chevron-down Created with Sketch Beta.
June 01, 2016

The Brave New World of Internet Evidence: It’s Not as Brave or New as It Seems

Questions of admissibility involved in digital evidence are usually resolvable by existing evidentiary principles.

Hon. Jeffrey Cole

Download a printable PDF of this article.

Given the complexities of digital technology and the evolving and staggering growth of the Internet, it is not surprising that many “[j]udges [and lawyers] approach social media [and other forms of Internet] evidence with trepidation.” Deborah Jones Merritt, Social Media, the Sixth Amendment, and Restyling: Recent Developments in the Federal Laws of Evidence, 28 Touro L. Rev. 27, 51 (2012).

But that angst is unnecessary if we keep in mind that it is the “novelty of the media,” not the inadequacy of the Rules of Evidence, that is the source of much of the difficulty. Gregory P. Joseph, Internet and Email Evidence (Part I), 58 Prac. Law. 19 (2012). And so most cases and commentators have concluded—although sometimes hesitatingly—that questions of admissibility involved in Internet and digital evidence are resolvable by existing evidentiary principles, without enhanced scrutiny or more rigorous standards for authentication.

The Federal Rules of Evidence that most frequently appear in connection with issues involving Internet evidence are Rules 901 and 902, dealing with authentication, and 802, the hearsay rule. It is critical to identify early in the case potential evidentiary issues associated with the admission of Internet evidence and to develop a plan to deal with them. Failure to obtain sufficient authenticating evidence is “almost always . . . [a] self-inflicted injury, which can be avoided by thoughtful advance preparation.” Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534, 542 (D. Md. 2007).

The primary requirement for (and obstacle to) the admission of Internet evidence is Rule 901, which requires “as a condition precedent to admissibility” that there be evidence “sufficient to support a finding that the matter in question is what its proponent claims.” Grimm, Bergstrom & O’Toole-Loureiro, Authentication of Social Media Evidence, 36 Am. J. Trial Advoc. 433, 439 (2013). While the proof necessary to authenticate Internet evidence may in some instances involve “more complicated variations on the authentication problem than for paper records” (In re Vinhnee, 336 B.R. 437, 445 (9th Cir. 2005)), at bottom, the analysis is no different than it is where traditional forms of evidence are involved. If you approach evidentiary problems in a step-by-step way, the seeming difficulties will vanish.

Often the initial question is where to go to obtain the proof necessary to authenticate social media evidence. How and on what entity do you serve discovery to ascertain the identity of the “owner” of an Internet account or website? How do you subpoena Facebook, Twitter, Instagram, Snapchat, or any of the hundreds of other social media and networking sites? Many have no phone number that even FBI agents can call to serve a grand jury subpoena or search warrant! (Facebook and its social media counterparts deal with these and civil subpoenas exclusively online. See Law Enforcement & Third-Party Matters,, If you are stumped by questions like these, hire a technical expert, early on, who can guide you through the labyrinth that must be traversed in order to get the evidence the authentication rules require.


Rule 901(b) contains 10 subparagraphs that are illustrative examples of authentication or identification conforming with the requirements of the rule. The initial determination of whether the requirements of Rule 901 have been satisfied is made by the judge pursuant to Rule 104(a). The ultimate decision of whether the evidence is what its proponent contends is for the trier of fact. See United States v. Fluker, 698 F.3d 988, 999–1000 (7th Cir. 2012).

Rule 901 does not demand certainty. Indeed, the threshold for authentication of evidence “‘is not particularly high’ . . . and the ‘proponent need not rule out all possibilities inconsistent with authenticity’. . . .” United States v. Gagliardi, 506 F.3d 140, 151 (2d Cir. 2007). Regardless of the source of the evidence, Rule 901 is satisfied when there is sufficient proof that a reasonable juror could find in favor of authenticity. See United States v. Tank, 200 F.3d 627, 630 (9th Cir. 2000).

A common and obvious method of authentication is testimony by a witness who has knowledge that a matter is what it is claimed to be or who has firsthand knowledge of information needed to demonstrate authenticity. “To authenticate printouts from a website, the party proffering the evidence must produce ‘some statement or affidavit from someone with knowledge [of the website] . . . for example [a] web master or someone else with personal knowledge would be sufficient.’” St. Luke’s Cataract & Laser Inst., P.A. v. Sanderson, 2006 U.S. Dist. LEXIS 28873, at *2 (M.D. Fla. 2006). The person taking the screenshot, of course, will suffice.

