Column

Evidentiary Vulnerabilities of Bad Electronic Records and Information Management

This article is based upon my several decades of experience working with experts in electronic records management systems (ERMSs), servicing institutional clients, and drafting related national standards-see the list of articles at the end of this one. In Canada, the requirements of good e-records management and the legal consequences of its absence are still not recognized as being a distinct area, field, or division of law. It is part of a larger problem concerning the lack of knowledge by which to challenge the ability of all electronic systems and devices to produce reliable evidence. The nature and substantial vulnerability to error of such technology, and its necessary impact upon the law of evidence and related rules of procedure, is not yet taught in law schools, nor is it part of lawyers’ CPD/CLE competence-maintaining requirements, e.g., arguing that each different electronic system and device produces its own unique issues as to, admissibility, production, reliability, presumptions and inferences, burdens and onuses of proof, in relation to the evidence that each produces. For example, in an “admissibility” voir dire, how to satisfy burdens of proof such as, “circumstantial guarantees of reliability,” (for the party adducing the evidence), and, “evidence to the contrary,” (for the party opposing admissibility), should be made to vary with each different kind of electronic system and device, because each produces its own type of: (1) “circumstantial guarantees of reliability”; (2) accountable witnesses who should be required to testify; (3) particular type of “evidence to the contrary”; and, (4) different degrees of difficulty and cost in obtaining and preserving such evidence. Those factors will bear upon the required content of the evidence necessary to satisfy those two different burdens of proof, which in turn, should determine when it is that the onus of proof should transfer from the one party to the other.

As a real-life example, having an electronic records management systems expert (an ERMS expert) thoroughly investigate and then testify as to the probability of a particular badly managed, large institutional ERMS’s losing, destroying, or corrupting relevant records would cost approximately $30,000, plus the witness fees. In Canada, such work is done for clients for the purpose of “fixing” their ERMSs and then providing a certification of compliance with this National Standard of Canada: Electronic Records as Documentary Evidence CAN/CGSB-72.34-2017 (“72.34”).[1] That requires the application of more than 200 tests, after conducting extensive interviews of the records managers and other experts and systems-users who are accountable for the ERMS’s performance, and to obtain information such as, its structure, vulnerabilities, and software. The resulting report will be more than 100 pages long. A legal opinion as to the ERMS’s ability to satisfy the records requirements of various laws may accompany the report.

Just as it is wrong to think of motor vehicle technology as being merely an improved version of other forms of transportation such as bicycles, ERMS technology is much more complex than being merely the electronic version of paper records in pre-electronic file drawers and cabinets. The main reason is that, whereas paper records have a physical existence and therefore are not affected by or dependent upon their file drawers and cabinets for their existence, electronic records are dependent upon their ERMSs for everything, including their continued existence. Think of e-records as having a relationship with their ERMSs comparable to that of a drop of water once it is added to a pool of water which may be very clean or dirty and possibly subject to varying states of evaporation. Secondly, unlike paper records, e-records don’t sit stationary in their ERMSs until they are accessed. They are constantly being moved around by the ERMS’s operating system to make room for more e-records, which is also doing such things as prioritizing location to minimize access time for the most frequently accessed e-records. And sometimes that requires that they be fragmented such that a single record might be made up of a number of separated electronic impressions on its electronic storage device.

And very frequently, the data that describes a mobile phone call that is to be used as “person location evidence,” is in such electronic storage for more than a year before it is downloaded in response to a court-authorized demand. During that time, it must be assumed that in response to normally-expected frequency of commercial, institutional ERMS operations, that data has been moved around hundreds of times by the operating system. That should raise an issue as to the error rates of the software by which the ERMS functions. Can it do all of that moving around and fragmenting without losing, destroying, or corrupting records? And can it do the necessary “de-fragging” of fragmented records with 100% accuracy? Frequently we receive notices such as, “an update has been installed, please re-start your computer to make it operative.” About 95% of those “updates” involve corrections to errors in software source code. The technical literature warns repeatedly that we trust software-based systems and devices far too much. They are far from infallible. In court, if not challenged, they assume the strategic status of “the infallible.” In addition, there are potential loses due to bad records control and ERMS management, including not knowing which version of a particular record is the original.

Even now, most of the evidence used in legal proceedings, and for legal services, comes from electronic systems and devices. For example, records are the most frequently used kind of evidence, almost all of which come from institutional ERMSs. So, ask the records manager, “when was the last time you had your records system certified as being in compliance with Canada’s national standard for electronic records management, and can you produce a copy of any such certifying document?” And, “what is the error rate of the software being used and its history of performance within your records management system?”

Because so far, there is no legal infrastructure of general application controlling the quality of ERMS management and maintenance, the incidence of bad records management is shockingly high, and the list of bad practices and defects that make ERMSs non-compliant with the above national standard shockingly long and commonly prevalent.

