chevron-down Created with Sketch Beta.

ARTICLE

New Rules for Self-Authenticating Electronic Evidence

Andrew McLure Toft

Summary

  • The Federal Rules of Evidence were amended effective December 1, 2017 to make it easier to authenticate data from electronic sources.
  • The new rules describe a process for authenticating records “generated by an electronic process or system,” such as a printout from a webpage, or a document retrieved from files stored in a personal computer.
  • They also provide for using a “process of digital identification” such as hash values to authenticate that electronic data is what it purports to be.
New Rules for Self-Authenticating Electronic Evidence
shironosov via Getty Images

The Federal Rules of Evidence were amended effective December 1, 2017 to make it easier to authenticate data from electronic sources. The new rules describe a process for authenticating records “generated by an electronic process or system,” such as a printout from a webpage, or a document retrieved from files stored in a personal computer. They also provide for using a “process of digital identification” such as hash values to authenticate that electronic data is what it purports to be.

Rule 902 lists “items of evidence that are self-authenticating” and “require no extrinsic evidence of authenticity in order to be admitted.” Amendments effective December 1, 2017 added two new items of evidence to this list.

Rule 902(13) provides for the self-authentication of: “A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).”

Rule 902(14) provides for self-authentication of: “Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).”

When there is no dispute as to authenticity of ESI, 902(13) and (14) should help achieve the laudable goal of reducing the expense of litigation. Rather than present live testimony of a foundation witness, the proponent establishes authenticity under 902(13) and (14) by presenting a certification containing information that would be sufficient to establish authenticity if the information were provided by testimony at a hearing or trial. While providing a streamlined procedure for authentication, these amendments are not intended to limit a party from establishing authenticity of electronic evidence on any ground provided in the Federal Rules of Evidence.  902(13) and (14) are limited to authentication, and any attempt to satisfy a hearsay exception must be made independently.

Rule 902(13)

Rule 902(13) describes a process for authenticating records “generated by an electronic process or system,” such as a printout from a webpage, or a document retrieved from files stored in a personal computer.

Was a personal computer used to access files stored on a specific USB flash drive? A forensic technician provides a printout from the Windows registry in the personal computer’s operating system that indicates a certain USB flash drive was connected to the computer at a given date and time. Without 902(13), the proponent of the evidence would ordinarily present live testimony from the forensic technician to establish the authenticity of the printout, so 902(13) simply changes the way the submission on authenticity is made. With 902(13), the proponent can obtain a written certification from a forensic technician that complies with 902(11)—which sets out the requirements that apply for a custodian of records declaration—and 902(12)—which provides for authentication through a certification signed under penalty of perjury. The proponent must provide reasonable written notice of its intent to offer the printout at hearing or trial and make the written certification and printout available for inspection. The opponent must then decide whether to object to authenticity.

902(13), by following the approach taken in Rule 902(11) and (12), effectively places the burden of going forward on authenticity questions on the opponent of the evidence. Under 902(11) and (12), a business record is authenticated by a certificate, but the opponent of the evidence is given “a fair opportunity” to challenge both the certificate and the underlying record. Rule 902(13) and has the same effect of shifting to the opponent the burden of going forward (not the burden of proof) on authenticity disputes regarding certain types of electronic evidence. Attorneys will also want to keep in mind Rule 104(a) (providing that the judge is to decide admissibility factors by a preponderance of the evidence) and FRE 104(b) (providing that for questions of conditional relevance—such as authenticity—the standard of proof for admissibility is enough evidence sufficient to support a finding) when preparing for trial that will have 902(13) issues.

As stated in the Committee Notes, 902(13) specifically allows the authenticity foundation that satisfies Rule 901(b)(9) to be established by certification rather than the testimony of a live witness. The notes also state that certification under 902(13) satisfies only the admissibility requirements for authenticity. The opponent can object to admissibility of the record on other grounds. Further, there is no intent to permit a certification under 902(13) to prove the requirements of 803(6). Any attempt to satisfy a hearsay exception must be made independently.  Consider Facebook chats between two or more individuals. A Rule 902(13) certification could establish that Facebook’s system accurately records the substance of the chats exchanged, but the certification would not preclude a hearsay or other appropriate objection to the chats’ content. The business record elements would be confirmation that the depicted communications took place between certain Facebook accounts, on particular dates, or at particular times. However, the content of the communications are not necessarily business records because Facebook does not verify or rely on the substance of the chats in the course of Facebook’s business.

Rule 902(14)

Rule 902(14) provides a similar procedure for authenticating data copies from electronic sources through a certification.

For data copied from an electronic device to be authenticated under 902(14), the certification must meet four requirements. First, it must explain the process of digital identification used to confirm that the electronic record is an authentic copy of what was copied from an electronic device, storage medium, or an electronic file on a certain date at a certain time. By way of example, the Advisory Committee notes refer to the use of a “hash value”—a unique sequence of characters based upon the contents of a drive, medium or file—to authenticate documents with identical hash values as exact duplicates. If a qualified person certifies that she has checked the hash value of the proffered item and it was identical to the original, the item can be self-authenticated. The committee notes discuss authentication by “hash value,” but the rule allows certification through other processes including reliable means provided by future technology (at least that is the intent).

Second, the certification must be from a qualified person. Third, as with Rule 902(13), the certification under Rule 902 (14) must comply with the certification requirements of Rule 902(11) or (12), and provide notice and an opportunity to challenge authenticity.

The last paragraph of the Committee Notes for (14) states:

A challenge to the authenticity of electronic evidence may require technical information about the system or process at issue, including possibly retaining a forensic technical expert; such factors will affect whether the opponent has a fair opportunity to challenge the evidence given the notice provided.

This requirement is intended to give the opponent of the evidence a full opportunity to test the adequacy of the foundation set forth in the declaration. Some cases have held that three day notice or five day notice is adequate for documents under 902(11). The 2017 Committee Note suggests adequate notice for a certification of a copy pursuant to 902(14) may be longer, but adequate notice will only be determined in future litigation under 902(14) and 902(11).    

What if ESI was stored on a device, medium or file 5-10 years, or longer, before being copied and the certification of a qualified person created? The certification authenticates the copy of the original made to be introduced into evidence. The certification has no bearing on whether the original file was altered, intentionally or otherwise, over the 5-10-year period before the copy is made. If the certification establishes the authenticity of the copy and the ESI is admitted pursuant to FRE 104(a), whether there was a hash value file created at the time the ESI was originally stored that will show whether the file admitted is identical to the file as originally stored will perhaps go to the weight of the evidence. Alternatively, admission may be conditional under Rule 104(b).

With a 902(14) certification no live witness will (theoretically) be present for cross-examination at the hearing or trial. Can 902(14) be used to shift the burden and expense from the proponent of the evidence to the opponent? Can the intention to use a 902(14) certification be the subject of written discovery that must be answered and supplemented well in advance of trial to permit the opponent to consider retaining a forensic technical expert as discussed in the committee notes? All these questions and more will only be answered through litigation.

    Author