Subpoenas can be served on social media sites to obtain the necessary evidence to identify the author of an Internet posting and the ownership of an account. To ascertain email account information, subpoenas can be served on the email provider, like Yahoo or Hotmail. For chat rooms, discovery can be directed toward the relevant host, while individual conversations are often authenticated by someone who participated and can testify to the accuracy of resulting transcripts. See Tank, 200 F.3d at 630. For websites, discovery should target the web hosts, the person who communicates with the owner of the account, the person who set up the account (see Targonski v. City of Oak Ridge, 921 F. Supp. 2d 820, 834 (E.D. Tenn. 2013)), or the website designer (see United States v. Hauze, 501 F. App’x 638, 639 (9th Cir. 2012)).

Authentication of Internet posts can also be sought through a person who took the screenshot of the post in question or saw it being taken. See Premier Nutrition, Inc. v. Organic Food Bar, Inc., 2008 U.S. Dist. LEXIS 78353, at *7 (C.D. Cal. 2008). But this will authenticate only the screenshot itself—much like a photograph. See Internet Specialities W. Inc. v. ISPWest, 2006 U.S. Dist. LEXIS 96373, at *2 (C.D. Cal. 2006). And that isn’t enough to link it to the party or person against whom or for whom it is sought to be admitted. See United States v. Vayner, 769 F.3d 125, 131–33 (2d Cir. 2014).

These are easy examples, but the problems encountered in authenticating Internet evidence can be more difficult. Anyone can obtain an email address, open a social media account, log into a chat room, or create a website under a fictitious name or post things anonymously. Indeed, the Internet has instructions on how to create a fake Facebook page. See Gregory P. Joseph, What Every Judge and Lawyer Needs to Know About Electronic Evidence, 99 Judicature 49, 51 (2015). If you have someone’s password, you can log on under that person’s identity, while the problem of hacking by strangers is well documented.

So merely proving something appeared on a website won’t be enough to permit that evidence to be used in favor of or against the purported “poster” or the owner of the site. The name on the website isn’t enough, any more than the name on a letter is enough to show who wrote it. Subpoenas to the operators of social media sites will often be necessary to ascertain the particulars about the account and its purported owner.

But even then, information obtained may not, without more, suffice under Rule 901(a) to show who made postings sought to be attributed to a party or person. This is where Rule 901(b)(4) comes into play. This rule is an important and frequently utilized tool permitting authentication by appearance, contents, substance, internal patterns, or other distinctive characteristics, taken in conjunction with circumstances. The familiar methodology used to circumstantially authenticate emails, texts, and letters applies equally to Internet evidence. See United States v. Simpson, 152 F.3d 1241, 1250 (10th Cir. 1998).

For example, evidence has been deemed sufficient to authenticate statements made on social media as coming from a named person where the person used the same screen name, signature nickname, or emoticon on other occasions; disclosures were made of particularized information known only to a small group, including that person; the person had information acquired while using the screen name; the person discussed the same subject matter elsewhere; and the person acted in accordance with the posting. See Joseph, What Every Judge and Lawyer Needs to Know, supra, at 52.

Yet, some courts have expressed reservations about this sort of circumstantial authentication. In Vayner, the question was whether the email address from which a document was sent—[email protected]—belonged to the defendant. The government’s proof on that score was a printout of a webpage, which it claimed was the defendant’s profile page from a Russian social networking site akin to Facebook, containing his name and picture and listing “Azmadeuz” as his Skype address. Vayner, 769 F.3d at 127–28. The Second Circuit found this insufficient, reversing because the information on the printout was known to the cooperating witness and others, some of whom may have had a motive to fabricate the webpage. See id. at 131–33.

This same concern about the reliability of information on the Internet is seen in United States v. Jackson, 208 F.3d 633 (7th Cir. 2000). There, the defendant sought to introduce postings on white supremacist groups’ websites, which, if placed there by the groups, strongly tended to show that the defendant was innocent. While there was no issue of the authenticity of the supremacist groups’ websites or the screenshots of the postings, the district court excluded the postings because the defendant was unable to show they were actually posted by the groups, as opposed to being slipped onto the groups’ websites by the defendant, who was a skilled computer user. The court of appeals affirmed. See id. at 637.