Those facts determine whether e-discovery can produce all relevant records in civil proceedings, and determine whether the “fruits of the investigation” disclosure rule can do so in criminal proceedings.[2] And they should be argued to require the proponent of admissibility to call as witnesses the chief records managers, technicians, etc., responsible for the management of ERMSs so as to facilitate cross-examination by the opposing party, and in that way avoiding the expense of the defendant’s having to hire ERMS experts to do such ERMS examinations. In addition, the Sedona Canada Principles-Addressing Electronic Discovery (2d), (2015, pdf), should contain a requirement that the parties exchange information as to the state of ERMS management.[3] But that is not yet part of the arguments presented in such voir dires because rare it is that counsel has sufficient knowledge of ERMS technology. And most clients can’t afford to hire the ERMS experts to teach their lawyers what questions to ask in cross-examination, and arguments to make as to procedural burdens and transfer points of onuses of proof, etc. It’s a big hole in our legal education that law societies and law schools don’t appear to be aware of.

For example, in R. v. Oland 2015 NBQB 245, (being a pre-murder trial mobile phone “data admissibility” voir dire), the Crown prosecutor had to call merely the security people whom Rogers Communications had taught how to download court-ordered mobile phone call data. Security personnel are not required to know anything about ERMS technology. But the evidence revealed that on average, Rogers Communications received 1,500 such demands per year (para. 11). Therefore apparently, to minimize costs and disruptions, security employees were trained to answer such demands.[4] See in particular, paragraphs 60 and 64 as to how poorly the existing law deals with issues as to burdens and onuses of proof for such proceedings, because it is “pre-electronic era” law.[5]

There are now several very commonly used complex electronic systems and devices that produce very frequently used kinds of evidence, such as: (1) ERMSs; (2) mobile phone tracking evidence, because we all carry mobile phones which makes use of the data automatically produced by such phone communications, a frequent means of proving a person’s location; (3) “TAR devices” (technology assisted review devices) used in e-discovery proceedings to reduce the cost of finding the relevant and potentially “privileged” records in very large collections of records; and, (4) breathalyzer/intoxilyzer devices used in impaired driving and “over 80” prosecutions (over 80 milligrams of alcohol in 100 millilitres of blood)-see the new Criminal Code s. 320.14. And, as we become more completely dependent upon the many uses of electronic technology, there will be more such commonly used electronic systems and devices producing very frequently used kinds of evidence. How will sufficient knowledge of such e-systems and devices be made affordably available to lawyers for legal proceedings and services? Because such technology is so rapidly and constantly changing, that will be a difficult “competence-of-lawyers” problem for law societies.

Lawyers’ inability to challenge the reliability of such sources of evidence means an inability to make adequate use of a constitutionally-guaranteed “opportunity to make full answer and defence,” and therefore, impairs the courts’ ability to provide “fundamental justice,” and, “a fair and public hearing,” (Canadian Charter of Rights and Freedoms ss. 7 and 11(d)).

An ERMS expert’s certification of compliance with 72.34 provides proof that an ERMS is able to produce all relevant records in their original form. And so it is that 72.34’s “primary principle” states:

The primary principle advanced by this standard is that an organization shall always be prepared to produce its records as evidence. Continuous compliance with this standard is an essential part of the proof of the integrity of an electronic record or records system. Intermittent compliance may be better than no compliance, but it is not enough to prove the integrity. Therefore, compliance obtained only when legal proceedings are anticipated or are underway is not sufficient.

The use of the word, “integrity,” alludes to its use in provisions such as s. 31.2(1)(a) of the Canada Evidence Act, which states:

31.2(1) The best evidence rule in respect of an electronic document is satisfied

(a) on proof of the integrity of the electronic documents system by or in which the electronic document was recorded or stored.

[the Evidence Acts of most of Canada’s provinces and territories contain a comparable provision]

The absence of proof of compliance with 72.34 should be taken into account in regard to issues as to the admissibility and production of institutional records, i.e., for such proceedings as, voir dires, trials, electronic discovery, and any proceeding or requirement as to the adequacy of disclosure. Other necessary considerations are laws concerning, privacy, electronic commerce, taxation, and those factors referred to in the legal information provided in section 5 of 72.34 (pp. 9-13).

But the existence of an express statutory link between standards and statutory evidentiary rules is not required in order to make standards relevant and of considerable probative value. Once expert ERMS opinion evidence establishes the authority of a standard such as 72.34, it can be used in, argument, in examination-in-chief, and in cross-examination, to establish or diminish the ability of an ERMS to produce reliable records and produce all of the relevant records that were stored in its database. “Frequency of use” that produces familiarity with such standards during legal proceedings, will eventually make that expert opinion evidence unnecessary.

Creating that familiarity can be aided by referring to the use of such standards in case law, or in statutory rules of evidence such as s. 31.5 of the Canada Evidence Act, which states:

For the purpose of determining under any rule of law whether an electronic document is admissible, evidence may be presented in respect of any standard, procedure, usage or practice concerning the manner in which electronic documents are to be recorded or stored, having regard to the type of business, enterprise or endeavour that used, recorded or stored the electronic document and the nature and purpose of the electronic document.

