Sponsored by Page Vault.
Records of webpages, like any Electronically Stored Evidence (ESI), are easily altered. Lucy L. Thomson, Chair of the ABA Section of Science & Technology Law, emphasizes that traditional foundations for computer records may no longer be adequate to address the complexities of modern information systems from which electronic evidence is generated—because digital information may be created easily and without any verifiable record of who did so, and it can be changed, often without detection.
In order to establish that records of webpages are authentic, attorneys should maintain and document the digital chain of custody of such records as much as possible. Maintaining a digital chain of custody for records of webpages is particularly important because webpages themselves may be easily changed or deleted. In such cases, the record made by the investigator may be the only record of how that page appeared at a given time and cannot be authenticated by corroboration in case of dispute.
In this paper, we look at what the digital chain of custody is for webpage evidence, why maintaining and documenting a digital chain of custody for records of webpages is important, and how legal professionals can best do this.
What is the digital chain of custody for webpage evidence?
Chain of custody is the record of preservation of evidence from collection to presentation in court. The goal of properly maintaining and documenting chain of custody is to show that the evidence presented to the court is the same as what was originally collected, and that the evidence was preserved without tampering or alteration.
Webpages are easily changed or deleted, and webpage evidence is often very difficult to subpoena. Therefore, when evidence appears on the web, an accurate record of that evidence at that point in time should be made. Properly maintained and documented chain of custody for such a record establishes that it accurately reflects what appeared on the date and time stated by showing that (1) when it was originally produced, it accurately recorded the web page in question, and that (2) the record was not subject to alteration from the point of collection until presentation in court.
Why does the digital chain of custody for webpage evidence matter?
Ease of altering webpage evidence
Electronic evidence, and in particular a web page, is especially easy to alter. Webpage evidence is susceptible to alteration at any point in the chain of custody. (1) User-operated software or malware can alter the content provided to a user’s browser before it is displayed so that what is displayed in the browser is not the original content provided by the webpage server for display. (2) After being downloaded and displayed in a browser, a webpage can be easily manipulated by changing the page’s source coding within the individual browser—a relatively simple task requiring only the most basic knowledge of “html” code. The altered page may then be recorded with a screenshot or by printing from the browser. Detection of such alterations in these first two instances given only a printout of the altered page may be impossible. (3) Finally, records of webpages may be altered after the point of collection with photo editing tools, or parts of those records may be deleted.
Interested parties part of the chain of custody
Individual parties to a litigation sometimes make their own screenshots and present them to their attorneys to bolster their case. By doing so, the interested parties become part of the chain of custody. While it is preferable for their attorney or a trusted third party to make the record of the webpage, the attorney or expert may not have immediate access to the page in question, and the page may have disappeared by the time the attorney or third party is contacted.
For cases where the client is in the best position to gather the evidence, e.g. the client is being sporadically threatened on social media, but the threatening party removes the posts soon afterward, the best option may be software that allows the client to capture webpages while removing the client from the chain of custody.
Dangers of deleted pages
Because webpages can easily (and intentionally) be deleted or hidden from public access, an attorney’s record of a webpage may be the only record of crucial evidence that had appeared on the web.
A page stored on a web server can be deleted or edited: real dangers of spoliation exist for webpage evidence. For example, in Lester v. Allied Concrete (Va. Ct. App, 2013), plaintiff’s counsel advised plaintiff to “clean up” his Facebook page in response to a discovery request by deleting photographs and deactivating the account. In such cases, an opposing party may require proof that spoliated material was indeed on the web at a specific time in the past to prove spoliation.
Subpoenas served by private parties to providers of social media platforms for a given user’s private (“hidden”) content often fail: social media providers will usually not furnish contents of an individual’s account, even when subpoenaed, relying on the Stored Communications Act (18 U.S.C. 2701). Attorneys should assume that providers of services will not comply with requests to produce content; attorneys should always make the best records possible, and as early as possible before opposing party changes access permissions.
In order to ensure against charges of spoliation, a party to litigation may record the exact state of their page or social media account at the beginning of a matter. An authentic record of the material at a point in time is essential in case opposing party accuses the litigant of having deleted or altered the webpage and will furnish a defense against spoliation.
What constitutes digital chain of custody for webpage evidence.
Michael Arkfeld, in a seminal work on electronic discovery, notes that, “Chain of custody testimony would include documentation on how the data was gathered, transported, analyzed, and preserved for production. This information is important to assist in the authentication of electronic data since it can be easily altered if proper precautions are not taken.”
When introducing webpage evidence in court, there are four key points for establishing a digital chain of custody:
A record of how the webpage appeared at a given date and time. Typically, the Court intends that the record of the webpage depicts the page as it was originally rendered in a browser. The most straightforward way to do this is through a “screenshot”—i.e. use the print-screen feature on your computer to make an image file of the appearance of your browser. A screenshot shows the page exactly as it appeared to the viewer. Other methods often fall short of reproducing the page as it appeared—browser’s “print” functions often fail to print out some elements on the page or re-arrange the format and layout of the page as it originally appeared in the browser.
