By Peter Coons, SVP, Computer Forensics and Collections
Last month I testified in court about some Facebook postings. I got involved in the case after I was contacted by an attorney who had printed out some Facebook postings for her client in 2011 in an attempt to preserve the postings as evidence in a case. The pages in question consisted of four independent messages sent to the attorney’s client by another person. Fast forward to the day she contacted me, and only one of the messages still existed in her client’s Facebook account. These messages were the proverbial “magic bullets” and the attorney feared that the remaining message would not be admitted. She was fully aware that printing the message was not the best preservation method. For starters, she did not want to become a witness in the matter, and further, she knew opposing counsel would question the origin and authenticity of the message(s).
After obtaining the login credentials, I was able to log in to the account in question and properly preserve the remaining message. I accomplished this task using specialized software and proceeded to document the process. I also searched the account for the missing three messages and verified that they were not available online. I wrote a memorandum to the attorney describing the preservation process and the results of my actions, which contained the pertinent details about the message as well as the message itself. The entire procedure took a couple of hours with little expense to the party involved. I was now in a position to testify about the message.
Why was it necessary to go through these steps before getting the Facebook posting admitted into evidence at trial? In a nutshell, my client needed to authenticate the posting before it could be admitted, and my actions assured the authentication of the posting.
Federal Rule of Evidence 901 addresses the authentication of evidence. Evidence cannot be admitted if it is not authenticated. FRE 901(a) states “The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.”
Simply put, is there good reason to believe that the evidence is what the person submitting it says it is? FRE 901(b), in existence since 1975, lays out possible methods for the authentication of all evidence, including digital evidence and, in particular, the Facebook message at issue in this case.
1. FRE 901(b)(1): “Testimony of witness with knowledge – Testimony that a matter is what it is claimed to be”. An individual who is the author of an e-mail or the creator of a Facebook post can testify, and thereby authenticate the e-mail or post.
2. FRE 901(b)(3): “Comparison by trier or expert witness – Comparison by the trier of fact or by expert witnesses with specimens which have been authenticated.” An expert witness can compare existing e-mails or postings to others that have been duly authenticated and secure the authentication of the digital information in question.
3. FRE 901(b)(9): “Process or system. Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.” This is a very handy section that can be used to authenticate digital information, including social media postings. A computer forensic expert can testify about how an e-mail or posting was likely created and the subsequent process used to image or collect it, thus authenticating the evidence.
One thing I could not testify about was the author of the message. My role was to support the position that the message was found in one Facebook account and was sent from another Facebook account. I had no knowledge of the owner of the account from which the message was sent, nor whether the owner of that account actually sent the message. Those facts came out when the owner of the Facebook account who purportedly sent the message took the stand and provided the “testimony of a witness with knowledge”.
In the end the key piece of evidence was admitted!