What Evidence is Real in a World of Digitally Altered Material?

Imagine you are prosecuting a child pornography case and have incriminating chats made through Facebook showing the Defendant coercing and soliciting sexually explicit material from minors.  Knowing that you will submit these chats as evidence in trial, you acquire a certificate from Facebook’s records custodian authenticating the documents.  The custodian provides information that confirms the times, accounts and users.  That should be enough, right?

Wrong.  Your strategy relies on the legal theory that chats made through a third-party provider fall into a hearsay exception known as the “business records exemption.”  Under the Federal Rules of Evidence 902(11) “self-authenticating” business records “provides that ‘records of a regularly conducted activity’ that fall into the hearsay exception under Rule 803(6)—more commonly known as the “business records exception”—may be authenticated by way of a certificate from the records custodian.”  (Fed. R. Evid. 902(11)), (United States v. Browne, 834 F.3d 403 (3d Cir. 2016)).

Why does this certification fail to actually show authenticity?  The Third Circuit answers, saying there must be additional, outside evidence (extrinsic) establishing relevance of the evidence.  (United States v. Browne, 834 F.3d 403 (3d Cir. 2016)).

Relevance is another legal concept where “its existence simply has some ‘tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.’”  (United States v. Jones, 566 F.3d 353, 364 (3d Cir. 2009) (quoting Fed. R. Evid. 401)).  Put simply, the existence of this evidence has a material effect on the evaluation of an action.

In Browne, the Third Circuit says the “business records exemption” is not enough because Facebook chats are fundamentally different than business records.  Business records are “supplied by systematic checking, by regularity and continuity which produce habits of precision, by actual experience of business in relying upon them, or by a duty to make an accurate record as part of a continuing job or occupation,” which results in records that can be relied upon as legitimate.

The issue here deals with authenticating the entirety of the chat – not just the timestamps or cached information.  The court delineates this distinction, saying “If the Government here had sought to authenticate only the timestamps on the Facebook chats, the fact that the chats took place between particular Facebook accounts, and similarly technical information verified by Facebook ‘in the course of a regularly conducted activity,’ the records might be more readily analogized to bank records or phone records conventionally authenticated and admitted under Rules 902(11) and 803(6).”

In contrast, Facebook chats are not authenticated based on confirmation of their substance, but instead on the user linked to that account.  Moreover, in this case, the Facebook records certification showed “alleged” activity between user accounts but not the actual identification of the person communicating, which the court found is not conclusive in determining authorship.

The policy concern is that information is easily falsified – accounts may be created with a fake name and email address, or a person’s account may be hacked into and operated by another.  As a result of the ruling in Browne, submitting chat logs into evidence made through a third party such as Facebook requires more than verification of technical data.  The Browne court describes the second step for evidence to be successfully admitted – there must be, extrinsic, or additional outside evidence, presented to show that the chat logs really occurred between certain people and that the content is consistent with the allegations.  (United States v. Browne, 834 F.3d 403 (3d Cir. 2016))

When there is enough extrinsic evidence, the “authentication challenge collapses under the veritable mountain of evidence linking [Defendant] and the incriminating chats.”  In the Browne case, there was enough of this outside evidence that the court found there was “abundant evidence linking [Defendant] and the testifying victims to the chats conducted… [and the] Facebook records were thus duly authenticated” under Federal Rule of Evidence 901(b)(1) in a traditional analysis.

The idea that extrinsic evidence must support authentication of evidence collected from third-party platforms is echoed in the Seventh Circuit decision United States v. Barber, 937 F.3d 965 (7th Cir. 2019).  Here, “this court has relied on evidence such as the presence of a nickname, date of birth, address, email address, and photos on someone’s Facebook page as circumstantial evidence that a page might belong to that person.”

The requirement for extrinsic evidence represents a shift in thinking from the original requirement that the government carries the burden of only ‘“produc[ing] evidence sufficient to support a finding’ that the account belonged to [Defendant] and the linked messages were actually sent and received by him.”  United States v. Barber, 937 F.3d 965 (7th Cir. 2019) citing Fed. R. Evid. 901(a), United States v. Lewisbey, 843 F.3d 653, 658 (7th Cir. 2016).  Here, “Facebook records must be authenticated through the ‘traditional standard’ of Rule 901.” United States v. Frazier, 443 F. Supp. 3d 885 (M.D. Tenn. 2020).

