

The Army Lawyer


The Spoof Is in the Evidence: Obtaining Electronic Records to Corroborate Text Message Screenshots

(Credit: istockphoto.com/Roman Stavila)


“Don’t like your buddy’s girlfriend? Well, break them up. Just send a fake text message! www.spoofmytextmessage.com”1

Most modern courts-martial include text/chat message evidence from a cell phone. Digital evidence, like all evidence, is susceptible to fraud, alteration, and fabrication. A common method of fabricating text messages is “spoofing.”2 Using a spoofing application (app), an individual can falsify a text message and send the message from any phone number they choose. Thus, an alleged victim can enter the accused’s phone number and send a message—in which the accused appears to admit his guilt—to the alleged victim’s phone. Or, a witness could use a spoofing app to create an entire fake conversation on the user’s phone, allowing the user to take a screenshot of the spoofed conversation and represent it as a genuine conversation.

Access to spoofing has become so prolific that law enforcement should no longer assume the genuineness of a screenshot depicting a digital communication.3 Using the search term “spoof” in the Apple App store, the author scrolled through over 100 spoofing apps that enable the spoofing of text messages, phone calls, Global Positioning System location, email, and/or social media messages.4

Recognizing that electronic communications are susceptible to “spoofing” or fraud, courts have found it is insufficient to merely argue that, on its face, a message purports to be from a person’s messaging system.5 The availability and ease of modern spoofing technology makes such an assumption naive.

Fraudulent text message services are becoming increasingly prevalent. It is important for military justice practitioners to understand the primary ways to fabricate a text message, how to authenticate text message evidence using the “digital footprint” of electronic communications, and how recent changes to the Stored Communications Act (SCA)6 make compelling disclosure of the “digital footprint” from service providers much easier for military investigators. In response to the SCA changes, law enforcement should obtain SCA court orders or warrants7 for data recovery as a matter of course in all cases involving text/chat message digital evidence. Even when the physical communication device is secured and forensically analyzed, investigators should still secure the SCA records to ensure the forensic examination collected all the messages on the phone.8 Taking the steps to secure this data creates a minimal burden on law enforcement. However, obtaining this data provides corroboration when authenticating digital evidence at trial and may be the difference between obtaining a conviction or a not guilty finding. A blueprint for law enforcement to gather and litigators to analyze text or chat message evidence, placing particular importance on situations in which the cell phone is unavailable for forensic examination, will be helpful to judge advocates navigating this realm.

Spoofing Services Are Abundant, Affordable, and Easy to Use

As mentioned above, there are hundreds of companies providing spoofing services for relatively low costs. There are two main ways to spoof a text message. This article will refer to the first spoofing technique as the Fake-Text Transmission method. In this method, a user (the spoofer) accesses a spoofing website or app to send an actual text message to the recipient’s phone (spoofing recipient), appearing as though the message originated from a phone number of the spoofer’s choosing. The spoofer creates the content of the text message and chooses the phone number of the “sender” of the text message.9 The website or app then sends the text message to the spoofing recipient, appearing to originate from the “sender” selected by the spoofer.10 If the spoofing recipient takes a screenshot of the spoofed text message that they received, the screenshot would depict a picture of an actual text message received by the spoofing recipient, even though the “sender” identified on the screenshot had never actually sent that message to the spoofing recipient from their own phone.

This article will refer to the second spoofing technique as the No Transmission, Fake Conversation method. Here, the spoofer accesses a spoofing website or app and creates either a single fake text message11 or an entire fake conversation between any two (real or fictional) individuals on the spoofer’s own phone.12 No actual communication is sent or received by either phone. The spoofer inputs the names (or phone numbers) of both the sender and recipient of the spoofed message and creates the content of the messages. The spoofer inputs the date and time of each message.13 Using this method, the spoofer can take a screenshot of the fake text message conversation on their phone. That screenshot looks identical to the screenshot of an authentic text message conversation taken from a phone.14 This technology allows the presenter of the screenshot to present this spoofed text message conversation to law enforcement, even though the conversation never occurred.15

Both of these spoofing methods are user-friendly and readily available to anyone with access to internet websites16 or digital apps.17 Anyone with the smallest amount of comfort using cell phone apps could effectively use this spoofing technology. Law enforcement and litigators must be aware of this new technological reality to accurately investigate and litigate cases that include digital evidence of electronic communications. An accurate investigation requires pursuing a method to verify the genuineness of the text message.

Methods to Authenticate a Text/Chat Message

Traditional methods of authenticating digital evidence include testimony from the sender or recipient asserting the text messages are genuine or from a witness who saw the message being sent. When the purported “sender” denies sending the message and there was no witness to the transmission, the best evidence that a text message is what it purports to be is the “digital footprint” found through data recovery on the cell phone itself or in records stored by the service provider.

Text/chat messages, like all electronic communications, leave a digital footprint that is tracked in the records maintained by the service provider. Text messages produce transactional records18 that memorialize the date/time of when a text message was sent or received by a user’s account.19 Of note, some telecommunication service providers keep records of the content of text messages for a short period of time.20

Ideally, in a case involving text/chat message evidence, law enforcement will secure the physical device from the alleged victim and the accused and conduct forensic analysis to obtain the digital footprint of the messages. However, there are situations where the cell phone is unavailable.21 In these situations, it is crucial for law enforcement to obtain information regarding the witnesses’ smartphone or tablet brand, cellular service provider (e.g., Verizon, Sprint), and chat application service provider (e.g., Apple iMessage, Facebook Messenger); that information informs law enforcement of which service providers to contact.

Even when a cell phone is available for forensic examination, obtaining data from the service provider will corroborate the authenticity of the digital evidence and ensure the forensic examination captured all the message history associated with the phone’s user. As discussed in the next section, military investigators and litigators can easily request this data pursuant to a SCA search warrant or court order.
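As an added illustration (not part of the original article), the sketch below shows how an examiner might cross-check messages transcribed from a screenshot against a provider's transactional records. The record layout, field names, two-minute tolerance, and phone numbers are assumptions constructed for the example; real provider returns differ in format and time zone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class ClaimedMessage:
    """One message as transcribed from the screenshot (what the exhibit asserts)."""
    sender: str
    recipient: str
    shown_at: datetime      # screenshots usually show minutes, not seconds

@dataclass(frozen=True)
class ProviderRecord:
    """One transactional record (no content). Hypothetical, simplified layout."""
    originator: str         # may be blank or garbled in the provider's return
    recipient: str
    logged_at: datetime

def normalize(number: str) -> str:
    """Reduce a phone number to its last ten digits so formats compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]

def corroborate(claims, records, tolerance=timedelta(minutes=2)):
    """Label each claimed message by what the transactional records show.

    corroborated        - a record with the claimed sender, recipient and time
    originator_mismatch - something reached the recipient at that time, but not
                          from the claimed sender (the pattern the article's
                          note 10 describes for the Fake-Text Transmission method)
    no_record           - nothing was transmitted at that time (consistent with
                          the No Transmission, Fake Conversation method)
    """
    used = set()            # each provider record may support only one claim
    results = []
    for claim in claims:
        near = [
            (i, r) for i, r in enumerate(records)
            if i not in used
            and normalize(r.recipient) == normalize(claim.recipient)
            and abs(r.logged_at - claim.shown_at) <= tolerance
        ]
        wanted = normalize(claim.sender)
        exact = [(i, r) for i, r in near if wanted and normalize(r.originator) == wanted]
        if exact:
            used.add(exact[0][0])
            status = "corroborated"
        elif near:
            used.add(near[0][0])
            status = "originator_mismatch"
        else:
            status = "no_record"
        results.append((claim, status))
    return results

# Constructed sample data: fictional 555 numbers, all times already in UTC.
ACCUSED = "+1 (434) 555-0101"
WITNESS = "434-555-0199"

CLAIMS = [
    ClaimedMessage(ACCUSED, WITNESS, datetime(2019, 9, 9, 14, 5, tzinfo=UTC)),
    ClaimedMessage(ACCUSED, WITNESS, datetime(2019, 9, 9, 14, 20, tzinfo=UTC)),
    ClaimedMessage(ACCUSED, WITNESS, datetime(2019, 9, 8, 22, 15, tzinfo=UTC)),
]
RECORDS = [
    ProviderRecord("14345550101", "14345550199", datetime(2019, 9, 9, 14, 5, 32, tzinfo=UTC)),
    ProviderRecord("", "14345550199", datetime(2019, 9, 9, 14, 20, 11, tzinfo=UTC)),
]

def example_statuses():
    """Statuses for the constructed sample, in the order the claims are listed."""
    return [status for _, status in corroborate(CLAIMS, RECORDS)]

if __name__ == "__main__":
    for claim, status in corroborate(CLAIMS, RECORDS):
        print(claim.shown_at.isoformat(), status)
```

A `no_record` result carries weight only if the claimed time falls inside the period the provider's records actually cover, and each label is a lead for further examination rather than a finding.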

Military Judges Are Now Competent Authorities to Issue SCA Warrants/Orders

Prior to 1 January 2019, military investigators were limited in their ability to use the SCA to compel disclosure of electronic records from service providers. Since the SCA did not include military courts in its definition of a “court of competent jurisdiction,” military judges did not have the power to compel civilian service providers to disclose electronic communication records. Rather, law enforcement had to go through a lengthy process of working with a United States Attorney’s office to request a SCA order or warrant from a Federal Magistrate.22

As of 1 January 2019,23 military judges24 gained the authority to issue SCA court orders and warrants,25 compelling civilian service providers to produce these electronic records to military law enforcement.26 This removes a major hurdle for military investigators and supports the argument that trial counsel should obtain a SCA order or warrant for data recovery as a matter of course in all cases involving text/chat message digital evidence. The following section describes the consequences for litigators at trial should a SCA court order or warrant not be obtained.

Consequences of Spoofing for Litigators at Trial

As discussed above, law enforcement should be taking the additional investigative steps to pursue corroboration for screenshots of electronic communications. Trial counsel need the digital records to help prove their case27 and authenticate a screenshot at trial.28 Even if the military judge admits the screenshot into evidence without the SCA records, once they learn from the defense counsel how easy it is to spoof a text message, the finder of fact may determine the screenshot is unpersuasive evidence.29

Defense counsel need to understand the technology to properly evaluate the case and to make the proper arguments at trial. Defense counsel should highlight the shortcomings of the investigation by showing that law enforcement could have easily secured electronic records that would have verified the genuineness of the messages and corroborated the alleged victim’s claim, but they chose not to collect that evidence.30

Special victim counsel (SVCs) also need to understand this spoofing issue in order to effectively advise their clients. An alleged victim may want to report a crime but does not want to turn over their phone to law enforcement for forensic examination. The SVC could help preserve their client’s privacy interests by advising law enforcement to seek the SCA records for corroboration of the screenshot, thereby reducing the likelihood that Criminal Investigation Command (CID) would need to seize the client’s phone for corroboration. Additionally, the SVC should advise their client about CID’s investigative capabilities, to deter a client who may have considered spoofing a communication. The final section below provides a blueprint for military law enforcement and trial counsel to request electronic communication records from service providers.

Steps to Follow to Secure SCA Records

Freeze the Evidence Immediately by Sending Preservation Letters.

As soon as the allegation arrives, the CID agent should ask the alleged victim how she communicated with the accused,31 then send preservation letters32 to the appropriate service providers33 as a way to freeze the evidence and prevent its destruction. Service providers will preserve the requested content and transactional records for ninety days. Under the SCA, CID may ask for an additional ninety days of preservation, but no more than the total of 180 days.34 If the defense counsel is aware of potential exculpatory evidence, they may send the trial counsel a request for law enforcement to send preservation letters to service providers. Now that the data is preserved, the next step is to categorize the desired information.

Categorize the Information to Determine Scope of Judicial Process Request.

Law enforcement must categorize the information sought as either content records, transactional records, or basic subscriber information. Content records are less frequently available, whereas transactional records and basic subscriber information are readily available and require a much lower standard of proof.

Content records (i.e., the text of the written message) are only available from a cellular service provider, not a chat application service provider.35 Not all cellular service providers store content records and, if they do store content records, they do so usually only for three to five days before deleting the records.36 Courts require a showing of probable cause to obtain a search warrant for content records.37 So, if law enforcement is seeking the content of the text message on the screenshot, they will need a SCA search warrant based upon probable cause.

Transactional records (date/time of when messages were sent, the internet protocol (IP) addresses the request was made from, etc.38) and records of a user’s basic subscriber information39 are available from any service provider—both cellular providers and chat application providers.40 For transactional records (not including historic cell site location information41) and basic subscriber information, a petitioner must secure a court order from a judge after demonstrating the desired records are relevant and material to an ongoing criminal investigation.42

Obtain the Proper Process in a Pre-Referral Judicial Hearing.

Once law enforcement has categorized the information it seeks and determined which provider to get it from, they must seek an audience with a judge for the appropriate judicial process. Law enforcement may seek this hearing as soon as the investigation begins. Hearings will usually be conducted ex parte,43 and the military judge may review the evidence in camera.44 Trial counsel request the pre-referral hearing with the military judge.45 The ideal process is to send the affidavit and administer the entire process over email, culminating in the military judge signing the warrant or court order and emailing the process back to the trial counsel. A hearing with the military judge is available, if necessary; in this case, a court reporter would record the hearing. Trial counsel is responsible for keeping the records of the proceedings and must attach the entire correspondence to the record of trial if the case is eventually referred to court-martial.46

To obtain basic subscriber info or transactional records, petition the military judge for a SCA court order.47 To obtain content records or historic cell site location information, petition the military judge for a warrant. Despite the plain language in the SCA and Rule for Courts-Martial 703A, a warrant based upon probable cause is required for content, regardless of the length or location of storage.48 Law enforcement may also seek SCA warrants for items located in “the cloud.”49

Seek Non-Disclosure Orders, If Appropriate, and Follow Notification Requirements.

The Government may request non-disclosure orders (NDO) for court orders that prohibit the service provider from notifying the subscriber that the Government requested electronic records.50 Judges will issue NDOs when the Government demonstrates that one or more of five adverse results (set out in the statute) may occur due to notification of the judicial process.51 NDOs may last for up to ninety days and extensions are permissible.52 Neither the Government, nor the service provider, is required to notify the subscriber of process seeking basic subscriber info. However, the service provider may choose to notify the subscriber. To prevent or delay that notification, law enforcement may obtain an NDO in the court order. Once the NDO notification delay period expires, the Government serves or mails the subscriber a copy of the process.53


Given the proliferation of spoofing, courts may no longer accept screenshots of text messages as trustworthy evidence. Investigators and litigators must understand the capabilities of spoofing technologies and have a basic understanding of the digital footprint found in these records.

As of 1 January 2019, the SCA provides an efficient method for obtaining the digital records of communications conducted through civilian service providers, like Verizon or Facebook. Due diligence should include pursuing these records (or exploiting at trial the lack of these records). These investigative actions, or lack thereof, provide arguments for the litigators at court-martial that may be the difference between a conviction and a not guilty finding.


LtCol Catto is currently assigned as an associate professor of criminal law at TJAGLCS.


1. See Spoof My Text, https://www.spoofmytextmessage.com (last visited Oct. 20, 2019).

2. The Federal Communications Commission defines spoofing as, “when a caller [texter] deliberately falsifies the information transmitted to your caller ID display to disguise their identity.” See Caller ID Spoofing, FCC.gov, https://www.fcc.gov/consumers/guides/spoofing-and-caller-id?from=home (last updated July 15, 2019).

3. United States (U.S.) consumers received nearly four billion unwanted robocalls per month in 2018. See The FCC’s Push to Combat Robocalls and Spoofing, FCC.gov, https://www.fcc.gov/about-fcc/fcc-initiatives/fccs-push-combat-robocalls-spoofing (last visited Sept. 7, 2019). Advancements in technology enable cheap and easy access to a massive number of robocalls and to “spoof” caller ID information to hide a caller’s true identity. Id. This same spoofing technology applies to text messages, emails, and social media posts. See Evidence Collection Series: Spoofing Calls and Messages, techsafety.org, https://www.techsafety.org/spoofing-evidence (last visited Oct. 20, 2019) [hereinafter Evidence Collection Series].

4. The author conducted a search on 9 Sept. 2019 in the Apple app store by using the search term “spoof.” The author saw both Fake-Message Transmissions and No Transmission, Fake Conversation spoofing apps. Some of the apps were free. None of the apps were cost prohibitive. All of the apps accessed were easy to use.

5. See Campbell v. State, 382 S.W.3d 545, 547 (Tex. Ct. App. 2012). See also Major Scott A. McDonald, Authenticating Digital Evidence from the Cloud, Army Law., Jun. 2014, at 47. The court recognized that “anyone can establish a fictitious profile under any name” and “a person may gain access to another person’s account by obtaining the user’s name and password.” Campbell, 382 S.W.3d at 549.

6. See Stored Wire and Electronic Communications and Transactional Records Access, 18 U.S.C. §§ 2703-2711 (2018).

7. A military judge may compel civilian service providers to disclose records of electronic communications by issuing warrants or court orders. See 18 U.S.C. § 2703(a)-(c) (2018); UCMJ art. 46(d)(3) (2019); and Manual for Courts-Martial, United States, Rules for Courts-Martial (R.C.M.) 703A(a) (2019) [hereinafter MCM].

8. Sometimes the message history from the forensic examination contains garbled text that does not provide usable information to law enforcement. Additionally, not all message communication is always retained on the phone. Furthermore, it is possible to send data chat messages from more than one device. Person X may be able to send iMessages from their cell phone, as well as their iPad. An examination of the cell phone would not contain the iMessage that Person X sent from their iPad.

9. See Spoof My Text, supra note 1. See Example 4, appendix, as an example of a Fake-Message Transmission created by the author on 9 Sept. 2019 by accessing www.spoofmytextmessage.com and paying $5.00 to send five spoofed text messages.

10. Interview with Special Agent Patrick Eller, United States Army Criminal Investigation Command Forensic Examiner, in Charlottesville, VA (May 2, 2019). Spoofed text messages created through the Fake-Text Transmission method produce data in the transactional records of the recipient’s service provider, but the data does not show a text message from the purported “sender” identified in the spoofed text message. The records show a garbled transmission from an unclear sender. Id.

11. See Example 1, appendix, as an example of a spoofed text message created by the author using the No Transmission, Fake Conversation method.

12. See Examples 2 and 3, appendix, as examples of spoofed text messages created by the author using the No Transmission, Fake Conversation method.

13. The No Transmission, Fake Conversation method allows the user to create fake messages that appeared to have been transmitted in the past, rather than the real-time transmissions of the Fake-Text Transmission method where the user cannot manipulate the date/time of the message.

14. See Examples 1, 2 and 3, appendix, as examples of spoofed text messages created by the author using the No Transmission, Fake Conversation method.

15. Id.

16. See Spoof My Text, supra note 1. See also How to Fake an Instagram DM [Direct Message], techjunkie, https://www.techjunkie.com/fake-instagram-dm-direct-message/ (last visited on 7 Sept. 2019).

17. See Evidence Collection Series, supra note 3.

18. In addition to texts and chat apps, the following electronic communications also create transactional records maintained by the service provider: phone calls, social media posts, and email. Apple keeps a log of whom users have tried to contact, or been contacted by, via iMessage (transactional data). See Jacob Kastrenakes, Apple Keeps Track of Everyone You Try to Chat with on iMessage, The Verge (Sept. 28, 2016, 1:01pm), https://www.theverge.com/2016/9/28/13090930/imessage-records-contact-info-lookup-logs.

19. Transactional records do not contain the content of the message. While the content of the message may have been erased, the record of whether a text was sent or received will be preserved (in most cases) for at least twelve months. See U.S. Dep’t of Just. Retention Periods of Major Cellular Service Providers chart (Aug. 2010), ACLU, https://www.aclu.org/cell-phone-location-tracking-request-response-cell-phone-company-data-retention-chart. See also Wired.com, https://www.wired.com/images_blogs/threatlevel/2011/09/retentionpolicy.pdf (last visited Oct. 18, 2019) [hereinafter Retention Policy].

20. Some service providers keep message content for 3-5 days before deleting the data. Retention Policy, supra note 19. Law enforcement has updated charts with data retention information, but they are classified as For Law Enforcement Use only.

21. The allegation may have been a delayed report and the alleged victim may have since lost or replaced their cellular phone (but saved a screenshot of the text), or perhaps the alleged victim values their privacy and refuses to turn over their phone for forensic examination.

22. For a civilian judge to issue a Stored Communications Act (SCA) warrant or court order, the accused must have violated a law in that civilian jurisdiction. Therefore, the SCA process was not available to investigate uniquely military offenses such as orders violations or UCMJ Article 134 offenses. See Major Sam C. Kidd, Military Courts Declared Incompetent: What Practitioners (Including Defense Counsel) Need to Know about the Stored Communications Act, 40 Reporter no. 3, 2013, at 17, 22 (explaining the process for military investigators to secure a SCA warrant or order through a civilian judge). Id.

23. National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, 131 Stat. 1283 (2017).

24. Military judges detailed to courts-martial or pre-referral hearings are deemed competent authorities to issue SCA court orders or warrants. See 18 U.S.C. § 2711 (2018); UCMJ art. 26(a), art. 30a (2019); MCM, supra note 7, R.C.M. 703A(a).

25. See 18 U.S.C. § 2711; UCMJ, supra note 7; MCM, supra note 7.

26. See supra note 7.

27. A court considered whether records of electronic communications were produced, when considering the reliability of the message. See United States v. Wolford, 656 Fed. Appx. 59, 64 (6th Cir. 2016).

28. To authenticate an exhibit, the proponent of the evidence must convince the military judge that a fact-finder could determine, by a preponderance of evidence, that the exhibit actually is what the proponent claims it is. Manual for Courts-Martial, United States, Mil. R. Evid. 901(a) (2019) [hereinafter MCM]. To authenticate the screenshot, trial counsel must convince the judge that a fact-finder could determine that the screenshot is a picture of a real communication, rather than a screenshot of an easily spoofed conversation. The SCA records provide corroboration for the testimony of the witness attempting to authenticate the message.

29. Defense counsel will highlight the realities of spoofing during cross examination of the law enforcement agent, or potentially through the testimony of an expert witness.

30. Defense counsel will probably wait until trial to make these arguments, rather than raise them during a pre-trial suppression motion, to ensure the Government does not have time to take corrective action and seek the SCA records after the issue has been highlighted.

31. It is crucial for law enforcement to obtain information regarding the smartphone or tablet brand, cellular service provider (e.g., Verizon, Sprint) and chat application service provider (e.g., Apple iMessage, Facebook Messenger), so they know which service providers to contact.

32. See Yahoo! Compliance Guide for Law Enforcement, EFF.org, https://www.eff.org/files/filenode/social_network/yahoo_sn_leg-doj.pdf (last visited on Oct. 22, 2019) (providing a sample preservation request letter for Yahoo in app. A).

33. List of points of contact for service providers’ legal process (current as of 18 Oct. 2019):
Apple legal process guidelines: https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf

Facebook law enforcement online request portal: https://www.facebook.com/records/login/

Facebook law enforcement guidelines: https://www.facebook.com/safety/groups/law/guidelines

Google: https://support.google.com/transparencyreport/answer/7381738?hl=en&ref_topic=7380433 and https://www.rexxfield.com/how-to-contact-google-legal-department-to-serve-subpoenas-or-court-orders/

Yahoo: https://www.eff.org/files/filenode/social_network/yahoo_sn_leg-doj.pdf

Verizon legal process contact page: https://www.verizon.com/support/residential/account/manage-account/security/security-assist-team

AT&T: https://www.dms.myflorida.com/content/download/69972/295441/AT&T_Mobility_exigent_form.pdf

Sprint: https://zetx.com/sprint-info/ and https://www.dms.myflorida.com/content/download/69691/294290/Blank_Exigent_-_3_31_10.pdf

T-Mobile: https://zetx.com/t-mobile-info/0

34. See 18 U.S.C. § 2703(f); MCM, supra note 7, R.C.M. 703A(f)(2).

35. Since chat apps do not save message content, SCA records will not produce content from chat messages. See Jacob Kastrenakes, Apple Keeps Track of Everyone You Try to Chat with on iMessage, The Verge (Sept. 28, 2016, 1:01pm), https://www.theverge.com/2016/9/28/13090930/imessage-records-contact-info-lookup-logs.

36. See Retention Policy, supra note 19.

37. Stored content includes: messages, photos, videos, timelines posts, and location information. See 18 U.S.C. § 2703(a)-(c); MCM, supra note 7, R.C.M. 703A(a)-(b).

38. A court order issued under 18 U.S.C. § 2703(d) or R.C.M. 703A(c) is required to compel the disclosure of certain records pertaining to the account, not including contents of the communications, which may include message headers and IP addresses. See Information for Law Enforcement Authorities, Facebook, https://www.facebook.com/safety/groups/law/guidelines/ (last visited Oct. 22, 2019).

39. Basic subscriber information includes: subscriber’s name, length of service, credit card information, email address(es), and recent login/logout IP address(es). See 18 U.S.C. § 2703(c)(2); MCM, supra note 7, R.C.M. 703A(a)(4).

40. However, Apple’s iMessage transactional records consist of a log showing to whom the user attempted to send an iMessage. When a user attempts to contact someone else through iMessage, the app automatically pings Apple’s servers to see if that person has an iMessage account. Apple records the date/time the request was made and the IP address from which the request was made. These records do not contain the content of the message. Apple saves these logs for 30 days, then deletes that data. See Jacob Kastrenakes, Apple Keeps Track of Everyone You Try to Chat with on iMessage, The Verge (Sept. 28, 2016, 1:01pm), https://www.theverge.com/2016/9/28/13090930/imessage-records-contact-info-lookup-logs.

41. A search warrant is required when seeking at least seven days of historical cell site location information data, despite the plain language of the SCA and R.C.M. 703A. See Carpenter v. United States, 138 S. Ct. 2206 (2018).

42. Basic subscriber information is available via a court order from a military judge, or via investigative subpoena issued by a trial counsel (with the authorization of a general court-martial convening authority). See MCM, supra note 7, R.C.M. 703A(a)(4), 703(g)(3)(C).

43. In this hearing, only the government counsel is present. See MCM, supra note 7, R.C.M. 309(b)(2); U.S. Dep’t of Army, Interim Reg. 27-10, Legal Services Military Justice para. 5-17 (Jan. 1, 2019) [hereinafter AR 27-10].

44. See UCMJ art. 30a(a)(1)(B); MCM, R.C.M. 309(b)(2); AR 27-10, para. 5-17.

45. See supra note 44.

46. Id.

47. The standard of proof is relevant and material to an ongoing criminal investigation. See UCMJ art. 46(d)(3); and MCM, R.C.M. 703A(c)(1)(A).

48. See United States v. Warshak, 631 F.3d 266 (6th Cir. 2010); AR 27-10, para. 5-17.

49. The SCA also permits military judges to issue warrants for content stored in the cloud. The SCA adopted the broad definition of “electronic communication” from the definition in the Wiretap Act, 18 U.S.C. § 2512 (2018).

50. See 18 U.S.C. § 2705(a)(1)(A)-(B) (2018); MCM, R.C.M. 703A(d)(1)-(2).

51. The following five adverse results (stemming from notification) justify the military judge to delay notification of the court order or warrant: A) endangering the life or physical safety of an individual, B) flight from prosecution, C) destruction of or tampering with evidence, D) intimidation of potential witnesses, or E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. See 18 U.S.C. § 2705(a)(2); MCM, R.C.M. 703A(d)(4).

52. See supra note 50.

53. See MCM, R.C.M. 703A(d)(3).