Windows Security Logging and Other Esoterica : Laws

If you're gonna herd bots, do it from New Zealand!

Eric Fitzgerald — Wed, 16 Jul 2008 20:37:00 GMT

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man's future prospects. See the story here.

Well duh. The whole theory of crime and punishment is that if you do something bad, you get punished, and punishment is something that is unpleasant, so you try to avoid it, hopefully by not doing the crime. See? One would hope that a judge would understand this concept.

I could understand if the judge said "this is just a stupid kid, he doesn't deserve to do 20 years", and gave the kid probation, community service and a big fine. I don't know if New Zealand has such options, or if the judge has latitude in sentencing. There is probably more to the story than is being told. But you don't take over a million computers that don't belong to you, personally making tens of thousands of dollars, and not realize that you're doing something wrong. Unless you're a sociopath. And in either case, you either need punishment (for doing something you know is wrong) or separation from society for the protection of society while you get treatment (if you are a sociopath). So whatever the case, the judge got it wrong, and as a result is practically encouraging future behavior of the same sort.

German court bans retention of logged IP addresses

Eric Fitzgerald — Wed, 03 Oct 2007 20:53:00 GMT

A German court has ruled that a government web site may not retain IP addresses and other personally identifiable information (PII) in their logs for any longer than the user is actually using the site.

The judges pointed out that in many cases it was simple to map an IP address to an identity with the help of 3rd parties, and declared that logging IP addresses was a "violation of the right to informational self-determination."

OK whatever.

Germany does not seem to be of one mind regarding logging. On the one hand their draconian privacy laws (how's that for an oxymoron?) are pretty much in opposition to any meaningful user activity logging. On the other hand, their law enforcement folks at least seem to know the value of logs, even if they are a little draconian in the other direction. Finally the article above notes that even the Bundestag, the lower house of the German Parliament, doesn't comply with with the privacy laws that body created- the web site logs and retains PII.

Attention Germany: the privacy horse has left the barn. Technology has far outpaced the capability of an individual to control where his or her information flows. Expecting to both receive service from an online provider, and to remain "private" (whatever that means) from the provider, is unreasonable- and in fact denying the provider the right to log prevents the provider from systematically improving service to you. Logging is a best practice for administrative activity, including maintenance-related activities, marketing & service planning, and security-related activities such as forensics. Everything generates logs nowadays. It would probably be better to write laws restricting what can be done with logs rather than to outlaw logging. In this manner you could mitigate abuses such as those by the ambulance chasers but still provide organizations of all sorts, including the government itself, the information they need to do their jobs.

Ensuring that there's no useful data in your logs...

Eric Fitzgerald — Sat, 01 Sep 2007 00:23:00 GMT

As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate to enable logging on its servers and to subsequently make those logs available to the MPAA, the plaintiff in an illegal file-sharing lawsuit against TorrentSpy. They have lost their appeals and as a result have decided to block US IP addresses from their web servers (which will effectively ensure that no information interesting to the MPAA will reach their logs). This ruling also puts copyright law squarely at odds with privacy rights, as pointed out by the Electronic Frontier Foundation. The whole case seems to hinge on the fact that the judge interpreted the fact that information such as IP addresses temporarily reside in a computer's RAM as meaning that information is "stored" by the computer and therefore discoverable; many computer experts reject that argument. More analysis of the implications of the ruling are found here.

United Kingdom passes EC telecom-logging legislation

Eric Fitzgerald — Wed, 01 Aug 2007 00:13:00 GMT

To comply with EC telecommunications logging directives (as other EU nations recently have), the UK has passed a law that starting October 1 telecommunications firms must generate and retain logs of landline and mobile communications for one year.

http://www.out-law.com/page-8332
http://www.jisclegal.ac.uk/publications/dataretention.htm

VoIP calls are not covered by the new law.

Good List of Regulatory Requirements for Logging

Eric Fitzgerald — Tue, 10 Jul 2007 23:43:00 GMT

My friend Dr. Tina Bird has put together a good list of regulatory requirements that pertain to logging and log retention.

