Standards of Digital Evidence

Standards of Digital Evidence

July 2017

This document was prepared by Global Rights Compliance.

Global Rights Compliance is registered as a limited liability partnership through Companies House in the United Kingdom, Partnership No. OC388087. Its registered address is Endeavour House, 78 Stafford Road, Wallington, Surrey, United Kingdom, SM6 9AY.

This document is available in electronic format in English and Ukrainian at www.globalrightscompliance.co.uk, as well as on Global Rights Compliance’s Facebook page.

Disclaimer

The views expressed in this publication are those of the author(s) and may not coincide with the official position of the Ukrainian Government.

Table of Contents

Introduction 1 Direct and Indirect Evidence 4 Legal Standard of Admissibility of Evidence 6 Probative Value & Evidentiary Weight of Evidence: An Overview 6 E-Court Protocol 8 Evidentiary Considerations of Digital Evidence 10 Authenticity 10 Hearsay 10 Provenance and Chain of Custody 12 Preservation 13 Standards for Collecting and Handling Digital Evidence 14 Collecting Digital Evidence 14 If the Device is Turned Off: 14 If the Device is Turned On: (live forensic investigators should undertake the following steps) 14 Handling Digital Evidence 15 Packaging 15 Transport 15 Storage 15 Conclusion 17

Standards of Digital Evidence

Introduction

As the use of digital evidence, defined as information transmitted or stored in a digital format that a party to a case may use at a proceeding, becomes increasingly customary in international law, we must consider how to respond to its use. This report, drafted by Global Rights Compliance (“GRC”), aims to contribute to the dialogue on how best to respond to the challenges of digital evidence by outlining best practices when handling and collecting digital evidence, providing brief examples of some of the leading international criminal cases involving digital evidence, and including how judges have interpreted the admissibility and probative value of digital evidence presented in such proceedings, with a specific focus from cases and investigations by the International Criminal Court (“ICC”).1 The increasing use of digital evidence within international criminal tribunals indicates a trajectory that obliges us to more carefully consider the collection, preservation and use of digital evidence. Recent investigations by the ICC in Kenya,2 and the Ivory Coast,3 involved conflicts where evidence

1 While case examples from the International Court of former Yugoslavia (“ICTY”) and International Court of Rwanda (“ICTR”) may be used, the evidentiary standards at the ICC closely mirror “current developments of the procedural models adopted by the international criminal tribunals,” making any references to jurisprudence from these applicable. See ICC, Prosecutor v. Jean-Pierre Bemba Gombo, Case No. ICC-01/05-01/08, Decision on the admission into evidence of materials contained in the prosecution’s list of evidence (19 November 2010).

2 ICC, Prosecutor v. William Samoei Ruto and Joshua Arap Sang, Case No. ICC-01/09-01/11, Decision on Defence Applications for Judgments of Acquittal (5 April 2016), para. 130. In its decision to drop charges against William Ruto and Joshua Sang, the Court took into account the lack of corroborating digital evidence, stating: Given the extensive media attention and the audio/visual recording of election events at the time, it is striking that not a single press report or

1 STANDARDS OF DIGITAL EVIDENCE

from mobile phones, email and social media was considered.4 It is anticipated that aerial and satellite images – or more broadly “remote sensing technologies” – may play a more prominent role in future ICC trial proceedings. For example, in Darfur, the security and political situation makes it nearly impossible for the ICC to investigate on the ground; thus, images may provide context and background information, establishing patterns and usage of a location. The use of digital evidence has the potential to provide additional means that will enable us to determine the truth of a conflict. For example, digital evidence can retain its authentic and probative means of proof for an extended period of time. The footage recorded by British reporter Nick Hughes of the murder of a father and his daughter in the 1994 Rwandan genocide was used four years later in the trial of George Rutaganda, a leader of the Rwandan Hutu militia, before the ICTR. Rutaganda was subsequently convicted and sent to prison in 1998.5 Additionally, as one of the only three pieces of footage of killings that took place in Rwanda in 1994, it was later used for research and remembrance purposes.6 In sum, given the important role digital evidence can play both inside and outside the courtroom, it is crucial that investigators ensure the proper collection and handling of digital evidence with the particular challenges these medium presents.7 For the purpose of this report, we have identified four types of evidentiary considerations particularly relevant to digital evidence: 1. Authentication; 2. Hearsay; 3. Provenance (chain of custody); and 4. Preservation of digital evidence. With these four considerations in mind, we will outline best practices for handling and collecting digital evidence.

