Are e-mails proof of anything?

I always archive and never delete any work e-mails I receive because I know how useful it is to have a record of all work-based conversations.

It can be fun showing a client that they’ve directly contradicted something they’ve said previously :slight_smile:

But how solid are e-mails as a form of proof? If my clients had deleted their copy of the mail, would they have any way of validating that the e-mail I show them is genuine?
What about to governmental organisations, such as the Inland Revenue (IRS)? Do they have other means of seeing e-mail records? Could such records be tampered with?

Yes. You will find that major companies that deal with sensitive information, like banks and law firms, have extensive electronic records management policies in the event of civil or criminal proceedings. You can probably get more info if you look up e-discovery (“discovery” referring to pre-trial document request and disclosure in civil proceedings).

ETA: to validate the authenticity of emails and IMs, they are all essentially tracked/archived with a unique identifying code. They could be tampered with, but a forensic IT specialist could probably track down original, authentic versions and catch you up.

If you can provide the full set of headers, those would be difficult (but not impossible) to fake. If it’s recent enough, you could trace back the email through the servers that touched it and find the email in their logs as well. No idea if this is, say, admissible in court, but that should provide sufficient evidence to convince most people that a given email is legit.

It goes way beyond the basics of headers these days. Federal regulations for e-discovery were introduced in the U.S. in 2006 in an amendment to the Federal Rules of Procedure. It’s quite comprehensive. You must have a way of storing and retrieving electronic information, you must have solid document retention policies in place, and you have to be able to guarantee document integrity (have systems in place so people can’t fuck with the email headers etc.)

That’s why a lot of companies keep copies of everything that goes in and out of their e-mail servers and block access to non-company servers. E.g. my buddy works at a bank and their systems prevent any external Web 2.0 technology from functioning (so no MySpace, Hotmail, Facebook, IM, etc.)

ETA: Emails have been admissible in court for years, but the rules have just been much more formalized, and the rules cover any media that may be introduced in the future.

Of course, they’re also useful for proof if the only thing being disputed is your memory, not your integrity. All else being equal, a witness with some sort of record of events is more reliable than one who’s just remembering them. See, for instance, the recent thread on the unreliability of human memory.

It’s trivially easy to modify e-mail stored on a local machine. Yes, you could show a client an e-mail with a relevant date and time stamp and the correct headers, but the body of the message could be completely changed and there would be no sign of it in the e-mail application.

There is a difference between showing a client a CYA email to prove you did what you said and a forensically collected email provided for discovery.

I’m sort of an expert on this stuff. I worked for years in a consulting firm that specializes in computer forensics, electronic discovery, litigation consulting and related services. Now I work on a team in a Fortune 500 company that advises the legal department on those same issues.

Basically, emails and other electronic files are considered evidence and are often provided during the discovery process of a legal proceeding or other investigation.

Your email generally resides on a server somewhere. It may also reside on old backups of that server or in a dedicated archiving system specifically designed to retain email (e.g. Zantaz is a popular tool), even if you delete it. Even if it didn’t, forensic experts can collect local email from the sender and the recipient. We can use tools to capture an exact copy of your hard drive and thus maintain proper chain of custody, in that they can prove the files they have are the same as when they collected them from you. When an analysis is performed, we can see that the emails don’t match or that metadata (i.e. modified date, modified by) has been changed when the email was edited.

It’s pretty big business actually.

Some interesting links:

http://www.thesedonaconference.org/
Rules & Policies | United States Courts (link to Federal Rules of Civil Procedure)
Most large accounting and IT/management consulting firms have ediscovery and computer forensics practices as well as many small ones and specialized service providers.
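As an added illustration of the comparison the poster above describes (not code from the poster or from any forensics vendor), the Go program below takes two copies of one message, records a SHA-256 fingerprint of each at collection time, lists the Received headers in delivery order so the relays that touched the mail can be read off, and then compares identifying headers and body separately. The two messages, hosts, addresses, Message-ID and timestamps are constructed for this example; in the “local” copy only the body has been edited, so the headers agree and the fingerprints and bodies do not.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Constructed sample headers shared by both copies; every value is invented.
const commonHeaders = "Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n" +
	"\tby archive.example.net; Mon, 3 Mar 2008 10:15:02 +0000\r\n" +
	"Received: from client.example.com ([192.0.2.55])\r\n" +
	"\tby mx.example.net; Mon, 3 Mar 2008 10:15:01 +0000\r\n" +
	"Message-ID: <20080303101500.abc123@example.com>\r\n" +
	"Date: Mon, 3 Mar 2008 10:15:00 +0000\r\n" +
	"From: client@example.com\r\n" +
	"To: me@example.net\r\n" +
	"Subject: Project scope\r\n\r\n"

// The copy retained on the company's mail archive.
const serverCopy = commonHeaders + "Please deliver the report by Friday.\r\n"

// The same message from a local mailbox after its body was edited. Every
// header, Message-ID and Date included, is unchanged, which is why looking
// at headers alone does not reveal the edit.
const localCopy = commonHeaders + "Please deliver the report by next Monday.\r\n"

// Fingerprint is the SHA-256 of the raw message bytes. An examiner records it
// when the copy is collected; recomputing it later shows the file has not
// changed since collection (the chain-of-custody check).
func Fingerprint(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// ReceivedPath returns the Received headers in delivery order. Each relay
// prepends its own Received line, so the header nearest the top is the last
// hop; reversing the list reads the route from sender to recipient.
func ReceivedPath(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	hops := msg.Header["Received"]
	path := make([]string, 0, len(hops))
	for i := len(hops) - 1; i >= 0; i-- {
		path = append(path, hops[i])
	}
	return path, nil
}

// Diff records which parts of two copies of one message agree.
type Diff struct {
	SameMessageID bool // both copies claim to be the same mail
	SameHeaders   bool // Message-ID, From, To, Date and Subject all match
	SameBody      bool // message text matches byte for byte
}

// Compare parses both copies and compares identifying headers and body
// separately, so the reader can see which part was altered.
func Compare(a, b string) (Diff, error) {
	ma, err := mail.ReadMessage(strings.NewReader(a))
	if err != nil {
		return Diff{}, err
	}
	mb, err := mail.ReadMessage(strings.NewReader(b))
	if err != nil {
		return Diff{}, err
	}
	bodyA, err := io.ReadAll(ma.Body)
	if err != nil {
		return Diff{}, err
	}
	bodyB, err := io.ReadAll(mb.Body)
	if err != nil {
		return Diff{}, err
	}
	same := func(key string) bool { return ma.Header.Get(key) == mb.Header.Get(key) }
	d := Diff{SameMessageID: same("Message-ID"), SameBody: string(bodyA) == string(bodyB)}
	d.SameHeaders = d.SameMessageID && same("From") && same("To") && same("Date") && same("Subject")
	return d, nil
}

func main() {
	fmt.Println("server copy:", Fingerprint(serverCopy))
	fmt.Println("local copy: ", Fingerprint(localCopy))
	path, err := ReceivedPath(serverCopy)
	if err != nil {
		panic(err)
	}
	for i, hop := range path {
		fmt.Printf("hop %d: %s\n", i+1, hop)
	}
	d, err := Compare(serverCopy, localCopy)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", d)
}
```

The fingerprint is what survives a dispute: it proves the collected file is the one being presented, not that its contents are true. Deciding which of two disagreeing copies is the original still needs an independent source, such as the archive on the other party’s server, which is the point the poster makes.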

So basically the validity of e-mails is determined by comparing two or more backups/copies of the e-mail? Why couldn’t the backups be tampered with as well, or why couldn’t the e-mail be altered immediately, before it was backed up?

I’m sure what you say is true about fortune 500 companies and many others, but it’s really not true of thousands of small-to-medium sized companies where the job of setting up a mail server was grabbed by whatever random geek could figure it out. I set mine up for my current company, and I personally have the power to edit any message stored on it, including backups. So do several other people. It does a simple job simply and we have no desire (or requirement, as I understand it) to add any sort of auditing to it.

Yes, it is not out of the realm of possibility that you could modify or delete an email. But why would you, random IT geek, do so? What are you covering up and for whom?

Let’s say you do work for a company of 5 of your close friends or family and your email is run off an Exchange server sitting in your basement. Sure, you could go in and mess around with it easily enough. But you sent those emails somewhere. Say you were in a dispute with some mid-sized company with a dedicated IT staff and formal backup procedures. A court is not going to assume that the mid-sized company just fabricated a bunch of emails for its own benefit.

Or let’s pretend your small company hires a woman to work for you. She gets fed up and quits because you keep forwarding sexual emails to her. You can delete them from the server, but what if she forwarded them or printed out copies?

In most cases though, you, as the email support guy, probably have little to no interest in any of it and really would have no reason to modify an email.
The point is, we aren’t lawyers (although some are). Our job is to go in, collect whatever we can in a forensically sound manner and help the lawyers piece together their case with what we can find. It is the lawyers’ job to argue the merit and reliability of each bit of evidence and it’s opposing counsel’s job to counter-argue and discredit it.

All you need to know is that yes, email and other ESI (electronically stored information) is accepted as evidence and, provided it is collected in a forensically sound manner and chain of custody is preserved, the burden is on you or your lawyers to prove that it has been falsified.

Well, the backups could be tampered with as well, but it’s harder. And more importantly involves more people. Everybody has probably regretted something in an e-mail at some point. But the number of those things that the IT person for the company also has cause to regret are pretty small. And at a larger company, it would take more than one IT person and some really sophisticated work to hide the tampering.

Of course, tampering with the backups at the company of the other end of the e-mail is quite a bit harder on every level.

I was an IT admin and the real problem I had was proving the person sent the email.

I have never been in an office that practiced good privacy. We would get sexual harassment complaints and if all that was had was an email, it would be basically no proof.

Because you can’t PROVE the guy wrote it. Nine times out of ten, people leave their computers unattended and open. Anyone could sit down and write an email.

Unless you can PROVE that person was at his computer at that time (and not in the bathroom etc).

We had a few sexual harassment complaints get as far as court with just an email and the company won, because the complainant couldn’t prove the message was sent by the person. If the person just said “I was set up,” you have to prove he sent it.

The company would try to write him up and in these two cases they got lawyers back at the company for creating a hostile working environment because the write-up was directed solely at them and no other employees.

So in absence of other evidence, an email alone even if verified is pretty worthless.

This is why everybody should be signing their emails using PGP. But of course, very few people do. Why businesses don’t require PGP is beyond me.

Because encryption is a turrist tool and only pedophiles use it. Honestly, having it on your hard drive is a hair away from prima facie evidence you want to rape Obama’s daughters while overthrowing the government.

The real answer to the OP is that email can be modified at any point in the chain in any way imaginable, and it’s impossible to prove that it wasn’t unless it’s cryptographically signed:
  • Headers can be added, changed, or removed.
  • The content of the body can be modified in any way imaginable.
  • The headers are usually not checked to begin with. The From: field, for example, can be set to anything the sender wants, and it’s very rare any computer in the chain will even notice.
  • Even if they are not explicitly modified, the headers only tie the email to a computer or an account, not a person. This is mitigated by cryptography if everyone carries around their private key on a USB thumb drive and never shares it with anyone else.

Cryptography only works if it is used correctly, of course, and it can be subverted by morons just like anything else. Key sharing is probably the biggest risk: Jack loaning Jill his key because she lost hers or something along those lines means you no longer know whether Jack or Jill sent those emails. It is, however, potentially better than nothing.
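To make the signing argument from the post above concrete, here is an added Go example (not the poster’s code, and not PGP itself; it uses Ed25519 from Go’s standard library in place of a PGP implementation to keep it dependency-free). It signs a canonical form of the From, To, Date, Subject and Message-ID headers plus the body, then shows that editing the body or rewriting the From: line makes verification fail, while a relay adding Received lines would not, because those are outside the signed set. The message, addresses and Message-ID are constructed; the key pair is generated on each run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Headers the signature covers. Anything outside this list (for example the
// Received lines each relay adds) may change in transit without affecting
// verification. Assumed list for this example, chosen to bind sender, date
// and subject to the body.
var signedHeaders = []string{"From", "To", "Date", "Subject", "Message-ID"}

// Constructed sample message; addresses and Message-ID are invented.
const headers = "Message-ID: <20080303101500.abc123@example.com>\r\n" +
	"Date: Mon, 3 Mar 2008 10:15:00 +0000\r\n" +
	"From: jack@example.com\r\n" +
	"To: jill@example.net\r\n" +
	"Subject: Project scope\r\n\r\n"

// Original is the message as Jack signed it.
const Original = headers + "Please deliver the report by Friday.\r\n"

// EditedBody is the same message with the body rewritten after signing.
const EditedBody = headers + "Please deliver the report by next Monday.\r\n"

// SpoofedFrom keeps Jack's body but rewrites the From: line, the kind of
// header change the post says nothing in the chain will notice.
var SpoofedFrom = strings.Replace(Original, "jack@example.com", "boss@example.com", 1)

// canonical produces the bytes that are signed: the covered headers in a
// fixed order, a blank line, then the body with CRLF folded to LF so a relay
// that rewrites line endings does not break the signature.
func canonical(raw string) ([]byte, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	var b strings.Builder
	for _, h := range signedHeaders {
		fmt.Fprintf(&b, "%s: %s\n", h, strings.TrimSpace(msg.Header.Get(h)))
	}
	b.WriteString("\n")
	b.WriteString(strings.ReplaceAll(string(body), "\r\n", "\n"))
	return []byte(b.String()), nil
}

// NewKeyPair makes a fresh Ed25519 key pair. The private half is the part
// the post says must never be loaned out.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign returns a base64 signature over the canonical form of raw.
func Sign(priv ed25519.PrivateKey, raw string) (string, error) {
	c, err := canonical(raw)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, c)), nil
}

// Verify reports whether sig was produced over raw by the holder of the
// private key matching pub. False means a covered header or the body no
// longer matches what was signed, or the wrong key was used. True says the
// key holder signed it, not which person was at the keyboard.
func Verify(pub ed25519.PublicKey, raw, sig string) bool {
	c, err := canonical(raw)
	if err != nil {
		return false
	}
	s, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, c, s)
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	sig, _ := Sign(priv, Original)
	fmt.Println("original verifies:    ", Verify(pub, Original, sig))
	fmt.Println("edited body verifies: ", Verify(pub, EditedBody, sig))
	fmt.Println("spoofed From verifies:", Verify(pub, SpoofedFrom, sig))
}
```

The limit the post states carries over unchanged: a valid signature ties the message to whoever held the private key, so a shared or unlocked key turns a true result into “Jack or Jill”, and an unattended logged-in workstation with a key loaded has the same problem the IT admin above describes.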

Of course I wouldn’t. But at the same time, I cannot personally vouch for the integrity of that email, so if you try to use it as evidence (especially against someone I want to defend), I might be inclined to point out the ways it could have been modified.

Of course e-mails and headers can be tampered with, the same as any sort of document can also be modified ex post facto.

Several points:

  • Most normal communications do not require that level of security.
  • PGP costs money and learning effort.
  • PGP relies on a “web of trust” which may not have official validity while signatures with security certificates issued by government authorities and/or other certification authorities do have official validity.

I use PGP regularly for my own encryption and to communicate with friends, often without special need but just because I feel I want to use it so that it cannot be said I use it because I have something to hide.

But for official signatures I have a certificate issued by the Spanish government. This is my valid proven signature for all official purposes.

A single email maybe. An ongoing pattern of detailed back and forth communications, unlikely.

You start getting into issues of “reasonableness”. Is it reasonable that someone used your computer while you were in the bathroom? Is it reasonable that they had the same detailed level of knowledge of whatever subject as you do? Is it reasonable they snuck in to use your computer to send those communications over a period of weeks or months? Or that Martians spoofed your email address?

I’d be interested to hear from legal types if the OP’s question has different answers in a civil vs. criminal proceeding.

Also, in criminal terms, would the act of going back to the server and altering an e-mail record constitute some kind of forgery, in and of itself? (I’m aware that if the act were carried out in anticipation of records being searched that some kind of “obstruction of justice” charge might apply.)