EVIDENTIARY ASPECTS OF COMPUTER CRIME
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP89B01356R000100140025-7
Release Decision:
RIPPUB
Original Classification:
K
Document Page Count:
37
Document Creation Date:
December 23, 2016
Document Release Date:
December 2, 2011
Sequence Number:
25
Case Number:
Publication Date:
December 18, 1986
Content Type:
REPORT
File:
Attachment | Size |
---|---|
CIA-RDP89B01356R000100140025-7.pdf | 2.08 MB |
Body:
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
STAT
STAT
STAT
STAT
0S REGISTRY I
ROUTING AND RECORD SHEET
SUBJECT: (Optional)
computer Crime
FROM: EXTENSION NO.
C/ISG
DATE
9/18/87
TO: (Officer designation, room number, and
building)
DATE
OFFICER'S
COMMENTS (Number each comment to show from whom
lei
RECEIVED
FORWA
A
INITIALS
A-)
to whom. Draw a line across column after each comment.)
IN!
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
FOR
I-79M 610 EEDITTIIONNSStt'S
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
EVIDENTIARY ASPECTS OF CCI TUTER CRIh
Stephen C. Gross
Crime in Commerce III:e a Information Systems
ForS 234
December 18, 1936
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
TABLE OF COI':TEI;TS
Pave
1. IINTRODUCCTIOU .................................................... 1
II. 'LITER E VJDET;C . COiiS IDEEAT L I:? ................................ 2
A. Search and Seizure ....................................... 2
B. Obtaining Computer Evidence .............................. 5
C. Computer Records and Reports as Evidence ................. C
D. Storing and Caring for Evidence .......................... 8
E. Privacy and Secrecy of Evidence ..........................
III. PROSECUTION AU D COI':PUTER EVIDELCE ............. .....:.......... 10
A. Foundational Problems .................................. 10
Be Evidentiary Froblems with Computer Records ............. 12
C. Practical Recommendations .............................. 14
IV. (:O1 LU:ilul~ ................................................. 1
J
FOOTNOTES ................................................. 18
BIBLIOGRi.FHY ............................................. 21
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
1. INTRODUCTION
Computers and information systems have permeated today's society to such
an extent that there is virtually no sector which does not rely heavily
their use. As might be expected,(comruter crim
resulting annual losses incurred, by an , enormous. In fact, respond-
ents to an American Bar Association survey of private organizations and pub-
lic agencies disclosed estimated total annual losses between $145 million
and $730 million, highlighting the need for more and better computer crime
investigative efforts. As is true in any investigation or preparation
for court trial, the use of evidence is a significant element. In fact, the
most likely of the principle defense strategies that will arise in a com-
puter-related crime case will be an attack on the admissibility of computer
generated physical evidence. This paper will discum.ss coi::cuter evidence issues
based on general law principles and sound investigative procedures, including
preventive measures to be considered during: all investigative and nrosecutive
stages. 3/
Initially, the discussion will focus on computer evidence considerations from
an investigative perspective. Search and seizure issues will be discussed, as
well as procedures used in obtaining computer evidence, computer records and
reports as evidence, proper handling and storage of computer evidence, and
computer evidence privacy and secrecy consideraticns. I:ext, we will address
foundational problems encountered in computer crime cases, problems associated
with admitting computer records into evidence, and, finally, some practical
recommendations for the successful prosecution of computer crime cases.
It is not surprising to see attention focusing on computer crime, con-
sidering the power and leverage of co,nruters, the dependence upon them, and
their increasing role in society. _4/ Suceeding in combatting the growing
threat imposed by bonrputer-related crime will depend upon the knowledge and
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
ingenuity of criminal investi itorn and pronecutoroi a proper understanding of
computer crime evidence will be crucial to this fight.
