What is the Legal Definition of a Virtual Currency?

The way we use language affects legal outcomes. Language is causing legal controversy around so-called “Bitcoin” and “virtual currencies.” Let’s assess the language applicable to the phenomenon popularly known as “Bitcoin.”

What Would a New York BitLicense Cover?


The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program commonly known as “BitLicense.”  Some people welcome this proposal as an advance for Bitcoin. Others denounce it as a threat to privacy and freedom because it requires a virtual currency business to collect much identifying information about customers.


What exactly does the proposed regulation cover? Section 200.2 Definitions includes this first sentence:

“(m) Virtual Currency means any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.”

How to Interpret the Definition “Virtual Currency”?


The quoted sentence of Section 200.2(m) is a definition of cosmic breadth. Let’s parse it.

First, it covers digital stuff. But in 2014 a lot of stuff is “digital.”

Second, it covers a “unit.” But it does not define the word “unit.” The word “unit” is so broad, especially when we are talking about digital stuff, it more or less covers anything. The word “unit” could mean a number, a word, a song or most any other digital expression.

If the word “unit” includes any expression of any idea, then the draft BitLicense (strangely) starts to raise First Amendment freedom-of-speech issues.

Third, Section 200.2(m) is limited to a digital unit . . .

1. that is used as . . .

A. a medium of exchange; or 

B. a form of digitally stored value;

OR 

2. that is incorporated into payment system technology.

Wow. That embraces a lot of territory.

Is an Ordinary Electronic Contract a Virtual Currency?


Let’s consider an example.

Suppose Bob sends a message via Gmail to Sally that says, “I promise to pay $100 for a widget.” And Sally replies, “OK.” That email is (more or less) a legally-enforceable contract.

Under contract law, Sally could then via Gmail assign her rights of contract with Bob to Jack in exchange for a gadget. Further, Jack could hold on to the rights for a while (because they are valuable), storing the emails in Gmail.

Finally, using Gmail, Jack could assign his rights to Maria in exchange for a whats-it.

Thus, arguably, the $100-for-a-widget contract is covered by Section 200.2(m). The contract is – at least arguably – a virtual currency because it is “a digital unit that is used as a medium of exchange or a form of digitally stored value.” It is a set of valuable, stored rights that went digitally from Bob to Sally to Jack to Maria.

Would Google Need a License?


Furthermore, if Bob, Sally, Jack or Maria has a New York connection, then the operator of Gmail, i.e., Google, would arguably be engaged in a “Virtual Currency Business Activity” for which Google must have a license. Section 200.2(n) of the draft BitLicense regulation defines “Virtual Currency Business Activity” as “the conduct of any one of the following types of activities . . . : (1) receiving Virtual Currency for transmission or transmitting the same; (2) securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others”.

Hmm. So a plain reading of the draft regulation results in Google needing a BitLicense. How strange.

Expansive Language is Common in Cyber Law.


It is not unusual in the Internet age for lawmakers to write laws of such immeasurable scope that they arguably lead to strange interpretations.

The state of Connecticut for instance proclaims: “Any person in possession of personal information of another person shall safeguard the data . . . containing the information from misuse by third parties . . .”  Connecticut goes on to define “personal information” as pretty much any data that could be connected to a particular human. Arguably, “personal information” could include any statement, photo, mouse-click or metadata roughly connected to a person.

But to expect absolutely everyone to protect absolutely every iota of personal information of any other person seems a strange and impractical result. Arguably for example it expects great-grandmother to secure the personal information (photos, names, comments, metadata and so on) about her friends that her computer automatically collects in her browser’s cache as she logs onto Facebook.

Enforcement Limited to the Spirit of the Law?


Now, an advocate for New York’s proposed BitLicense regulation might argue it is not the spirit of the law to regulate the provision of email services like Gmail. The spirit of the law is to regulate some other activity that is hard to define.

Likewise an advocate for Connecticut’s data privacy law might argue it is not the spirit of the law to cover every speck of data in the cache of great-grandmother’s browser.

Other computer laws that use expansive words are interpreted according to their spirit. The federal Computer Fraud and Abuse Act for example hinges on "access" to a computer. In 2014 the expansive word “access” to a computer leaves much room for interpretation. In difficult cases authorities interpreting the word “access” strive to find and apply the spirit behind the CFAA.

However, leaving e-commerce laws to be interpreted according to their spirit rather than their actual words is problematic.  Imprecisely-worded e-commerce laws (albeit well-meaning) cause confusion.*[See Footnote]

What is the Legal Definition of “Bitcoin”?


So how do the words of the draft BitLicense regulation apply to Bitcoin (or Dogecoin)?

The phenomenon popularly called “Bitcoin” might be described by lots of words. The phenomenon is new and rapidly evolving. It was not created by government. The phenomenon is not necessarily locked into words like “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage.” Even though some people use words like that in relation to the phenomenon, that does not mean those words are binding on all people who observe and dance with the phenomenon.

Disclaim the Regulated Concepts?


When law like the draft BitLicense regulation relies on spirit rather than precise words to define the novel technology it is regulating, people have room to define their activity relative to that law.

For instance, people and businesses who observe and converse within the “Bitcoin” phenomenon could declare words like these:

We are engaged in a computing relationship. The relationship is evolving. It has not settled into maturity. We declare that said relationship does not involve any “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage” as those words are enforceably used by the New York Department of Financial Services. We further declare that our computing relationship . . . our communication . . . disclaims the following words and the spirit behind them: "currency," "unit," "medium," "exchange," "value," "transmission" or "storage" as those words are enforceably used by the New York Department of Financial Services. We compute and communicate in the spirit of free speech, but we don’t engage in the activities regulated by the Department of Financial Services.

No Guarantee


Would a declaration like the foregoing guarantee that law will abstain from enforcing the draft BitLicense regulation against people? No.

However, a declaration like that does no harm.

What’s more, for some people a declaration like that could be constructive, especially given that the draft BitLicense regulation (if adopted) is subject to strange interpretation.

Further, those people would be safer from enforcement if they avoid tricking, deceiving or defrauding anyone.

What do you think?

==
Notice: Statements like the above by Benjamin Wright are just public discussion; rely upon them at your own risk. They are not legal advice for any particular situation. If you need legal advice, you should consult a lawyer who has explicitly agreed to provide you advice.

*Footnote: In the mid-1990s Utah adopted legislation to promote cryptographic e-commerce by licensing public-key-infrastructure certification authorities. The legislation was ill-conceived and caused much confusion. Utah eventually repealed the legislation.

Update: More analysis of the definition of "Virtual Currency" under NYDFS's proposed Bitlicense regulation.

How to Prove Bitcoin Evidence

Evidence is fundamental to the use and regulation of cryptocurrencies like Bitcoin. This blog post demonstrates one way to collect and preserve evidence about cryptocurrency transactions, technology and businesses.