The bottom line is that Facebook cannot attest to the accuracy of the content of its chats and can only provide specific technical data.  This difference is further supported by a District Court ruling mandating traditional analysis under Rule 901 and not allowing a business hearsay exception, saying “Rule 803(6) is designed to capture records that are likely accurate and reliable in content, as demonstrated by the trustworthiness of the underlying sources of information and the process by which and purposes for which that information is recorded… This is no more sufficient to confirm the accuracy or reliability of the contents of the Facebook chats than a postal receipt would be to attest to the accuracy or reliability of the contents of the enclosed mailed letter.”  (United States v. Browne, 834 F.3d 403, 410 (3rd Cir. 2016), United States v. Frazier, 443 F. Supp. 3d 885 (M.D. Tenn. 2020)).

Evidence from social media is allowed under the business records exemption in a select-few circumstances.  For example, United States v. El Gammal, 831 F. App’x 539 (2d Cir. 2020) presents a case that does find authentication of Facebook’s message logs based on testimony from a records custodian.  However, there is an important distinction here – the logs admitted were directly from a “deleted” output, where Facebook itself created the record, rather than a person.  Accordingly, the Tenth Circuit agreed that “spreadsheets fell under the business records exception and, alternatively, appeared to be machine-generated non-hearsay.”  United States v. Channon, 881 F.3d 806 (10th Cir. 2018).

What about photographs – are pictures taken from social media dealt with in the same way as chats when it comes to authentication?  Reviewing a lower court decision, the Sixth Circuit in United States v. Farrad, 895 F.3d 859 (6th Cir. 2018) found that “it was an error for the district court to deem the photographs self-authenticating business records.”  Here, there is a bar on using the business exception that is similar to that found in the authentication of chats, where photographs must also be supported by extrinsic evidence.

While not using the business exception to do so, the court in Farrad nevertheless found that social media photographs were admissible because it would be logically inconsistent to allow “physical photos that police stumble across lying on a sidewalk” while barring “electronic photos that police stumble across on Facebook.”  It is notable that the court does not address the ease with which photographs may be altered digitally, given that was a major concern voiced by the Browne court regarding alteration of digital text.

United States v. Vazquez-Soto, 939 F.3d 365 (1st Cir. 2019) further supports the idea that photographs found through social media need to be authenticated traditionally.  Here, the court explains the authentication process, saying “The standard [the court] must apply in evaluating a[n] [item]’s authenticity is whether there is enough support in the record to warrant a reasonable person in determining that the evidence is what it purports to be.” United States v. Vazquez-Soto, 939 F.3d 365 (1st Cir. 2019) quoting United States v. Blanchard, 867 F.3d 1, 6 (1st Cir. 2017) (internal quotation marks omitted); Fed. R. Evid. 901(a).”  In other words, based on the totality of the evidence to include extrinsic evidence, do you believe the photograph is real?  Here, “what is at issue is only the authenticity of the photographs, not the Facebook page” – it does not necessarily matter who posted the photo, only what was depicted.

Against the backdrop of an alterable digital world, courts seek to emplace guards against falsified information.  The cases here represent the beginning of a foray into what measures can be realistically taken to protect ourselves from digital fabrications.















Who Pays When Your Amazon Purchase Catches Fire?

