The Federal Rules of Evidence were originally established to create uniformity in evidence law by providing guidance for every evidentiary problem that could be reasonably expected to occur at a trial. The rules are firmly grounded in the tangible, as courts typically deal with the concrete concerns posed by physical evidence or the testimony of witnesses. But, as our tangible world has grown increasingly virtual, so too has the evidence, creating a diametric switch the existing rules are ill-designed to accommodate. The rules of evidence simply do not speak specifically to the admissibility of digital evidence lawyers and judges now confront. Rules that speak to the written word, testimony, or physical evidence must now be construed and applied to electronic evidence, despite the radical differences between how most evidence was once created, and how it is generated now. The question of how and whether to adapt the rules of evidence for the digital era presents two possible approaches: Does disruptive technology compel a rewriting of existing rules, or are technology-specific approaches to evidentiary issues a solution in search of a problem, and more likely to create new problems as lawyers and judges struggle to craft new rules for digital evidence?
In May 2015, the Advisory Committee on Evidence proposed Rules 902(13) and 902(14) concerning the authenticity of electronically stored information.1 While the proposed amendments are not overly ambitious and do not tackle the issue of proof needed to establish the authenticity of all digital evidence under Rule 901, they do embrace certain technological realities that can guide courts into an updated understanding of evidence in the digital age. Rule 902(13) would provide for a certification process for digital information produced by a computer system or process, analogous to Rule 902(11)’s provision for certification of business records.2 Rule 902(14), governing the self-authentication of copies of electronic information, would allow the authentication of a file by using its hash value, a unique identifier frequently referred to as a “digital fingerprint,”3 obviating the need for further authentication by witness testimony.4 The proposed Rules will likely reduce litigation costs spent authenticating information, and help foster judicial efficiency and familiarity with technology. Authentication using hash values will allow courts and lawyers to focus on more pressing issues, and will provide courts with the assurance that presented digital evidence is, in fact, what it purports to be.
The proposed new rules represent a modest step toward updating rules that were created to ensure sufficient authentication of physical documents to meet the needs of an increasingly digital evidentiary landscape. The amendments must, however, be implemented carefully, lest lawyers ignore that ascertaining the authenticity of digital evidence is only the first step in determining admissibility. Difficult questions under other evidentiary rules, and in articulating the demands of the right to confrontation persist.5 But the new rules are, at the very least, a significant start.
The question of how to coalesce new technology with older legal frameworks has produced contradictory approaches, summarized in now-classic form by Professor Lawrence Lessig6 and Judge Frank Easterbrook.7 The first would take an exceptionalist approach to applying old laws to new facts, recognizing that disruptive technology frequently compels the construction of new rules to preserve the principles and objectives those rules are intended to serve.8 The second would critique that approach as unduly hasty and apt to create conflicting, erroneous, and patchwork rules for a world changing too quickly for lawmakers to keep apace.9 As Judge Easterbrook famously described it, “Lots of cases deal with sales of horses; others deal with people kicked by horses; still more deal with the licensing and racing of horses…[a]ny effort to collect these strands into a course on “The Law of the Horse” is doomed to be shallow and to miss unifying principles.”10 The fear of creating a well-intentioned but misguided set of new rules continues to nag lawmakers attempting to adapt existing rules to new facts.
The divide between the two approaches is keenly felt in the evolving world of digital evidence. In his book, Foundations of Digital Evidence, George Paul argues that the rules of evidence were premised on a philosophy of empiricism, and the rules that this philosophy generated have nothing to do with how the modern world assesses the accuracy of its communications.11 Paul, therefore, argues in favor of a radically different approach to the admission of digital evidence.12 A competing, Easterbrook-sympathizing school would argue that “if it ain’t broke, don’t fix it,” insisting that the old rules of evidence will work very well with the new technology, as they have worked with information generated by telegraph messages and Xerox machines.13
The digital era has therefore created a dramatic issue for courts – how to apply rules and doctrine intended for physical evidence to intangible, digital evidence. The Lessig-Easterbrook fault line divides those, like George Paul, who would completely re-conceptualize and reimagine the rules to deal with a changing evidentiary landscape, and those that want to graft the old rules onto new kinds of evidence. While the battle lines have formed, there is a stalemate. There is no perceptible movement towards the wholesale revision of the Federal Rules of Evidence to deal with digital information.14 Like it or not, the competent lawyer will largely have to grapple with the Rules as they are, no matter how ill-fitting the applicability of the pertinent Rule and the information being offered. Nevertheless, the proposed new rules are a refreshing step towards a more modern and efficient judiciary for the Information Age.