Bitcoin evidence might be used as follows:

  • in a court of law to enforce a contract for sale of a product purchased with Bitcoin
  • by a tax authority to calculate tax (The IRS says Bitcoin is property on which capital gains taxes must be paid.)
  • by an accountant to audit the financial condition of a company that owns Bitcoin
  • by a regulator to monitor a Bitcoin exchange (The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program popularly known as BitLicense.)
  • by a compliance officer at a licensed Bitcoin business to show she checked the function of Bitcoin software at a specified time


Example Evidence in Failed Transaction


Cryptocoinsnews recently reported how evidence was captured and shared regarding a failed purchase purchase of goods paid with Bitcoin. The author says he tried, unsuccessfully, to make a purchase at Tiger Direct, which uses Bitpay to accept
Bitcoin payments. In connection with the author’s research of the failed transaction, “BitPay has sent [the author] the screenshot showing the proper amount paid . . .” In other words Bitpay proffered the screenshot that it made as probative evidence of Bitpay's proper performance in the transaction.



A Screencast Video Is Sometimes Better than a Screenshot.


A screenshot is a common form of evidence for online data and transactions. Screenshots are commonly relied upon in court and in financial audits. They are commonly retained as archives of online events, including contracts or statements of account.

But a problem with a screenshot is that it misses the interactivity of software or an online event. It misses audio feedback. If an investigator wants evidence that after he clicks X then Y happens, he can try to make multiple screenshots and explain them in a written report. But compiling multiple screenshots into a detailed written report is awkward and time-consuming.

A screencast video (including audio), on the other hand, can be worth 10,000 words. Here is a screencast video of a hypothetical review by a compliance officer of a web-based Bitcoin wallet. Notice the audio beeps and the brief notices that blink in the upper right-hand corner and then go away; these would be hard to represent with screenshots stitched into a written report.
 
(I use the demo wallet at Blockchain.info, which is described as “Free. Open Source.”)

Video Freezes Evidence at a Point in Time.


Software and other technology change constantly. This video documents precisely what the investigator sees at a particular time. It also records the audio “beeps” he hears, and it shows precisely when he heard them.

Could the investigator forge or manipulate this video record? Yes, just as investigators can forge other evidence like screenshots or old-fashioned paper documents.

The value of the screencast video evidence depends on the reputation of the investigator.

I have previously analyzed video evidence like this.

The credibility of the video could be enhanced if it were created and signed by more than one investigator.

The statement of date and time by the investigator via webcam makes it more difficult for anyone to manipulate the video, especially if date and time are corroborated by an outside source, such as email to which the video is attached or a cloud service to which the video is uploaded.

For instance, the Youtube (i.e., cloud computing) page for the video above shows the video was uploaded July 17, 2014. I (the Youtube subscriber who controls the page) am not able to manipulate that date. Thus, if six months from now I wanted to create a fake video and claim the date was July 17, 2014, I could not use Youtube to corroborate the date for the fake video.

Legal Signature Supports Authenticity.


A crucial aspect of the video is the webcam signature of the investigator at the end. The webcam-recorded words “I Ben Wright hereby sign and affirm this video as my official work,” make clear the investigator is putting his professional reputation on the line. He is going so far as to record his face and moving lips as he speaks the words. He is making a form of legal affidavit.

The signature potentially opens him to legal and professional punishment if he is lying or cheating. (If he is licensed like a certified public accountant, he could lose his license. He could jeopardize his ability to ever get professional employment again in the future.)

This signed video record could even be valuable years later when the investigator is no longer available or willing to vouch for it. His employer (in the hypothetical video the employer is Acme Virtual Currency Brokerage) may need his evidence long after he leaves employment.

Deeper Evidence Might Be Available.

The video above of course records the function of a wallet at the level of user interface. This record may be adequate for many audits and regulatory reviews. But sometimes deeper evidence may be necessary. Records of logs, ledgers, journals, meta-data, audit trails, and the like may be necessary . . . assuming the investigator has access to them, as well as the time and expertise to make use of them.

In any case, the application of a legal signature by the investigator who collects and authenticates such evidence can contribute to the long-term credibility of the evidence. Often a webcam signature (stating date and time) would be practical, reliable and persuasive to legal authorities like juries.

What do you think?

--
Related: How to verify online forensic evidence.

How to Find Legal Evidence in Backups

Copies of legal and audit evidence are spreading everywhere. The “syncing” of digital devices and services is revolutionizing the forensic collection of electronic evidence.

Discoverable evidence is no longer confined to islands like an email archive or a hard drive. The evidence is multiplying. It is being copied and copied again. It is backed up here, it is automatically shared there, and it is accessible some other place.

Hence, if relevant text messages have been deleted from a phone, they may still be recoverable from a synced backup on:

  • PC hard drive 
  • enterprise email account
  • cloud storage account like Dropbox or Gdrive (cloud storage often enables automated copying to multiple devices; something copied to Gdrive may automatically be copied to your home PC hard drive and the hard drive of your personal laptop)
  • wearable device like a smart watch
  • dedicated local storage device (a “cloud in your home”)
  • television in the living room
  • soon . . . your Internet-of-Things refrigerator!

Can You Remember All the Services Enabled on Your Smartphone?


Today, when a consumer or a business professional sets up a new device like an Android phone, they are encouraged to sync their
contacts and photos with cloud services and with other devices. Many people do not deeply understand what this means.

Recently I witnessed the surprise of an iPhone user who lost her phone and bought a new one. All of her details, like photos and settings emerged like magic on the new phone. Why? Because they were backed up in the iCloud . . . even though she did not realize they were stored there.

Many modern cell phones automatically back up data to the cloud so that the data can be restored if the user "resets" the phone. See this image from an HTC One phone.

Such cloud backup service is a relatively new development in the smartphone universe. The full implications of this service can vary from one situation to the next and from time to time. Can texts be recovered from this backup? Photos? Log-on credentials for mobile apps like Snapchat? Contents of mobile apps, which may themselves contain sensitive messages, images, geolocation data etc., etc.?

An investigator may need to research and play around with a service to learn what evidence can be recovered from it in any given situation. The investigative process is unpredictable and labor-intensive. Therefore it may be expensive if you are paying an investigator to work by the hour.

The backup functionality can be complex, and hard for even a reasonably educated person to understand. I have been working with a new HTC One phone (July 2014). I've enabled automatic backup, but I am still puzzled about precisely what the backup does. I see this explanation on HTC's web site:



It says my data is at my "Dropbox storage" . . . but I am not aware that I have ever set up a Dropbox account. So far I've not been able to ascertain whether I can access this "Dropbox storage" by any means other than "resetting" the phone . . . or possibly duplicating the contents of the phone onto a different HTC phone.

(I am guessing that somewhere in the setup of the phone and the setup of the backup function HTC created a Dropbox account for me . . . but that is just a guess. I did not notice this happening. I have not noticed a "welcome" message from Dropbox.)

Many people come to this blog seeking to get texts and photos from a telecommunications carrier like AT&T. However, the carriers are often uncooperative. The better path for recovering data may be from the cloud backup, such as HTC's Dropbox storage or Apple's iCloud.

Did You Automate and Then Forget?


Some cloud services encourage you to make automatic backups because they want you to become dependent on them. Microsoft’s OneDrive gave me three extra free gigabytes of space if I’d set up the CameraRoll on my Windows laptop to upload its contents automatically to OneDrive. Microsoft is hoping I will upload so much (perhaps without thinking about it) that I will need to purchase additional storage.

HTC and Apple provide backup as an incentive for the customer to come back to them when the customer purchases a new device.

