I. Do You Use E-Mail?
During the mid-1980s an obscure officer connected with the Reagan Administration sent memoranda relaying confidential details of an ultra secret deal to his superiors at the National Security Council. He was unconcerned that the messages might be intercepted because the system and the communications lines were secure. Realizing that these communications contained extremely sensitive material, the officer altered or deleted many of the memoranda. Unbeknownst to the officer, however, computer system backups were performed on a daily and weekly basis. These backups not only captured the messages, but also documented his attempts to delete and alter them. The officer was Lieutenant Colonel Oliver North, and the secret deal became known as the Iran-Contra affair. After White House Communications Agency programmers searched through backup tapes and produced a stack of printouts nearly four feet high, the memoranda became part of the publicly available Tower Commission Report. (1) Oliver North could not have made his temporary and informal electronic musings more permanent if he had carved them in stone.
Is this an isolated case involving an unsophisticated computer user? Apparently not. In the 1990s, Microsoft was sued for gender discrimination based, in part, upon one of its executive's electronic mail ("E-mail") messages allegedly containing jokes and references that were offensive to women. (2) Eugene Wang, a former vice president employed by Borland who left Borland to go to Symantec, prompted a civil lawsuit and criminal charges against both himself and his new employer when he allegedly E-mailed trade secrets to Gordon Eubanks, the President and Chief Executive officer of Symantec. (3) All three of these cases hinged upon the discovery and introduction into evidence of computerized information that was thought to be secure.
We have all seen or heard of data that is taken from a business computer and entered into evidence. After some discussion as to whether such information could be produced as "documents" and whether computers were capable of hearsay, the rules of civil procedure and the rules of evidence now allow for the discovery of and entry into evidence of data that has been seized from computers. (4) But discovery is becoming more difficult as computer technology becomes increasingly complex, and the technology is prompting more difficult evidentiary questions. Computers hold crucial evidence in new and different ways. What are some of the techniques used to seize this data and what questions arise when litigants attempt to enter this data into evidence?
II. Discovery of Electronic Evidence
A. What Is Subject To Discovery?
In 1970, Rule 34 of the Federal Rules of Civil Procedure was amended to allow discovery of electronically stored information. (5) The rule, entitled "Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes" now states that:
Any party may serve on any other party a request:
By requiring that the information sought be in a "reasonably usable form," the party seeking production can require electronic as well as printed "hard copies." The electronic copies can be in virtually any form, depending upon the structure of the subject computer system, e.g., production of punch cards may be appropriate for litigation involving an old mainframe, whereas diskettes or hard disks might be more appropriate for the discovery of data from a personal computer ("PC").
B. Computer Evidence Escapes from the Mainframe to the Internet.
In the 1970's, drafting a demand for the production of computer evidence was, by today's standards, relatively simple. Most computers were large mainframes that existed in specially built rooms with dumb terminals attached. By "dumb" we mean that the terminals (and keyboards) were really only capable of displaying or entering information, not storing information. Accordingly, the only place information could be stored by these computers was the computer room. A request for a mirror image of the hard disks and the backup tapes could be expected to recover nearly all of the available computerized information that could be entered as evidence. Moreover, since businesses and government were the only entities that could afford mainframes, the data was usually kept in a reasonably organized and accessible manner.
In the 1980's, personal computers ("PCs") became prevalent. Information escaped from air-conditioned computer rooms and traveled into each employee's office. But the information that resided on PCs was trapped since the PCs were not connected to each other or to the mainframes. Towards the end of the decade, it became commonplace to link the mainframe with each individual user's PC so that information could migrate to and from the PC. The result was that in addition to the traditional mainframe areas that needed to be searched, each individual user's PC also could contain valuable information and likewise needed to be searched. This vastly expanded the number of places that could contain data. Each PC could have contained one or more disk drives, which could take hours or days to peruse. Additionally, each office with a PC in it probably contained numerous diskettes organized by the individual worker's whims, each of which could hold dozens or even hundreds of documents -- any one of which could contain critical evidence.