As technology develops, one of the most debated issues remains: how much responsibility should internet service providers bear in respect to third party content published through their website?  Is Section 230 of the of the Communications Decency Act a relic of primitive internet usage?  When products are sold through the internet, does responsibility shift to the marketplace provider?
To shed light on the issue, a parallel arises between how consumer law and internet usage is developing.
Take the Texas case where a third-party sold a remote control through Amazon.com.  The remote was purchased and delivered to a customer with no issues.  However, the customer’s nineteen-month-old child later ingested the remote’s battery which resulted in permanent esophagus damage.  Who is responsible for the damages – Amazon or the third-party seller?  (Amazon.com, Inc. v. McMillan, No. 20-0979, 2021 WL 2605885 (Tex. June 25, 2021))
The customer, Ms. McMillin, brought a lawsuit against both.  Ultimately, the Supreme Court of Texas found that legal liability for the personal injury did not lie with Amazon but remained with the third-party seller.  This decision determined who was the “Seller” under Tex. Civ. Prac. & Rem. Code Ann. § 82.001 and the legal framework behind placing items into a stream of commerce.  The dispositive factor was whether or not, at any point during the “chain of distribution”, title to the remote had been transferred to Amazon.  In other words, who owned the remote?
The court found that unless Amazon held and relinquished title, or the “legal right to control and dispose of property” (TITLE, Black’s Law Dictionary (11th ed. 2019)), they could not be considered an actual “Seller” under the law and therefore were not liable for injury.  Even though throughout use of the marketplace Amazon “controlled the process of the transaction and the delivery of the product,” the third-party seller retained title and was thus the liable “Seller.”
These ideas run parallel to those behind Section 230, where internet service providers are not liable for content published through their services.  Under this section, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” (47 U.S.C. § 230, subd. (c)(1)).  In the McMillin case, the court notes the “significant potential consequences of holding online marketplaces responsible for third-party sellers’ faulty products.”
In a case originating in Arizona, the deciding factor in a strict liability consumer law case again comes down to ownership.  Here, personal injury was incurred by a defective battery in a hoverboard that caught fire which had been sold through Amazon.com.  The court ruled in favor of Amazon after applying state law in a “contextual analysis [that] balanced multiple factors to determine whether a company ‘participate[d] significantly in a stream of commerce.’”  (State Farm Fire & Cas. Co. v. Amazon.com, Inc., 835 F. App’x 213 (9th Cir. 2020))
Under Arizona law, the “realities of the marketplace” bear on the outcome and evaluated using a seven-part test to determine whether strict liability can be held against a party.  This occurs when:
“(1) provide a warranty for the product’s quality; (2) are responsible for the product during transit; (3) exercise enough control over the product to inspect or examine it; (4) take title or *216 ownership over the product; (5) derive an economic benefit from the transaction; (6) have the capacity to influence a product’s design and manufacture; or (7) foster consumer reliance through their involvement.”
In these factors we again see the idea of ownership being used to help draw the line.  Just because Amazon facilitated the sale of defective products through their website, they were not involved enough with the product to actually be liable for its deficiencies.
This trend is not limited to Amazon.com.  Take the example of the consumer in Indiana who purchased a 3D printer through Walmart.com that later caught fire and damaged property.  The consumers, the Terrys, brought a lawsuit for merchantability issues under Indiana Code § 26-1-2-314, which provides that the “warranty that the goods shall be merchantable is implied in a contract for their sale if the seller is a merchant with respect to goods of that kind.”  (Indiana Farm Bureau Ins. v. Shenzhen Anet Tech. Co., No. 419CV00168TWPDML, 2020 WL 7711346 (S.D. Ind. Dec. 29, 2020))
Here, again, the court determined that Walmart.com was not a “Seller” or “Manufacturer” under the Indiana law and could not be held liable for the damages caused by defective third-party products.
However, law developing out of California reaches a contradictory conclusion.  Here, in a case where an Amazon.com-sold laptop battery caught fire, the court ruled that in regard to strict liability the Communications Decency Act did not offer immunity to internet marketplaces.  The court supported the finding by determining that Amazon played an “’integral part of the overall producing and marketing enterprise.’”  Here, Amazon’s role providing speech, which is immunized, is differentiated from its “role in the chain of production and distribution of an allegedly defective product.”  Bolger v. Amazon.com, LLC, 53 Cal. App. 5th 431, 267 Cal. Rptr. 3d 601 (2020), review denied (Nov. 18, 2020)
The convergence between consumer law and Section 230 helps develop an understanding of how we think about the responsibility of internet service providers when the content or products they facilitate cause damage.  Ultimately, the emerging trend is that a party must in some way own the content in question.
Skip to toolbar