Many users will forget about their various backups. Therefore, if they were asked in a legal deposition or interrogatory whether they had backups they’d honestly say no. However, a diligent investigator could find the backup(s).

Does Investigator Need Training?


An effective investigator does not necessarily need special equipment or high technical skills to find the backed up data. Instead, the investigator needs patience and an inquisitive disposition. Computer devices like tablets and online services like OneDrive are emerging and changing constantly. No one can know everything about them. However, their features and behaviors can be researched and intuited by a persistent investigator.

With that said, a trained investigator will know how to order and document his work so it can more readily be established as reliable in court. In a criminal prosecution, a court may expect proof of the “chain of custody” for the evidence. Further, the work of a licensed and/or certified investigator may be perceived as more credible.

What’s more, sometimes special forensic tools are critical to recovering data. For example, a forensic specialist reports he recently used forensic tools to recover deleted email by accessing the “shadow” copy maintained for disaster recovery on the hard drive of a Windows PC.

Is the User Given Good Legal Disclosure?


When a user syncs a device with something else, there’s never a sensational notice like this: “Warning. By syncing your phone, you are creating backup records of photos and text messages that can be discovered by the police or your ex-spouse in a legal investigation.” Users are often presented lengthy (boring) terms and conditions, but few users scroll screen-after-screen on their mobile devices to read and absorb the
implications of the terms. As the adjacent photo shows, the terms may say that nonspecific, neutral-sounding “content” will be stored, but rarely do users cogitate over that word.

When a user sets up syncing, they may create a password that they then forget. Sometimes the only practical way to access the synced backup records is by using the device from which the records originally came. For instance, an app on a phone may be causing records to be stored on a social media or cloud site. The only practical way for the investigator to get credentials for logging onto the site might be to use the app as it is installed and configured on the phone.

With appropriate authority, a talented investigator can reset passwords and recover forgotten accounts. Authority might come from, for example, user consent, a court order or a BYOD agreement between the user and her employer. 

Professional Standard of Responsibility for Data Security

The CEO of retail merchant Target lost his job owing in part to a data security breach. The Chief Information Officer lost his job too. Target is a turning point in the history of data breaches. It is changing the way enterprises approach data security.
Lessons from Target

Insecurity Is a Fact of Life


To prevent data from leaking out is very hard – in fact, super hard – for an enterprise to achieve. To explain that point, journalist Quinn Norton publishes an article titled “Everything Is Broken.”  Although she speaks in terms I would not use (she says computers are “broken”; I say our expectations for computer security are unrealistic), I subscribe to her basic message: typical computers and software are inherently insecure. They are riddled with holes. They were not designed, they were not created, they are not deployed like M1 tanks.

Encryption Exemplifies Security's Unachievability

Take encryption. The public discussion about security often assumes that “encryption” is an achievable solution to much of the data security problem. But sustained use of encryption in a functioning enterprise – or by a reasonably careful individual – is a nightmare that is rarely acknowledged. To quote Norton: “Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible.”

She goes on to explain that so often encryption programs can be circumvented because – for example -- they sit on top of code written in the C programming language, which is often written by sloppy developers who fail to use secure coding practices. Secure coding in C requires a lot of discipline. According to knowledgeable expert, "C is unforgiving if you are lax in secure coding practices."

An example of a C programming vulnerability is the catastrophic Heartbleed bug that attracted so much attention when news of it broke April 2014. Security guru Bruce Schneier said that on a scale of 1 to 10, Heatbleed is an 11 in its magnitude!

Think about Schneier’s comment from a public policy perspective. Heartbleed had been sitting out there for years, unknown to the community, as loophole in commercially-popular encryption (OpenSSL). But the public policy conversation assumes “encryption” is good, practical, achievable.

Norton argues there are more Heartbleeds out there; the community just hasn’t identified them yet.

Another recent controversy demonstrates how impractical encryption can be. For years, many smart people have relied on TrueCrypt to encrypt records. Then suddenly TrueCrypt's developers announced the program is insecure and everything encrypted with it needs to be re-encrypted with something else. Even though the community is debating whether TrueCrypt is in fact insecure, the controversy compounds the nightmare for many enterprises that in good faith have devoted resources to encryption.

When we consider encryption as solution, we must acknowledge that the practical application of encryption is destined to fall short.

Breaches Are Normal


In data security, everyone makes mistakes, even the best experts. RSA itself – the gold standard among infosec vendors – suffered a major security breach in 2011. Hackers used spear phishing against RSA employees to compromise the company’s SecurID authentication tokens. (csoonline.com “The 15 worst data security breaches of the 21st Century,” February 15, 2012)

What about the National Security Agency? It is reputed to employ the best computer security team in the world. It devotes a massive budget to computer security. But it suffered a cataclysmic breach. Edward Snowden stole the NSA blind.

No one is immune to data security breaches, even when they have very qualified people working for them and they devote tremendous resources to the problem.

Data security is a highly adversarial contest, similar to high-stakes litigation. The enterprise faces very smart, capable and persistent adversaries, like Mr. Snowden or like talented opposing counsel.

Losing the data security contest is normal, just as losing a lawsuit is normal and losing a football game is normal.

CISO Emerges as a Peer to General Counsel


It is in this harsh, unpredictable environment that enterprises like Target must manage sensitive data like payment cards and healthcare records.

For an enterprise, managing data security has become like managing legal rights and liability. The enterprise will never get close to perfection. It will never know whether it made all the correct decisions. But it can devote professional attention to the problem.

Historically the infosec team at the enterprise was composed of technical staff under direction of the Chief Information Officer. Infosec guys often complained that their guidance did not get the needed respect. They’ve had a reputation for writing long, highly prescriptive security policies that say this “will” be done and that “must” be installed. Even though their policies often would not be followed, they felt it necessary to use unrealistic, compulsory policy language just to be heard. They spoke in simplistic, black and white terms.

The historical practice out of the infosec team is markedly different from the practice out of general counsel’s office.  Business lawyers eschew directives like you "must" do this and you "will" do that.  Often such absolute mandates are too simplistic to address the challenges the enterprise faces. Rarely do lawyers say something like, “The enterprise must file this lawsuit because the enterprise is guaranteed to win a bunch of money in the lawsuit.”

But when lawyers talk, executives listen. Corporate lawyers are esteemed, pretty-well paid professionals. General counsel is an executive.

Though lawyers can speak in soft tones, their “advice” and “recommendations” carry weight. Their advice and recommendations are perceived as having serious impact, even if the advice and recommendations are not always followed or not perfectly followed.

Seeking Higher-Caliber Security Advice


The world is changing. Target is rumored to be shopping for a Chief Information Security Officer who will not be a subordinate of the CIO.  Rather, the CISO will be a peer of the CIO. According to Business Insider, this elevation of the CISO (and therefore the elevation of the infosec team) is an emerging trend among enterprises. “This Week In Payments News: Target Undecided On Who Will Be In Charge Of Stopping Hackers,” May 25, 2014.

Here is my interpretation of the trend: Management of data security has become mission critical for the modern enterprise. But management of security involves tradeoffs and unknowns akin to those applicable to the management of legal rights and liability.

The modern enterprise seeks sage leadership on data security. The enterprise will never achieve perfection; it will never know whether its decisions were the best. But the enterprise wants to get the kind of guidance from its security staff that it gets from its legal staff.