Draft law in Germany may force telcos & ISPs to gather logs; Gmail Germany may shut down as a result

Eric Fitzgerald — Wed, 27 Jun 2007 02:26:00 GMT

A draft law (English translation) being proposed in Germany to enforce the European Mandatory Data Retention Directive of 2006 would require telcos, ISPs, and email service providers to track and retain data necessary to trace and identify the source, destination, date, time, duration, type, and communication device for any fixed network telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony communication, and whatever location information was available for mobile communication. Retention of these records would required be for anywhere from six to 24 months.

As a result of inability or unwillingness to meet such requirements, Google has announced that if the law passes that they are considering withdrawing Gmail service from Germany.

The Electronic Privacy Information Center has ain informative page on the EU data retention directive. I don't think those guys like audit trails ;-) In all seriousness, it appears that the trend the last couple of years is towards government-mandated audit trails for many kinds of commercial and communications activity.

Not generating logs is not an option... when you're under subpoena

Eric Fitzgerald — Tue, 12 Jun 2007 00:10:00 GMT

Working as I do for a company that exists because of copyright, I'm not particularly sympathetic to TorrentSpy, a search engine company that is accused by the Motion Picture Association of America (MPAA) of helping to enable copyright infringement by making it easier to find content on the BitTorrent file sharing network.

How does this pertain to logging? Well, TorrentSpy doesn't do any. Or at least they didn't used to. So when they received a court order demanding logs, they said "sorry, no can do". However the judge ruled that since the server's memory temporarily contained information like the search terms that were requested and the IP address that was the source of the request, and that even though that was only temporarily in RAM, that it was still "stored information", so turn it over. In other words, TorrentSpy had better produce some logs, and soon. Initially the court will allow masking of IP address information before the logs are turned over to the MPAA

Auditing and the Payment Card Industry (PCI) Data Security Standard

Eric Fitzgerald — Tue, 12 Sep 2006 21:01:00 GMT

Here is a link to an interesting blog article interpreting the audit requirement of the PCI standard.

For reference, here is a link (pdf) to the PCI 1.1 Data Security Standard itself.

The high-level PCI requirements are listed below. Requirement 10 is the requirement pertaining to audit.

Build and Maintain a Secure Network

· Requirement 1: Install and maintain a firewall configuration to protect data

· Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

· Requirement 3: Protect stored data

· Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

· Requirement 5: Use and regularly update anti-virus software

· Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

· Requirement 7: Restrict access to data by business need-to-know

· Requirement 8: Assign a unique ID to each person with computer access

· Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

· Requirement 10: Track and monitor all access to network resources and cardholder data

· Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

· Requirement 12: Maintain a policy that addresses information security

UPDATE 2006/09/13: Linked to PCI standard v1.1. Thanks Mike for the heads up!

Logs and the US Department of Justice Cybercrime Manual

Eric Fitzgerald — Thu, 31 Aug 2006 23:39:00 GMT

Source: http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm

Here is the most relevant excerpt; highlighting is mine.