The 1990s is the decade of networking. Most organizations network their PCs into Local Area Networks, or "LANs." In turn, the LANs can be networked into Wide Area Networks, or "WANs." Many businesses today are connecting the Internet, which allows worldwide access to any other computer that is also connected to the Internet. The needle that was once limited to the computer room haystack now could be anywhere in the world.
Storage devices have remained fairly stable since the 1980s. Thus, for any individual PC, a request drafted in the 1980s for the production of computer evidence might still be technically accurate. But networking has greatly increased the transportability of data. It is now easy and commonplace for computer users to send information to remote PCs that are in the next office, the next building, or thousands of miles away. For example, in Morrow v. II Morrow, Inc., 139 Ore. App. 212; 911 P.2d 964 (1996), Piedra, one of the defendants, wrote a confidential memorandum addressing the performance of Morrow, an employee who worked for II Morrow, Inc. The memorandum was sent to Piedra's supervisor Hughes and to a confidential file. Piedra then proceeded to delete the electronic copy from his computer. Unbeknownst to Piedra, however, the file was stored on the company's "O" hard disk drive. The "O" drive was accessed by Morrow, who promptly resigned from the firm and filed a lawsuit alleging constructive discharge and defamation. Only someone familiar with computer networks would know enough to look at the "O" drive for a copy of the memorandum.
When determining which PC's to search, a careful trial lawyer should not overlook the possibility that a business could be storing critical data in the homes of its employees. Many users carry either a portable PC or diskettes to and from work or they simply "dial in". Accordingly, valuable evidence may be destroyed or lost in an office, but easily available from an individual employee's home. This is particularly true in the case of employees who telecommute (i.e., work on a PC in their home during business hours and connect to PCs or other computers via modem.)
C. A Word About E-Mail.
Because E-mail is a convenient and informal way to communicate, people tend to treat E-mail as if it were conversation. In fact, many people feel less inhibited during an E-mail exchange than in conversation, because of the perceived anonymity of conversing with a "computer". As Oliver North discovered, E-mail is not at all anonymous and it has a surprisingly persistent life. This can be a veritable gold mine for the party discovering information and a nightmare for the party producing the information. And unlike bulky and obtrusive file cabinets full of memoranda, E-mail is unobtrusive; it can lie around unnoticed for years, just waiting to be discovered.
One example of the potential price of E-mail is the recent case where four women filed charges against Chevron Corp. stemming from alleged sexual harassment. (6) Among the E-mail messages that were cited by the women as harassing was one listing "twenty-five reasons why beer is better than women." Whether this particular message was intended to harass the women is beside the point -- the message is compelling evidence in favor of their case. In February 1995, Chevron agreed to pay 2.2 million dollars to settle the women's claims, while steadfastly denying the charges.
D. In Extreme Cases...
In all of the above cases, the information we look for is located close to the central processing unit ("CPU"). Technically speaking a CPU may only be a microprocessor or a circuit board. In this context, however, we mean the actual CPU and its accompanying information processing hardware like disk drives and random access memory ("RAM"), as opposed to peripheral input/output devices such as scanners, printers, keyboards and terminals. Nevertheless, in extreme cases, where it is believed that a user may have destroyed evidence, other devices may also contain valuable information.
