Electronic evidence

Electronic signatures and electronic evidence are central to our lives; we all use technology.

At present, there is no agreed term relating to the form of evidence that comes from our use of technology: specifically, software. For the sake of shorthand, the words “electronic” and “digital” are used interchangeably.

A change of outlook

Recording content on paper means the medium and the content are bound together. Digital information is completely different. At its basic level, “bits and bytes” comprise the content, ie 0s and 1s. In addition, the medium can be many disparate devices, and software written by human beings is required to read and interpret the data. This means it is necessary for a conceptual change. With its unique characteristics, complex questions about the integrity and security of electronic evidence may be raised, although the authentication of complex forms of electronic evidence will differ to less complex forms of electronic evidence, such as emails or text messages, for instance.

There are some areas of knowledge relating to electronic evidence that are not inherently necessary in a conventional text on evidence. For instance, a more considered approach is necessary regarding how digital evidence is seized, investigated and examined. This is because this initial process can be so flawed as to render the evidence inadmissible or open to challenges, especially regarding its authenticity. In addition, lawyers must not lose sight of where the burden of proof lies and whether the party with the burden has met it. This is because it might be necessary to take a determined stance at trial where it appears the judge has not quite fully grasped that the evidence is not sufficient to discharge the burden.

There is also a significant gap in the need to consider authenticity as between criminal proceedings and civil proceedings. This is because civil proceedings deal with the issue of authenticity under CPR 32.19, where each party is deemed to admit the authenticity of documents disclosed.

Understanding the digital realm

The fundamentals of digital evidence cover the characteristics and sources of digital evidence. Almost all evidence is now created digitally, and what we mean by “digital” is anything that has been created or stored on a computer or a computer-like device; this includes data from satellites, for instance. We are familiar with the fact that the volume of digital evidence continues to increase, and the ability to store large volumes of data means we communicate and exchange data in new ways. These changes have occurred in the last 20 years, and the world is, arguably, now truly global. This affects every aspect of evidence in digital format.

The characteristics of digital evidence can affect the authenticity and analysis of the evidence and includes the following, each of which merits a more detailed discussion: the dependency on machinery and software; the mediation of technology; the speed of change; volume and replication; metadata; storage media; illicitly obtaining confidential data; anti-forensics and the interpretation of evidence; falsifying data; hiding data; attacks against computer forensics and trail obfuscation. The practising lawyer needs to be alert to this list of potential problems where even a smidgeon of digital evidence is present.

The sources of electronic evidence may appear to be obvious, but include a wide range of possibilities, including: physical devices, such as computers, mobile telephones, smartphones, PDAs, tablets and such like; components, including hardware, the processor, storage, software (system software, application software), the clock, time stamps, storage media and memory and data formats; networks, such as the internet; corporate intranets, wireless networking, cellular networks and dial-up; and applications, including email, instant messaging, computer to computer (P2P, meaning peer-to-peer) and social networking.

The importance of the accuracy of the clock was discussed during the trial of Harold Shipman in 1999, and an illustration from the United States serves to highlight this issue. In the case of Liser v Smith 254 F.Supp.2d 89 (2003), Jason Liser was arrested for the murder of Vidalina Semino Door on 12 August 2000 after being identified as the man withdrawing money from a Bank of America ATM in a video surveillance photograph taken on the night of the murder. The police knew that the victim’s ATM card had been used at that same machine shortly after her death. The police released the photograph to the public because its subject purported to match a description of an eyewitness of one of the suspects who had been seen fleeing from the scene of the crime. Mr Liser was subsequently released when it became apparent that the time indicated by the camera on the ATM was significantly inaccurate. Mr Liser had used the ATM before the murder took place. Two other men were arrested and convicted of the killing.