The implication is that the modern enterprise is seeking sharper, better-qualified security staff, and it is willing to pay higher salaries to get it. The modern enterprise is in the hunt for a more professional infosec team, lead by an executive-level CISO.

Legal Motivations for Professional Attention


When a patient visits a doctor, there is no guarantee the patient will get well. When a client retains a lawyer, there is no guarantee the client will win its lawsuit or achieve a desirable legal outcome.

The risk of an unhappy outcome is recognized in professional malpractice law.

So long as the doctor or lawyer exercises diligence and care, the professional is not liable for malpractice, even though the outcome is undesirable. Law motivates the professional to work and even be creative and take educated risks, but it recognizes that the task at hand can be unwinnable. It leaves much room for imperfection, mistakes in judgment and plain old bad luck.

I argue similar motivation should apply to data security in an enterprise. The enterprise should be motivated to seek qualified security expertise. But very commonly a diligent application of that expertise will fail to a greater or lesser degree. Qualified people will make mistakes. The possibilities for error and surprise are infinite.

Moreover, data leakage is like a serious disease. Often it is simply not curable. Law should motivate good work, but it should not punish a failure to cure.

Hence I argue that the law of data security should not hold an enterprise liable for a data leak if the enterprise meaningfully employs qualified staff.

I don’t anticipate infosec staff will be licensed like doctors or lawyers anytime soon. But I do think law can recognize the difference between qualified, vigilant staff and the absence of the same. And the law should recognize that even with qualified, vigilant staff, bad outcomes are normal, par for the course.

==
Attorney Benjamin Wright teaches Law of Data Security and Investigations at the SANS Institute.

Update:

Target's new CISO will report to the CIO. However, I'll bet that the new CISO will be treated as a trusted professional whose recommendations are given weight.

Related:

1. Floods of data breach notices

2.  Putting a Professional Standard of Care into Infosec Practice

How to Conduct a Private Internet Investigation

The online universe brims over with data and evidence about firms, people and events. But effective access to it can require hiring a private researcher or private investigator. In some cases a lawyer should be the first professional consulted.

Trend: Evidence Exists, But It is Hidden


A growing trend is that the data you want is hidden from easy public access. There are three reasons for this trend:

1. Right to Be Forgotten. The first reason is the recent ruling in the European Union that search engines like Google and Bing must respect the “right to be forgotten” and remove links to some data about a person when the person requests. The data -- which might relate to an old debt or crime -- may still be publicly accessible on a web site, but easy-to-use search engines (Google/Bing) can’t point to it. It exists in the so-called "Deep Web."

2. Closed Apps and Sites. A second reason for this trend is the rise of apps and web sites that disallow indexing by Google/Bing. Most Facebook content, for example, is not indexed by Google.  Much of the content collected by a mobile app – like the health apps published by Noom -- is not indexed by Google.

Many services not indexed by Google do collect loads of valuable information and make it available to subscribers/customers, whether paying or otherwise.

3. Inhospitable Terms of Service. This is the third reason for the trend that data is inaccessible. Legal terms of service that impede investigation are becoming more common. For example, Facebook’s terms say, “If you collect information from users, you will: obtain their consent . . .”

Huh? Those terms seem to say that before you get “public” Facebook info about the target of an investigation you must get the target’s consent. But you may not to do that because you don’t want the target to know you are investigating.

Although terms like this can be subject to interpretation, they can restrict the collection of data or limit its use as evidence in court.

A Professional Can Uncover Scattered Recorded Evidence


The upshot of the foregoing trend is that recorded information is becoming more fragmented, even as it becomes much, much more plentiful. It is scattered around. Finding it and making sense of it can require the payment of fees and the expenditure of much labor – more money and more labor than was perceived to be true a few years ago when Google/Bing seemed like the universal gateway to the web.

This means professional researchers and investigators are becoming more valuable. Professionals have training and experience. Better ones are creative. They have access to and know how to use many databases and search services, including less-conventional ones like Tineye, an image search engine, or Yandex, a Russian search engine, and fee-based databases like Proquest Obituaries or Ancestry.com.

They are skilled in searching the Deep Web using tools like Biznar, though no one knows how to use every online investigative tool.

Skilled investigators know how – or can quickly learn how -- to use Worldcam   to find recent Instagram photos near a certain location. Or they can find and apply new tools, such as Ready or Not, which maps
Map Location of Recent Social Updates by the Target of Investigation!
a person’s recent physical location based on where they were at the time they broadcast a tweet or Instagram post.

New search tools emerge every day!


Good research might involve a lot of trial and error. For instance, suppose a researcher is collecting information about Courtney. The researcher sees that Courtney talks on Facebook about using the Noom Weight Loss Coach mobile app. The researcher might look up the Noom app, subscribe to it and pay for premium service so as to have access to user forums, where – maybe or maybe not – Courtney would have posted something relevant.

The number of mobile apps is endless; apps come and go like Texas weather.

Sometimes, when a professional gathers research, s/he must be licensed as a private investigator. For example, Texas law broadly requires independent businesses that collect sensitive information to be licensed as a PI.*

An Attorney’s Role in Five Parts


When seeking information, the services of attorney may be helpful.

For one, an attorney may possess the necessary skills and license to conduct the investigation himself.

Two: An attorney’s interpretation of terms of service or end user license agreements (EULAs) may be necessary. Terms of service can be confusing or ambiguous. Competent interpretation of the terms may direct an investigation to pursue one course of action (e.g., just taking written notes about what the investigator encounters on a site) while avoiding another course of action (e.g., making copies of material the investigator encounters on the site).

An attorney might recommend a non-obvious method for an investigation to obtain permission before proceeding.

Attorney Can Invoke Powerful Confidentiality


Moreover, an attorney may be able to cloak the investigation in confidentiality. The “attorney work product doctrine” says that when an attorney does work in preparation for a dispute the attorney’s work is confidential and cannot be discovered by legal means such as a deposition or subpoena.

The work product doctrine is powerful. It is a sibling to “attorney-client privilege” which protects the confidentiality of communications like email or phone calls between a lawyer and his client.

The work product doctrine can protect the attorney’s notes, his research and investigations he preforms or directs others to perform. Thus, if the doctrine applies, the attorney can direct a private investigator to gather evidence from social media or online databases, and the investigation itself would remain legally confidential. This means that an adversary, such as a tax authority or an ex-spouse, could not legally force disclosure of the existence and mechanics of the investigation.

In practice, when an investigation is undertaken, many kinds of potential legal disputes could be present. The potential disputes could cover, for instance:

  • defamation
  • heirship
  • divorce
  • child custody
  • control of a corporation
  • property ownership
  • employment discrimination
  • tax evasion
  • much more

Attorney’s Analysis Can Guide Investigation


Here’s a fourth reason for engaging a lawyer. A savvy attorney can analyze and articulate the need for and purpose of an investigation. A well-reasoned mission-statement for an investigation can help guide the scope and methods of the investigation. It can determine what evidence is required and what is not.

An attorney might rationally document that an investigation is needed, for example, for the purposes of

  • personal safety, or
  • defense of property in a manner that is proportionate to the threat, or
  • confirmation of compliance with law

The attorney might then know which private investigators are best suited for the job.