For example, many laser printers retain in memory the last few pages to be printed. If the memory is electronic and the printer is left powered on, then this information may be accessible. Even if the laser printer is turned off, it may store this information on hard disk, and the information will remain during the power off. Since printers often do have the storage capacity to store an entire document, most computers actually create a "print file" commonly known as a spooler file which is then sent to the printer piece by piece. These spooler files can continue to exist, even after the document in question is printed. Hard cards (circuit boards that act as disk drives) also can contain valuable data that should not be overlooked. Finally, electronic devices such as modems, pagers, and especially fax machines contain significant amounts of memory that can be accessed and saved. (8)
The party who requests "a printout of all files on the machine" is likely to miss a substantial amount of data because of the way computers read and write data. (9) For both hardware and software designers, efficiency is paramount. Efficient operation means that a particular operation occurs quickly and that it uses as little resources (e.g., memory space) as possible. To delete a file, nearly all computers simply mark the space occupied by the file as empty. The data remains, but it is subject to being overwritten at any time. The remaining data has been termed "shadow data". (10) Shadow data is what popular "undelete" utility programs look for. For example, when files are deleted from the computer's memory, the deleted files remain on the computer hard drive and disappear in a random fashion as other data is written over the files. See Gates Rubber Company v. Bando Chemical Industries, 167 F.R.D. 90, 112 (D. Co. 1996) (where a court granted a Site Inspection Order of defendant's computer to retrieve data allegedly deleted and destroyed in anticipation of litigation). Using space once occupied by a deleted file is faster than physically clearing all of the space left over by the file. It also results in better hardware life since one extra write operation is avoided. Finally, computer designers are indoctrinated from the start that their job is to not "lose" data. Accordingly, it makes sense not to clear the space used by a file -- just like the average office worker would hesitate to put papers into a shredder as opposed to a wastepaper basket.
This type of design is not restricted to computers: a Dictaphone works the same way. After an hour-long memorandum has been entered by the typist, it is unusual for the typist to actually go back and delete the tape. Rather, the tape is given back to the person who dictated the memorandum and a second memorandum is dictated. If the second dictation only lasts five minutes, then the last fifty-five minutes of the previous dictation are still on the tape.
For a computer, the result is that when a six-page memo is deleted from the hard drive, the top of each page is marked as available for overwriting, but the memo survives intact. If a three-page memo is written to the same space, pages four through six of the original memo still remain available and could be read by the appropriate software. This is why deleting incriminating files on a hard disk is particularly inappropriate way to comply with a discovery request. The evidence is still there, and now there is also clear evidence of intent to destroy it and a tacit acknowledgment of its importance. A poignant example of the devastating impact that shadow data can have is illustrated by Commonwealth v. Copenhefer, 565 Pa. 555, 587 A.2d 1353 (1991). Copenhefer kidnapped and killed the wife of a bank executive. The ransom notes were all generated by computer. Although Copenhefer deleted a series of ransom notes from the computer's hard drive, he did not actually destroy the files. The FBI's computer experts retrieved the shadow data and it was subsequently used to convict Copenhafer and sentence him to death.
Shadow data may exist as pages of data, but the pages themselves may also contain shadow data. It may be that the three-page memo was really two and one half pages long. To avoid inconsistency, the file will be written as a three-page file. Some applications do not bother to clear the final half page. Accordingly, the second half of page three of the "deleted" memo may still be readable. So when does this shadow data get destroyed? The answer is when the space is needed. Shadow data may last for as little as a few seconds or as long as several decades if the machine is rarely used. On other point bears mentioning about shadow data. Some operating systems keep a record of what was deleted. If, on the eve of discovery, the system has a record of massive deletions, counsel's suspicions should be aroused.
Shadow data appears in other places as well. For example, when backup tapes are made, if the whole tape is not used, data may remain at the end of the tape from the previous backup. When a file is sent to a printer, the file will remain in the printer's memory until the printer receives the next file. The thing to keep in mind is that the shadow data is still there, but it is subject to actual destruction (by being overwritten) at any time.