recording of any of the alleged ‘hate speeches’ was entered into evidence. The Chamber has experienced first-hand how pervasive Kenyan media coverage tends to be. It is therefore extremely unlikely that a plan to evict all Kikuyu from the Rift Valley could have been communicated to the thousands of alleged perpetrators without being picked up by the media, even if some witnesses claimed that the calls were made in coded language. 3 The Court is currently investigating alleged crimes against humanity committed during the 2010-2011 post-electoral violence in the Ivory Coast. Trial is currently underway against Laurent Gbagbo and Charles Blé Goudé and a case is currently pending against Simone Gbagbo pending her transfer to the Court. The Court cited video evidence and media statements made by the accused in its decision to confirm charges against Gbagbo and Blé Goudé. See ICC, Situation in the Republic of Côte d'Ivoire, ICC-02/11 [online] Available at: https://www.icc-cpi.int/cdi (Last accessed 20 June 2017). 4 Human Rights Center, UC Berkeley School of Law, ‘Digital Fingerprints: Using Electronic Evidence to Advance Prosecutions at the International Criminal Court’ (2014) 8 [online] Available at: www.law.berkeley.edu/files/HRC/Digital_fingerprints_interior_cover2.pdf (Last accessed 16 June 2017). See also OTP Strategic Plan 2016–2018 (November 2015), para. 58, which states the following: ‘The use of computers, internet, mobile phones, and social media, etc., has exponentially expanded worldwide, including in the countries in which investigations are undertaken by the Office’ [online] Available at: https://www.icc-cpi.int/iccdocs/otp/EN- OTP_Strategic_Plan_2016-2018.pdf (Last accessed 16 June 2017). 5 John D. and Katherine T. MacArthur Foundation, Center for Research Libraries, “Human Rights Electronic Evidence Study Final Report” (February 2012), p. 7 [online] Available at: http://www.crl.edu/grn/hradp/electronic-evidence (Last accessed 20 June 2017). 6 Ibid. 7 Ibid.

2 STANDARDS OF DIGITAL EVIDENCE

First, some primary considerations to note. At first glance, the terms “evidence” and “information” appear to be terms that may be used interchangeably, particularly considering that all evidence is information, although not all information is evidence. Furthermore, both evidence and information seek to inform its audience of the events that took place, when and who was responsible and also the matters under investigation. They both take various forms, including hard copy documents and electronic records. In order to assess the distinctions between information and evidence, one must look at their inherent value and the stage of criminal proceedings in which it is used. In essence, information is the original, raw form of evidence, and evidence is the term used to describe the information that is relevant to proving or disproving the facts connected to alleged crimes during trial.

3 STANDARDS OF DIGITAL EVIDENCE

Direct and Indirect Evidence

There are two types of evidence – direct and indirect. Direct evidence proves the existence of a fact without needing further explanation, whereas indirect evidence alone does not prove a fact; rather, it needs to be corroborated by other evidence, human experience, and/or common sense to indirectly establish a fact. Although the Appeals Chamber in Lubanga did not rely on any direct digital evidence, it kept open the possibility that such evidence could exist, stating: “[d]epending on the circumstances, a single piece of evidence, such as a video image of a person, may suffice to establish a specific fact. However, as recognised by the Trial Chamber, this does not mean that any piece of evidence provides a sufficient evidentiary basis for a factual finding.”8 Regarding indirect digital evidence, the Trial Chamber in Lubanga relied on video evidence showing children under the age of 15 within Lubanga’s armed group when it convicted Lubanga of the crime of enlistment, conscription and use of child soldiers. The court used the video, along with other testimony including from eye witnesses, to ascertain the ages of the boys in question.9 Direct and indirect evidence exist in one of three forms: testimonial evidence, physical evidence, or documentary evidence: 1. Testimonial Evidence a. Testimonial Evidence is a written or oral assertion offered as proof of truth in court on matters of fact or expertise by a witness, victim, or suspect. The ICC generally requires that witness testimony be given in person. Expert evidence, a subset of testimonial evidence, is oral (often opinion-based) evidence given by an expert on matters outside the court’s ordinary knowledge. 2. Physical Evidence: a. Physical evidence refers to objects, including materials detected through scientific means, that can be produced before a court. Examples of physical evidence include computers, equipment or weapons, as well as scientific evidence such as DNA or fingerprints. 3. Documentary Evidence: a. Documentary evidence is anything in which information is recorded. This includes official documents, e-mails, databases, maps, and photographs. It is commonly a combination of physical and testimonial evidence, such as a document containing a military order. Ordinarily, a witness will provide this evidence and be expected to “tender” (formally produce) the documentary evidence to the ICC.

