although Detective Widner attempted to retrieve the chats from the archive in his computer, the instant messenger program was removed, and `it took off the archive charts with it as well.’ Hence, the instant message conversations no longer existed, and the only recording of that information is the copy Widner saved. Stearman has made no showing that Widner acted in bad faith when he saved the conversations by copying them into a Word document file rather than by saving the Yahoo! Instant Messenger archive. Thus, even if we concluded solely for the sake of argument that the computer printouts were not `originals,’ they were nonetheless admissible.


Stearman v. State, supra. The Court of Appeals consequently affirmed Stearman’s conviction and, in so doing, upheld the sentence imposed by the trial court: three years of incarceration with 180 days executed and two-and-one-half years suspended with two years on probation.” Stearman v. State, supra.


5 comments:

eye5600 said...

If I was on the jury, I'd wonder how much credit to give the testimony of such an incompetent policeman. If you are supposed to be an investigator of computer crimes, I'd expect to see a little more expertise.

There is software available that is used to covertly record all the activity on a PC. It's used, e.g. for management to see if an employee is misusing his work computer. It's not too different from software parents might use to monitor a child's use of the internet. There's got to be a law enforcement version tailored to the specific task of recording evidence of these chat room stings.

Anonymous said...

In light of all the crime lab scandals all across the nation (with lab techs faking blood tests and the like), how can electronic 'evidence' be trusted when it is so easy to fake? "I want to buy you some ice cream" turns into "Let's meet and have sex" and there is no way for a defendant to say otherwise.

I don't really mind these kinds of stings so much since they serve a purpose in culling the gene pool of idiots (after all, who tries to meet strange people online and then go have sex with them?). But in something important or more widespread I can see some serious problems. For a cop to fake chat logs it only takes himself and no one will know.

Don't know if you have heard about the huge FBI investigation into hundreds of agents who cheated on a test (an open book one at that!), but how can you really trust the cops anymore? If you're going to cheat on an open-book test, what's to stop you from cheating on something more serious?

http://www.huffingtonpost.com/2010/07/28/fbi-cheating-scandal-just_n_661744.html

TeleSign Matt said...

Your post underscores the need for a better means of identifying a site user, criminal or not. Most sites which lend themselves to the activities mentioned in your post are subject to these loopholes. I've been working with a company called TeleSign, that has been a pioneer in the domain of website security and authentication. Their technology provides detailed information from users whether originating at a computer or VOIP and even a pre-paid mobile phone. I would suggest that you contact them for their perspective and see if their solutions may assist from a legal perspective. www.telesign.com.

Respectfully,

TelSign Matt

Anonymous said...

Moral of the story: Courts and Judges will only listen to Cops and Detectives.

Why? Judges don't have any technical and they don't want to waste time and money by calling computer forensics expert(s). So why keep piling up cases. Just ridiculous

I've studied computer forensics and examined few hundred hard drives (for evidences) for fortune 500 corporations. Copy/pasting chat log and using as evidence shouldn't be used to convict someone.

Anonymous said...

To the nay-sayers above: If the solicitation had been made in person and the only evidence was the officer's testimony, would you automatically throw the case out? If not, then why are you arguing that the officer's testimony is insufficient here when it is supplemented by some contemporaneously captured notes?