The constant development of innovative technologies greatly benefits
society and the global economy. There is no doubt that by shifting many
elements of our everyday lives and commerce online we push our boundaries
forward. However, criminals also try to exploit those advantages to serve
their malicious intents. That is why evidence from computers has been used
in legal proceedings for as long as computers have been in service. Many
sorts of crimes that could leave traces in digital form are successfully
prosecuted by means of digital forensics.
The Draft Convention on Electronic Evidence is a necessary attempt to
provide a guideline for presenting digital evidence in court, as judges
often do not have a profound technical background, so the evidence
collected should be presented very clearly and beyond doubt.
Cyber threat is a global problem and it needs a global solution involving all
stakeholders. All countries linked together through cyberspace must have
adequate laws to cope with electronic crimes and especially computer
All authorities encounter the same issues when reviewing electronic
evidence, as it must be reviewed differently from paper evidence.
However, the draft may not be welcomed because of the complex and differing
views on evidence authentication across jurisdictions. Digital evidence
becomes a cross-jurisdictional issue that needs rules on how to deal with
differences and contradictions between jurisdictions.
Also, as the Draft is a private initiative, it is not obvious whether local
judges would follow its suggestions, as most of them are quite conservative.
Paragraph 2 (b) is also quite doubtful: «If the data have changed from the
moment they were identified (and possibly seized) as potential evidence in
legal proceedings, there is an accurate and reliable method of documenting
any such changes, including the reasons for any such modifications.»
Even if you analyze the suspect’s workstation using forensic tools, it is
not evident whether those tools make changes to the hard drive and whether
those changes could be «accurately and reliably» logged, because the
changes would already have occurred before you launch any logger or make
an image. So data integrity and authenticity are in question. Courts are
particularly concerned with the authentication of digital evidence because
digital evidence can be easily manipulated: such data may be corrupted or
its metadata may be changed.
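
To make the paragraph 2 (b) discussion concrete, here is an added example (not part of the Draft or of any forensic tool) of one way changes can be documented: piecewise hashing of an image at seizure and a later comparison that reports which byte ranges differ. The block size, function names and sample data are assumptions, and the method only covers changes made after the baseline is recorded, which is exactly the gap described above.

```python
import hashlib

BLOCK = 4096  # assumed block size for piecewise hashing


def acquire(image: bytes, block: int = BLOCK) -> dict:
    """Baseline taken at seizure: whole-image digest plus one digest per block."""
    return {
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "blocks": [hashlib.sha256(image[i:i + block]).hexdigest()
                   for i in range(0, len(image), block)],
    }


def changed_ranges(baseline: dict, image: bytes, block: int = BLOCK) -> list:
    """Byte ranges (start, end) that differ from the baseline, adjacent blocks merged."""
    current = acquire(image, block)
    if current["sha256"] == baseline["sha256"]:
        return []
    old, new = baseline["blocks"], current["blocks"]
    limit = max(baseline["size"], current["size"])
    ranges = []
    for idx in range(max(len(old), len(new))):
        before = old[idx] if idx < len(old) else None
        after = new[idx] if idx < len(new) else None
        if before == after:
            continue
        start, end = idx * block, min((idx + 1) * block, limit)
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # extend the previous range
        else:
            ranges.append((start, end))
    return ranges


def custody_entry(baseline: dict, image: bytes, examiner: str, reason: str) -> dict:
    """One log record: who re-verified, why, and which ranges changed (if any)."""
    ranges = changed_ranges(baseline, image)
    return {"examiner": examiner, "reason": reason,
            "intact": not ranges, "changed_ranges": ranges}


# Constructed sample: a 16 KiB "image" and a copy with two bytes altered.
SEIZED = bytes(range(256)) * 64
BASELINE = acquire(SEIZED)
_copy = bytearray(SEIZED)
_copy[5000] ^= 0xFF   # falls in block 1
_copy[9000] ^= 0xFF   # falls in block 2
ALTERED = bytes(_copy)
```
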
International courts have favored admissibility of evidence that is challenged
on grounds of authenticity. For example, after the prosecution objected to
the authenticity of redacted emails in Prosecutor v. Lubanga, the ICC stated
that it would discern probative value on a case-by-case basis. In Prosecutor
v. Milutinovic the court limited the scope of the digital evidence to victim
identification rather than excluding such evidence altogether. In Prosecutor
v. Blagojevic the court evaluated the evidence through a holistic lens,
stating that it did not consider unsigned, undated or unstamped documents,
a priori, to be void of
Likewise, paragraph 2 (d): «(d) Any techniques that were used to obtain,
secure and process the data can be tested and shown to have been
appropriate for the purpose for which they were applied.» is also
controversial, as it is not clear how a court without a technical
background should decide whether those techniques were appropriate and
1 An Overview of the Use of Digital Evidence in International Criminal Courts, SALZBURG
WORKSHOP ON CYBERINVESTIGATIONS, October 2013
Also, I think Article 9 – «Admissibility of electronic evidence from other
jurisdictions» and Article 10 – «Recognition of foreign electronic evidence
and signatures» do not take into consideration that today most data,
especially criminal data, is created and stored remotely in cloud services
and virtual dedicated servers, so that data is unlikely to fall under
domestic jurisdiction. «Cyber-investigation challenges of cloud data are
compounded by certain factors. For example, cloud computing can involve
multiple providers, in different layered constellations; a SaaS provider
can, for example, use the infrastructure of an IaaS provider, or even use
the platform of a PaaS provider which in turn relies on an IaaS service.
Dropbox, for example, is a SaaS provider that uses Amazon’s infrastructure
service; in such layered constructions, it may be more difficult to
determine the scope of the different providers’ rights and capacities to
access customer-uploaded data, or at least to determine the possible or
likely place of the server(s) on which data are stored.»2
Article 11 – «Interpretation» recommends interpreting the meaning of
technical phrases in accordance with domestic law; however, to do so the
domestic law must have a proper equivalent, which is not always the case
when dealing with new technologies.
As the convention covers not only recognition but also investigation and
examination of electronic evidence, I suggest that it should include such
topics as cooperation with the private sector, such as Internet Service
Providers and data center holders, and specifically the legal procedures
for international data seizure from private companies.
There should also be recommendations on dealing with encrypted evidence,
as there is always a slight chance when working with encrypted media that
data may be damaged or corrupted, so its authenticity is also questionable.
2 Cyberspace, the cloud, and cross-border criminal investigation, Bert-Jaap Koops,
Morag Goodwin, Tilburg University, December 2014
For instance, in the United States v. Hersh case: «… encrypted files found on a
high-capacity Zip disk. The images on the Zip disk had been encrypted by
software known as F-Secure, which was found on Hersh’s computer. When
agents could not break the encryption code, they obtained a partial source
code from the manufacturer that allowed them to interpret information on the
file print outs. The Zip disk contained 1,090 computer files, each identified in
the directory by a unique file name, such as “sfuckmo2,” “naked31,”
“boydoggy,” “dvsex01, dvsex02, dvsex03,” etc., that was consistent with
names of child pornography files. The list of encrypted files was compared
with a government database of child pornography. Agents compared the
1,090 files on Hersh’s Zip disk with the database and matched 120 file
names. Twenty-two of those had the same number of pre-encryption
computer bytes as the pre-encrypted version of the files on Hersh’s Zip
disk.» So, having just names and file sizes, can we assume and use the
content of encrypted storage as evidence, considering that there could be
two different files having the same name and size?
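
The question above can be shown in a few lines. This added example (not drawn from the case record) compares what a name-and-size match can establish with what a content hash can; the reference entries, file names and byte contents are constructed placeholders, and the function names are assumptions.

```python
import hashlib


def record(name: str, content: bytes) -> dict:
    """Reference-database row: file name, byte length, SHA-256 of the content."""
    return {"name": name, "size": len(content),
            "sha256": hashlib.sha256(content).hexdigest()}


def metadata_match(name: str, size: int, reference: list) -> str:
    """Strongest match available when only the name and size are known."""
    same_name = [r for r in reference if r["name"] == name]
    if any(r["size"] == size for r in same_name):
        return "name+size"
    return "name" if same_name else "none"


def content_match(content: bytes, reference: list) -> bool:
    """True only if the decrypted bytes hash to a reference entry."""
    digest = hashlib.sha256(content).hexdigest()
    return any(r["sha256"] == digest for r in reference)


def assess(name: str, size: int, reference: list, content: bytes = None) -> dict:
    """Combine both checks; content is None while the file is still encrypted."""
    return {
        "metadata": metadata_match(name, size, reference),
        "content": None if content is None else content_match(content, reference),
    }


# Constructed sample data: neutral placeholder names and bytes.
KNOWN = b"A" * 2048
REFERENCE = [record("img_0001.jpg", KNOWN), record("img_0002.jpg", b"B" * 512)]
UNRELATED = b"Z" * 2048  # a different file with the same name and length
```

While the file stays encrypted, `assess` can only return a metadata result, and the unrelated file scores exactly the same as the known one.
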
Another aspect which I think should be described more clearly is Article 6 –
«Digital evidence practitioner», which needs to list some instructions on
what those «minimum standards for their formal education and training»
are, because such standards may vary from country to country. Such
practitioners need not only to know how to collect or recover the evidence,
but also to present it in a coherent and understandable way to the court.
Generally, law on digital evidence is controversial, largely because it is a
new form of evidence in criminal cases. On analysis, it seems that in
trying to generalize the approach to processing digital evidence the draft
became too vague, without any direct instructions or recommendations for
either judges or prosecutors; the aim of such a convention should be to
get rid of legal contradictions and inaccuracies, not to produce them.