Because s. 31.5 is not expressly permissive or mandatory in relation to admissibility, it is in effect, ignored. But it does make known the relevance of standards to issues of admissibility. A more effective way of bringing about the use of standards would be a provision stating that admissibility may be achieved by proof of compliance with the standard. That expressly establishes a route to admissibility, but not the only route. It would make citing the principles and policies of 72.34 an important part of law and practice, i.e., specifically, as a basis for cross-examination, and arguments concerning the need for flexibility in applying the rules of procedure in conducting, voir dires, e-discovery, and disclosure proceedings and duties. Conducting them so as to be compatible with the different kinds and vulnerabilities of each type of electronic system and device that produces the evidence at issue—vulnerabilities not only as to the quality of records management as measured by the degree of compliance with 72.34, but also as to the quality of the software upon which an ERMS operates.

The laws of privacy make use of standards, especially in regard to the privacy of information in records. For example, section 5 of Canada’s, Personal Information Protection and Electronic Documents Act (PIPEDA), makes mandatory, compliance with the ten principles set out in the National Standard of Canada entitled, Model Code for the Protection of Personal Information (reproduced in Schedule 1 of the Act).

And organizations that have a power, by way of statutory law or regulations, to demand records and proof that the records systems that they come from are maintained in compliance with a recognized standard, are an aspect of an emerging law of records management. For example, the Canada Revenue Agency, in relation to the submission of financial records, still specifies proof of compliance with the 2005 first edition of the 72.34 National Standard of Canada (72.34-2005).[6]

There are several articles, posted on my SSRN author’s page, that deal with the above issues and problems (pdf), such as:

Challenging Electronic Systems’ and Devices’ Ability to Produce Reliable Evidence” (SSRN, May 21, 2019);

Electronic Records as Evidence” (SSRN, February 19, 2018); and,

Electronic Discovery’s ‘Records Review Stage’ Software Programs” (SSRN, Oct. 1, 2018).

And on Slaw, see: “Electronic Systems Are Trusted Far Too Much as to Producing Reliable Evidence—the Oland Example” (June 19, 2019).

Also, the University of Toronto’s School of Continuing Studies has 7 online courses on Records and Information Management.

 

_________________________________

[1] However, the drafting of this National Standard of Canada had a much troubled history that significantly diminished: (1) the integrity of the drafting process; and, (2) the quality of its content; see, Ken Chasse: “Innovation Canada, IP, and Dependence Upon the Standards Council of Canada” (SSRN, November 25, 2019, pdf.). Therefore, records managers should obtain a certification of compliance with the first edition (72.34-2005), as well as with the second edition (72.34-2017), of this national standard—see: section 20, p. 88.

[2] See; R. v. Stinchcombe 1991 CanLII 45 (SCC), [1991] 3 SCR 326, (Sopinka J., delivering the judgment of the Court); [the paragraphs of judgments were not yet numbered in 1991]. Stinchcombe is the origin of the “fruits of the investigation” duty of disclosure from Crown prosecutor to the accused. But in 1991 electronic sources of evidence were much less available than they are now. Such sources will significantly alter rules of evidence and related procedures in regard to the evidence they produce.

[3] In Ontario, the application of the Sedona Canada Principles is made mandatory by the, (Ontario) Rules of Civil Procedure, Rule 29.1.03(4), in regard to, “preparing the discovery plan.”

[4] Dennis Oland was convicted, (2016 NBQB 43), but acquitted at his re-trial, the mobile phone tracking evidence having been significantly weakened by evidence as to the complexities and vulnerabilities of such expert opinion evidence as to the location of mobile phones at the time of a particular call; see: R. v. Oland 2019 NBQB 151 (paras. 113-134, at pp. 55-68).

[5] Therefore, compare this once authoritative article by, David M. Paciocco, “Proof and Progress: Coping with the Law of Evidence in a Technological Age.” (2013), 11 Canadian Journal of Law and technology 181-228. In my opinion it is out-of-date because its major theme is that the rules of evidence at present are sufficient to deal with electronically-produced evidence, and that all they need is, “an overlay of common sense” (p. 201). Nevertheless, in R. v. Oland 2015 NBQB 245, it was much quoted and its author, (now a Justice of the Ontario Court of Appeal), praised. Greatly criticizing such use of “common sense,” is Stephen Mason, in, “The Presumption that Computers are Reliable,” pp. 101-192 at 191-192, in the text by Stephen Mason and Daniel Seng (eds.), Electronic Evidence 4th edition (Inst. Of Advanced Legal Studies, 2017, pdf. download, 380 pages).

[6] See the Canada Revenue Agency’s, Income Tax Information Circular, IC05-1R1, Electronic Record Keeping (paragraph 24), along with the imaging national standard, Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93 (updated to 2000), (referred to in paragraph 26). However, this imaging standard is said now to have been made part of 72.34’s second edition, 72.34-2017, which was declared by the Standards Council of Canada to be a national standard and published on March 22, 2017.

Start the discussion!

Leave a Reply

(Your email address will not be published or distributed)