8 ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06 A 5, Judgment (1 December 2014), para. 218. 9 ‘An Overview of the Use of Digital Evidence in International Criminal Courts’ (Salzburg Workshop on Cyberinvestigations, October 2013) [online] Available at: https://www.law.berkeley.edu/files/HRC/Scholarly_articles_Salzburg_2013.pdf (Last accessed 20 June 2017) citing ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06-3121-Anx2, Dissenting Opinion of Judge Anita Ušacka to the Appeals Judgment (1 December 2014), para. 79.

4 STANDARDS OF DIGITAL EVIDENCE

b. Digital evidence is a subcategory of documentary evidence. It may be defined as “information transmitted or stored in a digital format that a party to a case may use at a proceeding”.10 Digital evidence may come in the form of photographs, video and audio recordings, e-mails, blogs, and social media (e.g. Facebook, Twitter).

10 See E. Casey, “Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet” (3d ed. 2011).

5 STANDARDS OF DIGITAL EVIDENCE

Legal Standard of Admissibility of Evidence

The use of digital evidence in international criminal courts must be understood in light of the general approach to the admission of evidence in trial proceedings. For example, Rule 69(4) of the ICC Rules of Procedure and Evidence (“Rules”) directs judges to admit evidence, “taking into account, inter alia, the probative value of the evidence and any prejudice that such evidence may cause to a fair trial or to a fair evaluation of the testimony of a witness.”11 Historically, the ICC has accorded more probative value to viva voce (oral) evidence.12 However, the ICC also encourages parties to submit documentary evidence of various formats such as digital evidence accompanied by “succinct information” on the relevance and probative value, including authenticity, to ensure an expeditious trial.13 In accordance with Rule 63(2), ICC judges determine the probative value and the “appropriate weight” of admitted evidence at the end of a case, when they are considering the evidence as a whole.14

Probative Value & Evidentiary Weight of Evidence: An Overview

In Katanga et al., the Trial Chamber distinguishes between probative value and evidentiary weight. While probative value is determined “on the basis of a number of considerations pertaining to the inherent characteristics of the evidence,” evidentiary weight “is the relative importance that is attached to a piece of evidence in deciding whether a certain issue has been proven or not.”15 The Trial Chamber in Katanga et al. identified two factors that determine probative value: (1) “the reliability of the exhibit” and (2) “the measure by which an item of evidence is likely to influence the determination of a particular issue in the case.”16 When considering the reliability of a piece of evidence, including digital evidence, the court will first determine the authenticity of the evidence before assessing the reliability of the proffered evidence. While authentication and reliability are interconnected, they are still very distinct legal concepts. The

11 ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06, Decision on Confirmation Charges (29 January 2007), para. 100. 12 ICC, Prosecutor v. Jean-Pierre Bemba Gombo, Case No. ICC-01/05-01/08, Decision on the admission into evidence of materials contained in the prosecution's list of evidence (19 November 2010), para. 14. 13 ICC, Prosecutor v. Laurent Gbagbo and Charles Blé Goudé, Case No. ICC-02/11-01/15, Trial Chamber I, Decision concerning the Prosecutor’s submission of documentary evidence on 13 June, 14 July, 7 September and 19 September 2016 (9 December 2016), paras. 34-35, 37. 14 ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06, Decision on Confirmation Charges (29 January 2007). See also ICC, Prosecutor v. Jean- Pierre Bemba Gombo, Case No. ICC-01/05-01/08, Trial Chamber III, Decision on the Prosecution's Application for Admission of Materials into Evidence Pursuant to Article 64(9) of the Rome Statute (8 October 2012), paras. 8, 11. ICC, Prosecutor v. Jean-Pierre Bemba Gombo, Case No. ICC-01/05-01/08, Decision on the admission into evidence of materials contained in the prosecution's list of evidence (19 November 2010), para. 15. Probative value refers “to the reliability and weight to be attached to the evidence concerned.” In order to be considered relevant, evidence must have the potential to influence the determination on at least one fact. The Chamber must consider all the evidence “‘submitted’ before it and ‘discussed’ at trial in making its final determination regardless of the type of evidence presented.” 15 ICC, Prosecutor v. Germain Katanga and Mathieu Ngudjolo Chui, Case No. ICC-01/04-01/07 Decision on the Bar Table Motion of the Defence of Germain Katanga (17 December 2010), para. 13. 16 Ibid., para. 20.