A number of cases have taken judicial notice of private business websites. See Joseph, What Every Judge and Lawyer Needs to Know, supra, at 51. But don’t count on a court routinely using judicial notice, assuming the site was created by the person or entity in the uniform resource locator (URL) or assuming information posted on the site is true. See, e.g., Victaulic Co. v. Tieman, 499 F.3d 227, 236 (3d Cir. 2007); Jackson, 208 F.3d at 638; but see Jeandron v. Bd. of Regents of Univ. Sys. of Md., 510 F. App’x 223, 227 (4th Cir. 2013) (“[A] court may take judicial notice of information publicly announced on a party’s web site, so long as the web site’s authenticity is not in dispute and ‘it is capable of accurate and ready determination.’”). By contrast, government websites are self-authenticating. See Fed. R. Evid. 902(5).

In United States v. Hassan, 742 F.3d 104 (4th Cir. 2014), the defendants were convicted of conspiracy to provide material support to terrorists and murder, kidnap, and injure persons in a foreign country. The government introduced screenshots of Facebook pages and the files embedded in them, including videos hosted on YouTube (and maintained by Google). The district court held that the Facebook pages and YouTube video were regularly conducted activities of the Internet companies, admissible under Rule 803(6). The Fourth Circuit affirmed because the government introduced sufficient evidence linking the pages to the defendants. See id. at 133.

Two proposed amendments to the Federal Rules of Evidence that, if approved, will become effective in December 2017, and make authentication a bit easier. But they won’t eliminate the issues discussed above. Proposed Rule 902(13) would allow authentication of “records generated by an electronic process or system” and permit a certification that complies with Rule 902(11) for records under Rule 803(6) to authenticate a record that “produces an accurate result”—for example, a screenshot. But the certification won’t ensure admissibility if there is an independent basis for exclusion, such as a lack of evidence that statements shown on a screenshot are sufficiently tied to the opponent. The proposed Rule 902(14) permits authentication by a Rule 902(11) certification for “certified data copied from an electronic device, storage medium, or file.”

Of course, authentication will not ensure admissibility. The evidence must satisfy the most basic requirement of the Federal Rules of Evidence: relevance under Rule 401. But note that failure to authenticate evidence will ensure inadmissibility under Rule 402 because “[a]uthentication and identification are specialized aspects of relevancy.” United States v. Rembert, 863 F.2d 1023, 1027 (D.C. Cir. 1988). To be relevant and admissible, a screenshot or printout must be shown to be the same as it was on the applicable date. See Specht v. Google, 747 F.3d 929, 932 (7th Cir. 2014). This will often require authenticating archived web files, see id., which entails a further level of analysis.

In United States v. Bansal, 663 F.3d 634, 667–78 (3d Cir. 2011), the government obtained screenshot images from the Wayback Machine website, which catalogues all other websites by date since 1966. To authenticate the screenshot, the government’s witness testified about how the Wayback Machine works and about its reliability. She compared the screenshots with previously authenticated and admitted images from Bansal’s website and concluded, based on her personal knowledge, that the screenshots were authentic. This was sufficient under Rule 901(b)(1). See Bansal, 663 F.3d at 667–68; see also Deborah R. Eltgroth, Best Evidence and the Wayback Machine: Toward a Workable Authentication Standard for Archived Internet Evidence, 78 Fordham L. Rev. 181, 184 (2009).

Absent a stipulation, authenticating a computer’s Internet protocol (IP) address requires proof from the Internet service provider. In United States v. Wyss, 542 F. App’x 401 (5th Cir. 2013), Sprint’s custodian of records authenticated records of IP addresses, data usage, and customer subscriber information. The government’s computer forensics expert testified how he linked the IP addresses and data used on certain servers to those assigned to Wyss’s Sprint account. That was enough.

In contrast to private websites, which are not self-authenticating, there are 14 categories of evidence that don’t require extrinsic evidence as a precondition to authentication. These are delineated in Rule 902.

Where the evidence has been produced in discovery by a party opponent and is the record of that party, there is generally no issue of authentication. The act of production is enough to warrant a finding that the evidence is that of the producing party. See, e.g., Orr v. Bank of Am., NT & SA, 285 F.3d 764, 770–71, 777 n.20 (9th Cir. 2002).