II. COI-TUTER EVIDL1ICE COI4SILE ATIObS
A. SEARCH AND SEIZURE
As computer technology becomes more accessable, so does the liklihood of
computer crime; the computer is quickly becoming "abuser friendly". 1/ Investigators
seeking and executing search warrants authorizing the seizure of computers and
related computerized information are generally on untested ground since complete
judicial guidance is still limited in this area. They must comply with an
18th century prohibition against "unreasonable searches and seizures" while
contending with 20th century electronic technology; an often formidable task.
They may sometimes find themselves searchinf- for intangible rather than the
ordinary and more familiar type--- of eviuenee, such as stolen guns and stock cert-
ificates./ Very little has been done to overcome obvious problems in discovery,
search warrants, and subpoenas. 8/ Thus, a pandora's box of legal issues becomes
available to the defense regarding computer evidence, requiring alert pro-
secutors to be ever mindful of this potential. Fortunately, those routine
issues concerning search and seizure, such as consent, informers, entry, and
searches incident to arrest generally will arise and apply much as they would
in noncomputer-related cases. / But, what are the necessary steps to take in
conducting a successful search and in gathering computer evidence in the non-
routine situations?
In general, search warrants should be obtained and used in computer-related
crime cases. 10 Regardless of technological advances, search and seizure by
law enforcement officers continues to be governed by the fourth amendment to
the U.S. Constitution, protecting the right of the people to be secure against
unreasonable Government intrusion. This protection extends to computers and
to computer processed information and requires that proper search warrants be
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
obtained prior to legitimate searches.
This requirement is applied with special
strictness where businesses or residences, the places where computers are most
likely to be located, must be entered to perform the search. There must be a
showing of probable cause and the warrant must particularly describe the place
to be searched and the persons or things to be seized. Unique problems can
sometimes arise concerning probable cause and particularity where computers
are the search target and will comprise the evidence to be seized. 11
It is necessary to excercise great care in preparing a search warrant in a
computer crime case, due in large part to this being a technical area often new
and unfamilier to ,judges and ii isLraLeS. Thu inv n;tiF;ator nhuuld huvu t
detailed affidavit which covers all the technical bases, yet is understandable
to someone who knows very little or nothing at all about computers.. 12 The
difficulties involved in such a task become apparent when one considers the
enormity and complexity of the "scene of the crime"in some of the larger business
computer centers. For instance, in the litigation involving Equity Funding
6orporation of America, thousn;nds of fictitious insurance policies had been
created and existed somewhere within a computer memory. At the same time, that
particular computer was processing hundreds of thousands of valid insurance
policies. I!/
It becomes apparent that one of the first obstacles to be overcome is
explaining in an affidavit that certain records being sought may be contained in
sophisticated technological equipment. Fortunately, this obstacle is normally
easily overcome since the investigator seeking the search warrant can simply
state that the information sought i:kuy Le in electronic or written furin, thereby
circumventing a non-meaningful description of the computerized information
in its encoded form. It is more critical that the information itself be de-
scribed with particularity, rather than in the form in which it may be fot&nd.
Also, the storage media which contains the information should be described as
concisely as the facts known will allow. 14
Another hurdle to overcome in establishing Probable cause to search is to
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
articulate the necessary facts to show that a crime has actually been committed.
In doing so, it is helpful to examine the role played by the computer in the crim-
inal activity and then detailing to the magistrate that such a crime has been
committed. The mechanics of the crime should be clear and easily understood.
In instances where the crime is unusual or unfamiliar, the investigator
rho i1 ii rnnri d"r using the nervi is of .i, eomrut.er exrcrt..