6 STANDARDS OF DIGITAL EVIDENCE

purpose of authentication is to ensure that the admitted evidence has not been tampered with, while the purpose of reliability is to establish whether a piece of evidence is what it purports to be. This review process is aimed at promoting the integrity of the trial process by ensuring tendered evidence authentically establishes what it was offered to prove. As an example, in 2010 the Sri Lankan government examined the reliability of video footage taken from a soldier’s cell phone in 2009 that supposedly showed the killing of several Sri Lankan prisoners. It was argued by the Sri Lankan Government that the killings were, in fact, staged. Thus, even if the footage was authentic, meaning not tampered with, the prosecutor must prove the video was reliable, i.e. the footage was not staged and actually depicted the killing of Sri Lankan prisoners.17 The ICC noted in the Bemba case that an article found on the Internet was admissible even though it was given little weight: In relation to probative value, although the document seems to have been found as a result of an internet search and was not directly downloaded from the BBC news agency from which it apparently originated, the Chamber is satisfied that it provides sufficient indicia that the document is what it purports to be, that is a press article published by the BBC on the date mentioned therein. […] the Majority […] is not persuaded by the defence argument that press/media reports should be rejected where the prosecution is unable to identify the authors of such reports. Moreover, the Majority reiterates its view that the admissibility of such reports should be approached with caution and notes that, if admitted, it is for limited purposes to be determined on a case-by-case basis. Therefore, the Majority admits the BBC news article with the limited purpose that the information contained therein may serve to corroborate other pieces of evidence. In light of the envisioned limited usage of the information contained in the document, the majority is of the view that there is no reason to believe that its admission will have a prejudicial effect on a fair trial.18 Once authenticity has been established, the Court must determine whether the evidence can reasonably be believed.19 There are “innumerable factors which may be relevant” to the determination of whether a piece of evidence possesses some indicia of reliability. The Chamber in Lubanga further emphasised the lack of a definitive list of criteria for determining reliability, stressing that the Court “must be careful not to impose artificial limits on its ability to consider any piece of evidence freely, subject to the requirements of fairness.”20 Although there is no finite list of criteria useful to determining reliability, the following key factors are often considered:

17 Robert Mackey, ‘Video of Sri Lankan Executions Appear Authentic UN Says’ (8 January 2010) [online] Available at: http://thelede.blogs.nytimes.com/2010/01/08/sri-lanka-atrocity-video-appears-authentic-un-says/ (Last accessed 20 June 2017). 18 ICC, Prosecutor v. Jean-Pierre Bemba Gombo, ICC-01/05-01/08, Trial Chamber III, Decision on the Admission into Evidence of Items Deferred in the Chamber's “Decision on the Prosecution's Application for Admission of Materials into Evidence Pursuant to Article 64(9) of the Rome Statute” (27 June 2013), para. 25, footnotes omitted. 19 Ibid., para. 26. 20 Ibid., para. 29.

7 STANDARDS OF DIGITAL EVIDENCE

• whether there is any indication the source is biased;21 • nature and characteristics of the item of evidence;22 • contemporaneousness of the evidence to the events in question;23 • the purpose for which the evidence was created;24 and • whether the information and the way it was gathered can be independently verified and tested.25 Secondly, once a piece of evidence is found to be reliable, the Court must determine the significance of the evidence or the extent to which it will advance the Chamber’s inquiries.26 The Court in Katanga et al. identified two ways in which evidence could be deemed significant: (1) by significantly helping the Chamber reach “a conclusion about the existence or non-existence of a material fact;” or (2) helping the Chamber assess “the reliability of other evidence in the case.”27 A piece of evidence may be relevant, but have little to no impact on the issues before the court and thus be deemed insignificant.28 If or when the admissibility of evidence is questioned, the question for consideration by the ICC Chamber is to “ensure that the evidence is prima facie relevant to the trial, in that it relates to the matters that are properly to be considered by the Chamber in its investigation of the charges against the accused and its consideration of the views and concerns of participating victims.”29 Prima facie evidence is “evidence that will establish a fact or sustain a judgment unless contradictory evidence is produced.”30 ICC jurisprudence considers evidence to be prima facie relevant when it “relates to matters that are properly considered by the Chamber in its investigation of the charges against the accused and its consideration of the views and concerns of participating victims.”31