Once authentication is set aside, hearsay often comes into play. Authentication doesn’t do away with the application of the hearsay rule to a given piece of evidence. A perfect example is newspapers, which, though self-authenticating, are classic hearsay. See Fed. R. Evid. 901(6); Chi. Firefighters Local 2 v. City of Chicago, 249 F.3d 649, 654 (7th Cir. 2001). And hearsay is still hearsay and inadmissible, even if the evidence containing the hearsay is properly authenticated. See Houchins v. Jefferson Cnty. Bd. of Educ., 2013 U.S. Dist. LEXIS 29569, at *2 (E.D. Tenn. 2013).

Larez v. City of Los Angeles, 946 F.2d 630 (9th Cir. 1991), illustrates how hearsay and authentication remain distinct. The Los Angeles chief of police was quoted in a newspaper article as having made an inflammatory remark, which, if actually made, was helpful to the plaintiff. Because the newspaper was self-authenticating, the plaintiff thought he didn’t need to call the reporters as witnesses. The jury found for the plaintiff, but the court of appeals reversed because receipt of the article for the truth of the matters asserted—that the chief of police made the quoted statement—violated the hearsay rule. See id. at 642; but see Ner Tamid Congregation of North Town v. Krivoruchko, 638 F. Supp. 2d 913, 925 (N.D. Ill. 2009) (using articles in various publications warning of possible crash in real estate market to rebut plaintiff’s contention that crash was not foreseeable).

The hearsay rule has long bedeviled lawyers and judges, and scholars have groused about the rule’s “unintelligible” and “obtuse” qualities. See, e.g., John M. Maguire, The Hearsay System: Around and Through the Thicket, 14 Vand. L. Rev. 741 (1961). Even Judge Posner has adverted to the rule’s “complexities.” United States v. Boyce, 742 F.3d 792, 802 (7th Cir. 2014) (concurring opinion). And Judge Weinstein, in his ubiquitous treatise, has said that while lawyers are well drilled in the exceptions to the hearsay rule, they simply do not understand the rule itself. See 4 Weinstein’s Evidence ¶ 800[01], at 800–09 (1991). Not surprisingly, the ubiquity of Internet evidence has only made things murkier.

Hearsay is an out-of-court “statement”—an oral or written “assertion,” or nonverbal conduct intended by the actor as an assertion—other than one made by the declarant while testifying at the trial or hearing, offered to prove the truth of the matter asserted. Fed. R. Evid. 801(c). If the definition seems cumbersome, its underlying rationale is straightforward: Where the out-of-court statement is offered to prove that what it asserts is true, the party against whom the statement is offered must have an opportunity to cross-examine the declarant or else the jury can’t evaluate the declarant’s credibility and, hence, the truthfulness of the statement. Where the assertion isn’t offered for its truthfulness, the hearsay rule isn’t violated. These basic principles apply no less to evidence obtained from the Internet than to that obtained from less exotic sources.

Of course, an out-of-court statement offered for a purpose other than its truthfulness must, like all evidence, be relevant and admissible under Rules 401 and 403. Two decisions involving Facebook demonstrate how Internet evidence can satisfy this basic test: Moroccanoil, Inc. v. Marc Anthony Cosmetics, Inc., 2014 U.S. Dist. LEXIS 158788, at *25 (C.D. Cal. 2014) (Facebook comments not hearsay when not offered for their truth); Greco v. Velvet Cactus, LLC 2014 U.S. Dist. LEXIS 87778, at *6 (E.D. La. 2014) (finding Facebook posting admissible to show its effect on witness). Still, if the proponent can’t explain how the supposed non-hearsay use is relevant, it’s a fair bet the statement is really being offered for its truthfulness.

Notwithstanding the Seventh Circuit’s exuberant statement in Jackson, 208 F.3d at 637, that “any evidence procured off the Internet is adequate for almost nothing, even under the most liberal interpretations of the hearsay exception rules,”—something the court has never repeated in any subsequent opinion—courts are more and more citing information taken from websites, including Wikipedia, to support or explain their decisions. Indeed, Judge Posner has advocated that lawyers make use of the “riches of the Web . . . just as ‘real’ people do, and as judges and their law clerks . . . increasingly are doing.” Richard A. Posner, Remarks on Appellate Advocacy, Circuit Rider 7 (Nov. 2009). He has repeatedly cited Wikipedia in his opinions, although generally for background information.