The question of the authenticity of digital evidence can be a vexed issue. There have been instances of lawyers claiming that because an email is easily forged, it follows that it is necessary to lay the appropriate evidential foundations to introduce the evidence – that is, to prove the authenticity of the document. In R v Mawji (Rizwan) [2003] EWCA Crim 3067, the appellant was convicted of making a threat to kill and part of the evidence included an email sent to the victim dated 31 July 2002, which read: “Hi Bitch, Don’t think you’re safe in the UK. I’m going to kill you. I will make sure I get my hands on you ”¦ waiting for you. Your loving husband, Riz.”

A witness for the defence gave evidence to demonstrate how relatively easy it was to produce a document that was supposed to be an email, but which had nothing to do with the email account from which it purported to come. It was suggested that somebody else was responsible for sending the email in question. One of the grounds of appeal was that the email was secondary evidence (which is correct) if adduced in the form of a print-out and it was necessary to provide evidence of the audit trail or similar to show the authenticity of the document. The members of the Court of Appeal rejected this submission, indicating that the email did not have to be authenticated in the way suggested by the appellant because of the circumstances surrounding the events and the other evidence in the case. The internal evidence of the content of the email was similar to other evidence produced at trial, which went to show that the email was written and sent by the appellant and the members of the jury had to consider whether, in all the circumstances, it was possible that somebody else might have produced the email. The content of the email demonstrated its authenticity on the face of the totality of the evidence. If the email was fabricated, it had to be questioned why somebody should go to the length of forging the content of an email that was so obviously linked to the other evidence produced at trial.

Any form of evidence can be (and is) forged. A lawyer cannot use the argument that because an item of digital evidence is capable of being forged, it cannot be adduced into evidence without being authenticated fully. The proposition does not follow.

More serious issues may arise regarding the proof stage, encompassing the investigation, seizure and examination of digital evidence – which is demonstrated in the well-publicised 2007 case of State of Connecticut v Julie Amero.

The presumption of “reliability”

The common law presumption formulated by the Law Commission in their report Evidence in Criminal Proceedings: Hearsay and Related Topics (Law Com No. 245, 1997) is as follows: “In the absence of evidence to the contrary, the courts will presume that mechanical instruments were in order at the material time.” In criminal proceedings, s 129(2) of the Criminal Justice Act 2003 created a presumption that a mechanical device has been properly set or calibrated.

The problem with the presumption that a computer is deemed to be “in order”, or “properly set or calibrated” is that software and the associated systems have become more complex. This means that it has become progressively more challenging to test software to reflect the way the users will use the product. This does not negate the fact that software written by human beings has always been – and continues to be – subject to errors. Care must be given to agreeing to the operation of this presumption regarding digital evidence, especially in the light of software errors. To this extent, consideration should be given to the five-
part test for authentication, especially regarding complex evidence from banking systems.


Digital evidence can be categorised as:

(1) The records of activities that contain content written by one or more people. Examples include email messages, word processing files and instant messages. As evidence, it may be necessary to demonstrate that the content of the document is a reliable record of the human statement that can be trusted.

(2) Records generated by a computer that have not had any input from a human. Examples include data logs, connections made by telephones and ATM transactions. It might be necessary to demonstrate that the computer program that generated the record was functioning consistently at the material time.

(3) Records comprising a mix of human input and calculations generated and stored by software written by a human. Examples include financial spreadsheet that contains human statements (input to the spreadsheet program) and computer processing (mathematical calculations performed by the spreadsheet program). As evidence, it might be necessary to establish whether the person inputting the data or the writer of the software created the content of the record and how much of the content was created by the writer of the software and how much by the person inputting the data.

In general terms, hearsay may not necessarily be a substantial issue, even in criminal proceedings. Where hearsay is important is where reliance is made on the output of a computer to prove the truth that, eg, £500 in cash was removed from an ATM – in the absence of a human being capable of giving evidence that the machine actually did dispense the money.

Stephen Mason is a barrister and author of a number of books on electronic evidence, including Electronic Evidence (3rd edn, LexisNexis Butterworths, 2012). He has conducted training on the subject for judges and lawyers at universities, legal professional organisations and ministries of justice in several countries.

Email stephenmason@stephenmason.eu.

One thought on “Electronic evidence”

Comments are closed.