E-Court Protocol

21 Ibid., para. 27(a). 22 Ibid., para. 27(b). 23 Ibid., para. 27(c). 24 Ibid., para. 27(d). 25 Ibid., para. 27(e). 26 Ibid., para. 34-35. 27 Ibid. para. 34. 28 Ibid. para. 35. 29 Ibid., para. 10 fn.23 citing ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01704-01/06, Decision on the consequences of non-disclosure of exculpatory materials covered by Article 54(3)(e) agreements and the application to stay the prosecution of the accused, together with certain other issues raised at the Status Conference on 10 June 2008 (13 June 2008), paras. 26-27. 30 Black’s Law Dictionary “Prima Facie Evidence”. 31 ICC, Prosecutor v. William Samoei Ruto and Joshua Arap Sang, Case No. ICC-01/09-01/11, Joint Defence Application for the Admission of Items related to the Testimony of P-0536 from the Bar Table (6 July 2016), para. 9 citing ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01704-01/06, Decision on the consequences of non- disclosure of exculpatory materials covered by Article 54(3)(e) agreements and the application to stay the prosecution of the accused, together with certain other issues raised at the Status Conference on 10 June 2008 (13 June 2008), paras. 27- 31. In Katanga et al., the Trial Chamber further elaborated the concept of relevance, stating: If the evidence tendered makes the existence of a fact at issue more or less probable, it is relevant. Whether or not this is the case depends on the purpose for which the evidence is adduced. Unless immediately apparent from the exhibit itself, it is the responsibility of the party tendering it to explain: (1) the relevance of a specific factual proposition to a material fact of the case; (2) how the item of evidence tendered makes this factual proposition more probable or less probable.

8 STANDARDS OF DIGITAL EVIDENCE

The ICC has established standards specific to digital evidence. Digital evidence must conform to the “E-Court Protocol” before it is submitted.32 The Protocol is designed to “ensure authenticity, accuracy, confidentiality and preservation of the record of proceedings.”33 It compels parties to the proceedings to attach metadata to the evidence submitted, including the chain of custody in chronological order, the identity of the source, the original author and recipient information, and the author and recipient’s respective organisations. 34 While the Protocol offers some regulation in assisting the admission and use of digital evidence, it is limited to coordinating the format of digital evidence, and how it is stored in the Court’s systems. 35 National authorities ought not to be concerned with this process during their investigation, to the extent that the relevant information for the metadata is kept.

32 ICC, Prosecutor v. Callixte Mbarushimana, Case No. ICC-01/04-01/10, Decision Amending the e-Court Protocol (28 April, 2011), para. 4. 33 ICC, ICC-01/04-01/10-87-Anx 30-03-2011, Unified Technical protocol (“e-Court Protocol”) for the provision of evidence, witness and victims information in electronic form, para. 1 [online] Available at: https://www.icc- cpi.int/RelatedRecords/CR2011_03065.PDF (Last accessed 22 June 2017). 34 Ibid. 35 ‘An Overview of the Use of Digital Evidence in International Criminal Courts’ (Salzburg Workshop on Cyberinvestigations, October 2013), p. 4.

9 STANDARDS OF DIGITAL EVIDENCE

Evidentiary Considerations of Digital Evidence

Authenticity

The international criminal courts are particularly concerned with authentication of digital evidence as it can be easily manipulated. For example, video footage may be altered or metadata (internal digital information that describes characteristics of the data) may be changed. Therefore, authentication is required to ensure the veracity of the evidence. Judges will not consider the digital evidence’s authenticity if the parties agree that the evidence is authentic or if the evidence is prima facie reliable.36 If the judges find that the evidence does not meet the prima facie standard, a party has the opportunity to provide additional information.37 In the Bemba case, one can see how the judges show some flexibility regarding authentication of evidence. In that matter, the prosecution attempted to admit ten audio recordings of broadcasts into evidence. The prosecution claimed that the audio recordings provided background information about the conflict, the identity of those involved, as well as accounts from eyewitnesses and victims.38 The defense questioned the authenticity of the recordings. The judges found that “recordings that have not been authenticated in court can still be admitted, as in-court authentication is but one factor for the Chamber to consider when determining an item’s authenticity and probative value.”39 To support the authenticity of a piece of evidence, it is not uncommon for digital evidence to be corroborated with external (testimony or source identification) and internal (timestamps and metadata) indicators. For example, in Prosecutor v. Bagosora, video footage combined with a transcript, led the ICTR to find that the accused was acting as the Minister of Defense and therefore exercised control over the army.40 This corroboration digital evidence provided the ICTR with linkage evidence to support a conviction.41

Hearsay

The term generally refers to statements made outside of a given judicial proceeding that are outside the direct knowledge of the witness in question. Such statements are typically not admissible as evidence because the person communicating the statement is either a) not the person who originally