E. To Catch A Shadow.
The way to capture shadow data is to make an "image backup" of the hard disk. An image backup is one that copies all data, regardless of whether it has been deleted. An image backup will not only contain active files, but also a copy of unused space which may contain shadow data. In addition to picking up discarded data, making an image backup of a disk and properly analyzing it can produce some other benefits. For example, most operating systems have the ability to tag a file as "hidden." If a listing of a directory is made, these files will not appear. Usually only files used by the operating system are tagged as "hidden", but a clever user can tag sensitive documents as hidden and possibly avoid detection. During normal processing, most word processing programs have a backup feature that writes the latest changes to a hard disk. In the event of a sudden power failure or operating system failure, all of the changes to the document will be lost if they are only stored in RAM. The backup feature allows the word processing program to retrieve all but the very latest changes to the document from the hard drive when the system resumes functioning. If the backup file is not needed, it is simply deleted. Making an image backup of the hard drive allows for the discovery of these "deleted" backup files.
In order to retrieve an accurate reading of these deleted files, proper steps must be taken. In Gates Rubber Co. v. Bando Chemical Industries, 167 F.R.D. 90 (D. Colo. 1996), the court granted plaintiff Gates Rubber Company ("Gates") a Site Inspection Order after Gates alleged that defendant Bando Chemical Industries ("Bando") was destroying computer files in anticipation of litigation. Gates' computer expert sought to inspect the Bando computer backup files to yield information or take partial pictures to yield information or take partial pictures of files that had been deleted. The proper procedure to retrieve such files is to make an "image backup" of the hard drive, which would collect all information contained on the hard drive, including deleted information that had not been overwritten. The "expert", however, first foolishly copied an "unerase" program onto the Bando computer hard drive, which obliterated 7 to 10 percent of the information on the backup file. Once the information was overwritten, it was lost forever. Thus, what initially appeared to be a thorough discovery inspection ended in a loss of potentially critical evidence for Gates.
Other information can be gleaned from data that is taken electronically rather than in printed format. For example, most word processing programs allow for comments or remarks to be placed into the document. These comments are not seen when the document is printed. By recovering an electronic version of the document, these comments can be viewed. Most files also contain a date and time stamp of when the file was last changed. If, for example, the date and time are later than the date of a letter or memorandum, that may mean that the memorandum may have been written after the fact. Of course, the memorandum may just as easily have been accessed and rewritten with no changes at the later date. The date and time stamp is not infallible, in fact, it is very easy to manipulate with the proper software tools. Accordingly, just because the date and time stamp appears to be a certain date, do not believe that date to be an absolute fact. An example of some of the problems that can occur with time stamps is In the Matter of the Impeachment of Judith K. Moriarty, 902 S.W.2d 273 (Mo. 1994), where the Secretary of State was charged with altering the date and time of a declaration of candidacy on behalf of her son. The court found it significant that the error messages, "RECORD NOT FOUND 0" and ": XM" appeared in lieu of the date and time fields respectively, because these error messages indicated that the date and time on the declaration of candidacy had been manipulated. Like any other digital data, the date and time stamp is highly manipulable.
F. Deciphering Peculiar File Formats.
Up until now, it has been assumed that a file is a file, and that printing the file is relatively simple. For files stored in "ASCII" format (also known as "flat files") printing an individual file is fairly trivial and can be done with a few simple commands. Most data however, is created by software applications such as word processing applications, spreadsheet applications and applications containing a proprietary database. In fact, very few software applications store files in a format that can be viewed or printed easily without that application. For example, a Lotus spreadsheet may have a combination of text and numbers in it, but without the Lotus software on the machine, it is nearly impossible to view. When requesting data, the name and version number of the application used to access the data should also be requested. If the file is encrypted or compressed, then the encryption program and any passwords should be requested. Finally, most software developers (and some document control systems) store iterative copies of files. A competent expert should be engaged to ensure that all versions can be recovered. For example, in a copyright infringement case dealing with software, an earlier version of the defendant's source code may resemble more closely the source code that the plaintiff claims was infringed. An examination of different iterations of a document or source code can also illustrate an adversary's thought processes.