Legal professionals should verify that any application used to expedite collection produces such exact records; some web archiving tools are designed only to archive text or other features of the page, but do not provide legal-grade screenshots.
Accompanying metadata specifying the date and time of collection, and typically the person collecting the evidence. Metadata (“data about data”) specifies information about the record produced, such as the date and time when the record was made and the URL of the page recorded. Attorneys should insist that a systematic method of recording metadata be followed. An Excel spreadsheet can be dedicated to a case matter with columns for time, date, URL, and person collecting evidence; in this case, the filename(s) of each capture should be carefully recorded so that reviewers are clear which screenshots correspond to which metadata.
The name of the person collecting the evidence is recorded chiefly in order to establish who is able to testify to the authenticity of the capture should the court require this for authentication (see below). This may be omitted if the attorney is using other methods of authentication that do not rely on the testimony of the person capturing the webpage.
Attorneys reviewing software solutions should look for software that automatically records and attaches metadata to captures; such software will increase productivity while reducing errors of omission and disorganization.
Evidence that the collection was performed at the date and URL indicated in the metadata. In order to authenticate the evidence in court, a typical route is to have the person making the record testify that that they made the record and that the record is a true and accurate representation of the webpage as it appeared at the time and URL specified (in accordance with FRE 901(b)(1) or state equivalents). But forensic experts Sharon Nelson and John Simek, writing in the ABA’s Judges’ Journal, caution:
You really don’t want to put anyone from your firm on the stand to authenticate the evidence, particularly because your firm and your client have a vested interest in the outcome of the case.
Trusted third parties such as forensic experts may be a better choice, but may be expensive, especially when large amounts of webpage evidence needs to be collected.
An alternative to having individuals testify is to authenticate the evidence in court under FRE 901(b)(9), which requires “evidence describing a system or process and showing that it produces an accurate result.” In this case, attorneys need to employ a software process for webpage captures that produces accurate representations of webpages. Companies offering such products may offer affidavits and explanations of their process that can accompany submissions of the evidence in court.
Evidence that the collection has not been altered. The best practice for preserving webpage evidence is to hash and digitally timestamp data immediately after the collection is made. Hashing and timestamping the data establishes that there has been no alteration of the record since the hash or timestamp was made. However, this can be expensive and onerous for large collections. Additionally, alterations made between the point of collection and the point of hashing/timestamping are not detectable and the possibility of such alteration cannot be ruled out. Again, forensic consultants who collected and preserved the evidence can act as trusted third parties and testify to the authenticity of the evidence.
Performed manually, these procedures may seem difficult or burdensome, but software products designed specifically for legal-grade webpage capture are becoming available. Attorneys who take digital chain of custody seriously should review such software in light of the best practices listed above. Forensic experts Nelson and Simek, cited above, describe what they are looking for in such software:
In a perfect world, the collection of social media will have timestamps and header metadata, the data will be stored unchanged, and they will be played back so that they are viewed as they originally existed. And of course, there should be an audit trail to the original content.
For the lawyer and firm wishing to employ best practices, Page Vault offers software that accurately records webpages and metadata while removing the user from the chain of custody. The company also offers affidavits describing the chain of custody. The software is suitable for individual lawyers, teams, and large firms; attorneys can easily extend use of the software to clients or interested parties who can then capture webpage evidence without being part of the digital chain of custody.
New rules of evidence.
Current systems for establishing chain of custody seem out of proportion to the risks involved; lawyers may opt for less stringent measures but then risk a challenge or problem in court. On the other hand, lawyers may incur large expenses in collecting and preserving evidence whose authenticity is later unchallenged.
The Federal Judiciary Conference is proposing changes to Federal Rules of Evidence 901 to lessen the expense and inconvenience of authenticating webpage evidence. “A proponent establishing authenticity under this Rule must present a certification containing information that would be sufficient to establish authenticity were the information established by a witness.”
This would likely entail making, and later verifying, that hash values are the same, thus ensuring that the electronic evidence has not been altered, and then submitting a certification of that finding. If approved, these rules will encourage attorneys to adopt technology designed to collect and authenticate webpages.
Conclusion
Legal professionals, and especially civil litigators, should be familiar with the concept of digital chain of custody. Not only should they understand how they can document and maintain such a chain of custody, but they should be competent to challenge opponents when their evidence gathering has been inconsistent with best practices. Understanding digital chain of custody can help lawyers to evaluate new software tools designed to collect and preserve web evidence.
About the Authors
Patrick Schweihs, Esq. is a licensed patent attorney with years of experience in intellectual property and anti-counterfeiting law, and serves as VP of Customer Solutions at Page Vault. Stephen Nazaran is Co-founder and CFO of Page Vault. Please contact Patrick with questions or comments at patrick@page-vault.com or 312-970-0003.
Disclaimer: Any statements made in the above document are for promotional, educational, and/or informational purposes only, are general in nature, and are not intended, and should not be construed, as legal advice. The authors hereby disclaim any responsibility in connection with the above document and reader should consult a licensed attorney for appropriate legal advice.