The Proposed New Rules
The Advisory Committee on Evidence Rules has proposed to the Committee on Rules of Practice and Procedure that the Federal Rules of Evidence be amended to add two new rules governing the authenticity of electronically stored information.15 The proposed rules seem to be a compromise between the Lessig16 and Easterbrook17 schools, and recognize the novelty of this new evidence within the context of traditional evidence law. While the amendments do not deal with the substantive issues as to how digital information is authenticated under Rule 901,18 they do accomplish two laudable goals. First, the proposed rules create a means of authentication that will relieve the proponent of calling a witness to authenticate the information, if the witness provides a certificate that this information is the product of a process or system that produces an accurate result.19 Second, they permit a copy of electronically stored information to be admitted if a declarant indicates that she has copied that information from a device, storage media, or electronic file if it is authenticated by what the proposed rule call a “process of digital identification.”20 In the latter situation, the person who derived the copy need not testify; written certification that she made the copy will suffice.21 More specifically, proposed Rule 902(13) provides that “a record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of 902(11) or 902(12).”22 Proposed Rule 902(14) provides that “data copied from an electronic device, storage media, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or 902(12).”23
The Committee began with the proposition that in the vast majority of cases, the authenticity of electronically stored information is never challenged and it is, therefore, wasteful to insist that a witness come to court to state what is obvious and unlikely to be challenged.24 On a daily basis, the courts admit into evidence paper documents upon the certification of a custodian, complying with the requirements of Rule 803(6) without any need to call the custodian.25 Accordingly, electronically stored information should be admitted on the same basis. The Committee, therefore, indicated that its purpose is “narrow: to allow authentication of electronic information that would otherwise be established by a witness.”26 The opposing party, who is entitled to notice of the intention to use such a certification, remains free to challenge the representations made in the certification. The certification suffices only to excuse the witness from appearing if her certification is filed with the court and there is no objection to the authenticity of the evidence as asserted by the certification.
The Advisory Committee provides a series of helpful examples of how the new rule would operate to relieve a party from calling a witness and securing instead the necessary certification from a witness.27 A party could establish how the iPhone software captures the date, time, and GPS coordinates of each picture taken with the iPhone, permitting the court to conclude that whoever took the picture did so at a particular time and from a particular place.28 It bears noting that Exif data, the automatically generated metadata indicating, among other things, the date, time and place a particular photo was taken,29 can be altered—but this is highly unlikely to be the case for the vast majority of cases, and is further counteracted by the requirement that the party certify that the metadata is legitimate.30 A party could explain how a Samsung phone logs the content date, time and communicating phone that called or was called by the Samsung phone of text messages that were sent to or from the phone.31 In each of these instances, the certification of how the electronically stored information was created, transmitted, and stored would suffice to establish authenticity even though the witness was not called. Authenticity is further contingent on the court finding that that the electronically stored information being offered into evidence is what it purports to be (under Rule 901(a)), or self-authenticating (under Rule 902(9)) because the certification establishes that it is the product of a process or system that produced an accurate result.32
The proposed rule pertaining to copies of electronically stored information, Rule 902(14), is much easier to apply. The Rule is premised on the fact that it is possible to assign a unique numerical identifier called a “hash value” to electronically stored information by performing calculations on the data within the electronically stored information. It is premised on the incontrovertible reality that each piece of electronically stored information has a unique hash value.33 The hash value has been referred to as a digital fingerprint because it is a functionally unique and random identifier for a given set of data.34 The hash value of a file is created when a data string (such as an electronic file serving as evidence) is run through a series of mathematical functions, resulting in a seemingly random string of characters of a fixed length, and much shorter than the input data string.35 That output is the hash value of the input file, which could have been anything from a simple string of characters to all the files on a hard drive.36