When pursuing a discovery request, several key things should be kept in mind. First, an expert should be used to determine what the scope of discovery should be. If counsel is looking for a "smoking gun," the expert should know how to retrieve an "image backup" of the actual disk. Courts have held that production of printouts are insufficient when electronic media could be produced. See National Union Elec. Corp. v. Matsushita Elec. Indus. Co., 494 F.Supp. 1257 (E.D. Pa. 1980); In re Air Crash Disaster, 130 F.R.D. 634 (E.D. Mich. 1989). Thus it may be necessary to include all electronic media data in document requests during the discovery process as well as request an order to inspect the actual computer backup files. A second key is that speed is of the essence. Every minute that the machine is used after a file is marked for deletion is another minute that may destroy the "shadow" data. The longer it takes to make the image backup, the more "shadow" data will be overwritten by new data. And once the "shadow" data is overwritten, it is truly lost forever.
When the party complying with the request for documents is under a duty to preserve the electronic evidence, breach of this duty can result in an adverse judgment. For a time, it appeared that just such a default judgment would be ordered against the defendant in Computer Associates International, Inc. v. American Fundware, Inc., 831 F.Supp. 1516 (D. Colo. 1993) (reversing a default judgment entered by the court for failure to preserve old versions of source code in a copyright infringement case). See also, Carlucci v. Piper Aircraft Corp., 102 F.R.D. 472 (S.D. Fla. 1984) (where liability was imposed for failure to preserve information on design issues). Today, a party attempting to delete computer files in anticipation of litigation may be sanctioned and ordered to preserve backup files. See e.g., Armstrong v. Executive Office of the President, 832 F.Supp. 4 (D.D.C. 1993).
One case in which a party erasing computer files was sanctioned is ABC Home Health Services, Inc. v. International Business Machines Corp., 158 F.R.D. 180 (S.D.Ga. 1994). In that case, the court reviewed its inherent power to impose sanctions for the destruction of documents under Rule 37 of the Federal Rules of Civil Procedure. When IBM was found to have deleted computer data from an AS-400 computer prior to litigation, the court ordered a jury instruction permitting the jury to draw an unfavorable inference from the computer data which was destroyed.
III. Old Rules For New Stuff
A. Evidence is Evidence.
Information obtained from a computer ("computer evidence") has been treated as if it were a mystical and separate category of ordinary evidence. In fact, computer evidence is treated by the same rules as any other evidence (i.e., its proponent must ensure that it is material, relevant, competent and otherwise admissible). Thus, computer evidence is also subject to the same types of attacks as other evidence; it may be unreliable, hearsay, or privileged. Early cases used this line of analysis when faced with the issue of whether computer records were admissible. See Sears, Roebuck & Co. v. Merla, 142 N.J. Super. 205 (App. Div. 1976); Monarch Federal Sav. & Loan Assgn. v. Genzer, 156 N.J. Super. 107 (Ch. Div. 1977). Unfortunately these "old rules" produce anachronistic results when applied to new technologies. For example, in Monarch Federal Sav. & Loan, the court found that the proponent of computer evidence must establish a foundation by satisfying a six-part test. First, the foundation witness must have personal knowledge of the act or event recorded. Second, the proponent of the evidence must show that the foundation witness is sufficiently qualified to testify to the type of computer employed, the permanent nature of the storage and how daily processing of the information is accomplished. Next, the proponent must show that the computerized records were made in the ordinary course of business. The fourth consideration is the time of preparation of the computer printout, i.e., the computerized record must be made at or about the time of the act that is being recorded. The fifth element was that the sources of information upon which the data was based must be verified by the source. Finally, the proponent had to show the method and circumstances of the preparation of the computer record.
Courts, however, are now becoming more facile with computer technology and comfortable with the reliability of computer evidence. Recently, a New Jersey court, in Hahnemann Univ. Hosp. v. Dudnick, 292 N.J. Super. 11 (App. Div. 1996), recognized the general reliability of computer data and expressly rejected the onerous foundational requirements set forth in Monarch Federal Sav. & Loan 20 years earlier.
