Court Says Prosecutors Can't Just Assume A MySpace Profile Is Legit
from the why-didn't-they-ask? dept
A murder lawsuit in Maryland involved some evidence from a MySpace profile (allegedly from the defendant’s girlfriend, attempting to intimidate witnesses). A police officer went to the profile and printed it out, but prosecutors did nothing else to authenticate that the MySpace profile and the comments on the page were legit and placed by the girlfriend. A lower court said this was fine, but as Venkat Balasubramani discusses, the Maryland Supreme Court has said that just printing out a MySpace profile and showing it to jurors is not enough to prove that the content really came from the person in question. The court even cites the infamous Lori Drew case, in pointing out that it’s easy to create fake profiles of people. In the end, the court makes a simple point: if you want to authenticate that a social networking page is from a particular person, there are a number of ways to do so, starting with asking the person in question if it’s their website. Stunningly, prosecutors in this case never did that.
I have to admit that I’m a bit confused by the dissent on this case, as described by Venkat:
Two dissenting judges accuse the majority of having a case of the “technological heebie-jeebies,” and note that the key question is whether a “reasonable juror” could conclude that the evidence in question was authentic. In other cases where the authenticity of a piece of evidence is disputed, the typical practice is to let the jury make the call, unless the court concludes that “no reasonable juror” could find the evidence authentic. The dissenting judges fault the majority for not following the same practice in this case.
I don’t see how it’s a case of technological heebie-jeebies at all. If anything, it’s the reverse. It’s recognizing that (1) such evidence is easy to fake and (2) there are some very easy steps to authenticate the evidence. In a case such as a murder case, isn’t it a reasonable standard to make sure that such evidence is, in fact, authentic?
Filed Under: court, evidence, myspace profile, social media
Comments on “Court Says Prosecutors Can't Just Assume A MySpace Profile Is Legit”
Over confidence
I had the exact same reaction you did when I read the dissent from those judges. Understanding the ease with which profiles, even those on Facebook or Linkedin, can be faked, clearly means that the judges in the majority have a depth of understanding. The dissenting judges sound more like people who think they “get it” but really don’t 😉 Over confident about stuff they really don’t understand deeply…those are the scariest type of people.
the "Truth behind the Truth" here...
Maybe the real issue here is what the one the dissenting judges are showing us, but not realizing that they are. Hence, the “Truth behind the Truth” statement, it might be the truth that this case of potential fraudulent evidence was handled differently than other cases because this case had additional easy(and obvious) steps to take to validate the evidence. However, The “Truth” behind that one, is that perhaps the normal way of allowing jurors to see potentially fraudulent evidence is lacking.
I don’t have the answer to how to fix this, but maybe this is a sign there is an issue somewhere else, at a lower level, within our legal framework. Not, that I’d know where to start to fix it… I’d unfortunately have to leave that up to lawyers… (that could get messy)
What is a “murder lawsuit” ?
Is this a wrongful death lawsuit or a criminal murder case ?
Ok, so I read the article and it appears to be a criminal case ….. but wtf is “Circumstantial Authentication” ????
This is unbelievable.
I’ve heard of circumstantial evidence being used in civil cases, but had thought the bar was much higher in criminal cases. Apparently not. The prosecutor really dropped the ball, good thing the appeals court employs more knowledgeable people.
More generally...
…absent a specific admission there’s no way to prove that the page belongs to the person in question or — if it does — that any content placed there was put there by the person in question.
Contemporary malware is quite capable of setting up accounts on “social networks” and on freemail providers, and spammers use this capability all the time. It’s common knowledge among all sufficiently-clueful security/abuse researchers. That same malware is also capable of manipulating content…so unless prosecutors have a video showing the person entering that content, they have nothing.
Re: More generally...
There is a way to show it is very likely, if not beyond a reasonable doubt, that someone’s profile was authentic. It takes a lot more than accepting the profile on it’s face. Myspace would have to maintain, and still possess. logs showing the time and source IP address for the last couple of profile changes. You would have to subpoena Myspace to get that information. You would have to subpoena the ISP that leased that IP address to locate the computer or router the posting came from. Finally, you would have to be able to conclude that the person in question was the only one with access to that computer and Myspace account at the time in question. Forensic examination of the computer may, or may not, uncover evidence of Myspace access in the browser history. Forensic examination should also include an investigation to determine that the computer in question wasn’t infected with malware that allowed remote execution A competent prosecutor would have done all that!
Now, if all that information was available, it is still possible that a very clever criminal set this all up and deleted all evidence on the computer of their manipulations. This is pretty damn hard to do. I know a fair amount about computer forensics but I am not sure I wouldn’t miss some detail, somewhere.
Re: Re: More generally...
You make some good points; certainly all those things should have been done.
However, in toto, they STILL don’t constitute proof. Here’s why:
Contemporary malware and rootkits allow a remote attacker to completely control an infected system. They also assist in maintaining that control over a long period of time. (This is of course highly useful to those trying to maintain botnets.) So if the goal is to set someone up, there’s really not much of a barrier to establishing a long-term pattern that points at the (former) owner of the computer in question.