36 ICC, Prosecutor v. Jean- Pierre Bemba Gombo, ICC-01/05-01/08, Trial Chamber III, Decision on the Prosecution's Application for Admission of Materials into Evidence Pursuant to Article 64(9) of the Rome Statute (8 October 2012), para. 9. 37 Ibid. 38 Ibid. 39 Ibid., para. 120. 40 ICTR, Prosecutor v. Théoneste Bagosora, Gratien Kabiligi, Aloys Ntabakuze, Anatole Nsengiyumva, Case No. ICTR- 98-41-T, Judgement (18 December 2008), paras. 2029-2031; ICTR, Prosecutor v. Théoneste Bagosora, Gratien Kabiligi, Aloys Ntabakuze, Anatole Nsengiyumva, Case No. ICTR-98-41-A, Appeals Judgement (14 December 2011), para. 460. 41 Ibid. See also ICTY, Prosecutor v. Stanislav Galić, Case No. IT-98-29-A, Appeals Judgement (30 November 2006), paras. 443, 549. (The ICTY prosecutors offered photographs, ballistics reports, video, and testimony for authentication purposes. The court held that the evidence was admissible because each piece of digital evidence was corroborated by another piece of evidence leading the court to find the evident authentic).

10 STANDARDS OF DIGITAL EVIDENCE

made the statement, or b) is reporting on his or her own previous remembered statement made outside of court. Generally, the term “hearsay” typically prompts solely the idea of speech in lay thought, but in actuality, it refers to “statements” which can be either written or spoken. In this regard, we may consider that a “statement” applies to digital evidence in two ways: 1) emails, text messages, and computer-generated reports are text based; 2) digital video and audio recordings capture spoken utterances or other nonverbal conduct intended to express an assertion. In this respect, we can see that digital evidence may raise hearsay concerns because it is not live testimony and because it is removed from the originating source. The ICC, unlike the ad hoc tribunals, has no definite rule on hearsay evidence.42 While, as mentioned above, the Court prefers to hear live witness testimony, the Court’s actual rules do allow for substitutions in limited circumstances,43 even though practical case examples of hearsay evidence being admitted by the Court are fairly scant. One illustration of the ICC’s approach toward digital evidence hearsay is through its admission of anonymous hearsay. The ICC does not consider hearsay from anonymous sources inadmissible per se,44 and some ICC judgements have found that such anonymous hearsay could be admitted, but only to the degree that it corroborated other evidence.45 In Gbango, the ICC found that sources of digital evidence must be identifiable because it directly impacted the trustworthiness of the evidence and assessment of its probative value. The Trial Chamber said: Proving allegations solely through anonymous hearsay [e.g., NGO reports and press articles] puts the defence in a difficult position because it is not able to investigate and challenge the trustworthiness of the source(s) of the information, thereby unduly limiting the right of the defence under article 61(6)(b) of the Statute to challenge the Prosecutor's evidence... Further, it is highly problematic when the Chamber itself does not know the source of the information and is deprived of vital information about the source of the evidence. In such cases, the

42 Instead, “the drafters of the [Rome] Statute framework have clearly and deliberately avoided proscribing certain categories or types of evidence, a step which would have limited - at the outset - the ability of the Chamber to assess evidence ‘freely’. Instead, the Chamber is authorised by statute to request any evidence that is necessary to determine the truth, subject always to such decisions on relevance and admissibility as are necessary, bearing in mind the dictates of fairness.” ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06, Judgment pursuant to Article 74 of the Statute, (14 March 2010), para. 107. 43 ICC Rule 67 allows for a witness to provide testimony by audio or video link, providing that the technology permits the Prosecutor, the defense, and the Chamber to examine the witness. Rules of Evidence and Procedure of the International Criminal Court, Rule 67. Rule 68 allows for testimony that has been previously recorded to be introduced, in accordance with article 69 paragraph 2, if both the Prosecutor and the defense had a prior opportunity to examine the witness, or if the witness is present before the Chamber, that he or she does not object to the previously recorded testimony, and the Prosecutor and the defense have an opportunity to examine the witness. Rules of Evidence and Procedure of the International Criminal Court, Rule 68. These alternatives to live testimony are available in instances where the witness has refused to attend court, is unable to do so, or if it is in the best interest to protect the psychological well-being and dignity of the witness. ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06, Redacted Decision on the defence request for a witness to give evidence via video-link, (9 February 2010), para. 15. 44 ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06, Decision on Confirmation Charges (29 January 2007), paras. 101, 103. This also includes redacted versions of witness statements. Objections to the use of anonymous hearsay have gone to the probative value of the evidence, and not its admissibility. 45 Ibid., para. 106.