B. The Problems With Computers.
The difficulty with computer evidence is threefold; it comes from a variety of media, it is subject to manipulation, and it is often not tangible. The laws of evidence are accustomed to dealing with information that, by definition, resides solely in a single medium (like photographs, printed documents, public records, newspapers or commercial paper). Lawyers are comfortable with these documents because we know that, once printed or written, a public document is (or at least appears to be) forever fixed into the paper upon which it resides. Secondly, these types of evidence are not subject to easy manipulation. An attempt to modify a newspaper article would be obvious and easily attacked. A written document can be redacted and copied, but in general, manipulation is difficult. Finally, the intangibility of computer evidence provokes an intellectual unease. For example, during the swearing in of a witness, does the witness who places his hand upon a bible, appear to be more credible than one who places his hand upon a floppy disk containing a bible? The initial reaction is that the two are very different acts since we can see the bible, but even after checking it, we are never quite sure about the floppy disk.
C. Authentication.
Authenticating (or challenging) computer evidence at trial requires preparation from the discovery phase onwards. The proponent of the evidence must establish a chain of custody. Questions that are likely to be asked during the trial are: Who originally entered the information into the computer? What type of skill level did they have, and was the data validated? Once the data was entered, was it manipulated before being placed into a database? After data entry, how was the data maintained and who had access to it? Counsel's failure to adequately anticipate likely evidentiary challenges can prove costly.
Some of the more interesting problems with digitally based evidence were illustrated in a demonstration at a meeting of the Federal Computer Investigations Committee in the Summer of 1991. (11) A photograph of a body lying on the floor with a gaping chest would was shown to agents and prosecutors. On the wall was a message that the "killer" had smeared in the victim's blood. The photograph had been taken by a digital camera. By using commercially available software, two law enforcement agents "removed" the writing from the wall, "closed" the chest wound, made a small wound in the victim's temple, and placed a gun in the victim's hand. The "photograph" then depicted a suicide rather than a murder. The evidentiary problems illustrated by this digital photograph apply to any computer record. Manipulation of digital data rarely leaves behind traces that could prove the data to be fraudulent. The data once manipulated, can be even more believable than the unmanipulated data. Digital data can also be deleted without a trace -- assuming that the person performing the deletion has the knowledge and access to do so. The key, of course, is the believability of the witness who authenticates the photograph.
Authentication of evidence is governed by Rule 901, "Requirement of Authentication or Identification." Forging an electronic mail message is relatively trivial if the forger knows the victim's password. The problem of authenticating sophisticated digital evidence is well illustrated by the example of the digital photograph mentioned above. Modifying a photograph requires a minimal level of sophistication and advanced computer software (albeit commercial off the shelf personal computer software). Changes like the one mentioned above are obvious and could only be authenticated by a witness willing to commit perjury. Smaller changes, however, can be made in digital evidence like photographs which may be more difficult for a witness to identify. For example, blood could be "digitally" removed from or spattered onto a photograph of the defendant's machinery in a personal injury case. Digital signatures can be copied into electronic documents to create forgeries. Noises can be added to recordings on digital tapes with very little trace. Trial lawyers need to be aware that digital evidence may be manipulated -- without a trace. Lawyers unaccustomed to looking at a photograph and asking themselves whether the photograph really is accurate place their clients and possibly themselves at considerable risk.
D. The Best Evidence Rule.
Courts are more comfortable and more persuaded by the original rather than a copy. This preference is known as the "Best Evidence Rule", is codified as Rule 1002, "Requirement of Original" of the Federal Rules of Evidence, which states, "To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress." The Best Evidence Rule is problematic, however, in the case of computers. Few, if any, modern computers store information in a format that can be read by humans. Floppy disks, hard drives, and tapes are all based upon magnetic storage. CD-ROMs use lasers for optical storage, and computers themselves use electrical impulses for storage. In fact, the last wide spread storage method used by computers that could be directly deciphered by humans was the now-obsolete paper punch cards. Accordingly, very little computer evidence will be a true original. To prevent the absurd result of entering a hard disk drive into evidence, the impact of Rule 1002 was ameliorated by the definition in Rule 1001(3) providing that, "If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'original.'"