Records of regularly conducted activity. A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness, or by certification that complies with Rule 902(11), Rule 902(12), or a statute permitting certification, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term "business" as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.
See, e.g., United States v. Salgado, 250 F.3d 438, 452 (6th Cir. 2001); United States v. Cestnik, 36 F.3d 904, 909-10 (10th Cir. 1994); United States v. Goodchild, 25 F.3d 55, 61-62 (1st Cir. 1994); United States v. Moore, 923 F.2d 910, 914 (1st Cir. 1991); United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990); United States v. Catabran, 836 F.2d 453, 457 (9th Cir. 1988). Applying this test, the courts have indicated that computer records generally can be admitted as business records if they were kept pursuant to a routine procedure for motives that tend to assure their accuracy.
However, the federal courts are likely to move away from this "one size fits all" approach as they become more comfortable and familiar with computer records. Like paper records, computer records are not monolithic: the evidentiary issues raised by their admission should depend on what kind of computer records a proponent seeks to have admitted. For example, computer records that contain text often can be divided into two categories: computer-generated records, and records that are merely computer-stored. See People v. Holowko, 486 N.E.2d 877, 878-79 (Ill. 1985). The difference hinges upon whether a person or a machine created the records' contents. Computer-stored records refer to documents that contain the writings of some person or persons and happen to be in electronic form. E-mail messages, word processing files, and Internet chat room messages provide common examples. As with any other testimony or documentary evidence containing human statements, computer-stored records must comply with the hearsay rule. If the records are admitted to prove the truth of the matter they assert, the offeror of the records must show circumstances indicating that the human statements contained in the record are reliable and trustworthy, see Advisory Committee Notes to Proposed Rule 801 (1972), and the records must be authentic.
In contrast, computer-generated records contain the output of computer programs, untouched by human hands. Log-in records from Internet service providers, telephone records, and ATM receipts tend to be computer-generated records. Unlike computer-stored records, computer-generated records do not contain human "statements," but only the output of a computer program designed to process input following a defined algorithm. Of course, a computer program can direct a computer to generate a record that mimics a human statement: an e-mail program can announce "You've got mail!" when mail arrives in an inbox, and an ATM receipt can state that $100 was deposited in an account at 2:25 pm. However, the fact that a computer rather than a human being has created the record alters the evidentiary issues that the computer-generated records present. See, e.g., 2 J. Strong, McCormick on Evidence § 294, at 286 (4th ed. 1992). The evidentiary issue is no longer whether a human's out-of-court statement was truthful and accurate (a question of hearsay), but instead whether the computer program that generated the record was functioning properly (a question of authenticity). See id.; Richard O. Lempert & Steven A. Saltzburg, A Modern Approach to Evidence 370 (2d ed. 1983); Holowko, 486 N.E.2d at 878-79.
Finally, a third category of computer records exists: some computer records are both computer-generated and computer-stored. For example, a suspect in a fraud case might use a spreadsheet program to process financial figures relating to the fraudulent scheme. A computer record containing the output of the program would derive from both human statements (the suspect's input to the spreadsheet program) and computer processing (the mathematical operations of the spreadsheet program). Accordingly, the record combines the evidentiary concerns raised by computer-stored and computer-generated records. The party seeking the admission of the record should address both the hearsay issues implicated by the original input and the authenticity issues raised by the computer processing.
As the federal courts develop a more nuanced appreciation of the distinctions to be made between different kinds of computer records, they are likely to see that the admission of computer records generally raises two distinct issues. First, the government must establish the authenticity of all computer records by providing "evidence sufficient to support a finding that the matter in question is what its proponent claims." Fed. R. Evid. 901(a). Second, if the computer records are computer-stored records that contain human statements, the government must show that those human statements are not inadmissible hearsay.

[Table of Contents]