At this point the investigator must set forth enough facts to convince a
magistrate of the probability that evidence of the crime exists at the place
to be searched. The legal requirement for recent irrfori,w.tion is satisfied where
the investigator can set forth reliable information that the objects sought
were recently observed at the proposed search site. 15
Although search warrants are preferable in computer-related crime cases,
special mention and consideration should also be given to situations providing
application of exigent circumstance exceptions to preserve evidence because
of the' high degree of ease with which both the instrurnentc and fruit:: of the
crime can rapidly destroy or alter the computer evidence. 16 Because any
power interruption will result in the loss of information stored in the computer's
internal memory, valuable evidentiary data can be destroyed in the instant it
takes to flip a power interruption switch. i'.lco, a Par.-.netic device known as a
degausser can instantly erase millions of data characters from a computer
tape or disc. Therefore, a "no-;.nock" entry is reasonable where the investigator
reasonably believes that making a pre-entry announcement will result in de-
struction of the evidence. I
The "plain view" doctrine is another possibility, however, this should be used
cautiously since there is a strong liklihood b1ia t defense z..ttornies will attempt
to show the lack of sophistication of most investigators in computer technology.
Also, avoid reliance on "expert" informants to point out at the scene what items
should be seized. They will generally be in:,ider. and will likely be legally
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
"untested" as an informant. 1A/
Overall, investigators should be open to using imagination and ingenuity,
wall u:: Lliulf: LrZLJJJ1,:E;, Lu ,1 Llm]::u LI,_ 1 r i'i::u:1 L:: III
and seizure situations.
B. OBTAINING COMPUTER EVIDEP,CE
Evidence in a computer is much more "dense" than in any other information
system, in that a single computer tape can contain as much information as a
shelf full of books. As an example, in the Equity Funding case alone, ap-
proximately 3,000 reels of computer tapes were potential evidence ! I
Ensuring that the best evidence for prosecution available at the crime scene is
obtained can be both challenging and rewarding for the careful investigator..
When a search is directed towards obtaining documents, they can normally be
visually identified and expert knowledge of computer technology is unneccessary.
20 Documentation practices vary from phenomenally obsessive and complete
to non-existent. Ideally, they will thoroughly describe every aspect of the
computer system and list each type of output that it produce:;. 21/ Documents
such as systems manuals, computer run books, interpreted -punch cards, program
documentation logs, data and program input forms, and computer printed forms
are usually labeled as to their contents and should be relatively easy to
recognize. The completeness and originality of these documents can be determined
by careful and complete questioning of those who are most familiar with them. L2/
Recognizing and requesting program documentation is somewhat more difficult
and may require knowledge of computer program concepts to understand the types
and extent of documentation requird, such as source and object listings, flow-
charts, test data, and storage dumps. It must also be realized that program
documentation is frequently obsolete relative tocurrently used versions and,
-5-
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
thus, may necessitate new computer printouts. If the inve:;tir;:ator is un::ure
about what may be obtained or identified, an expert should accompany him on the
search.
Taking possession of other computer media materials may be more technically
complex. Magnetic tapes and disks will normally have external labels, however,
logs and program documentation will normally be necessary to obtain Full titles
and descriptions of their w ntents. A trusted technologist may be necessary
to check a tape or disk's contents by using a compatable computer and computer
program. 24
Also, where appropriate, consideration should be given to shutting down the
operation of the business being searched for a reasonable time to protect the
evidence covered by the warrant and to properly sort through the computer
documentation. / This sorting process, performed at the scene, can serve
to prevent the seizure, and thus the denial of access and use by the owner, of
innocent records. The mere fact that the sorting process is time consuming
will not necessarily render a wholesale :seizure of records reasonable. 26
the creation of the generated information and the deceptively neat package in
which it is displayed. 27/
computer-stored records are more easily equated with ordinary business
records, while computer-generated data involves the complexity of examining
C. COMPUTER RECORL6 AUD REPORTS AS EVIDI2.CTE
