Cyber-evidence: Toward New Standards?


When it comes to computer evidence, seizure is governed by different rules than traditional evidence. In cases where the evidence is on the Internet and must be reported by a third party, a new French standard may change our ways of doing things by creating new requirements for obtaining cyber-evidence.

Online Statement of Facts

On the Internet, evidence is often volatile and fleeting. In the event of a dispute, it is important to act quickly, especially in cases of trademark counterfeiting—however, cyber-evidence cannot be obtained in the blink of an eye, or by “physically” seizing incriminating material.

To meet the criteria admissible to the courts, computer evidence must comply with strict standards of acquisition, storage and analysis. Other considerations include the qualifications of the expert who will carry out the seizure and analyze the litigious data, as well as the recording software used.

To report an offense on the Internet, whether involving forgery, unfair competition, reputation damage or illicit material, the evidence cannot be acquired by analyzing the data contained on media such as a hard disk or a USB key. Instead, it must be located in a virtual and intangible universe that is accessible from a webpage which is liable to be modified or simply disappear.

Under these conditions, how is it possible to make sure that a screenshot taken as evidence will not be from a previous webpage, or to demonstrate that litigious elements that truly existed in a previous version were deleted from an existing Web page? Furthermore, if the evidence comes from the acquisition of a good on a buying site, is an appointed third party who orders incriminating material under a false identity obtaining it “fallaciously”?

The “Dislike” Judgement

In Quebec, these questions do not seem to have raised much debate. This is not so in France, where Internet reporting is governed by standards and subject to numerous technical prerequisites that ensure validity. If this current gains ground in Quebec, appointed third parties, whether lawyers, investigators or bailiffs, will have to take account of these technical requirements. Otherwise, Internet reports will risk being voided and stripped of all their probative force. A decision rendered by the Cour d’appel de Paris aptly demonstrates this issue.

In this case, a plaintiff claimed the copyrights on the application “Dislike,” as the cofounder of the company responsible for the program “Facebook Dislike,” against the two other cofounders.

To support his allegations, the plaintiff, who was attempting to win an appeal on the basis of his capacity as author, provided Web reports drawn up by bailiff. These materials had been deemed valid in first instance. However, the defendants once more appealed the report, claiming they were null and void owing to non-compliance with rules of jurisprudence as well as standard AFNOR NFZ 67-147 on Internet reporting methods.

Specifically, the bailiff was accused of not having verified the DNS servers as set out by the AFNOR standard, and having directly connected to the URLs supplied by the claimant, without having gone through and documented a normal Internet user’s path to access these URL addresses.

The court upheld the prior judgment and refused to base itself on the AFNOR standard to deliver its verdict on the validity of the Internet-based reports. According to the Court, this standard “… Is in no way mandatory and consists of nothing more than recommendations of best practices.”

However, the validity of Internet reporting entails that one abide by the methods and technical prerequisites established by jurisprudence:

  • Description of the material used for reporting;
  • Listing of the IP address of the computer used to draw up the report;
  • Deletion of the caches of the computer prior to all reporting;
  • Deactivation of the proxy connection;
  • Deletion of all temporary files stored on the computer;
  • Deletion of all cookies and browsing histories.

It is clear that respecting these prerequisites implies greater computing skills on the part of appointed third parties, which must be qualified.
This decision illustrates the rigour that the appointed third party must abide by, in a context where even the time of an internal clock’s synchronization can be challenged.

What is the AFNOR NFZ 67-147 standard?

The abbreviation AFNOR refers to the Association française de normalisation, whose federal and provincial counterparts are the Canadian Standards Association (CSA) and the Bureau de normalisation du Québec (BNQ).

The AFNOR NFZ 67-147 standard governs the reporting of Internet evidence by bailiff and sets out technical prerequisites for the resulting Web reports. Given that this is a standard, it is not binding. However, it could become the standard for Internet reporting.

Subscribe to our Newsletter

Find out more about various issues that can affect you or your organization, and about how SIRCO can help.