Authenticating Evidence Found On Social Media And In Cell Phones – “It’s Complicated”
Cell Phone and Social Media Evidence
Robert C. Bonsib, Esq. & Megan E. Coleman, Esq.
It is now almost routine, when a new case comes into the office, to identify not just the critical witnesses and businesses pertinent to the case but also to do social media research as part of the initial case investigation. No longer is searching Case Search sufficient. A common initial discussion with our clients pertains to the client’s social media activities past, present, and future. Don’t take the client’s word for the fact that the post is “innocuous” or not relevant. Look at it yourself. It is not just what the client posts, but also what others might be posting on the client’s social media site. It is generally good advice to have the client shut down all social media sites. In this day that advice may be easier given than followed. Following up by periodically checking your client’s social media sites is always a wise course of conduct. We have had these initial discussions with clients, only to find a few weeks later the client is posting again.
If you are fortunate to have a younger legal assistant or paralegal in your office (or if you are one who is comfortable with the current forms of social media), a search of Facebook, Twitter, Snapchat, Instagram, LinkedIn, Google+, YouTube, and the list goes on and on…may produce amazing evidence for your case. Photographs, inflated and/or misrepresented backgrounds, political or personal opinions, and conversations about the very events relevant in your case are often available online. Not surprisingly, many of these posts pop up right around the time of the relevant event.
Once you have located a potentially useful and relevant social media post, what should you do? Don’t delay. Immediately capture it. Even if the initial manner in which you preserve the evidence isn’t the best, it is important to capture it because people can quickly close down or delete a social media site. Take a screenshot of the entire screen, capturing as much as you can, and not just the relevant picture or message. In order to later authenticate the screenshot, you may need to show the whole page so you can see other information that helps tie the screenshot to the person you are attempting to prove posted the message or picture. Most computers have a program that allows you to take a screenshot of what appears on the screen. You can also use your cellphone or iPad to take a picture of the page. If you wish to show a video or to show the page as you scroll through it, use the video record feature on your cellphone, tablet or iPad. While the quality of this ad hoc method of capturing the evidence may be a little “rough,” it is better than losing the evidence altogether. Pages may not only be shut down, but they can be edited so that the message you see today may not be the same message you saw yesterday. Unless you have preserved the original message, you may not be able to prove what was originally said.
Even where the client has control over his or her own social media site or evidence on the cell phone, it is still critical to devise a plan to capture the evidence. Cell phones get stolen, broken or otherwise become unavailable. Evidence that was stored only on that device can be lost.
Another obvious suggestion is that you should have someone in your office capture the evidence for you so that if it becomes necessary to rely upon the original capture of the evidence, you are not in the position of being the only necessary witness to authenticate the evidence.
Capturing the evidence is only the first step; getting it admitted during a hearing or trial is the real challenge. The foundational requirements for admissibility of the evidence must be considered. While the evidentiary requirements are still evolving, a number of reported cases give guidance as to how courts are addressing this issue. This article will summarize some of those cases and highlight circumstances where social media has not been properly authenticated versus situations where it has been properly authenticated.
CASES IN WHICH THE EVIDENCE WAS NOT PROPERLY AUTHENTICATED
In Griffin v. State, 419 Md. 343 (2011), the Court of Appeals addressed the admissibility of a screenshot of a MySpace page and held that the State did not sufficiently authenticate pages that allegedly were printed from the defendant’s girlfriend’s profile on a social-networking website, and the error was reversible error.
In this case a screenshot of a MySpace page of the girlfriend of Griffin, who was on trial for murder, was at issue. The lead investigator printed the screenshot from Griffin’s computer. The screenshot showed that the girlfriend threatened a witness to the murder. The girlfriend was never questioned at trial about her ownership of the MySpace profile. The screenshot contained a picture of a person that looked like her, and it described her birthday and where she was from.
The Court of Appeals rejected the mere printout of the screenshot because the lead investigator who created the document lacked any knowledge about the ownership of or who created the profile. Even though the profile featured a photo of the defendant and the girlfriend, and her date of birth, it is possible that another user could have created the profile. There were no distinctive characteristics to authenticate the printout.
The Court of Appeals suggested three non-exclusive means of authentication of ownership of such websites:
1) Ask the purported creator if she indeed created the profile and if she added the posting in question.