Computer records may be divided into two types: (1) computer-E-tcrcd, :'here
the printout produced from computer storage is a restatement of information or
data previously supplied to the computer; and- (2) computer-generated, where
the computer makes a computation, performs a logical operation, or analyzes
the input and other stored data. In judicial proceedings, a distinction appears
to be drawn between the two types. It is more difficult to get computer reports
containing computer-generated records into evidence. This is probably because
K
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
There is no clear-cut answer as to which kind of computer output can or cannot
be admissable as evidence, whether from a printer, cathode ray tube, audio
response, microfilm, or speech mail. In the case of "Cotton v. John W. Eshelman
& Sons. Inc, the court held that computer generated output was admissable, since
"our statute was intended to bring the realities of business and professional
practice into the courtroom and should not be interpreted so as to destroy its
obvious usefulness". Generally, the court gill apply the i*allc,,dn,-. ruler
( Eusiness Records Excertior_n to the Ecarray Rule ) to evaluate the adu.issil?ility
of computer output as evidences (1) that the records were made in the usual
course of business, and not ir.erely for the purpo:.e of litigation; (2) it was
normal business procedure for an employee with knowledge of the act to make
the records and ()) the record ti ;a., made at or near the time of the act. 28
Another possible basis for admission of computer digital-image printouts
into evidence is the "Eest Evidence Rule". This rule requires that original
writing or recording is necessary to !rove it-.; own contents; however, if the
original is unavailable, then other relevant evidence of its contents is
admissable unless the original was lost or destroyed in bad faith. 20
During the procedure of obtaining and u:;ing computer reports as evidence,
errors and omissions or malicious intentional acts are possible at each stage
of the report-producing process or through nonreal--time program or data mod-
ification. It is often not practical to detect or prevent these sufficiently
sophisticated intentional acts to alter the reports. Thus, it becomes necessary
to take varying degrees of precautions and to invoke the trust of the data pro-
cessing personnel. Additional confidence in the irtegrity of the report can be
gained by taking the storage medium ( tape or disk ) to a separate computer
center to have its contents printed. Further "independence" can be ensured
by verifying that personnel in the new center have no special interest in
the work they would be required to do. Throughout the process, independant,
trustworthy observers with the skills and knowledge to derermine correct op-
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
erations should observe and supervise all the production steps.
D. STORING AND CARII:G FOR EVIDEI;CE
A basic requirement for the admission of evidence is proof that the physical
condition of the object is substantially unchanged from its state at the
time of seizure. ).I/ On the surface, this would not appear to pose any
additional problem for computer related evidence than would normally be ex-
pected in the handling and storage of regular inve-tigative evidence. However,
some types of computer evidence require special care and their storage en-
vironments must be controlled, with steps taken to minimize the chance of
physical damage from manual handling. Even though most criminal justice
agencies normally have acceptable storage facilities for regular types of
evidence, these environments may not be suited to computer-related evidence,
plus experience in correctly handling computer products may be lacking in
their personnel. 32-1
Separate types of computer evidence have special needs in their handling
and storage. For instance, magnetic tapes and disks should be stored, hand-
led, and transported in hard cover containers. Care should be taken to
avoid dropping or squeezing, and no parts of the recording surfaces should be
either touched, bent, or creased. The tape reels should be stored vertically
in Lap.: r.Lek:;, wh&:rc room Lein i:iL.uri::: :Q.-t: 1i1:i.wi:.?? h0 dr('i ct :: .tiui 110
degrees fahrenheit. Storage life for data retention and recovery is three
years. Storage requirements for punch cards. and paper tape is similar to that
of magnetic tape, except the storage life is indefinite. Special care should
be taken to avoid folding, spinning, or knicking edges-and tape that might
remove paper surfaces should not be used. Computer listings should be stored
between binder covers and should not be subjected to strong light. They should
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
be broken into separate pages, unless having them in a continous sheet is
important to the case. When storing electronic and mechanical components,
it is always wise to consult the manufacturer or owner for ,special instructions.