Three properties of commonly available hash functions—high collision resistance, high preimage resistance, and high second preimage resistance—make their use the ideal for the authentication of digital evidence. A hash function has a high collision resistance when it would be computationally infeasible (computer science-speak for “almost impossible”) for two different inputs, computer files for example, to have the same hash value after the hash function is applied to them.37 A hash function has a high preimage resistance when it is computationally infeasible to determine the input based on the algorithm and the hash value (such that the hash algorithm is “one-way”); and it is second preimage resistant is when it is computationally infeasible for two different inputs to produce the same hash value.38 If one uses a hashing algorithm with the three properties mentioned above, it is overwhelmingly unlikely that two pieces of evidence will ever produce the same hash value. The odds of hashing two different pieces of evidence and getting the same hash value is on the order of one in one billion if using the popular MD5 hash algorithm.39 Because a hash algorithm is designed to give a complex and highly random output, even a slight change in the input will result in a radically different hash value. This change could be as small as a single pixel added to an image.40 Comparing hash values makes it easy to identify if the file has been even slightly modified.41
The uniqueness of a hash value to a file, the fact that the hash value it is a compact microcosm of the larger file, and the feature that the slightest change to the input will be immediately revealed, strengthens the argument for Proposed Rule 902(14). The Committee extrapolated from the primary premise, namely that authentication using hash values is essentially error-proof, that assigning hash values to original files could provide for a more seamless self-certification process. The odds of a false positive, of the system finding a match because a different file and the piece of evidence happened to share the same hash value, are infinitesimally low.42 Hashing provides exactly the proof that Rule 902 requires: that the document is what the attorney states that it is.43
While the new rules eliminate the unnecessary, there is an obvious concern: Lawyers will seek the path of least resistance and will resort to forms that will simply regurgitate the new rules (“I certify that ___________was the result of an accurate system or process”), and move on. But, if the once tangible has become virtual, lawyers and judges will make very little progress if they use these new rules as an excuse not to understand how the underlying technology works. They will fail to realize that the technology properly understood can lead to further advances in creating new rules that will deal with the other issues of authenticity that are based on a forensic evaluation of how computers operate, and create vitally useful information. Forensic technology may answer quickly whether a particular computer produced this electronically stored information because data created by the system itself can answer that question indubitably in particular case.44 Unless an individual uses a privacy-enhancing technique like Tor,45 user metadata indicating the time and IP address of a particular user activity took place can be stored by the company operating the application, such as Facebook or Google, or the internet service provider, such as Comcast or AT&T.46 Should we undertake to create new rules that more precisely define when forensic evidence can permit the court to conclude that a particular piece of digital evidence is authentic? These rules are arguably only the beginning of a process that will use technological certainty as the only true premise of the authenticity of digital evidence.
Counsel also must realize that a certification of the authenticity of a result is not a certification of its correctness. There are two questions presented when, for example, the report of a breathalyzer is offered into evidence and the resolution of the first, is the report authentic, is, at best, an introduction to the second—did it work? If only the first question is asked and answered we run the risk that the new rules will be completely misconstrued. While Rule 901 speaks of authenticity, a malfunctioning machine cannot produce relevant evidence and, despite the certification, counsel still must call the scientist who performed the analysis if there is reason to doubt that result. Knowing that a report is an accurate reproduction of the results of a process or system is one thing; knowing whether that process or system worked correctly is another.
The ultimate implications of hashing for self-authenticating evidence is clear, and the steps that the Committee have taken to move towards a pragmatic understanding of how digital evidence works is promising. Hashing has presented lawyers with a strongly practical alternative to requiring certification of evidence that both computer science and basic statistics declare authentic. The other rule, which neatly equates certification of digital records with the certification of paper business records, is equally sensible and, properly used, can save the time and money spared by avoiding call a witness who will state the obvious.
But the ambition of these rules is humble. They do not deal with an articulation of the proof needed to establish authenticity under Rules 901 or 902, leaving significant questions of substantive proof still up for debate.ourts will, therefore, continue to apply rules truly designed for paper to electronically stored information. Nevertheless, there is reason for optimism—if the certifications are done correctly, they could illuminate for the court the underlying forensic science that will explain why the evidence being offered can be trusted and relied upon. This is, of course, a welcome alternative to lawyers and courts looking everywhere except the technological basis to determine the authenticity of an email or a Facebook entry. Finally, the use of hash values as the means of guaranteeing that one electronically stored file is the same as its copy is particularly welcome. Time spent attempting to establish that two electronically stored files are identical other than by using hash values at this juncture is inefficient in both time and cost. Rules 902(13) and (14) are an acknowledgment of the need to reform analog rules for a digital age; while a modest and careful beginning, they are at the very least a modest and careful step in the right direction.