User login

Preserving & Authenticating Electronically Stored Information (ESI)


Hello everyone! Recently on the LSTech email list we had a question about using text messages as evidence, most likely in domestic violence cases. How does one preserve such evidence, and how can the sender be verified? I thought it was an interesting query, and did some research.

The first thing I learned was that this is an entire field of study. The Bow Tie Law Blog has a huge amount of articles, videos, podcasts, and other information written by an expert in e-discovery (discovery in civil litigation of electronically stored information, or ESI). It turns out that ESI isn’t just text messages; it also includes emails, instant messaging chats, photos, videos, databases, voicemails, social media, backups of company files, and any other electronically-stored media.


Your ease in accessing and preserving ESI depends on whose ESI you want. If you want the adverse party’s ESI, the rules surrounding disclosure of ESI are in the 18 U.S.C. Chapter 121, the Stored Communications Act (SCA). Basically, the Act strengthens individuals’ privacy on the Internet to (sort of) the level granted to personal space and physical property under the Fourth Amendment. Working with the fact that most information is stored with a third party (usually an Internet Service Provider, or ISP), the Act defines how users’ information can be disclosed: which situations require a warrant versus a subpoena, and whether or not notice has to be provided to the owner of the information.

If you plan on seizing information from the adverse party, the official process goes something like this: (1) both parties identify potentially relevant sources of ESI; (2) the named sources are placed under legal hold (meaning that they cannot be modified, deleted, or otherwise tampered with, and that the adverse party has a duty to preserve the sources); and (3) data is collected, indexed, and placed into a database, where relevant information can be culled from the rest. Metadata (commonly defined as “data about data”) including sent and received timestamps, sender and recipient information, and other properties of the file can be used to sort what can be a huge amount of information. Metadata is also vulnerable to being tampered with and as such is an important part of the legal hold. Companies like Paraben Consulting, Complete Discovery Source (CDS), or X1 Discovery can be used to help with the process, though their help can be pretty expensive.

Preserving your client’s texts, emails, chat logs, or other sources of ESI – as is more likely in a civil suit – can be a lot simpler. Oftentimes, screenshots will suffice, or (in the case of text messages) you can call the cell service provider for a printed record of texts sent and received. A Verizon representative I spoke with advised simply calling the Customer Service number and asking for a record of text messages to be mailed to me. Sometimes texts or other forms of ESI are backed up to a computer or the Cloud, in which case they can be printed off or saved as PDFs.

Submission as evidence

In either situation (your client’s ESI or the adverse party’s), the files can be submitted as evidence in one of three formats: as a native file (the format in which the file was created and used originally); as an image file like TIFF or PDF; or in paper format. The latter two make it easy to redact sensitive information.

The Federal Rules of Civil Procedure (FRCP) rules 16, 26, 33, 34, 37, and 45 were updated in December 2006 to address issues related to e-discovery. For example, the new Rule 26(a) creates ESI as its own category of evidence (removing ambiguity around the terms “document” and “data compilations”). According to Rule 16(b), courts should establish their own rules around disclosure, privilege, methods, and work product before e-discovery commences. Additionally, according to Rule 26(f), the parties to a case should meet and establish protocol for disclosure and presentation of ESI.

Some states have adopted the FRCP rules partially outlined above; others have come up with their own rules for disclosing and presenting ESI. This map shows which states (as of 2012) complied with the FRCP, which had an independent e-discovery model, which were still working on developing a policy, and which hadn’t even begun considering the procedure. Clicking on the image should take you to a document with more specifics for each state.

ESI Admissibility by state


Once information is collected, analyzed, and submitted, its authentication becomes important. I found several cases in which defendants denied having sent particular email or text messages upon which the case against them hinged. Proving that they did, in fact, send the messages became critical to the case.

Authentication frequently relies on the basic guideline outlined in Rule 901 of the Federal Rules of Evidence: “the proponent [introducing an item as evidence] must produce evidence sufficient to support a finding that the item is what the proponent claims it is.” Ten (nonexhaustive) methods for meeting this requirement are next listed, including testimony by a witness (for example, one who saw the email written), comparison of handwriting (when relevant), analysis of distinctive characteristics (for example, an email or text signature or specific language patterns), an opinion on a recorded voice, and so on.

Of course, the method for proving that the file in question is what you claim it is can take many forms, depending on what type of file you’re working with. “The Next Frontier: Admissibility of Electronic Evidence” by Listrom et al outlines some ideas for authentication of different types of ESI. In addition to these methods, metadata can be a valuable asset for authenticating documents or messages, because it can show who created the file, who has permission to edit it, and when and by whom edits were carried out. The “wayback machine” provided by Internet Archive can be a useful tool for authenticating websites. A number of social media capture tools such as Archive-It and ArchiveSocial are commercially available which can help in authenticating Facebook, Twitter, YouTube, and other comments and messages.

The bottom line is that, whatever kind of ESI you’re working with and however you decide to authenticate it, you usually have to prove more than just that the phone number or email address belongs or belonged to your client/the adverse party. It’s not too difficult to use someone else’s social media profile, email account, or cell phone; you have to prove that that didn’t happen. There must be more circumstantial evidence to corroborate the argument that they actually sent the message (or posted the information, or authored the document, etc).

In the words of Joshua Gilliland, the blogger for the Bow Tie Law Blog, you need some indication of the creator, source, and/or custodian of the ESI in question beyond the fact that their name, phone number, or email address is associated with it. That can be a strong piece of evidence (ESI is occasionally “self-authenticating” because of the name attached to it) but it isn’t always conclusive. Furthermore, you need to explain the “chain of custody” for the ESI: where, when, and how it was collected; who handled it; how it was stored, and so on. This can help defend against claims of evidence spoliation.

In the end, there’s probably no way to prove absolutely that the adverse party really sent the offending text message/email/chat/etc. Web communications are relatively anonymous, but then, paper communications can be as well. Stolen letterhead could be used to send threatening messages and would need to go through the same authentication process: just because it has Person A’s name on it doesn’t mean that Person B didn’t send it. The technical methods for dealing with ESI are different from those for more traditional forms of evidence, but the goals are the same. As a Pennsylvania appellate court noted, “We see no justification for constructing unique rules for admissibility of electronic communications such as instant messages; they are to be evaluated on a case-by-case basis as any other document to determine whether or not there has been an adequate foundational showing of their relevance and authenticity.”


Happy e-discovering!