Fifth role of attorney: A sharp lawyer may be able to develop a strategy for collecting hard-to-get evidence in a way that will stand up in court.

What are your comments?

==

*Footnote: Texas Occupation Code Section 1702.104 reads: "(a) A person acts as an investigations company [which must be licensed] if the person: (1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to . . . the cause or responsibility for . . . loss, accident, damage, or injury to a person or to property. . . . (b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public." Arguably one way that online data may not be available to the public is that terms of service forbid access to it. 

Therefore online data that you want as evidence for lawsuit may appear to be public.  But if terms of service restrict the collection of it for purposes of a lawsuit, then you may need help from a licensed professional to collect it.

 

Related: PI License for Computer Forensics Expert

How to Obtain a Subpoena . . . or Results Equivalent to One

You want legal evidence – such as a photo, a text message, a utility log or a surveillance video -- that is in the hands of some other person.* A subpoena might be a legal way to get that evidence.

But to reach your goal, you may have many alternatives. You are wise to consider alternatives, possibly with the advice of legal counsel. Creative, analytical thinking may be more effective than you expect.

The proliferation of digital devices, and the networking of computers, give rise to a cornucopia of data and evidence about any given event:

  • burglary
  • traffic accident
  • breach of contract
  • sale of property
  • extramarital affair
  • bribery
  • act of good Samaritan

This expanding cornucopia may be richer and more detailed than you image. Simply put, there is always more data, always more evidence.


A Simple Letter Might Work


Traditionally a subpoena uses demanding, adversarial language to request information. But that type of language can be counterproductive and can make people cautious and defensive.

One option might be just to write a polite letter requesting the evidence . . . or information about the evidence. For example, the sheriff in Howard County, Indiana, used a polite letter to get information about a fugitive from the operator of the online game World of Warcraft. The letter was not a legally enforceable order. It was an explanation for why the sheriff needed the information about a particular WoW user. The WoW operator responded with a letter providing details about the geographic location of the fugitive in question.

You, the reader may not be a sheriff or a government officer. However, if you have a good justification you may be able to persuade an authority to write a letter on your behalf. That authority might be your local sheriff. Or it might be a politician, such as your state representative in your state legislature.

Although large Internet Service Providers like Facebook can be uncooperative and bureaucratic with requests for information, smaller service providers may be different. For instance, today many mobile apps are operated by small companies. A sympathetic appeal to them for help can sometimes work.

Appeal to a Foreign Official


Surprisingly, the person who might issue a letter on your behalf (if not an official order or demand) is a foreign government official. The Internet has changed the way many government officials view their responsibilities. Legal jurisdiction is not perceived to be as territorial as it once was. For instance the Canadian Privacy Commission is known for taking action against data brokers located outside of Canada . . . when they are handling data about Canadian citizens incorrectly. Thus a US citizen might be able to get help from a Canadian official if the US citizen can show a Canadian connection to the problem.

Subpoena By Way of Bankruptcy


A legal process that enables issuance of a subpoena may not be pleasant. Example: Douglas Himmelfarb has long believed he owns a valuable painting by famous artist Mark Rothko. He has been working for years to prove the painting's authenticity.

15 years ago Himmelfarb learned that Rothko’s family may possess a photograph that would lend credence to the claim of authenticity. Himmelfarb could not persuade the family to release a copy of the photograph.

Then, unfortunately, Himmelfarb went into bankruptcy. An interesting by-product of bankruptcy proceedings is legal power to issue subpoenas for the purpose of ascertaining the value of assets, such as this painting. A bankruptcy subpoena at long last forced the Rothko family to release a copy of the photograph to the court (though the family’s lawyer included with it a written warning that it should not be assigned undue weight in evaluating whether the painting is authentic). “Is This Rothko Real?” Wall Street Journal, April 25, 2014.

How to Write a Subpoena


Please refer to my earlier blog post on how to write a subpoena for computer records. It contains numerous suggestions on how to obtain a subpoena, such as through a police investigation or proceedings in small claims court.

Analyze Your Interest and Your Public Appeal


When you want information from another person, think carefully about why you want it and why you are entitled to help. It may actually be that you have a property interest in the information, or a moral right to it because it affects your safety or privacy or it belonged to deceased relative.

A well-articulated statement of your interest may go farther than you expect. Companies and institutions are sensitive to public perception. A well-formulated campaign on Twitter, on Kickstarter (a crowfunded public petition) and/or on a blog can persuade a larger organization that it should, in the interest of its community, cooperate with a fact-gathering effort.

For example: Facebook released a one-minute "Look Back Video," composed of posts by a deceased user, after the user's father posted a compelling plea on Youtube. (The father, John Berlin, could not access his son's account.)

You Never Know What the Owner of Information Might Do.


The owner may decide, for example, to reveal the information to a neutral third party, who can assess it and report to the public.  It may reveal some information, with sensitive parts redacted. It may decide to reveal only meta data about the information, such as
Internet of Things


  • when the information was collected, 
  • how it was collected (smart grid meter? surveillance microphone? navigation system on-board a moving vehicle),
  • what format it exists in (spreadsheet? mp3? video?),
  • whether it has been deleted 
  • and so on.


The information owner very possibly does not even realize what evidence it possesses or the significance of the evidence!

When a firm or a responsible person is faced with a public request for help that appeals to the sympathies of popular opinion, surprising things can happen. You might point out that generosity on the part of the other party might lead to positive publicity and a positive public image.

A similar public appeal might nudge a government entity – like a state attorney general, a school board or a county commission – to open an investigation that would cause a subpoena to be issued. It might cause a public hearing to be scheduled, which could require a party holding information to appear and explain the status of the information and explain why the information is being withheld.

It might cause a local TV station to broadcast a news report.

Ask the Public for Help


Interested members of the public will tell you secrets you don’t know. They might for instance explain to you that the information you seek is backed up in a place you can access.

I recently helped a client who believed certain government employees were harassing him. We blogged about the harassment. This publicity caught the attention of allies, who gave us tips on how to get more information.


====
*Footnote: A dramatic example of third-party evidence is a surveillance video that surprised Los Angeles prosecutors in a criminal drug trial against Guillermo Alarcon, Jr. Unbeknownst to police officers a camera on an apartment building recorded their arrest of Alarcon. Management at the building was sympathetic to Alarcon and gave the video to his defense lawyer, without telling police. Then at trial Alarcon's defense lawyer produced the video, Perry Mason-style, after the police officers delivered sworn testimony that was inconsistent with the video.  The charges against Alarcon were dismissed. The police officers were convicted of perjury.

Related: Retain Licensed Professional to Follow Online Footprints

Computer Investigator Arguably Crosses Line | Breaks Eavesdropping Law?

In computer investigations, the difference between legal and not legal can be subtle. Our computer crime laws are written so broadly that they leave much to subjective interpretation.

Technology is changing so quickly that bright-line rules about what is permitted and what is not are rare.

Legal compliance requires computer investigators to exercise good judgment. Smart investigators will take proactive steps to increase the probability that their actions will be interpreted as legal and ethical.

Justified Investigation May Have Gone Too Far.

A case in point involved Absolute Software. A school installed Absolute Software’s tracking software on its laptop. Thief stole laptop, sold it to an intermediary, who sold it for $60 to an unsuspecting party, Susan Clements-Jeffrey. Ms. Clements-Jeffrey used the laptop at home to engage sexually explicit text and webcam conversations with her boyfriend over the Internet.