JJ
Some additional points on the nroper handling of computer evidence are also
worth mentioning. It is often crucial to a case to specifically identify
the location where the physical evidence was acquired. Floor plans, line
drawings of the- system, and photographs may help in the preparation of the
case for court. Lists of the computer evidence and what form it is in - tapes,
printouts, cassettes, etc. - are good ideas. Also, the investigator should
inscribe computer tapes, disk drives, and print-outs with his personal ID
markings. It is appropriate to murk the ttpec, by writing on the dull side
since the first fifteen to twenty feet of tape is "leader" tape and has nothing
on it. Identification markings can also be etched on the bottom metal part
of a disk pack. Care must be taken in handling these items due to their
sensitivity to dust and physical damage. 3/
Finally, to establish that the evidence is substantially unchanged, a complete
chain of custody must be readily available. From the initial stages of the
search until its completion, careful indc,;iztg must be maintained of all the
evidence that is seized. 35/
E. PRIVACY APED SECRECY OF EVIDEICE
Issues of personal privacy, trade secrets, or government secrets may some-
times arise since evidence seized in the form of computer media may have data
stored that is immaterial to the investigation but that may be confidential to
the rightful owner. An obvious consideration would he'to ensure that all re-
trieving and copying on another computer medium contains only that data per-
taining to the investigation. In those instances where this is not possible,
the investigator should make assurances that any extraneous data will not
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
be revealed and will be stored in a secure canner.
In those situations where consent to release the information is denied by
the owner, sufficient safeguards are available in most jurisdictions to
minimize the problem. If necessary, a hearing can be held outside the pre-
sence of the jury or even " in camera", to allow the court to either overrule
the objection or excise the specific objectionable portions. .L01
III. PROSECUTIOV ADD COP;FUT'.ER EVIDENCE
As computer technologies and the means for abusing them have rapidly
emerged, they have confronted a criminal justice system which is largely
uninformed concerning the technical aspects of computerization. Additionally,
this system is bound by traditional legal machinery that is often ineffective
against unconventional criminal operations. Difficulties in coping with
computer abuse arise because a great deal of the property involved does
not nuaLly tit into the c Lu(;urluL of 1,1--op: Ly iiori. Illy eoii i4crud :L:; ::uL,juuL
to abuse or theft. / It becomes obvious that prosecutors face new and
demanding challenges in dealing with their fight against computer crime.
Their use of computer evidence is clearly a significant element in the pre-
paration of those difficult cases for prosecution and will be addressed as
such in this section of the paper. Certain considerations have been mentioned
previously, but merit reconsideration from the prosecutor's viewpoint.
A. FOUNDATIONAL PROBLEMS
Before proffered physical evidence can be admitted into trial evidence,
certain foundational facts must be proved by the party seeking admission.
When these facts are contrasted with the facts sought to be proved by the
evidence, a principal defense avenue of attack is opened to which the prosecutor
is particularly vulnerable.
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
One of the foundational problems encountered by the prosecutor is that
of "authentication" which means, in general terms, being able to introduce
evidence sufficient enough to sustain a finding that the written statement
or document is, in fact, the writing the prosecutor claims it to be. Thus,
it becomes necessary to have testimony from someone who can verify that the
purported maker of the document ( the computer system that generated the
item ) is the actual maker. Sufficient evidence should be introduced to
convince the judge that the proffered item is authentic; however, it is
critical at this stage to not claim more than, simply the output process, for
instance, that the item was generated by such-and-such computer at such-
and-such place and time .... nothing more. The 1prnne,cutor si;:nif icr,.nt1 y cow-
pounds the authentication problem if an attempt is made to claim that the
item reflects a particular configuration or some internal process within the
computer. To do so would allow defense to raise valid objections based on
the authentication of the specific computer configurations and processes
previously mentioned by prosecution. 181
As stated earlier in the report, for computer media to be admitted as
evidence, they must also qualify as business records which are excepted from
the application of the Hearsay Rule. JOY In a 1977 Low Jersey case, i:onarch
Federal Savings and Loan Association v. Censer, the court delineated the re-
quirements necessary in laying the foundation for business records. In
Genser, the court held that personal knowledge testimony regarding the in-
formation received into the computer is not required, nor is the preparer re-
quired to testify. However, testimony is required of a qualified witness
who can testify that the computer records were made in the ordinary course
of business, were made contemporaneously, what the sources of the information
were, and what was the method of preparation. 40 :Although the Genser decision
represented a careful and extensive treatment of the problem of admission of
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
computerized documents into evidence, one should realize that this was only the
decision of the court in one juri;;diction; foundational ru(luii?enu.nt.: will vary
from state to state. 4i
B. EVIDENTIARY PROBLE1 S WITH C01"PJTEB RECOItLS
Computer-generated printed evidence produced to show proof in the courtroom
must satisfy the Business Record Exception requirements Lefore Icing admissable
as a hearsay exception. Again, the prosecutor is faced with the burden of
best strategy will hinge upon leading a presumably non-technical court to
focus upon the legal issues rather than getting lost in technical matterss. 42
Although some look upon the computer as no more than a big adding machine,
it is impossible to look at the phenomenon of computer crime without con-
sidering the varied effects of computers on our leg-i1 consciousness. kJ It
is important that the prosecutor be prepared to as si:st the court With r:rior and
understandable case law dealing with the issue at hand. The best response to
defense objections on Business Record Exception issues is to focus on the law,
particularly the underlying purpose:: for the 1.o a .