11 STANDARDS OF DIGITAL EVIDENCE

Chamber is unable to assess the trustworthiness of the source, making it all but impossible to determine what probative value to attribute to the information.46 However, in the same regard, the ICC highlighted the importance of independence of a source of evidence in relation to corroboration: The Chamber does not exclude the possibility that in exceptional cases it may be apparent from the evidence that two or more anonymous hearsay sources in documentary evidence corroborate each other because they are clearly based on independent sources. However, since even in such cases the Chamber may still not have enough information about the trustworthiness of these sources, it will be extremely cautious in attributing the appropriate level of probative value.47 Factors to consider that could improve the probative value of digital evidence hearsay include corroborating evidence, such as live testimony, and explanations of the procedures by which the digital evidence was obtained, including testimony of those involved in obtaining it.48 The reliability of hearsay digital evidence is also reinforced by crafting a solid chain of custody in the presentation of the evidence.49 Additionally, the reliability of digital evidence can also be reinforced if it can be further corroborated by other evidence that has a higher probative value, effectively increasing the total weight of the digital hearsay evidence.50

Provenance and Chain of Custody

Particularly relevant to the ICC’s authenticity determination is identifying the source of evidence which can be done by thoroughly and reliably noting the chain of custody. The chain of custody is defined as “[t]he movement and location of real evidence, and the history of those persons who had it in their custody, from the time it is obtained to the time it is presented in court.”51 The chain of custody should also provide a complete history of who controlled the electronic information. A thoroughly documented chain of custody will help establish the origin of a piece of evidence and will be crucial in establishing whether the evidence has been modified or tampered with. It also increases the weight judges accord to the evidence because “[f]actors such as … proof of authorship will naturally assume the greatest importance in the Trial Chamber’s assessment of the weight to be attached to individual pieces of evidence.”52

46 ICC, The Prosecutor v. Laurent Gbagbo, ICC-02/11-01/11, Pre-Trial Chamber I, Decision adjourning the hearing on the confirmation of charges pursuant to article 61(7)(c)(i) of the Rome Statute (3 June 2013), para. 29. 47 Ibid., para. 30. 48 ICTY, Prosecutor v. Zdravko Tolimir, Case No. IT-05-88/2, Judgment, (12 December 2012), para. 64 (evidence was shown to be reliable in the practices followed by the interceptors). 49 Ibid., para. 64, fn.165. 50 Ibid., para. 65. 51 ‘An Overview of the Use of Digital Evidence in International Criminal Courts’ (Salzburg Workshop on Cyberinvestigations, October 2013), p. 10 referring to Black Law Dictionary, (9th ed. 2009) “Chain of Custody”. 52 ‘An Overview of the Use of Digital Evidence in International Criminal Courts’ (Salzburg Workshop on Cyberinvestigations, October 2013), p. 10 referring to ICTY, Prosecutor v. Radoslav Brđanin and Momir Talić, Case No. IT-99-36-T, Order on the Standards Governing the Admission of Evidence (15 February 2002), para. 18.

12 STANDARDS OF DIGITAL EVIDENCE

International courts often consider an “author” to be a person whom the court may rely on to provide information about the evidence’s origins.53 Evidence providing proof of authorship comes in many forms.54 Although proof of authorship is weighed heavily in the Court’s reliability determination, it is not dispositive, with the Pre-Trial Chamber in Lubanga noting that “nothing in the Statute or Rules expressly states that the absence of information about the chain of custody and transmission affects the admissibility or probative value”.55

Preservation

To date, the international criminal courts have given very little direction on the best methods for preserving digital evidence. “Digital preservation refers to long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span” for which the information is required.56 It is also uncertain to assess what, if any, measures the ICC is taking to safeguard the collection and preservation of digital information before investigators obtain it. Considering this, there are several questions regarding the methods to be used for the proper collection of digital evidence. Below we have outlined the various ways that investigators should follow to properly collect and preserve evidence so it retains its value in any subsequent investigations and/or trials.

53 ‘An Overview of the Use of Digital Evidence in International Criminal Courts’ (Salzburg Workshop on Cyberinvestigations, October 2013), p. 10. 54 “Courts have accepted the testimony of persons note-taking and monitoring radio intercepts, recording audio, or even those who obtain aerial images originally taken by others.” ‘An Overview of the Use of Digital Evidence in International Criminal Courts’ (Salzburg Workshop on Cyberinvestigations, October 2013), p. 10 referring to ICTY, Prosecutor v. Popovic et al., Case No. IT-05-88-T, Judgement (10 June 2010), paras. 64-66, ICTR, Prosecutor v. Tharcisse Renzaho, Case No. ICTR-97-31-T, Decision on Exclusion of Testimony and Admission of Exhibit (20 March 2007), paras. 1-2; ICTY, Prosecutor v. Zdravko Tolimir, Case No. IT-05-88/2, Judgment, (12 December 2012), paras. 67-70. 55 ICC, Prosecutor v Thomas Lubanga Dyilo, Case No. ICC-01/04-01/06, Decision on Confirmation Charges (29 January 2007), para. 96. 56 Digital Preservation Definition, U.S. LEGAL [online] Available at: http://definitions.uslegal.com/d/digital- preservation (Last accessed 20 June 2017).