By Legal Standards Technology is Advancing at a Blistering Pace.

Let’s pause and reflect before we dig deeper into the facts of this case. In 2014 it does not seem like a technological feat that two ordinary computer users could use webcams to engage in private, sexually explicit conversation. Webcams have come as standard equipment on low-cost laptops for about five years now.

But the computer crime laws that (as we will see) apply to this case date back to the 1980s. In the 1980s, nobody knew what a “webcam” was; no one even knew what the “world wide web” was!

Furthermore, the handful of years in which webcams
Spycam
have been available to the masses is just a flash in time by legal measures. There has been little opportunity for meaty legal cases – like this one – to tell us how computer crime laws should be interpreted in the “Age of the Webcam.”

Investigation Starts with Justified Objective.

Let’s go back to the facts of the Clements-Jeffrey case. Absolute Software was paid by the school to track down the stolen laptop. Absolute’s software pre-installed on the laptop was capable of invasively, surreptitiously collecting loads of evidence from the laptop – IP address, keystrokes, electronic mail, webcam images and so on.

This is Like Science Fiction, From the Perspective of the People Who Wrote Computer Crime Laws!

Again, I pause in my recitation of the facts in this case to reflect. In 2014 many people have heard of spy software, keystroke loggers and the like. But ladies and gentlemen this technology is bizarre from the perspective of the mid-1980s. In the 1980s the use of this kind of powerful surveillance to resolve petty crimes happened only in a few science fiction novels.

Thus, as we try to interpret these old laws for relatively new technology, surprises are inevitable.

Do the Right Thing: Give Evidence to the Police.

Absolute went to work collecting evidence after the school reported the laptop was missing. In the course of this work, Absolute collected IP address and sexually explicit content and images from the laptop, as Ms. Clements-Jeffrey used it.

Absolute did not publish this evidence on Facebook. No. It turned the evidence over the local police. That’s good behavior on the part of Absolute, right?

However, when the police arrived at Ms. Clements-Jeffrey’s residence to further the investigation and recover the laptop, they allegedly made remarks about the evidence that embarrassed her. That may not have been perfectly professional behavior on the part of the officers, but allegedly it happened. Police officers are human and fallible.

Ultimately the police investigation determined that Ms. Clements-Jeffrey was innocent. She genuinely did not realize the laptop was stolen.

Civil Lawsuit Filed Against Absolute Software.

But then Ms. Clements-Jeffrey and her boyfriend sued Absolute Software in civil court, claiming the software company and its investigator violated their privacy under eavesdropping laws such as the Stored Communications Act (which is part of the Electronic Communications Privacy Act of 1986).*

The crux of the argument was whether Absolute Software – a legitimate investigator – went too far.  Arguably it was OK for Absolute to collect IP address and give that to police. But arguably when it saw the sexually explicit material it should have stopped looking and stop recording.

Now, in Absolute’s defense, it could be argued that a good investigation needs more than IP address. IP address by itself does not tell the police very much. If Absolute gave the local police no more than IP address, the police may drop the investigation because there is too much more work to do to ascertain who has the laptop and what the circumstances are.

Hence, this case takes us to a gray area of law, involving technology that has not been around very long. Few if any good prior cases tell Absolute what it should or should not be doing here.

Gray in Law Is Often Resolved by Juries.

The judge ruled that a trial before a jury was needed.  The judge said a jury that hears all the facts might reasonably conclude that Absolute had violated eavesdropping law and therefore owed money to the woman and her boyfriend. But, on the other hand, the jury might conclude that Absolute did the right thing under these difficult circumstances and therefore owes no money. Who knows?

This ruling was a problem for a business like Absolute. The ruling is not a conclusion that Absolute violated the law, but it sets the stage for a lengthy, expensive and uncomfortable trial for the company. The publicity around such a trial would probably be damaging for a company like Absolute.

Often when companies are faced with the prospect of such a trial they settle quietly and pay money to the plaintiffs. In such a settlement, there is no final decision or admission that the company was wrong, but the company pays money.

What Proactive Steps Could Reduce Risk?

Unfortunately modern, ethical investigators face conundrums like this case every day. These conundrums are a symptom of our fast-paced world of technology.

For these conundrums, I have no perfect solutions. But companies like Absolute can take proactive steps to reduce risk, such as:

1. Place physical and virtual warnings on protected computers explaining that they are under surveillance and that users consent to such surveillance and consent to all data being turned over to police.

2. Train investigators to exercise good judgment. Good judgment is like beauty; it is in the eyes of the beholder. But wise cyber-investigators should be aware that risk lies around every corner. If they encounter sensational evidence that is not absolutely critical to the investigation, they are wise to back away from it and/or redact it.

3. Good investigators work in teams. They deliberate among themselves about difficult questions, and they document their deliberation. Documented deliberation can reduce the risk of bad judgment and can help to make decisions more defensible.

4. Good judgment may dictate that an investigator warn authorities about privacy and controversy. For example, Absolute Software could have told the police the following, in writing: "In the course of our investigation, we inadvertently encountered very sensitive, sexually explicit communications (which are not necessarily illegal) on  the part of the suspect and another, apparently innocent party. At this time, out of respect for privacy of people who have not yet been proven to be guilty of anything, we refrain from including records of these explicit communications in the evidence we are now delivering to the police."

==
*The ECPA/Stored Communications Act are criminal laws that forbid computer eavesdropping. Often they are enforced by a government prosecutor in criminal courts. However, like some other computer crime laws in the US, they can also be enforced by an aggrieved citizen (the "plaintiff") in a lawsuit in civil court seeking money damages from the perpetrator (the "defendant").

P.S. See more tips for how investigators can stay within the bounds of privacy law.

How to Apply Transparency to Assure Privacy

Microsoft (temporarily) adopted a policy of transparency to address a privacy issue. Transparency can indeed help show that an institution is handling privacy responsibly, even though Microsoft decided it was not enough in this particular case.

Cloud Provider Searches Customer Content!

Here is the story behind Microsoft's temporary, special policy of transparency.
Court documents revealed that Microsoft searched the content of a Hotmail account belonging to a Microsoft customer. The customer was an independent blogger who did not work for Microsoft. (Hotmail is a webmail service also known as Outlook.com, owned and operated by Microsoft.) Microsoft searched the account as part of an investigation into the alleged theft of Microsoft trade secrets by a now-former Microsoft employee. The trade secrets in question were software code.
Microsoft's decision to search a customer account raises privacy worries. Microsoft is a cloud computing service provider. Hotmail is one of Microsoft's cloud offerings, just as OneDrive is one of Microsoft's cloud offerings. When customers use Microsoft's cloud services, they store data like email and files with Microsoft and they expect Microsoft to provide some degree of protection for the data.
Microsoft said it had legal permission to search the Hotmail account because the terms agreed by the customer permit Microsoft to conduct searches to protect Microsoft rights and intellectual property.

Microsoft as Intellectual Property Search Monster?