The majority of issues within the past few years regarding computer re-
cords and the law of evidence have faller, into three basic categories; (1) ad-
missability of computer printouts; (2) computer printouts as the basis of
expert testimony; and (3) discovery matters with regard to computer systems.
Of the above categories, admissibility receives the mo::t attention from the
courts. The admissability of computer printouts as evidence depends pri-
marily on whether the data from which the report was generated were entered
into the system during the normal course of business. If so, the data record
and reports produced subsequently in the regular course of business, or even for
trial purposes, may be admissable.
!any of the recent court decisions regarding admissibility of computer
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
printouts have addressed foundational requirements and most allowed the admission
into evidence of a computer printout. Typically, in United state:; v. rani., the
the defendant, convicted of failure to file income tax returns, claimed the
court had erred by admitting into evidence the output of a computerized data
system. The 7th Circuit Court urhela tie admi_ ~.icn of the records under 2U L .::. C .
4'1733(b), which allows admission of authorized copies of documents of United
States departments as if they were originals.
A 1976 decision bears on issues raised by computer records being used as
the basis for expert' testimony. In 1'erma research and Development v. Singer
Co, a breach of contracts civil suit, the defendant objected to the use of the
results of computer simulations as a basis for the plaintiffs expert testimony.
Although the court admitted that it would have been better for the plaintiff's
counsel to have delivered to defense, prior to trial, the details of the un-
derlying data and theorems so as to avoid discussion of their technical nature
during trial, it did not charge the trial judge, however, with abuse of dis-
cretion for allowing the expert's testimony regarding the results of the
computer simulation.
In United States v. Liebert, a discovery issue was raised as to whether pre-
trial discovery may be used by defense to secure extrinsic evidence to impeach
the reliability of a computer printout. Again, the defendant in this case
was charged for failure to file tax returns. The IRS computers had no record of
the defendant's filing and the defendant requested that his computer ex-
pert have access to the IRS Service Center to test the reliability of the IRS
data process system; the request was granted. The defendant then requested,
for discovery purposes, records of any notices sent to persons stating that
the IRS had failed to receive their returns. When the court granted the de-
fendant's request as to a portion of the list of non-filers, the government ref-
used to comply with the court order and the defendant's case was dismissed. On
13 -
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
appeal,-the dismissal was reversed and theappellate court held that supplying
the list requested by the de;luIul.ittL would L ; uiu-ua.;utiat)lu beuuu:.u 01 Ltto
infringement of the right of privacy of those persons on the list. The IRS's
willingness to make available all documents regarding their procedures, operat-
ions, and electronic data processing system to discover nonfilers, and their
willingness to allow their expert witness to be deposed, was held sufficient
to provide the defendant with an opportunity to question the accuracy of
the system.