2) Search the computer of the person who allegedly created the profile and posting and examine the computer’s internet history and hard drive to determine whether that computer was used to originate the social networking profile and posting in question.
3) Obtain information directly from the social networking website which would link together the profile and the entry to the person who created them.
In a case out of Mississippi citing Griffin, the Supreme Court in Smith v. State, 136 So.3d 424 (2014), held that photocopies of electronic messages posted on a social media network account belonging to the defendant’s wife, purportedly written by the defendant, were not properly authenticated but the error in admission was harmless.
The defendant Smith was charged with killing his wife’s 17-month-old daughter. It was alleged that Smith didn’t like caring for the child because she cried a lot. At trial, the State introduced two Facebook messages and one email notification containing a Facebook message. Two of the messages purported to be from Smith to his wife and the third message was from his wife to him. Two of the messages introduced were cut off at the right margin, giving an incomplete account of what the messages contained. Otherwise they contained conversations regarding their marriage, their fights, and the problems Smith had with the child, including how much she cried, that he felt his temper building and that he would hurt someone.
The Supreme Court found that the State failed to provide evidence sufficient to support a finding that the Facebook messages from Smith were what the State claimed. The State failed to make a prima facie case that the Facebook profile from which the messages came belonged to Smith as the only information tying the Facebook account to Smith was that the messages purported to be from a “Scott Smith” and were accompanied by a very small, grainy, low-quality photograph. No other identifying information from the Facebook profile was provided such as date of birth, interests, or hometown.
The State also failed to make a prima facie case that the messages were actually sent by Smith. The only information tying the actual messages to Smith was his wife’s testimony that they were Smith’s messages to her. This did not suffice as the testimony of a witness with knowledge because the State failed to provide any information as to the basis of her purported knowledge. She did not testify how she knew that the Facebook account was Smith’s, nor did she testify as to how she knew that Smith actually authored the messages. Further, the information contained in the messages was known not only to Smith but also to his wife’s friends and family members. Lastly, the messages did not appear to be part of the same conversation and therefore it did not appear that Smith’s messages were replying to anything in the wife’s message. Also, no testimony regarding the security or access to Smith’s Facebook account was elicited. Thus, it was an abuse of discretion to admit messages that were not properly authenticated.
In U.S. v. Vayner, 769 F.3d 125 (2d Cir. 2014), cited by Sublet v. State, infra, the Second Circuit held that the government did not provide a sufficient basis from which the jury could conclude that the proffered printout was Vayner’s profile page from a Russian social networking Internet website, and thus the document was not properly authenticated. This abuse of discretion was not harmless.
In this case, the government offered into evidence a copy of a web page which it claimed was Vayner’s profile page from a Russian social networking site akin to Facebook. Vayner objected, arguing that the page had not been properly authenticated. A special agent introduced the profile. He testified that the profile page was of Vayner, just with an alternate spelling of his last name, and that it contained a photo of Vayner. The agent testified that under the heading “Contact Information” the profile reflected that Vayner worked at a company called Martex International and at an Internet café called Cyber Heaven, both of which corresponded with a cooperator’s testimony about Vayner’s employment. The agent admitted he did not know whether any identity verification was required for a user to create an account on this site.
The Second Circuit found that even though information about Vayner appeared on the social media page, there was no evidence that Vayner himself created the page or was responsible for its contents. The mere fact that a page with Vayner’s name and photo happened to exist on the Internet does not permit a reasonable conclusion that the page was created by Vayner or on his behalf. All of the information allegedly tying Vayner to the page was also known by the cooperating witness and others, some of whom may have had reasons to create a profile page falsely attributed to Vayner. Nor was there any evidence that identity verification is necessary to create such a page.
A CONSOLIDATED CASE IN WHICH ONE OF THE CASES HAD EVIDENCE THAT WAS NOT PROPERLY AUTHENTICATED AND THE OTHER TWO CASES HAD EVIDENCE THAT WAS PROPERLY AUTHENTICATED
In Sublet v. State, 442 Md. 632 (2015), the Court of Appeals had the opportunity to explore the authentication of documents related to social networking websites. This case consolidated three appeals, Sublet, Harris, and Monge-Martinez, and implemented the holding in Griffin.
The COA held that in order to authenticate evidence derived from a social networking website, the trial judge must determine that there is proof from which a reasonable juror could find that the evidence is what the proponent claims it to be.