B. Authentication
Before a party may move for admission of a computer record or any other evidence, the proponent must show that it is authentic. That is, the government must offer evidence "sufficient to support a finding that the [computer record or other evidence] in question is what its proponent claims." Fed. R. Evid. 901(a). See United States v. Simpson, 152 F.3d 1241, 1250 (10th Cir. 1998).
The standard for authenticating computer records is the same for authenticating other records. The degree of authentication does not vary simply because a record happens to be (or has been at one point) in electronic form. See United States v. Vela, 673 F.2d 86, 90 (5th Cir. 1982); United States v. DeGeorgia, 420 F.2d 889, 893 n.11 (9th Cir. 1969). But see United States v. Scholle, 553 F.2d 1109, 1125 (8th Cir. 1977) (stating in dicta that "the complex nature of computer storage calls for a more comprehensive foundation"). For example, witnesses who testify to the authenticity of computer records need not have special qualifications. The witness does not need to have programmed the computer himself, or even need to understand the maintenance and technical operation of the computer. See United States v. Salgado, 250 F.3d 438, 453 (6th Cir. 2001) (stating that "it is not necessary that the computer programmer testify in order to authenticate computer-generated records"); United States v. Moore, 923 F.2d 910, 915 (1st Cir. 1991) (citing cases). Instead, the witness simply must have first-hand knowledge of the relevant facts to which she testifies. See generally United States v. Whitaker, 127 F.3d 595, 601 (7th Cir. 1997) (FBI agent who was present when the defendant's computer was seized can authenticate seized files) ; United States v. Miller, 771 F.2d 1219, 1237 (9th Cir. 1985) (telephone company billing supervisor can authenticate phone company records); Moore, 923 F.2d at 915 (head of bank's consumer loan department can authenticate computerized loan data).
Challenges to the authenticity of computer records often take on one of three forms. First, parties may challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created. Second, parties may question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records. Third, parties may challenge the authenticity of computer-stored records by questioning the identity of their author.
1. Authenticity and the Alteration of Computer Records
Computer records can be altered easily, and opposing parties often allege that computer records lack authenticity because they have been tampered with or changed after they were created. For example, in United States v. Whitaker, 127 F.3d 595, 602 (7th Cir. 1997), the government retrieved computer files from the computer of a narcotics dealer named Frost. The files from Frost's computer included detailed records of narcotics sales by three aliases: "Me" (Frost himself, presumably), "Gator" (the nickname of Frost's co-defendant Whitaker), and "Cruz" (the nickname of another dealer). After the government permitted Frost to help retrieve the evidence from his computer and declined to establish a formal chain of custody for the computer at trial, Whitaker argued that the files implicating him through his alias were not properly authenticated. Whitaker argued that "with a few rapid keystrokes, Frost could have easily added Whitaker's alias, 'Gator' to the printouts in order to finger Whitaker and to appear more helpful to the government." Id.
The courts have responded with considerable skepticism to such unsupported claims that computer records have been altered. Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record. See Whitaker, 127 F.3d at 602 (declining to disturb trial judge's ruling that computer records were admissible because allegation of tampering was "almost wild-eyed speculation . . . [without] evidence to support such a scenario"); United States v. Bonallo, 858 F.2d 1427, 1436 (9th Cir. 1988) ("The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness."); United States v. Glasser, 773 F.2d 1553, 1559 (11th Cir. 1985) ("The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer-generated records; the party opposing admission would have to show only that a better security system was feasible."). This is consistent with the rule used to establish the authenticity of other evidence such as narcotics. See United States v. Allen, 106 F.3d 695, 700 (6th Cir. 1997) ("Merely raising the possibility of tampering is insufficient to render evidence inadmissible."). Absent specific evidence of tampering, allegations that computer records have been altered go to their weight, not their admissibility. See Bonallo, 858 F.2d at 1436.