13 STANDARDS OF DIGITAL EVIDENCE

Standards for Collecting and Handling Digital Evidence

The basic standards below outline the practical steps investigators should follow in order to ensure the authenticity of evidence and to adequately preserve digital evidence for use in any subsequent criminal trials. Digital evidence can be discovered in a variety of ways, including directly from an electronic device (“e-device”), such as a computer, camera, or mobile phone, or from web research compiled by an investigator. In the case of evidence from an e-device, investigators should be aware that information such as date, time, and system configuration may be lost as a result of prolonged storage. Therefore, investigators should give priority to e-devices powered by batteries, and all relevant data should be noted as soon as possible in a separate file.

Collecting Digital Evidence

Once an electronic device containing potentially relevant information is found, it should be handled with care and examined only by a digital forensic expert.57 To ensure that no information is lost from the e-device, the following measures should be taken:

If the Device is Turned Off:

• Do not turn on the device; • Label connections, peripherals, manuals, cables, and attached devices; • Photograph and document the labeled computers and attached cables connections and devices; • Pull the power plugs from the back of the machines and remove all cables; • Bag, tag and transport all electronic evidence in accordance with agency procedures; and • If possible, record the passwords, codes, or PINs needed to access the device.58

If the Device is Turned On: (live forensic investigators should undertake the following steps)

• If there is a password which cannot be obtained then cold-boot to capture RAM; and • If the password is obtained or there is no password o Check for encryption o Obtain Recovery Key o Copy logical data from encrypted volumes o Capture volatile data (caches, RAM, processes) o Capture data held on network storage,

57 Council of Europe, "Electronic Evidence Guide: A Basic Guide for Police Officers, Prosecutors and Judges", (15 December 2014), Version 2.0, pp. 201 and 202. 58 Ibid., p. 201.

14 STANDARDS OF DIGITAL EVIDENCE

o Pull the power plugs from the back of the machines, and o Follow the steps for seizure and labeling as if the device was turned off.59 If the evidence is audio or video material, investigators should retrieve and note the date and/or location of recording. If the piece of evidence was an online source and is no longer publicly available, this should be clearly indicated, along with the date and location from when accessed and subsequently obtained.

Handling Digital Evidence

The mishandling of digital evidence can lead to unintentional modification or destruction of the evidence due to inexpert handling. Therefore, the following steps should be taken as a precaution:

Packaging

• Properly document and label before packaging; • Use antistatic packaging, when available. Avoid using materials that can produce static electricity, such as standard plastic bags; • Extra precaution shall be taken to not fold, bend, or scratch storage media such as diskettes, CD-ROMs, and tapes; • Do not affix adhesive labels on the surface of the storage media; and • Leave cellular, mobile, or smart phone(s) in the power state (on or off) in which they were found. o When powered on, package mobile or smart phone(s) in airplane mode or in signal- blocking material such isolation bags, radio frequency-shielding material, or wrapped in aluminum foil to prevent data messages from being sent or received by the devices.

Transport

• Keep electronic evidence away from magnetic sources, such as radio transmitters, speakers, magnets and heated seats; • Ensure that the equipment is protected from shock and bumps (e.g., mechanical damage), heat, and humidity; and • Document the transportation of the digital evidence and maintain the chain of custody for all evidence transported.

Storage

• Store evidence in a secure area, away from extreme temperatures and humidity; • Protect it from magnetic sources, moisture, dust, and other harmful particles or contaminants; and

59 Ibid., p. 202.

15 STANDARDS OF DIGITAL EVIDENCE

• Use an adequately secure storage room with: o Access control; and o Fire protection and suppression systems (e.g., alarm, fire extinguishers, prohibitions on smoking in the storage area or in the vicinity).60

60 Ibid., p. 47.

16 STANDARDS OF DIGITAL EVIDENCE

Conclusion

In conclusion, it is certain that while digital and technologically-derived evidence will create new challenges, including the security, verification, and authentication of digital evidence, it will also have the enormous potential to enhance the truth-telling functions of the Courts in investigations and trials by providing new sources of relevant information and evidence. For these reasons, it is necessary that domestic investigators be aware of alternative sources of evidence and understand how to properly collect and handle digital evidence as the increasing prevalence of digital technology makes technologically-derived evidence a predictable component of future investigations and trials.

17 STANDARDS OF DIGITAL EVIDENCE

18 STANDARDS OF DIGITAL EVIDENCE