The COA held that the Sublet trial court did not err in excluding the admission of the four pages of the Facebook conversation. Defense counsel sought to introduce four pages alleged to have been a printout from a witness Ms. Parker’s Facebook page of a conversation among seven different people. Across each of the four pages was hand-written “printed on 10-30-12 from Facebook.” Each of the entries contained the name of the profile that had allegedly created it, and the time the entry was created. Next to the name of the profile was a picture. Although Ms. Parker acknowledged discussing an assault on Facebook with other people and even acknowledged that some things in the conversation were posted by her, the linchpin was that Ms. Parker denied writing entries on the last page and said she did not understand where they came from. When a witness denies having personal knowledge of the creation of the item to be authenticated, that denial necessarily undercuts the notion of authenticity. Furthermore, Ms. Parker explained that she gave her password to other people. This undermines authorship as well. Additionally, there was no proof that the fourth page in any way related to the first three pages.
In the second consolidated case, the COA held that the Harris trial court did not err in admitting the direct messages and tweets. In this case the State acquired evidence that Harris planned to shoot someone the day before the actual shooting. The State discovered evidence in direct messages sent via Twitter and recovered from an iPhone found in Harris’s bedroom as well as public tweets obtained from an Android phone recovered from Harris’s person.
The COA found that there were sufficient distinctive characteristics from which the trial judge could determine that a reasonable juror could find the direct messages and tweets authentic. For instance, a witness testified to Harris’s Twitter name and that the photographs accompanying the messages were of Harris. The substance of the conversation referenced a plan to “avenge” that had only just been created in response to events occurring that same day. Someone with knowledge of and involvement in the situation had to author the messages. The tweets were authored around the same time as the direct messages.
In the third consolidated case, the COA held that in Monge-Martinez, the trial court did not err in admitting the Facebook messages authored by Monge-Martinez. The State introduced Facebook messages by the defendant expressing remorse for his actions of assaulting his former girlfriend. The messages were screenshots from the victim’s phone. She had dated him for a year and testified that he wrote the messages and that the date and time stamps indicate they were sent soon after the stabbing. Few people were aware of the incident at the time the messages were written, they were written in Spanish, the defendant’s mother tongue, and they expressed remorse for getting carried away by anger. After sending the messages the defendant also started calling the victim on the phone and left a note for her at her apartment written in Spanish.
CASES IN WHICH THE EVIDENCE HAS BEEN PROPERLY AUTHENTICATED
In Dickens v. State, 175 Md.App. 231 (2007), the CSA held that threatening text messages the victim received on her cell phone in the months prior to her murder that were allegedly from the defendant were properly authenticated by the State to be admissible.
In this case the defendant fatally shot his wife. The only dispute at trial was whether it was premeditated or not. Prior to the victim’s murder, she had received numerous threats from the defendant both in person and over the phone.
The victim’s mother testified that she had given the victim a cell phone before her murder in the event she needed to call 911 on her husband. A few days after the murder the mother took possession of the phone and found the threatening text messages. A detective photographed the messages which were introduced at trial.
A text message sent on August 29, 2004 showed that the sender’s number was one that initially belonged to the victim’s cellphone, but the victim had given that phone to the defendant. The victim’s mother testified that the defendant had use of that phone from July through August 2004. This was corroborated by the fact that this phone was found the day after the murder near the neighbor’s house where the defendant had run after the shooting.
The content of the messages was also corroborated. In one of the messages the sender wrote on August 29, 2004 “She better enjoy her last day in the motel.” The boyfriend of the victim testified that the defendant had followed the two of them to a motel on that day and tried to break into their room only two hours before the messages were sent.
Messages sent on August 25, 2004 did not have a number associated with the sender, but the content of the message also corroborated that it was the defendant who sent them. The messages discussed seeing their minor child in common.
Likewise, messages sent on July 7, 2004 were authenticated by their content because they talked about being together until “death do us part” and they were husband and wife. Also, the sender used a nickname “Doll/M” from “Dial M for Murder” and the defendant’s wife was later murdered. This was bolstered by other witnesses whom the defendant directly told that he was going to “deal with” his wife and her boyfriend, and that his wife didn’t know who she “was messing with.”
