The Danger of Exposure to the Internet
Cherry, Michael, Imwinkelried, Edward, Judicature
The lack of Internet security means that judges need to be more skeptical of computer data proffered in court.
We are entering an era of rampant error in Internet data. It may soon become next to impossible for the courts to determine the truth based on digital information. In the long term, America should implement a strategy of isolating key computer systems with sensitive data from the Internet. In the short term, the judiciary needs to adopt a more skeptical attitude toward computer data proffered in court and in particular permit extensive discovery concerning the possibility that the data has been compromised by alteration.
The hard reality is that if you want to keep computerized information safe and secure, the computer system should not be exposed to the Internet. Unfortunately, in practice that reality has been almost universally disregarded. Instead, public and private sector computer systems rely on Internet Surfware such as virus scanners, firewalls, spyware detectors, penetration detectors, and filters to minimize the risks associated with an Internet connection. Those security measures are helpful, but they are far from foolproof. Internet hacking is so pervasive and effective that in many cases it can defeat these measures. In the United States alone, despite the widespread use of such security measures, millions of false identifications are created every year. As a consequence, there are grave and growing doubts about the reliability of even the most critical data maintained in law enforcement and regulatory computer systems. Better solutions are available, but they will come at a cost.
Virtually every sector of American society has decided to rely increasingly on computer data. The very future of our society is tied to the accuracy and security of that data. For example, a steadily increasing number of statutes and regulations prescribe requirements for the accuracy and confidentiality of such data:
* The Sarbanes-Oxley Act mandates such requirements for certain financial data.
* Under the Gramm-Leach-Bliley legislation, financial institutions must take steps to secure customer data from unauthorized access.
* The Health Insurance Portability and Accountability Act (HIPAA) imposes security measures for the information that doctors, nurses, and other health care providers insert in patients' medical files.
* Under the FBI/INS/Homeland security program, fingerprint repositories used to identify criminals and terrorists must be secured from tampering.
* In medical trials, the accuracy of test results throughout product development has to be protected.
Like the average citizen, the typical participant in the legal system tends to have naïve faith in the effectiveness of the popular safeguards against Internet alteration. During both pretrial discovery and at trial, the focus is on the question of whether the evidence proffered correctly reflects the data on the computer. The texts and articles on e-discovery address such problems as acquiring diskettes printed out from the computer, learning the passwords to the electronic files, and gaining access to the hard drive. Today the "hot button" discovery issue is obtaining the metadata, the embedded information that reflects the deliberate changes to the electronic file. At trial, when the proponent lays a foundation to "authenticate" computer data under Federal Rule of Evidence 901, the understanding is that the proponent's obligation is to show that the exhibit accurately reflects the data in the computer. In the typical trial, there is little, if any, attention to the risk that Internet alteration may have rendered the data substantively inaccurate.
Today that is a huge risk. Every year computer thieves create 10 million false identifications1 in the United States. Those thefts are only the tip of the iceberg of alteration. The problem is mounting precisely because of the inadequacy of current strategies relying on Internet Surfware. …