Emails can be a great source of evidence but they pose some problems.
When the police know that the emails of an individual contain evidence, do they read every single email in the account? It’s difficult to imagine they would, but how do they know they’re not missing information? They can do a search by keyword or sender but that could let important information slip by.
How does the prosecution show that the other party to the email conversation (against whom the information is being used as evidence) is indeed the defendant?
If it’s a civil case (say, a harassment case), how have courts balanced the right to privacy with the importance of having all relevant facts?
None of these questions are significantly different than evidence taken from telegrams. Courts have been dealing with this since before the Civil War, and have pretty clearly defined precedents for it. Someone with more legal background will probably be along soon to explain those details.
I am not that computer savvy, but can e-mails that were deleted still show up in full text on a hard drive? Assuming no, that means just the ones not deleted can be read. If they went to the trouble of securing a search warrant, they would read all of them.
Even if a person was arrested and happened to have a computer with them does not mean the police can open files without a warrant.
If a search warrant were issued for a home computer as you seem to imply, they will read everything.
Well, you seem to suggest a multi tenant/member household and WHO is responsible. If this is not the case, the burden of proof is not by Divine Providence, just beyond a reasonable doubt, if a criminal proceeding.
If it is a civil case, the Rules of Civil Procedure apply, and if there is a privacy issue for a witness, say after a subpeona is issued, s/he can move to Quash it.
It is? Document review is one of the principal tasks of discovery and plenty of junior associates (and, I imagine, rookie ASAs) toil away many many hours undertaking it.
I am not a lawyer, but from a technical perspective, tools exist to index email messages in a variety of ways. These assist in the search for relevant messages. And there’s always the fallback method of simply reading all the email messages, as Kimmy_Gibbler points out. In the latter case, you’d typically start by reading all message conversations to/from certain recipients, and then go from there.
Email server logs contain records of each machine that a mail message passes through. In principle, it is possible to trace the full path of mail messages from source to destination with proper access to the email logs on various systems. You still have the issue along the lines of “That wasn’t me; that was someone else hijacking my computer and email account, and using it without my approval”, but I assume there are other legal avenues and arguments to cover this.
Well, generally, police can’t legally just look through e-mails without the cooperation of either the sender or receiver, just like they can’t search someone’s house on a whim (without the person’s cooperation). They theoretically need a warrant* which will set out what the police are going to look through and what they are looking for. The police need to follow the terms of the warrant, but as long as the warrant doesn’t specify, it’s up to the police whether to search by keywords, or by reading each one.
*Not applicable in any case where ‘terrorism’ can be remotely invoked.
Of course the prosecution needs to prove that the sender/recipient was indeed the defendant; sometimes that’s going to be pretty simple, other times not so much.
That’s criminal cases, where there’s a crime and the DA is prosecuting someone. In civil matters (where John is suing Mary over something), then the police aren’t investigating anything. John can ask Mary to produce evidence, and typically the two sides’ lawyers will negotiate exactly what will be handed over, then Mary’s lawyer will review all the e-mails to decide which ones are relevant, and only give those to John’s lawyer (that’s the ‘document review’ mentioned above).
[In the US], when a warrant is issued, the rules of engagement are usually laid out pretty specifically. In general (in my experience), if the email data in question are being collected from local media (hard drive or similar), everything will get the quick once-over. If we’re talking more along the lines of an intercept (Title III - just like a phone tapping scenario), then the material is categorized as “pertinent” or “non-pertinent”; anything “non-pertinent” is discarded. The evidence collected must be relevant to the investigation.
This protects your momma’s brownie recipe and reduces the risk of abuse of authority (à la, “maybe your wife would like to know that we have 15 pages of sultry email to the girlfriend she doesn’t know about”).
The simplest technique is to search by keyword. Unless the person is speaking completely in code, some keyword will likely catch the necessary email(s). This will give clues for other keywords. If somewhere the perp says “Enron’s California Sales will be called the Midas Project” then obviously, the investigators would re-run a search for “Midas” and “Midas Project” - and so on… They find names, and see what else the person sent to that name, etc. Just like a real investigation. Eventually, someone has to read whatever pops up to see if there is relevance; but Google-type smart search tools can be pretty clever at times.
It’s not like they only get one shot at it. If it’s outright criminal rather than regulatory, they have a copy of the defendant’s computer to mess with and can keep searching. In regulatory, it’s obstruction of justice to delete stuff of interest to the regulators. Why go from your employer being fined a million dollars to you going to jail for obstruction?
Sarbanes-Oxley requires that internal communications for publicly-traded corps IIRC must be retained for a substantial period; even deleted emails are available, and also instant messages. As mentioned above, there are also email logs that can trace a message from submission to delivery, when it was read or downloaded to the PC, etc.
For private communication - if they use an email service, it’s likely they’ve been watched for a while and the police have gotten the email trails for every communication; what was sent, what IP sent and downloaded each message, etc. If the email is not deleted, and still available on the perp’s PC - right click with some email programs, look at properties and view headers, etc. and it tells you which email server the message came from, and when, and so on.
If the person has deleted the email, and not emptied the recycle bin, then the email is still there to look at. If email is deleted and removed from system, then the deleted files may still be there if the file is not consolidated and compressed. Deleted files are also sometimes recoverable, etc. Some encrypted files may be harder or impossible to crack, some are trivial.
Like physical forensic evidence, the question is how clever and thorough the person is in covering their tracks, and how much control they have over outside evidence; and how much time they had to clean up before the evidence was seized and removed from their control.
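Two posts above mention that each mail server a message passes through leaves a record, and that viewing a message's headers shows which server it came from and when. The following is an added example, not part of any post in the thread: it reads the `Received` headers of a constructed message, orders the hops oldest-first, and checks that the chain is internally consistent. The message, host names and addresses are made up for illustration.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and addresses are reserved example values.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with ESMTP id C3; Mon, 03 Mar 2008 10:15:09 -0500
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Mon, 03 Mar 2008 10:15:05 -0500
Received: from [192.0.2.44] (helo=desktop)
\tby smtp.sender.example with ESMTPA id A1; Mon, 03 Mar 2008 10:15:02 -0500
From: alice@sender.example
To: bob@recipient.example
Subject: Midas Project

Body text.
"""

def trace(raw):
    """Return the relay hops oldest-first; each server prepends its own line."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        info, _, stamp = flat.rpartition(";")   # timestamp follows the last ';'
        frm = re.search(r"\bfrom\s+(\S+)", info)
        by = re.search(r"\bby\s+(\S+)", info)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops[::-1]

def anomalies(hops):
    """Flag breaks in the chain; lines below the first trusted server are
    written by whoever sent the message and can be forged."""
    issues = []
    for prev, nxt in zip(hops, hops[1:]):
        if nxt["from"] != prev["by"]:
            issues.append(f"{nxt['by']} says it received from {nxt['from']}, "
                          f"but the previous hop was {prev['by']}")
        if nxt["time"] < prev["time"]:
            issues.append(f"timestamp at {nxt['by']} precedes the previous hop")
    return issues

if __name__ == "__main__":
    for hop in trace(RAW):
        print(hop["time"].isoformat(), hop["from"], "->", hop["by"])
    print(anomalies(trace(RAW)) or "chain is consistent")
```

A consistent chain shows only which machines handled the message; tying the first hop's address to a person still needs the server logs and other evidence the thread discusses.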