In Carpenter v. State, 196 Md.App. 212 (2010), the CSA held that information taken from Carpenter’s cell phone was not hearsay, that it was sufficiently authenticated by direct and circumstantial evidence, that the State did not need to produce a witness to explain how the information came to be stored in the cellular telephone, and any error in admitting the officer’s testimony relaying or describing the information taken from the defendant’s cell phone was harmless.
In this case Carpenter stole the victim’s wallet but dropped his own cell phone in the process. The victim retrieved Carpenter’s cellphone. Carpenter then went to a friend’s house to use the friend’s phone and called his own cell phone. The victim answered and agreed to meet up with Carpenter to exchange the cell phone for his wallet. Upon meeting up with Carpenter, the victim returned the cell phone but Carpenter then unloaded a gun, striking the victim in the back. Police arrived within minutes and first encountered Carpenter. They patted him down and retrieved his phone but then let him go. Later they found the victim lying on the street and he identified Carpenter as the shooter. Pursuant to a warrant, officers searched Carpenter’s cell phone and identified numbers that were called that night and the contact name of the numbers stored in Carpenter’s phone. Over objection, an officer testified to this information at trial.
The defendant argued that the content was hearsay and that the information stored in the cell phone was not authentic, reliable, or accurate.
The CSA found that the probative value of Carpenter’s home number and his friends Skinner and Chase whose names and numbers were stored in Carpenter’s phone did not depend upon the belief of a person who called, or upon the accuracy of that person’s belief. Rather, the prosecutor was only showing that the cell phone belonged to Carpenter and that he had made calls to these people, or that there were calls missed, and therefore the calls were not assertions or statements as defined by Rule 5-801.
The CSA, relying on Dickens, found that the content of the phone was authenticated by corroborating information. Some of the calls were made from phones belonging to Chase, at whose home Carpenter disposed of the handgun. And some of the calls belonged to Skinner, the person with whom Carpenter assaulted the victim. Furthermore, after the victim answered Carpenter’s phone and agreed to exchange it at the gas station for his wallet, the person who met him at the gas station was Carpenter. Also, one of the calls received by Carpenter’s phone before he dropped it was a call from Carpenter’s home number. Lastly, Carpenter had to use Chase’s phone to call his own cell phone because he didn’t have his phone in his possession after he dropped it.
Contrary to Griffin, the State did not need to call a witness to explain how the information came to be stored in the phone because Carpenter did not argue that the missed and received calls did not accurately reflect the calls made to the cell phone. The evidence presented by the State was sufficient to authenticate the calls missed and received by the cell phone. Even if there were error, it would be harmless because of all of the other evidence that came in linking Carpenter to the crime.
In U.S. v. Hassan, 742 F.3d 104 (4th Cir. 2014), the Fourth Circuit held that the district court did not abuse its discretion in determining that the government had adequately authenticated screenshots of the defendants’ user profiles and postings on social media websites.
In this case the defendants were charged with conspiracy to commit terrorism and related counts. During the course of the conspiracy one defendant, Yaghi, while in the Middle East, posted numerous statements on Facebook concerning his adherence to the violent jihadist ideology. Yaghi also kept in touch with co-defendant Hassan through Facebook where they would discuss the teachings of al-Awlaki and posted songs and poems about their animosity towards non-Muslim people. The men also discussed on Facebook their need to obtain weapons to implement their beliefs.
The defendants contended that the Facebook pages and videos within were not properly authenticated, and one of the defendants challenged on hearsay grounds as well. The trial court ruled that the Facebook pages and YouTube videos were self-authenticating under Fed.R.Evid. 902(11) and were business records.
However, the trial court also required the government, pursuant to Rule 901, to prove that the Facebook pages were linked to Hassan and Yaghi. Hassan’s and Yaghi’s Facebook pages were captured via screenshots. The screenshots included photos and links to the YouTube videos. On the Facebook pages Hassan and Yaghi had posted their personal biographical information as well as quotations and listings of their interests.
The videos in question were retrieved from Google’s server and the government presented certifications of records custodians of Facebook and Google. The court ruled that Rule 902(11) had been satisfied and that the government satisfied Rule 901(a) by tracking the Facebook pages and accounts to Hassan’s and Yaghi’s mailing and email addresses via Internet protocol addresses. Thus there was no abuse of discretion in admission of any of the Facebook pages and YouTube videos.
Keywords: Cell phone evidence, cell phone tracking, social media evidence, admissibility of cell phone and social media evidence