So yes, MySpace’s logs might show the same IP address (or a set of IP addresses out of the same dynamically-allocated block); the ISPs logs might show the same. But neither of these logs show that the person who allegedly owns the computer was the person sitting at it when those accesses occurred. Moreover, we have hundreds of millions of counterexamples demonstrating systems clearly doing things without the consent of their (former) owners.
Now, you are correct that a forensic examination of the computer might show the presence or absence of malware– but only “might”. Forensic examinations are not always done competently (c.f. the Julie Amero case, where the utterly idiotic fools were involved) and there is always the question of WHEN malware was present.
This is murky ground, technically and legally. Not being an attorney, I can’t speak to the latter, but as a security expert I can speak to the former; and what I say is that absent either (a) a confession or (b) a video showing the person typing the content in, that there is no proof. There is only circumstantial evidence that we KNOW is trivial to fake.
Re: Re: Re: More generally...
You demonstrate what a friend of mine, who is a DA in Santa Clara County (Silicon Valley), once said to me. He said, that prosecutors look to eliminate software engineers from juries because, for them, no amount of evidence is ever enough (I’m a software engineer). I would never vote to convict someone based solely on a Myspace profile, but I would consider it as additional circumstantial evidence if all the investigation I laid out in my comment had been done to authenticate the profile. The existence of malware, including rootkits, can be discovered by good forensic analysis. Apparently though, HBGary (yes, THAT HBGary!) has developed a super-stealthy rootkit called 12 Monkeys. They are claiming it is undetectable. From the emails that were stolen from them, by Anonymous, they planned on selling it for about $240K. If you have enemies that dedicated towards framing you, there may not be much hope.
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/3
You can defend against bad forensics experts and bad experts in general by getting your own. Society can’t give up on prosecuting people because the experts might be incompetent or malevolent. In the Julie Amero case her conviction was overturned.
Any computer evidence, purporting to be a statement from someone, that is admitted as evidence needs to be minimally authenticated so as to count as an exception to the hearsay rule. In this Myspace case that would be tying the source IP address for the posting to a computer most likely used by only that person. Further issues can be brought up by the defense.
counterargument
Wouldn’t this be a valid counterargument to the dissenting judges opinion. Why isn’t hearsay allowed if a “reasonable juror” could conclude that the evidence in question was authentic.
If it’s on the Internet, it must be true…
I am the Law!
Just another good reason why judges should be tested every 4 years to see if they understand the issues they will be judging on… if not… good bye!
Then why can’t the prosecutor’s niece or whatever make a MySpace profile impersonating the defendant admitting “I DID IT”, then show it to jurors because, you know, they can make the call if it’s fake or not.
Mike – I’m a little surprised by your reaction (your embrace of the majority’s opinion and your rejection of the dissent). And I think your reaction may result partly from some confusion about admissibility versus credibility. To be admitted into evidence generally requires getting ove ra very low hurdle – is there a modicum of evidence to believe this thing is what it purports to be? What the lower court did here was to allow the government to introduce a printed out Myspace page which they claimed belonged to a particular person. As the government and dissent noted, after this happened, it would be up to the jury to assess the credibility of the printed out page as evidence. Was this an accurate printout of the account in question, or a forgery by govt agents? Even if it were an accurate printout, might the account have been set up by someone else? Even if the account were create dby the person in question, was she responsible for the statements at issue? Both sides could present evidence on this issue, and challenge the opposing side.
The MD Supreme Court rejected this, and the result of their ruling is in essence that the Myspace pages in question don’t get admitted into evidence, and the jury never gets to see them or consider whether they are credible evidence or not. A cynic might say that the MSC basically doesn’t think jurors are smart enough to assess whether the evidence might have been faked. (I don’t think that’s a fair assessment of the court’s ruling, but I can imagine many legal commentators boiling it down to this.)
I understand (and share!) your interest in encouraging the prosecutors here and in future cases to do a better job of providing evidnece to authenticate digital evidence. But because the upshot here is that jurors won’t get an opportunity even to consider digital evidence that seems pretty relevant to the case, I’m somewhat surprised that you’re so dismissive of the dissent’s concerns, and not more worked up about the fact that a court is ruling to keep digital evidence out of a case.
Re: Re:
But – as a commenter above noted – this is nothing different than heresay, which the courts have never allowed. I mean, why not allow witness statements regarding what someone else said as evidence, then let the jury decide if it’s accurate?
Re: Re:
Confirming the authenticity of a print out of a MySpace page is not something a computer forensics expert can do, much less a jury member who is “not a computer person.” A computer forensics expert would have to actually look at the site and logs to be able to tell anything about the authenticity of the evidence.
It’s not digital evidence to provide an unverifiable print out of a digital page.
Unless the page had video or pictures of the defendant committing the crime or describing in explicit detail what was done or to be done and it matched what was done, it’s circumstantial and flimsy evidence.