Moreover, under Rule 1003, "Admissibility of Duplicates":
A duplicate is admissible to the same extent as an original unless
1. a genuine question is raised as to the authenticity of the original, or
2. in the circumstances it would be unfair to admit the duplicate in lieu of the original.
A "Duplicate" is defined in Rule 1001(4) as, "a counterpart produced by... mechanical or electronic re-recording... or by other equivalent techniques which accurately reproduces [sic] the original." Accordingly, a printout from a floppy disk could, assuming that there are no other evidentiary problems, be admitted into evidence, thus avoiding the necessity of removing a hard disk drive from a computer and presenting to a court or setting up a computer and monitor in the courtroom to decipher the contents of a hard disk. Issues are likely to arise as to whether the original contents of the computerized evidence are authentic and whether the copies presented to the court are accurate copies of the original. In this case, experts will be needed to authenticate the original and attest to the accuracy of the copies.
E. Computer Evidence as Hearsay.
Rule 801(c) defines hearsay as, "a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted."(12) Like any other evidence, computer evidence can be challenged on the grounds that it is hearsay, and like any other hearsay evidence, the same exceptions apply. The first step, of course, is to determine whether the computer evidence really is hearsay. For example, in People v. Holuwko, 109 Ill.2d 187, 486 N.E.2d 877 (1985), the Illinois Supreme Court held that computerized reports of telephone traces were not hearsay because such printouts did not rely on the assistance, observations, or reports of a human declarant. In Burleson v. Texas, 802 S.W.2d 429 (Tx. App. 2d Dist. 1991), the court allowed a computer generated display to be entered into evidence to show the number of payroll records missing from the system, on the grounds that it was, not a verbal or nonverbal out-of-court statement made by a person. Rather, it was considered tangible, albeit fleeting, evidence which was generated by the computer itself as part of the computer's internal system designed to monitor and describe the status of the system. The most commonly used exceptions that have been used by the proponent of the computer evidence in the civil, as opposed to criminal, context have been the business records exception, defined by Rule 803(6), "a memorandum, report, record, or data compilation, in any form ... made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity..."(13) and the public records exception 803(7), "Records, reports, statements, or data compilations, in any form, of public offices or agencies setting forth (A) the activities of the office or agency, or (B) matters observed pursuant to duty imposed by law..." The reason that the business records and public records exceptions have been the most prevalent is that historically, only businesses and government could afford computers. These two exceptions provide a good starting point for the trial lawyer to admit what would otherwise be hearsay into evidence, but other exceptions may also apply. For example, an electronic diary containing a formerly existing physical condition or a recorded recollection could apply to evidence obtained from an individual's home computer. Similarly, if an employee's electronic mail message states that he "really only borrowed company funds," the message could be admitted as a statement against interest. In each case there is no substitute for a fundamental understanding of both the rules of evidence and the way that computers process data.
A more difficult evidentiary problem arises when the computer evidence is not merely reproduced, but needs to be processed prior to being offered as proof. For example, many corporate databases are enormous -- printing out all of the data that they contain could fill a room with paper, and even if the printout were to be made, it might be encoded. In this case, it is possible to admit a summary of the relevant data. The summary could be admitted under Rule 1006, "Summaries", which allows, "the contents of voluminous writing, recordings, or photographs which cannot conveniently be examined in court may be presented in the form of a chart, summary, or calculation." This permits the opposing party to challenge the method in which the evidence was retrieved. For example, the program retrieving the data may have errors in it, only a portion of the entire database may be processed, or the conversion process itself may cause incorrect inferences to be made. Even if the offer itself it true, the method upon which it is created may be challenged as inherently unreliable. The adage about computers of "garbage-in, garbage-out" points out two fundamental ways to challenge computer evidence: (i) the results produced by a computer can only be as good as the information that the computer is given; and (ii) often computers will dutifully produce a response that is incorrect, rather than identify that there are errors in the original input.