But the reality at the trial court level is that the hearsay rule is alive and well and will bar admission of evidence used to prove the truth of the matter asserted on the website. See, e.g., United States v. El-Mezain, 664 F.3d 467 (5th Cir. 2011); Badasa v. Mukasey, 540 F.3d 909, 910 (8th Cir. 2008); Blanks v. Cate, 2013 U.S. Dist. LEXIS 11233, at *2 n.3 (E.D. Cal. 2013). On the other hand, properly authenticated and relevant web postings can be admitted as non-hearsay admissions of the poster. See Fed. R. Evid. 801(d)(2); United States v. Brinson, 772 F.3d 1314, 1320 (10th Cir. 2014) (statements on Facebook page).

Perhaps the most frequently used hearsay exception is Rule 803(6)—the so-called business records exception. The phrasing is imprecise, as the rule applies to the records of any regularly conducted activity of an organization, occupation, or calling, whether for profit or charity or whether lawful or criminal. The rule provides that “[a] record of an act, event, condition, opinion, or diagnosis” is admissible if:

  • the record was made at or near the time by—or from information transmitted by—someone with knowledge;
  • the record was kept in the course of a regularly conducted activity of a business, organization, occupation, or calling, whether or not for profit;
  • the making of the record was a regular practice of that activity, as shown by the testimony of the custodian or another qualified witness; and
  • the opponent does not show that the source of information or the method or circumstances of preparation indicate a lack of trustworthiness.

Fed. R. Evid. 803(6).

The business records exception is based on a presumption of accuracy accorded because the information is part of a regularly conducted activity kept by those trained in the habits of precision and customarily checked for correctness, and because of the accuracy demanded in the conduct of the nation’s business. See United States v. Gwathney, 465 F.3d 1133, 1140 (10th Cir. 2006). Internet companies like Facebook, Twitter, and Google maintain records in the regular course of their businesses relating to their customers, and these records are obviously within the scope of Rule 803(6). See, e.g., Hassan, 742 F.3d at 133. But as courts have recognized in various contexts, Internet companies are conduits, not the authors, of the information posted on their sites. See Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93, 107 (2d Cir. 2010); Chi. Lawyers’ Comm. for Civil Rights Under Law, Inc. v. Craigslist, Inc., 519 F.3d 666, 668–69 (7th Cir. 2008).

Consequently, the ability of Internet companies to retrieve information regarding someone’s postings or emails “does not turn that material into a business record of the Internet service provider.” Jackson, 208 F.3d at 637, 638. The same is true of web hosts like Yahoo, GoDaddy, and others that allow individuals and organizations to make their sites accessible to users. The fact that companies maintain their own internal records of what appears on their sites does not mean that what is posted by some third party qualifies as a “business record” of the poster, making it admissible under Rule 803(6). Thus, most courts have rejected the argument that website postings should be admissible under Rule 803(6). But see CA Inc. v. New Relic, Inc., 2015 U.S. Dist. LEXIS 46438 (E.D.N.Y. 2015).

Most web postings don’t involve the kind of entries systematically or routinely made to record events or occurrences, reflect transactions with others, or provide internal controls. Experience has shown that commercial websites (and private ones as well) often post material that “is full of imprecise puffery that no one should take at face value.” Victaulic Co., 499 F.3d at 236; see also Aldana v. Del Monte Fresh Produce N.A., Inc., 578 F.3d 1283, 1291 (11th Cir. 2009) (“[W]e have been unable to find any [case], in which a press release from an Internet website qualified as a business record within the meaning of the exception.”). Noncommercial websites are even less likely to qualify as inherently reliable in the sense required by Rule 803(6).

District courts have also gone both ways with regard to the commercial lists hearsay exception under Rule 803(17). Compare Commercial Credit Grp., Inc. v. Falcon Equip., LLC of Jax, 2010 U.S. Dist. LEXIS 46882, at *12 (W.D.N.C. 2010), with Rainbow Play Sys., Inc. v. Backyard Adventure, Inc., 2009 U.S. Dist. LEXIS 93623, at *23 (D.S.D. 2009).

In conclusion, while Internet evidence often presents challenges, thorough preparation and foresight will allow you to deal effectively with questions of admissibility at trial and on summary judgment.

Hon. Jeffrey Cole

The author is a U.S. magistrate judge in the Northern District of Illinois, Chicago, and editor in chief of The Circuit Rider, the journal of the Seventh Circuit Bar Association. He is a former editor in chief of Litigation.