2. Establishing the Reliability of Computer Programs
The authenticity of computer-generated records sometimes implicates the reliability of the computer programs that create the records. For example, a computer-generated record might not be authentic if the program that creates the record contains serious programming errors. If the program's output is inaccurate, the record may not be "what its proponent claims" according to Fed. R. Evid. 901.
Defendants in criminal trials often attempt to challenge the authenticity of computer -generated records by challenging the reliability of the programs. See, e.g., United States v. Salgado, 250 F.3d 438, 452-53 (6th Cir. 2001); United States v. Liebert, 519 F.2d 542, 547-48 (3d Cir. 1975). The courts have indicated that the government can overcome this challenge so long as the government provides sufficient facts to warrant a finding that the records are trustworthy and the opposing party is afforded an opportunity to inquire into the accuracy thereof[.]
United States v. Briscoe, 896 F.2d 1476, 1494-95 (7th Cir. 1990). See also United States v. Oshatz, 912 F.2d 534, 543 (2d Cir. 1990) (stating that defense should have sufficient time to check the validity of a program and cross-examine government experts regarding error in calculations); Liebert, 519 F.2d at 547; DeGeorgia, 420 F.2d. at 893 n.11. Cf. Fed. R. Evid. 901(b)(9) (indicating that matters created according to a process or system can be authenticated with "[e]vidence describing a process or system used . . . and showing that the process or system produces an accurate result"). In most cases, the reliability of a computer program can be established by showing that users of the program actually do rely on it on a regular basis, such as in the ordinary course of business. See, e.g., Salgado, 250 F.3d at 453 (holding that "evidence that the computer was sufficiently accurate that the company relied upon it in conducting its business" was sufficient for establishing trustworthiness); United States v. Moore, 923 F.2d 910, 915 (1st Cir. 1991) ("[T]he ordinary business circumstances described suggest trustworthiness, . . . at least where absolutely nothing in the record in any way implies the lack thereof.") (computerized tax records held by the I.R.S.); Briscoe, 896 F.2d at 1494 (computerized telephone records held by Illinois Bell). When the computer program is not used on a regular basis and the government cannot establish reliability based on reliance in the ordinary course of business, the government may need to disclose "what operations the computer had been instructed to perform [as well as] the precise instruction that had been given" if the opposing party requests. United States v. Dioguardi, 428 F.2d 1033, 1038 (C.A.N.Y. 1970). Notably, once a minimum standard of trustworthiness has been established, questions as to the accuracy of computer records "resulting from . . . the operation of the computer program" affect only the weight of the evidence, not its admissibility. United States v. Catabran, 836 F.2d 453, 458 (9th Cir. 1988).
Prosecutors may note the conceptual overlap between establishing the authenticity of a computer-generated record and establishing the trustworthiness of a computer record for the business record exception to the hearsay rule. In fact, federal courts that evaluate the authenticity of computer-generated records often assume that the records contain hearsay, and then apply the business records exception. See, e.g., Salgado, 250 F.3d at 452-53 (applying business records exception to telephone records generated "automatically" by a computer) United States v. Linn, 880 F.2d 209, 216 (9th Cir. 1989) (same); United States v. Vela, 673 F.2d 86, 89-90 (5th Cir. 1982) (same). As discussed later in this chapter, this analysis is technically incorrect in many cases: computer records generated entirely by computers cannot contain hearsay and cannot qualify for the business records exception because they do not contain human "statements." See Chapter 5.C, infra. As a practical matter, however, prosecutors who lay a foundation to establish a computer-generated record as a business record will also lay the foundation to establish the record's authenticity. Evidence that a computer program is sufficiently trustworthy so that its results qualify as business records according to Fed. R. Evid. 803(6) also establishes the authenticity of the record. Cf. United States v. Saputski, 496 F.2d 140, 142 (9th Cir. 1974).