IV. Some Helpful Hints.
A. Preparing Discovery Requests.
When computer evidence is sought, especially to prove a computer related copyright infringement, the first step is to request a hearing to seek a Temporary Restraining Order ("T.R.O.") or a preliminary injunction to prevent continued use of such program. See e.g., Gates Rubber Co. v. Bando Chemical Industries, 9 F.3d 823, 831 (10th Cir. 1993) (denying plaintiff's request for a T.R.O.); In cases where there is a threat that computer evidence related to the litigation will be adversely affected or destroyed, the first step may be to request a judicial order requiring the defendant to take all necessary steps to preserve the computer evidence without erasure. See e.g., Armstrong v. Executive Office of the President, 821 F.Supp. 761 (D.D.C. 1993). In the alternative, a motion for expedited discovery may be necessary. Either way, a motion to for a Site Inspection Order should be made immediately in order to preserve materials from further destruction. See e.g., Gates Rubber Co. v. Bando Chemical Industries, 167 F.R.D. 90 (D. Colo. 1996). When it appears that a defendant is violating the discovery process by destroying computer evidence, sanctions can be granted pursuant to the Federal Rules of Civil Procedure, Rule 37. See, e.g., Wm. T. Thompson Co. v General Nutrition Corp., 593 F.Supp. 1443 (1984).
The next step towards an effective discovery program for computer evidence is to retain a computer expert who is familiar with the types of computers being used by the opposing party. The expert should be contacted immediately, and, as noted above, frequently there should be no delay in filing for an order to preserve all computer-based evidence. A preliminary request should be made for information about the existing hardware, software, storage devices and storage media being used by the adversary. A check list of all possible sources of data should be compiled, including homes, offices, disaster recovery, backup facilities and, if appropriate, source code escrow sites and licensee sites.
After assessing the nature and scope of your discovery request, consider whether:
1. a similar request will be returned to your side,
2. the cost effectiveness of accumulating certain information, and
3. whether your requests will alert your adversary to your possession of damaging evidence.
When the specific request is made, ensure that not only is the data itself sought, but also, for each computer subject to discovery that the opposite party produces:
1. the relevant application software, including the appropriate version number, if any;
2. the appropriate model numbers and configuration of the hardware;
3. the version of the operating system; and
4. the names of any other software, hardware, and any passwords required to access the data.
When the data is collected, make sure that an appropriate chain of evidence is created. Finally, consider creating a litigation database to organize the information so that it is clear and persuasive to a jury.
B. Opposing Discovery.
Being adequately prepared is the most important part of opposing a discovery motion. Determine where and how information is stored. Establish procedures and policies for the use of E-mail. Make sure your employees are aware that their E-mail messages may be produced in court. Periodically review and audit information -- routinely identify data that should be destroyed and then destroy it in a systematic and thorough way. Such a policy should be in writing and the destruction of these files should occur on a regular periodic basis.
After litigation commences, object to wholesale requests for documents, especially entire hard disks or magnetic tapes. Contact an expert to help address technical issues raised by the other side. Any information that is sought should be reviewed by counsel to determine whether a privilege is applicable. If a privilege is applicable, filter out the privileged information to avoid a potential waiver.
V. Conclusion
Attorneys must explore discovery of all possible nooks and crannies for both unerased and erased information. No longer can attorneys approach the discovery of electronic information by using the techniques of traditional discovery. In fact, failure to properly frame requests could not only result in loss of precious evidence, but malpractice, thereby exposing the errant attorney to liability.
The coming years are likely to pose even more difficult discovery and evidentiary problems. The convergence of multimedia, the Internet, and the increased capacity of computers to perform other electronic tasks such as transmitting and receiving facsimiles are all likely to create new rules.