C. PRACTICAL REC0h1.EUDATIU
Computer crimes are difficult case: to develop and solve and sometimes
require many more resources than most organizations have at their disposal. 46
Often, legal problems are unavoidable. however, adherence to good invest-
gative methodology, and thorough planning for trial will help the case work
flow smoothly. The practical recommendations that follow, while cer-
tainly no panacea, are proven good advice and will enhance the prosecutor's
chances of success.
Expert witnesses are often the keys to the adr::icsion of evidence in computer
criminal trials. Since computer tochnologictz have little or no experience
as expert witnesses, they must be carefully "couched" prior to their test-
imony. It is crucial to keep the computer expert in control and force hin
,to answer questions in court in as few words as possible. mne means of achiev-
ing thisis to ensure the questions themselves are well formulated so as to
elicit brief responses. Remember that good witnesses are those who know what
they are talking about and can show that the method of generating the evidence
is valid. 48
Prosecutors should remember that the most likely image that the judge
and jury have of computer technology is what they last read on the front page
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
of the newspaper, often a highly sensationalized and distorted recounting
of events. It is therefore important to make the case as basic, simple,and
free from computer technology and terminology Possible, explaining only
those circumstances necessary to present the case. If possible, rely on
paper records if they exist rather than introducing computer-generated re-
cords. Do not personify or anthromorphize computers in presentations; rather,
treat'them strictly as inanimate objects, machines, subject to use and man-
ipulation by people. The bottom line, Keep It Simple! L
Prosecutors should also attempt to determine the trial judges degree of
knowledge and attitude towards computer technology. and gear their presentat-
ion accordingly. For example, Judge Van Graafeiland of the United States
Second Circuit Court of Appeals has said, "u.s one of the many who have re-
ceived computerized bills and dunning letters for accounts long since paid,
I am not prepared to accept the Product of a computer as the equivalent of
Holy Writ." JO/ It is, therefore, important to hrf;.ent, and make comnor,
knowledge, a convincing argument depicting computerized record keeping
as rapidly becoming a normal procedure in the business world.
IV. COI4CLUSIOU
In this paper we have examined several different aspects of evidence in
oomputer crime cases, and the criticality of evidentiary issues to the suc-
cessful prosecution of computer criminals. Computer crime continues to grow
by leaps and bounds, making it imperative that investigators and prosecutors
become ever more reliant upon improving their training and skills in this
area. In 1980, experts at the Federal Bureau of Investigation estimated that
only one of 22,000 computer criminals goes to jail. Further, they estimated
that only 1`9 of all computer crimps In detected, only 11r' of that is report-
ed, and only 34, of those cases ever result in jail sentences; clearly leaving
- 15 -
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
Declassified in Part - Sanitized Copy Approved for Release 2011/12/02 : CIA-RDP89B01356R000100140025-7
room for improvement by the separate law enforcement agencies.
In addressing the different investigative evidentiary considerations,
as well as the role of computer evidence in criminal prosecution, we have seen
the value of being properly prepared for the investigation, from the initial
search to the final court trial, and for careful adherence to established
legal principles. We have also observed the apparent need for better training
for both investigators and prosecutors in the area of computer crime evidence,
as well as the need to better utilize the services and advice of those who
are most knowllcdgeable of computer tcchnolu.?.y :_nd oper.tion::.
In response to a survey by the American a-.r Association Task Force on
Computer Crime, an executive for a consumer reporting ?f;ency appropriately
stated:;: ' The most difficult task at present is to educate government so as
to make them aware of the computer problem. Law enforcement agencies are not
familiar enough with computers and the losses that can occur to properly
conduct an investigation and prosecute the perpetrators." A step in
the right direction is the FBI Academy's development of a computer crime
course to assist investigators and prosecutors in gaining a better under-
standing of the technical and legal aspects of computer crime. Combinin-
the expectation of hard work, friendly patience, access to the FBI computer,
and a variety of motivational techniques, the Academy staff has proceeded with
efficiency to create a core of law enforcement personnel with a expanded
knowledge..of computer crime. With this knowledge comes the ability to com-
municate more directly and meanir.