But as a long-time Microsoft customer, I myself am squeamish about Microsoft searching my cloud-stored content for evidence of intellectual property infringement (or some other violation of Microsoft's rights). I have been using Microsoft products and services for almost three decades. In all those years I have clicked on and agreed to hundreds if not thousands of Microsoft End User License Agreements (EULAs) and terms of service. Those long-winded EULAs have come to me when I have
* opened/initiated/installed fresh versions of Microsoft desktop software (Windows, Office, Money, Windows Defender, Streets and Trips, etc., etc.);
* installed updates;
*visited Microsoft web sites, such as to download clipart; and
* opened accounts to use services, such as Windows Live Messenger, which is now retired.
Even though I am a tech lawyer, I have not read and remembered every word of every one of those complex agreements. (Have you?)
Over all the years, I have indeed tried to comply with Microsoft's agreements, and I still try to this day. But I must say that sometimes those agreements have confused and surprised me. As the years have gone by, Microsoft has published subtly different EULAs for similar products (e.g., Office Home and Business Edition, Office Starter Edition, Office Web Apps Edition, Office Blah-Blah-Blah Edition).
In addition to using Microsoft desktop products, I use its cloud services like Outlook.com and OneDrive. I store data and files in those services.
By contract to which I have agreed, Microsoft has reserved the right to search my content for evidence that I have violated Microsoft's legal rights or intellectual property. OK. A deal is a deal. I agreed to let Microsoft search through my files and documents for that purpose.
However, I'd be disappointed if Microsoft conducted a dragnet through my documents looking for evidence that I violated a long-forgotten EULA (forgotten by me). For all I know, some spreadsheet I created in 2005 (and haven't touched since) contains a tell-tale sign that I did not comply precisely with the EULA for an October 2004 update to Office 2003, a product I have not used in years.
If Microsoft did engage in that kind of dragnet, customers like me would be motivated take our cloud computing business elsewhere. We'd be motivated to move our old archives like that spreadsheet to competitors like Dropbox or Google Drive.

Microsoft Wants to Re-assure Its Cloud Storage Customers.

Microsoft seems to understand the problem I have just described. Microsoft does want to keep good customers like me in its cloud computing tent.
Therefore, shortly after Microsoft articulated the (probably valid) legal grounds for its search of the blogger's Hotmail account, Microsoft made an additional public announcement. The announcement had two components:
1. Microsoft said that before it searched the contents of a customer's cloud account, it would seek an opinion from a former US federal judge. This former judge (presumably under the pay of Microsoft) would opine hypothetically on whether Microsoft possessed enough evidence of wrongdoing to justify a court order that the account be searched. If the former judge did so opine, then Microsoft would reserve the right to search the account.
2. Microsoft committed to a form of transparency.
Transparency
It said it would periodically report to the public about any incidents in which Microsoft actually executed on a search of a customer's cloud account.
Microsoft to Change Policy on User Data,”Wall Street Journal, March 21, 2014.

What Benefit Does Transparency Provide?

I think Microsoft committed to the transparency report because it would help set its cloud customers' mind at ease. Customers might suspect the former judge would have a conflict of interest when s/he evaluates Microsoft's evidence; Microsoft is paying the former judge.
Microsoft probably believed that the number of instances in which it actually searched customer accounts would be few. (It is rare that the Microsoft-controlled cloud account of a non-Microsoft employee would hold information about trade secrets stolen by a Microsoft employee.) Microsoft probably believed that it would voluntarily refrain from conducting the kind of dragnet through old spreadsheets that I described above.
Hence, Microsoft's reasoning was that over time customers would feel assured because they could see that in practice Microsoft was not abusing its powers and not violating the normal expectations of customers.
I agree with Microsoft that transparency can help to achieve privacy. Transparency can be a form of check and balance, albeit imperfect.
Transparency can help to inform the public whether an institution is behaving responsibly.
Transparency (in this case the commitment to periodic disclosures) can open an institution to criticism. If it discloses, for example, that it searched a customer account looking for a spreadsheet that violates an October 2004 EULA update, then
a) People would complain in public; and
b) Many customers would be spooked and would take their cloud business to competitors.
What keeps an institution honest about its commitment to transparency? Part of the answer is leaks and whistleblowers. If Microsoft says it will make periodic reports – and then fails to report a relevant case of searching – it is taking a big risk. As Edward Snowden and other leakers have proven, Microsoft's secret can leak out. A leak showing that Microsoft defaulted on its commitment to transparency could be devastating to Microsoft's reputation.

Was This Commitment to Transparency Enough?

All of the foregoing is not to say that Microsoft's commitment to transparency was enough to satisfy customers.
At this time I do not judge whether Microsoft's commitment to transparency is “enough.” But as I weigh what Microsoft did to reassure customers, I note that general counsel at Microsoft's competitor Google declares that Google has never investigated a leak of Google intellectual property by searching the content of a customer's Gmail account. Further, says Google counsel, “it’s hard for me to imagine circumstances where we would investigate a leak in that way.”
Ouch. A statement like that from a competitor makes Microsoft uncomfortable.

Microsoft Quickly Changed Course.

Shortly after Microsoft announced its policy of former-judge-plus-transparency, it changed course again. Microsoft declared: “if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.” 

Let's Draw Larger Lessons about Privacy and Transparency.

Whether Microsoft's short-lived commitment to transparency was good enough is a moot question. Microsoft said that rather than relying on the former-judge-plus-transparency model, it would instead rely on law enforcement.
However, Microsoft's thought process can be helpful to institutions and policy makers who strive to handle sensitive data responsibly.
Microsoft wanted to assure its customers. So it committed to seeking the input of a respected third party – a former judge. But it realized this commitment needed more. It therefore committed to transparency. A commitment to transparency is in fact a substantive control in favor of a civil right like data privacy.
An institution like Microsoft will never know for sure whether controls and commitments will satisfy the public or satisfy ethical obligations. But a genuine observation of transparency can help over time. Candid disclosure of the facts, including embarrassing facts, can help to win trust.
As nonprofits, corporations and government entities search for the right ways to manage data, transparency can aid the search. But transparency does not work by itself. Other controls and commitments are needed, such as honesty, deliberation, accountability and more.

What do you think?

How Much Digital Evidence Is Enough?

Alternatively, how credible are the electronic facts uncovered by a forensic expert?


The short answer is nobody really knows.

Bitcoin is a Morass of Evidence.


Bitcoin investigators are digging through mountains of digital evidence to assess fraud, deception, ownership, security breaches and the identity of Bitcoin's inventor(s).  They find algorithms, digital signatures,
Attribution
snippets of meta data, and messages that purport to come from significant e-mail addresses. "For the Bitcoin Sleuths, Curiouser and Curiouser," Wall Street Journal, March 8 - 9, 2014.  To what extent do these snippets of evidence prove anything? Which evidence is authentic and which is not?

Stay tuned, as the debate among the investigators over-boils.

Intriguingly, Bitcoin's self-appointed investigators find (and publish) a spreadsheet that some claim to be evidence of fraud at a Bitcoin exchange named Mt. Gox, which has filed for bankruptcy in US court.


What Constitutes Probative Evidence of Something?



The larger question is this: To what extent can evidence from text messages or electronic mail or documents stored on a hard drive be believed?

Electronic evidence can be forged; it can be tampered.

But the same was true for paper or other physical evidence on which law has relied for centuries.  Also, testimony from witnesses – a mainstay source of courtroom evidence -- can be faulty.

