Path: utzoo!attcan!uunet!decwrl!purdue!spaf
From: spaf@cs.purdue.EDU (Gene Spafford)
Newsgroups: comp.org.eff.talk
Subject: Evidence (was Re: Musing on Constitutionality)
Message-ID: <11621@medusa.cs.purdue.edu>
Date: 7 Sep 90 15:36:37 GMT
References: <11503@medusa.cs.purdue.edu> <82778@aerospace.AERO.ORG> <11521@medusa.cs.purdue.edu> <1990Sep3.182712.2260@world.std.com> <11548@medusa.cs.purdue.edu> <12945@paperboy.OSF.ORG> <11608@medusa.cs.purdue.edu> <55@hyprion.ddmi.com>
Sender: news@cs.purdue.EDU
Reply-To: spaf@cs.purdue.edu (Gene Spafford)
Organization: Department of Computer Science, Purdue University
Lines: 74

In article <55@hyprion.ddmi.com> rabbit@hyprion.UUCP (Dr. Roger Rabbit) writes:
>You know - I wonder why the SS just doesn't get a computer expert to
>come with them to the site of the raid and duplicate the hard drive
>contents? Why do they need to take someone's machine?? ... And, I DON'T
>want to hear anything that implies that "Oh well, if we're raiding them,
>they must be guilty of something...."

Believe it or not, it has to do with your rights to trial and to challenge evidence.

As it has been explained to me by lawyer-types (prosecutors and "private" lawyers alike), there is the concept of "best evidence." If something is going to be introduced as evidence in a trial, the law requires that the best version of the evidence be produced, i.e., the original version, if possible.

If a copy was introduced, the defense could challenge it and claim that the copy was not the same as the original -- that it had been doctored by the prosecution to make it look bad, or that accidental changes had been made, or that it wasn't a complete copy. According to both statute and case law, that objection would probably have to be sustained. Thus, a copy might not be admissible as evidence, and it is difficult to make a case when you can't introduce evidence!
That's one reason why, when something is under investigation, they continue to hold the system long after the search warrant has been executed -- if an indictment is brought later, they need the system as evidence in the trial. If a challenge is made by the defendant about the material introduced as evidence, the prosecution needs to be able to fire up the system in the courtroom to prove their point.

(I'm told that the normal course of prosecution is such that it may take upwards of 2 years for an indictment to be made. Thus, the equipment needs to be held all that time. This is a hardship for the defendant, but not at all unusual -- cases involving the seizure of cars, boats, printing presses (in counterfeiting cases), business records and so on often result in the material being held for similar lengths of time. The belief is that it is more important to preserve the evidence to allow you to challenge it in court than it is to return it to you quickly.)

Certainly, the prosecution could produce the experts to claim that a copy was a true and accurate copy, but the defense could have a lot of fun trying to cast doubt in the jury's minds by holding up 3.5" floppy disks and pointing at mounds of printouts and asking the experts to explain how they know it's a true copy, and how all that data is encoded, and how they know the software is correct and.... Ever try explaining all that to someone who doesn't know about computers and may be mildly computer-phobic? Now imagine explaining that to a jury of 12 similar people and convincing them beyond any reasonable doubt.

Also, btw, that is part of the reason why peripherals are also taken during search warrants -- they are part of the system, and if the prosecution is going to print off copies of things, it needs to be done without "contaminating" the system with "outside" equipment or software.
(I'm also told {and have seen} that the law enforcement agencies have very limited equipment resources, and the only way they can be sure to have a printer that works with the hardware/software on the confiscated system is to take the printer that's already attached.)

Obviously, this is pretty silly -- as computer literate individuals, we understand that copies (when done correctly) are exactly the same as the originals, but the law wasn't developed by people who know computers. The law was developed when evidence was paper files or adding machine tapes, and xerox copies or handwritten copies were not allowed if the originals were available.

(Someone made a snide comment earlier about SJ Games' laser printer being taken. It is my understanding that the above rationale is standard practice with the Feds. If you look in the NIJ (National Institutes of Justice) handbooks and similar texts on organizing computer crime investigation, you will see the same thing given as advice to local law enforcement types. If you don't like it, contact your Congress-critter about amendments to the Federal rules of evidence -- don't continue to abuse me for reporting information that I have spent time researching.)