The Journal of The DuPage County Bar Association

Back Issues > Vol. 14 (2001-02)

Authenticating On-line Communications and Making Them Count
By Craig J. Chval and Keith G. Chval

After months or even years of investigation, preparation and perhaps even a little anguish, it all comes down to this. It’s that single statement that will make the difference between conviction and acquittal for a murder defendant; or cement a finding of liability in a million-dollar medical malpractice case; or sway a custody determination in a dissolution of marriage trial. 

All you must do is convince the judge to receive the statement into evidence. The only trouble is that you’re dealing with a statement recovered from a computer. The statement is not spoken, not heard, and not in the declarant’s own hand.  

Earlier in your case-in-chief, a civilian witness testified that the content of the written version of the statement is identical to the content of the e-mail message she received on her computer. You tie it all up during the direct examination of your computer expert, when you elicit testimony that the printed version of the statement truly and accurately depicts the electronic version of the statement he recovered from the witness’ hard drive. All that’s left before you rest your case is the cross-examination of your computer expert. 

What could possibly go wrong now? You can almost feel the back-slapping sure to occur when you return to your office in triumph after a lightning-quick verdict in your client’s favor. But you have barely settled back into your seat at counsel table when giddiness turns to panic. Opposing counsel queries:

Q: Sir, it’s common knowledge in the technical community that an e-mail can be "spoofed" where a person can alter an e-mail message to make it appear as if it’s coming from another individual, isn’t it? 

A: Yes, of course. 

Q: And you have no proof that this e-mail wasn’t spoofed by someone with a grudge against my client so as to make it appear that this e-mail was from my client when it really wasn’t, do you? 

A: It sounds as if you’re asking me whether I can prove the existence of a negative. But to answer your question, no I don’t.

Opposing counsel continues: 

Q: Sir, aren’t there frequent reports in the media of third parties gaining access to individuals’ e-mail accounts, either because they have access to another’s physical computer or because, through one of any number of means, they obtain another’s password information? 

A: Yes, those kinds of reports are common. 

Q: You have no proof that one of my client’s co-workers, or perhaps his estranged wife herself, didn’t access his e-mail account and send this e-mail themselves, do you? 

A: That’s very unlikely.

Opposing counsel is just getting warmed up: 

Q: Sir, you agree that unsophisticated computer users can create very genuine looking, but phony, documents such as bank checks and driver’s licenses? 

A: Yes, I agree. 

Q: Can you prove that the e-mail you found on Ms. Clump’s computer, but not on my client’s computer, was not in fact created by Ms. Clump? 

A: No. 

And finally: 

Q: Sir, you’re familiar with "Trojan horses" and other such programs whereby an individual surreptitiously installs a program on another’s computer allowing a person, without the knowledge of the true owner of the computer, to remotely access and use the computer, including sending e-mails, as if the remote user was sitting at the keyboard himself, aren’t you? 

A: Yes, of course. 

Q: Sir, can you prove that, without my client’s knowledge, someone did not utilize a "Trojan horse" program and remotely access my client’s computer? 

A: As a matter of fact, I did run hash sets of 25 different known Trojan horse programs (which the witness proceeds to name) against the files on the defendant’s computer, and ruled that out as a possibility. 

Q: Sir, I noticed among the 25 Trojan horse programs that you named that you did not mention the "MyClient IsInnocent.exe" program, so you really can’t say with complete certainty that a Trojan horse program was not on my client’s computer, can you? 

A: Well, um . . .
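The check the expert describes in his last substantive answer, running hash sets of known Trojan horse programs against the files on a drive, is a routine forensic screen. The following Python is an added example written for this page, not code from the article or from any forensic product; the "known Trojan" reference set and the files it screens are constructed in a temporary directory, and real examinations use published reference sets of digests rather than the binaries themselves. It shows the two properties that matter on cross-examination: matching is on file content, so a known program that has merely been renamed still hits, and a program absent from the reference set can never hit, which is exactly the gap the "MyClient IsInnocent.exe" question exploits.

```python
"""Hash-set screen of a drive against a reference set of known programs.

Added example, not from the article. The reference set and the files laid
out by demo() are constructed for illustration only."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so a large drive image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_reference_set(named_samples):
    """Map SHA-256 digest -> program name.

    Stands in for a published hash set, which distributes digests and names,
    not the programs themselves. Input: {name: file content bytes}."""
    return {hashlib.sha256(body).hexdigest(): name
            for name, body in named_samples.items()}


def screen_directory(root, reference):
    """Walk root and return (matches, unmatched_count).

    matches is a list of (relative path, known program name). Because the
    comparison is on content, a renamed copy of a known program still
    matches; a program that is not in the reference set cannot match, so
    zero hits never proves that no such program was present."""
    matches = []
    unmatched = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in reference:
                rel = Path(path).relative_to(root).as_posix()
                matches.append((rel, reference[digest]))
            else:
                unmatched += 1
    return matches, unmatched


def demo():
    """Lay out a constructed 'seized drive' and screen it.

    Returns (sorted matches, unmatched file count). The renamed copy of
    known-trojan-A is found; the two files not in the set are not."""
    known = {  # constructed stand-ins for known Trojan horse programs
        "known-trojan-A": b"constructed sample A\x00\x01",
        "known-trojan-B": b"constructed sample B\x00\x02",
    }
    reference = build_reference_set(known)
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "tools").mkdir()
        # same content as known-trojan-A, under an innocuous name
        (r / "tools" / "update.exe").write_bytes(known["known-trojan-A"])
        (r / "notes.txt").write_bytes(b"grocery list")
        # a program no published hash set has ever seen
        (r / "unknown.exe").write_bytes(b"something not in any hash set")
        matches, unmatched = screen_directory(root, reference)
    return sorted(matches), unmatched


if __name__ == "__main__":
    print(demo())
```

The second return value is the honest answer to opposing counsel's last question: those files are not "clean," they are merely unknown to the reference set the examiner used, and the examiner should say so before being asked.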

The moral of this sad story is not the danger of using experts of dubious expertise. Even well-qualified experts can find themselves in such a scenario, particularly while many lawyers and judges are still early on the high-tech learning curve. The constantly changing nature of the Internet and related functions such as e-mail leads to an unpleasant yet inescapable truth: there is no ironclad way to conclusively rule out every possibility of tampering with e-mail and other Internet communications. Hiring a well-qualified expert is critical to cases involving computer evidence. But when it comes to authenticating computer evidence, nothing is more important than building a circumstantial case for its reliability. Corroborating authorship of the communication can be accomplished through "hi-tech" as well as "low-tech" means. 

There are several well-established doctrines that can be used in creating the requisite inference of reliability for the admission of on-line communications. See U.S. v Siddiqui, 235 F.3d 1318 (11th Cir. 2000) cert. denied, 2001 U.S. Lexis 4878 (U.S. June 25, 2001); Handbook of Illinois Evidence, Sec. 901.10 (7th ed. 2000); Weinstein’s Federal Evidence, sec. 901.01[3] (2001). However, it is important to remember that admissibility is just the threshold objective; the ultimate goal is to bolster the communications in ways that maximize their probative value. Thus, utilizing as many theories of admissibility as possible for a single on-line statement is of paramount importance. 

The reply letter doctrine is a long-standing and generally accepted doctrine that can be applied to authenticate on-line communications. Graham, Steigmann, Brandt, Imwinkelried, Illinois Evidentiary Foundations, chap. 1, sec. L, subsec. 1. (2d ed. 1997). The essence of this doctrine is a presumption that the United States Postal Service is a reliable form of communication. Accordingly, if (1) an individual properly addresses, stamps and places a letter in the mail, and (2) subsequently receives a return correspondence in due course, referencing or responding to the original mailed letter and bearing the name of the intended recipient of the original letter, then (3) the return correspondence is presumed to be from the intended recipient of the original letter. If those foundational elements are present, courts have generally held that the identity of the author has been established sufficiently to authenticate the letter for admission. Id. 

The application of this doctrine to e-mail is relatively straightforward. Given our wide reliance upon e-mail in all aspects of everyday life and work, on-line communication has been accepted as reliable by courts. See, e.g., Siddiqui, 235 F.3d at 1318; Handbook of Illinois Evidence, Sec. 901.10. This acceptance follows the same logic, under the reply letter doctrine, applicable to the regular mail system. While the author might not physically sign an e-mail that he sends, his name typically accompanies the message through one or more common electronic methods: it might be automatically generated in the "From" line of the e-mail header; he might type it at the end of the body of the e-mail; it might be automatically appended to the body as a signature block; or it may be attached to the e-mail as an electronic signature or business card. See Siddiqui, 235 F.3d at 1322. Bear in mind that each of these is supplied by the sender’s own software, so none is self-proving; the "From" line in particular is precisely what a spoofed message alters. Their value under the reply letter doctrine comes from the reply arriving in due course from the address to which the original was sent, not from the name alone. 

A final consideration, in applying the reply letter doctrine to on-line communication, is what constitutes "due course." With regular mail, perhaps a week or two reasonably might be considered due course. However, with the near-instantaneous reply capability of e-mail, practitioners should be prepared to argue that a shorter period should constitute due course when it comes to e-mail correspondence. Illinois Evidentiary Foundations at 99. With these minor adaptations, the reply letter doctrine should be an effective means of authenticating return e-mail. 

Another situation that falls under the reply letter doctrine is where the communication at issue is a response to a previous e-mail and contains the original e-mail in its body. Cf. Siddiqui, 235 F.3d at 1322. This occurs when a user has his e-mail program set to include the sender’s message in the reply. Provided that you have a witness who can testify that she sent the original e-mail to a valid address for the purported author of the response, the presence of the witness’s original e-mail in the reply should raise an inference that the author of the reply is the person to whom the original was sent. 

Content of an on-line communication can often provide the necessary foundation to authenticate the document. See, e.g., Siddiqui, 235 F.3d at 1323; Illinois Evidentiary Foundations, at 99. Frequently, such communications include information that only the purported author would know. Siddiqui, 235 F.3d at 1322. For example, the author mentions that her hard drive is quickly running out of storage space. Through investigation or discovery, you are able to prove that the purported author’s computer had a hard drive that was nearing capacity. A reasonable inference is that only the true author would possess that information. 

Another content authentication circumstance involves an author revealing personal or business information that only the author would be expected to know. Such information might include details about a person’s work assignments or appointments, or perhaps information about the author’s health or family. On occasion, the content of an on-line communication will contain information from more than one facet of an individual’s life. The improbability of one person knowing information about multiple facets of another individual’s life further strengthens your claim as to authorship. 

The identity of the author of an on-line communication can also be established by tracing the communication back to the sender using the Internet Protocol (IP) information contained in the header of the e-mail. Typically, only the "From," "To" and "Subject" lines of the header are displayed. However, the full header can be revealed, and it includes a "Received" line added by each mail server that handled the message on its way to the recipient; the earliest of those lines usually records the IP address from which the message was submitted, together with that server’s own timestamp. Because each server writes only its own line, any lines that appear to have been added before the message reached a server you can vouch for (the recipient’s, or a reputable Internet Service Provider’s) could have been fabricated by the sender, so the trace should start from the first line written by a server whose logs you can obtain. At any given moment, every computer connected directly to the Internet is using a unique public IP address, although a proxy or network address translation device may present a single address on behalf of many machines. Through the use of on-line databases (the registries that record which organization holds a block of addresses) and subscriber information obtained from Internet Service Providers, it may be possible to identify who was assigned the particular IP address in an e-mail header at the time the message in question was sent. Dial-up and other dynamically assigned addresses change hands frequently, so the request to the provider must specify the exact time and time zone stamped on the relevant "Received" line. 

However, as is frequently the case with telephones, shared access can be an additional hurdle to admissibility and probative value. Commonplace shared access to computers, and to the IP addresses associated with them, requires additional evidence to establish that a purported author actually composed and sent the message. A further note of caution: people seeking to hide their identity may route a message through more than one service provider, or use other methods to make it difficult to trace back their address. Tracing a message back to the sender may require obtaining information from several service providers and in some instances may be virtually impossible. 
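The header trace described above, and the reply inference from the earlier paragraph on replies that quote the original, can both be carried out mechanically. The following Python is an added example written for this page, not code from the article; the message it parses is constructed (the hostnames and addresses are documentation values and the Message-IDs are invented), and its trusted_servers argument, which stands for the mail servers whose logs you can actually obtain, is an assumption of the example. It walks the "Received" lines from first hop to last, reports the IP address recorded by the first server you can vouch for, and, going one step beyond the article, reads the In-Reply-To and References lines that reply-capable mail programs add alongside the quoted original.

```python
"""Extract routing and reply-threading evidence from a raw e-mail header.

Added example, not part of the original article. SAMPLE_MESSAGE is
constructed; hosts and addresses are documentation values."""
import re
import email
from email.utils import parsedate_to_datetime

# Constructed sample reply. Each relaying server PREPENDS its own
# "Received:" line, so the top line is the recipient's own server and the
# bottom line is the first hop nearest the sender.
SAMPLE_MESSAGE = b"""\
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
\tby mail.recipient.example (Postfix) with ESMTP id 7F3A1
\tfor <jane@recipient.example>; Tue, 12 Jun 2001 14:05:22 -0500
Received: from dialup-77.example-isp.net (dialup-77.example-isp.net [198.51.100.77])
\tby mx.example-isp.net with SMTP id 4C21B;
\tTue, 12 Jun 2001 14:05:01 -0500
Message-ID: <reply-0002@example-isp.net>
In-Reply-To: <orig-0001@recipient.example>
References: <orig-0001@recipient.example>
From: "John Doe" <john.doe@example-isp.net>
To: jane@recipient.example
Subject: Re: the drive
Date: Tue, 12 Jun 2001 14:04:58 -0500

> Did you ever swap that drive?
Yes, the old one was almost full.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the relay hops in transit order (first hop first).

    Each hop holds the server that wrote the line ("by"), the peer it
    accepted the message from ("from"), the peer IP if the server logged
    one, and the writing server's own timestamp (after the last ';')."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(line)
        ip = IP_RE.search(line)
        stamp = line.rsplit(";", 1)[-1].strip()
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp),
        })
    return list(reversed(hops))


def originating_ip(raw, trusted_servers):
    """IP address seen by the first server you can vouch for, or None.

    trusted_servers (assumed by this example) names the mail servers whose
    logs you can obtain. Lines claimed to be written before the message
    reached one of them may have been typed in by the sender, so they are
    skipped; the address returned is the one to take to the ISP."""
    for hop in received_chain(raw):
        if hop["by"] in trusted_servers:
            return hop["ip"]
    return None


def reply_links(raw):
    """Message-IDs this message claims to answer (In-Reply-To / References).

    These corroborate the quoted original in the body but do not replace it:
    a forger can set them as easily as the From line."""
    msg = email.message_from_bytes(raw)
    ids = set()
    for field in ("In-Reply-To", "References"):
        for value in msg.get_all(field, []):
            ids.update(re.findall(r"<[^>]+>", value))
    return sorted(ids)


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(hop["time"].isoformat(), hop["by"], "<-", hop["from"], hop["ip"])
    print("origin:", originating_ip(SAMPLE_MESSAGE, {"mx.example-isp.net"}))
    print("replies to:", reply_links(SAMPLE_MESSAGE))
```

Note what changes when only the recipient’s own server is trusted: the first vouched-for hop then yields the ISP’s mail server address (203.0.113.10 in the sample), not the dial-up address, and the trace continues only if that ISP produces its own logs, which is the multi-provider chain the paragraph above warns about.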

Another familiar authentication strategy is establishing that the purported author of an on-line communication took action consistent with the content of the communication. Siddiqui, 235 F.3d at 1322-23. For instance, an author who indicates that her hard drive is running out of capacity may also indicate that she is going to have to swap it out and install a new hard drive. If investigation uncovers a loose hard drive on her desk, and subsequent analysis of that drive and of the computer’s internal hard drive establishes that the loose drive was near capacity and the drive in the computer was virtually empty, the sum of the parts is fairly compelling evidence that the person with access to the computer is the person who authored the on-line communication. Additional corroborative authentication evidence may include proof that the author had sufficient knowledge to execute the hard drive swap. 

Although the foregoing methods are certainly not the only means for authenticating on-line communications, they are the most common and illustrate how traditional theories of authenticating various forms of more conventional communications can be adapted to today’s cyber world. 

So, what of our poor witness who was subjected to a barrage of near-impossible questions on cross-examination? First, those questions are grounded in legitimate technical theory: the hypothetical situations posited can and do happen. Second, given enough time and expertise, a sharp computer examiner could negate all of those theories. Third, even the best examiners lack the time and resources necessary to refute every possible theoretical challenge to the integrity of on-line statements. Finally, the questions above represent the tip of the iceberg of technical issues that could sink your case faster than you can say "Titanic." The lesson is to marshal multiple indicia of reliability, from as many of the doctrines above as the facts support, whenever you seek to authenticate on-line communications.

Keith Chval is Chief of the High Tech Crimes Bureau, Office of Illinois Attorney General Jim Ryan. Mr. Chval was an Assistant State’s Attorney for the DuPage County State’s Attorney’s Office. He received his J.D. at IIT/Chicago-Kent College of Law in 1992 and his B.S. at Indiana University in 1985.

Craig J. Chval is Special Counsel to Illinois Attorney General Jim Ryan. Mr. Chval was an Assistant State’s Attorney and Chief of the Gang Prosecutions Unit for the DuPage County State’s Attorney’s Office. He received his J.D. at IIT/Chicago-Kent College of Law in 1984 and his B.B.A. at the University of Notre Dame in 1981.

DCBA Brief