Logs and the Canadian Rules for Electronic Evidence

Eric Fitzgerald — Thu, 31 Aug 2006 23:32:00 GMT

Source: http://laws.justice.gc.ca/en/c-5/232082.html, 8/31/2006

Here are two excerpts from the Canadian national laws pertaining to the introduction of business records and electronic records as evidence in courts of law.

Business Records


Inference where information not in business record	30. (1) Where oral evidence in respect of a matter would be admissible in a legal proceeding, a record made in the usual and ordinary course of business that contains information in respect of that matter is admissible in evidence under this section in the legal proceeding on production of the record. (2) Where a record made in the usual and ordinary course of business does not contain information in respect of a matter the occurrence or existence of which might reasonably be expected to be recorded in that record, the court may on production of the record admit the record for the purpose of establishing that fact and may draw the inference that the matter did not occur or exist.
Copy of records	(3) Where it is not possible or reasonably practicable to produce any record described in subsection (1) or (2), a copy of the record accompanied by two documents, one that is made by a person who states why it is not possible or reasonably practicable to produce the record and one that sets out the source from which the copy was made, that attests to the copy’s authenticity and that is made by the person who made the copy, is admissible in evidence under this section in the same manner as if it were the original of the record if each document is (a) an affidavit of each of those persons sworn before a commissioner or other person authorized to take affidavits; or (b) a certificate or other statement pertaining to the record in which the person attests that the certificate or statement is made in conformity with the laws of a foreign state, whether or not the certificate or statement is in the form of an affidavit attested to before an official of the foreign state.
Where record kept in form requiring explanation	(4) Where production of any record or of a copy of any record described in subsection (1) or (2) would not convey to the court the information contained in the record by reason of its having been kept in a form that requires explanation, a transcript of the explanation of the record or copy prepared by a person qualified to make the explanation is admissible in evidence under this section in the same manner as if it were the original of the record if it is accompanied by a document that sets out the person’s qualifications to make the explanation, attests to the accuracy of the explanation, and is (a) an affidavit of that person sworn before a commissioner or other person authorized to take affidavits; or (b) a certificate or other statement pertaining to the record in which the person attests that the certificate or statement is made in conformity with the laws of a foreign state, whether or not the certificate or statement is in the form of an affidavit attested to before an official of the foreign state.
Court may order other part of record to be produced	(5) Where part only of a record is produced under this section by any party, the court may examine any other part of the record and direct that, together with the part of the record previously so produced, the whole or any part of the other part thereof be produced by that party as the record produced by him.
Court may examine record and hear evidence	(6) For the purpose of determining whether any provision of this section applies, or for the purpose of determining the probative value, if any, to be given to information contained in any record admitted in evidence under this section, the court may, on production of any record, examine the record, admit any evidence in respect thereof given orally or by affidavit including evidence as to the circumstances in which the information contained in the record was written, recorded, stored or reproduced, and draw any reasonable inference from the form or content of the record.
Notice of intention to produce record or affidavit	(7) Unless the court orders otherwise, no record or affidavit shall be admitted in evidence under this section unless the party producing the record or affidavit has, at least seven days before its production, given notice of his intention to produce it to each other party to the legal proceeding and has, within five days after receiving any notice in that behalf given by any such party, produced it for inspection by that party.
Not necessary to prove signature and official character	(8) Where evidence is offered by affidavit under this section, it is not necessary to prove the signature or official character of the person making the affidavit if the official character of that person is set out in the body of the affidavit.
Examination on record with leave of court	(9) Subject to section 4, any person who has or may reasonably be expected to have knowledge of the making or contents of any record produced or received in evidence under this section may, with leave of the court, be examined or cross-examined thereon by any party to the legal proceeding.
Evidence inadmissible under this section	(10) Nothing in this section renders admissible in evidence in any legal proceeding (a) such part of any record as is proved to be (i) a record made in the course of an investigation or inquiry, (ii) a record made in the course of obtaining or giving legal advice or in contemplation of a legal proceeding, (iii) a record in respect of the production of which any privilege exists and is claimed, or (iv) a record of or alluding to a statement made by a person who is not, or if he were living and of sound mind would not be, competent and compellable to disclose in the legal proceeding a matter disclosed in the record; (b) any record the production of which would be contrary to public policy; or (c) any transcript or recording of evidence taken in the course of another legal proceeding.
Construction of this section	(11) The provisions of this section shall be deemed to be in addition to and not in derogation of (a) any other provision of this or any other Act of Parliament respecting the admissibility in evidence of any record or the proof of any matter; or (b) any existing rule of law under which any record is admissible in evidence or any matter may be proved.
Definitions	(12) In this section,
	“business” means any business, profession, trade, calling, manufacture or undertaking of any kind carried on in Canada or elsewhere whether for profit or otherwise, including any activity or operation carried on or performed in Canada or elsewhere by any government, by any department, branch, board, commission or agency of any government, by any court or other tribunal or by any other body or authority performing a function of government;
	“copy”, in relation to any record, includes a print, whether enlarged or not, from a photographic film of the record, and “photographic film” includes a photographic plate, microphotographic film or photostatic negative;
	“court” means the court, judge, arbitrator or person before whom a legal proceeding is held or taken;
	“legal proceeding” means any civil or criminal proceeding or inquiry in which evidence is or may be given, and includes an arbitration;
	“record” includes the whole or any part of any book, document, paper, card, tape or other thing on or in which information is written, recorded, stored or reproduced, and, except for the purposes of subsections (3) and (4), any copy or transcript admitted in evidence under this section pursuant to subsection (3) or (4). R.S., 1985, c. C-5, s. 30; 1994, c. 44, s. 91.