Evidence Is in the Eyes of the Beholder.


Many legal authorities evaluate evidence.  Different courts evaluate evidence under different standards.  Commonly, a criminal court evaluates evidence under the standard of "proof beyond a reasonable doubt."  That is a high standard.

By contrast, in many civil courts the standard is "preponderance of the evidence."  That is a lower standard.

Yet courts of law are not the only authorities that evaluate evidence.  Other example authorities include an auditor, a prosecutor, a regulatory agency, or simply the court of public opinion. In the Bitcoin investigations, the "authority" who evaluates evidence may be the world-wide community of Bitcoin users, investors and enthusiasts.

Ultimately All Authorities Are Human, and Fallible.


Commonly the evidence available to an authority is imperfect and incomplete.  The authority commonly determines that some evidence is more credible than contrary evidence. This determination might be made on the basis of logic, science, intuition, best guess or the authority's interpretation of what an expert tried to say.

The Outcome of Evidence Disputes is Often More Art Than Science.


It is hard to predict in advance what evidence a legal authority will believe and not believe.  Often, in a criminal court for instance, the primary authority for evaluating evidence is a humble jury of 6 or 12 common people.

Judges, juries and other authorities often do not have much technical expertise.  When it comes to computer evidence, often they must rely upon testimony and guidance from experts.

However, when evaluating complex evidence, even experts can disagree.  Smart forensic experts can see the same evidence and evaluate it differently.

The Quality of Advocacy Counts.


Also, a factor in determining the credibility of electronic evidence is the quality of the lawyer (that is, the advocate) who advances a particular interpretation of the evidence.  A talented lawyer will, depending on the lawyer's objective:

  • explain evidence well, or
  • raise doubts about the evidence, or 
  • cause the evidence to be excluded from consideration altogether.  
A less-talented lawyer will not be able to explain the evidence or will leave the fact-finding authority confused about it.

Is the Expert Qualified Enough and Humble Enough?


Increasingly, legal and financial evidence comes from new electronic sources such as social media, mobile devices, cloud computing and virtual currency communities.  Our ability to fully understand this evidence lags behind.  For this type of evidence, nuances and misunderstanding are common. The need for qualified forensic investigators swells.

A good investigative expert understands how to weigh evidence and how to separate strong evidence from weak evidence.  Such an expert is able to separate emotions from logic.  Such an expert is also able to set his or her ego aside and acknowledge when he or she does not know something or have enough data to state an opinion.

For an example of a case where an expert should have been more humble, see Stephen Mason's critique of a police officer's testimony regarding pornography on a teacher's computer: State of Connecticut v. Julie Amero (Mason argues court failed to understand how malware works; was too ready to believe faulty police work).

The training, experience and reputation of an investigator are all relevant to assigning weight to any conclusions drawn by the investigator from the evidence.

Another factor that is relevant in understanding evidence is whether the investigator is biased.  Bias can come from background, conflict of interest or professional disposition.

Look for Corroboration.


One technique for improving the quality of evidence is to corroborate it.  Corroboration means getting similar evidence from more than one source.  For example, if the time stamp for a photograph on a smart phone is approximately the same as the time stamp connected to the same photograph in Facebook, then evidence of the time of the photograph is stronger.

Cross-examination Compels Accuracy.


In the courtroom, a powerful technique to evaluate evidence is cross-examination.  Cross-examination is a time-honored process for forcing a witness -- such as a digital forensics expert -- to explain himself carefully and to admit any of his shortcomings.

In cross-examination an expert witness must answer hostile questions under oath; if she lies, she could be punished (e.g., fine, loss of license, jail-time, embarrassment).

However, cross-examination of a computer expert can fall short because very few lawyers know how to execute it masterfully. Very few top-flight trial lawyers possess a deep understanding of computer forensics and technology.

Evidence Floats in the Cloud.


Sometimes, such as in cloud computing, the investigator does not have direct access to the hardware that stores digital evidence.  The investigator is only able to see the evidence temporarily, through a software client such as a web browser or a mobile app.  Use of that evidence may require eye witness memory and testimony by the investigator.  In such a case, the investigator may be wise to print what she sees or record it as a video.  See discussion of example videos:


Legal Fact-finding Is a Form of Theater (and That's Not Necessarily Bad or Wrong).


Digital forensic dispute guru Craig Ball publishes a priceless guide for forensic experts who testify as witnesses in court. His guide and his experiences teach a profound lesson about the use of computer forensics in law.

The lesson is that the process for articulating and evaluating the true facts in a case can influence the outcome as much as the facts themselves.

In other words, the following factors in combination can have a heavy impact on the final interpretation of electronic evidence by a judge, a jury or other legal authority:

  • the skill of the lawyers, 
  • the demeanor of the expert witness, 
  • the clothes the expert wears in the witness stand (!), 
  • the expert’s advance preparation, and 
  • many other aspects of courtroom theater and procedure
Justice is Not Inexpensive.

All of the above leads to a philosophical observation: Our justice system is underpinned by checks and balances called due process of law. These checks and balances try to prevent the abuses of civil and property rights and to prevent hasty rushes to judgment.

Owing to these checks and balances, getting to the truth in our justice system is hard work and imprecise work. It requires a lot of resources -- such as the time of people like judges, juries, courtroom staff, lawyers, experts and so on.

Getting to the truth is commonly expensive. It commonly costs the government a lot of money to run a trial, especially a jury trial.

Skilled lawyers and skilled experts are expensive. They are scarce commodities.

A non-lawyer can sometimes believe that the truth in his/her own case is abundantly obvious. I've encountered people who believe the legal system can, will and should just swiftly force out all of the evidence from the computers (deleted records, metadata, yada yada) and declare what the truth is . . . just like a 60-minute TV drama.

That belief is naive.

Postscript - The Presentation of Evidence a Deciding Authority 


Computer technology can be used in novel ways to explain or present evidence to legal authorities. Two examples illustrate how increasingly inexpensive technology can help to put evidence into a context:

1. Shooting simulator: Grand jurors in Harris County, Texas, are offered training in a computer-driven shooting simulator. The simulator is a type of video game that allows the juror to virtually experience the emotions of a person like a police officer who suddenly must decide whether and how to use deadly force (i.e., shoot someone). In Texas it is the role of grand juries to decide whether police officers should be indicted criminally in cases where excessive force was allegedly used. The purpose of the simulator is to provide jurors experience in evaluating the evidence they will be presented later in particular excessive force cases. The simulator serves as a substitute for training that might be delivered in lecture format by a police officer. Critics argue the simulator training causes grand jurors to be biased in favor of police in their future evaluation of evidence.

2. Sentencing Mitigation Videos: After a court has determined that a defendant is guilty of a crime, the judge may hear evidence regarding how harshly to sentence the defendant. Traditionally this evidence included letters and testimony from family, friends and victims. A new form of evidence is a prerecorded video, often created on behalf of the defendant. It provides a controlled, edited, visual format for one side or the other to present evidence on why the sentence should be harsh or lenient. Here is a demo:

The demo above uses a videographer who interviews the witnesses in person. In principle this type of video could be created at much lower cost using webcams and an interviewer who works from a remote location.

The two examples above illustrate how different technological formats for delivering evidence can have subtly different impact on a decision-making authority.