Electronic Evidence

Authentication of electronic documents	31.1 Any person seeking to admit an electronic document as evidence has the burden of proving its authenticity by evidence capable of supporting a finding that the electronic document is that which it is purported to be. 2000, c. 5, s. 56.
Application of best evidence rule — electronic documents	31.2 (1) The best evidence rule in respect of an electronic document is satisfied (a) on proof of the integrity of the electronic documents system by or in which the electronic document was recorded or stored; or (b) if an evidentiary presumption established under section 31.4 applies.
Printouts	(2) Despite subsection (1), in the absence of evidence to the contrary, an electronic document in the form of a printout satisfies the best evidence rule if the printout has been manifestly or consistently acted on, relied on or used as a record of the information recorded or stored in the printout. 2000, c. 5, s. 56.
Presumption of integrity	31.3 For the purposes of subsection 31.2(1), in the absence of evidence to the contrary, the integrity of an electronic documents system by or in which an electronic document is recorded or stored is proven (a) by evidence capable of supporting a finding that at all material times the computer system or other similar device used by the electronic documents system was operating properly or, if it was not, the fact of its not operating properly did not affect the integrity of the electronic document and there are no other reasonable grounds to doubt the integrity of the electronic documents system; (b) if it is established that the electronic document was recorded or stored by a party who is adverse in interest to the party seeking to introduce it; or (c) if it is established that the electronic document was recorded or stored in the usual and ordinary course of business by a person who is not a party and who did not record or store it under the control of the party seeking to introduce it. 2000, c. 5, s. 56.
Presumptions regarding secure electronic signatures	31.4 The Governor in Council may make regulations establishing evidentiary presumptions in relation to electronic documents signed with secure electronic signatures, including regulations respecting (a) the association of secure electronic signatures with persons; and (b) the integrity of information contained in electronic documents signed with secure electronic signatures. 2000, c. 5, s. 56.
Standards may be considered	31.5 For the purpose of determining under any rule of law whether an electronic document is admissible, evidence may be presented in respect of any standard, procedure, usage or practice concerning the manner in which electronic documents are to be recorded or stored, having regard to the type of business, enterprise or endeavour that used, recorded or stored the electronic document and the nature and purpose of the electronic document. 2000, c. 5, s. 56.
Proof by affidavit	31.6 (1) The matters referred to in subsection 31.2(2) and sections 31.3 and 31.5 and in regulations made under section 31.4 may be established by affidavit.
Cross-examination	(2) A party may cross-examine a deponent of an affidavit referred to in subsection (1) that has been introduced in evidence (a) as of right, if the deponent is an adverse party or is under the control of an adverse party; and (b) with leave of the court, in the case of any other deponent. 2000, c. 5, s. 56.
Application	31.7 Sections 31.1 to 31.4 do not affect any rule of law relating to the admissibility of evidence, except the rules relating to authentication and best evidence. 2000, c. 5, s. 56.
Definitions	31.8 The definitions in this section apply in sections 31.1 to 31.6.
	“computer system” means a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data; and (b) pursuant to computer programs, performs logic and control, and may perform any other function.
	“data” means representations of information or of concepts, in any form.
	“electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
	“electronic documents system” includes a computer system or other similar device by or in which data is recorded or stored and any procedures related to the recording or storage of electronic documents.
	“secure electronic signature” means a secure electronic signature as defined in subsection 31(1) of the Personal Information Protection and Electronic Documents Act. 2000, c. 5, s. 56.