Explanation of the hidden data that can provide evidence about a document, and US authority on discovery of such evidence

The camera never lies, they say. Perhaps, but digital cameras can be economical with the truth. When you fire the shutter on a digital camera, it records more than just an image. With each photograph, the camera also attaches descriptive data – information such as date and time, make and model of camera, various exposure and balance settings, and whether flash was used. Potentially, as many as 300 types of data can be attached including Global Positioning System (GPS) coordinates, pinpointing where the photograph was taken. (Most digital cameras cannot be connected to a GPS receiver. But Frederik Ramm, a German software engineer, recently toured Northern Scotland with such a device, posting his exploits on the web in the form of a geographically navigable blog.)

This example is cited to underscore the proposition that assuming WYSIWYG (What You See Is What You Get) represents an unsafe approach to the provenance of electronic evidence. All digital documents and emails have their own hidden repositories of data. It is a question of knowing where and how to look for it.

Given that the legislative framework for the increased usage of email and electronic contracts has been in place in the UK for almost five years, it is remarkable how little case law exists. Litigators will however do well to start thinking beyond face value in respect of evidence gathering.

The Electronic Communications Act 2000 provides in section 7 (electronic signatures etc):

“(1) In any legal proceedings – (a) an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and (b) the certification by any person of such a signature, shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data.”

This provision is properly viewed as offering an evidential platform for the proof of digitally signed electronic transactions. It does not have the effect of rendering digitally signed emails self-proving, however desirable that might ultimately be from the perspective of bringing true e-conveyancing a step closer. A digitally signed email from A to B purporting to dispone A’s property to B would not as Scots law stands be a valid transfer of A’s interest since the email does not comply with the current formalities prescribed by the Requirements of Writing (Scotland) Act 1995. At best the digital signature would enable B, by leading certification evidence “from any person”, presumably the certification authority that issued the digital certificate, to repudiate a suggestion that A did not send the email, or that it had been tampered with and was not originally sent by A in the form that B received it. Section 7 therefore at best introduces a rule of evidence. As conveyancing law stands, the physical delivery of a disposition is also required to complete the transfer of title to heritable subjects: there is no room yet in Scots law for digital dispositions, or the abolition of dispositions. (A more interesting question outwith the scope of this article is whether digital missives are already competent as a matter of EU jurisprudence, standing article 9 of the E-Commerce Directive (2000/31/EC), which requires member states to allow “contracts” to be concluded by electronic means; and why the UK and Scottish Parliaments have opted out from the obligation to give article 9 legislative effect.)

Bearing the above in mind, and on the hypothesis that Scots lawyers will in the near future require to become more familiar both with the proof of electronic transactions and the treatment of electronic evidence, it is instructive to consider (a) what the current approach of the US courts is towards retrieval of electronic evidence, together with their view of the responsibilities of parties or their representatives during litigation; and (b) the general concepts, thought processes and degree of analysis required to extract maximum benefit from digital documents.

Electronic retrieval in the USA

During 2003 and 2004, District Court Judge Shira A Scheindlin issued five seminal opinions in the case of Zubulake v UBS Warburg, the first definitive judicial statement in the United States on electronic discovery issues. Three are noted here. The issues raised included:

  • the scope of a party’s duty to preserve electronic evidence during litigation;
  • a solicitor’s duty to monitor their clients’ compliance with electronic data preservation and production;
  • data sampling;
  • who pays the cost of restoring “inaccessible” digital information;
  • sanctions for violation or destruction of electronic evidence.

Cost shifting

The first case was Zubulake v UBS Warburg 217 FRD 309 (SDNY 2003). In a sex discrimination claim the defendant produced 350 pages of documents, including approximately 100 pages of email. The plaintiff knew more email existed and that the defendant had failed to produce it: she had already produced approximately 450 pages of email. She requested that the defendant produce emails from its archives. The defendant asked the court to shift the cost of production to the plaintiff. Starting from the premise that a court should consider cost-shifting only when electronic data is relatively inaccessible, the court came up with a seven-factor test: (1) the precision of the plaintiff’s request; (2) the availability of the information from other sources; (3) the overall cost of production compared to the amount in dispute; (4) the total cost of production compared to the resources available to each party; (5) the relative abilities of each party to control costs and its incentive to do so; (6) the importance of the subject matter of the litigation; and (7) the relative benefits to the parties of obtaining the information. Ultimately the court ordered the defendant to produce, at its own expense, all email replies existing on its optical disks, servers, and five backup tapes (selected by the plaintiff). The court held that it was unable to decide the question of cost-shifting until after the contents of the backup tapes had been reviewed, and the defendant’s costs quantified.

Duty to preserve in anticipation

In the fourth Zubulake decision, 220 FRD 212 (SDNY 2003), it had been discovered after the restoration of deleted emails that certain backup tapes were missing and that emails had been deleted. The plaintiff moved for evidentiary and monetary sanctions. The court held that the defendant had a duty to preserve the missing evidence. It should have known that the emails might be relevant to future litigation. “Almost everyone associated with Zubulake recognized the possibility that she might sue,” stated the judge. The court also held that the defendant had failed to comply even with its own retention policy, which would have preserved the missing evidence. But ironically the judge found that although the defendant had a duty to preserve all of the backup tapes at issue, and destroyed them with the requisite culpability, the plaintiff could not demonstrate that the lost evidence would have supported her claims.

Compliance duties of solicitors

In the fifth judgment, Zubulake v UBS Warburg 2004 WL 1620866 (SDNY 20 July 2004) the employee moved for sanctions against the employer for failing to produce backup tapes containing relevant emails and failing to produce other relevant documents in a timely manner. Holding that the employer had wilfully deleted relevant emails contrary to court orders, the court granted the motion for sanctions and also ordered the employer to pay costs. The court held defence counsel partly to blame. Counsel had failed in its duty to locate relevant information, to preserve that information, and to produce that information in good time. The court stated: “Counsel must take affirmative steps to monitor compliance so that all sources of discoverable information are identified and searched.” The court concluded that solicitors are obliged to ensure all relevant documents are discovered, retained, and produced. The court went on to say that litigators were required to guarantee that all identified relevant documents are preserved by placing what it called a “litigation hold” on the documents, communicating to clients and third parties the need to preserve them, and arranging for safeguarding of relevant archival media.

The formats of electronic data

How far into the digital murk is a solicitor required to peer in order to perform these duties to the satisfaction of a court? To answer this question it is necessary to understand something of (a) the differing generic terms applicable to the data format of stored electronic data; and (b) the “metadata” relevant to, for example an individual Word document, spreadsheet, or email.

Four broad categories of electronic data exist. Active data is what is held on the hard disk of your computer. To access this data one need do no more than turn on the machine. Replicated data describes the copies of data automatically created by your computer when, for instance, one visits a web page or opens an email attachment. Backup data is self-explanatory and habitually resides on floppy disks, tapes, removable hard disks, or rewritable CD-ROMs (CD-RW) or DVDs (DVD-RW). Lastly, residual data is that data which has been “deleted” from active use but is still to be found in the farthest-flung regions of the hard disk. This is the data described in Zubulake as “inaccessible”.

All four categories may contain discoverable information, but anything other than active data may require expert technical input to recover it and place it into a comprehensible form. In Zubulake, UBS Warburg informed the court that it would cost approximately $300,000 to restore and produce emails held on backup tapes. Against such a possible cost exposure, parties may reasonably wish to restrict their scrutiny to the active data, since this of itself may yield much hidden information as to date, time, and provenance of each document. This hidden information is referred to as each electronic document’s “metadata”. It has been likened to DNA testing for computers – not really a perfect analogy but one that serves to emphasise the concepts of individual persona and parentage.


Metadata is information about an electronic document that is routinely recorded in the background, as it were, by the software creating the document. Basic metadata includes:

  • User name and computer name.
  • Comments and tracked changes that may not be displayed. This is a particular trap for the unwary. Often pleadings are exchanged by email showing change tracking – from this it is possible to deduce which areas have received repeat visits by the author, indicative perhaps of some uncertainty or doubt as to the appropriate form of words, or the strength or appropriateness of a point.
  • Embedded objects such as Excel worksheets, drawing objects, and pictures.
  • PivotTable® cache.
  • The file name of the document.
  • The author of the document, at least as far as the computer is concerned. A document that has undergone a multitude of revisals poses a particular challenge and parol evidence may be required as to how the computer came to regard the author as such.
  • The organisation the document originated from. This might be important in cases of intellectual property theft, or copyright infringement. In June 2003 the author was involved in a case where a motion for expert examination of metadata was enrolled precisely to determine such a point – the action settled before the issue could be tested.
  • The file’s location on the computer system.
  • Speaker notes on presentations.
  • Time and date information: when the file was created.
  • Hidden text, worksheets, data columns, and data rows.
  • When the file was last opened.
  • When the file size changed – usually a clue that the file has been altered.
  • Who saved the file most recently.

The foregoing are examples of straightforward metadata that an in-house IT department may be able to recover. When examining any file’s metadata, the same elementary rule as for fax machines applies – check the time and date setting of the computer before embarking on the exercise.
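The following added example (not part of the original article) shows how several of the items listed above can be read back out of a file before it is disclosed or sent. It assumes the later Office Open XML (.docx) format rather than the Office 2003 binary format the article discusses; the function names and the sample document are constructed for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer the defusedxml package
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}
W = "{%s}" % NS["w"]
FIELDS = [("core", "author", "dc:creator"), ("core", "last_saved_by", "cp:lastModifiedBy"),
          ("core", "created", "dcterms:created"), ("core", "modified", "dcterms:modified"),
          ("app", "organisation", "ep:Company")]

def audit_docx(data: bytes) -> dict:
    """Report metadata a recipient could read from a .docx supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        def load(part):
            return ET.fromstring(z.read(part)) if part in z.namelist() else None
        trees = {"core": load("docProps/core.xml"), "app": load("docProps/app.xml")}
        body, notes = load("word/document.xml"), load("word/comments.xml")
    found = {key: trees[t].findtext(path, "", NS)
             for t, key, path in FIELDS if trees[t] is not None}
    # Tracked insertions and deletions remain in the file even when not displayed.
    found["tracked_changes"] = [] if body is None else [
        (el.tag[len(W):], el.get(W + "author"), "".join(el.itertext()))
        for el in body.iter() if el.tag in (W + "ins", W + "del")]
    found["comments"] = [] if notes is None else [
        (c.get(W + "author"), "".join(c.itertext())) for c in notes.iter(W + "comment")]
    return found

def build_sample() -> bytes:
    """Constructed sample: only the parts the audit reads, not a full Word file."""
    ns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    parts = {
        "docProps/core.xml": "<cp:coreProperties %s><dc:creator>A. Drafter</dc:creator>"
            "<cp:lastModifiedBy>B. Reviser</cp:lastModifiedBy>"
            "<dcterms:created>2005-01-10T09:00:00Z</dcterms:created></cp:coreProperties>",
        "docProps/app.xml": "<ep:Properties %s><ep:Company>Example LLP</ep:Company></ep:Properties>",
        "word/document.xml": "<w:document %s><w:body><w:p><w:r><w:t>We offer 50,000.</w:t></w:r>"
            '<w:del w:author="B. Reviser"><w:r><w:delText>We could go to 75,000.</w:delText></w:r></w:del>'
            "</w:p></w:body></w:document>",
        "word/comments.xml": '<w:comments %s><w:comment w:author="A. Drafter"><w:p><w:r>'
            "<w:t>Is this point weak?</w:t></w:r></w:p></w:comment></w:comments>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml % ns)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

On the constructed sample the audit returns the drafter, the last person to save, the organisation, the deleted sentence and the undisplayed comment, none of which appears in the visible text.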

More esoteric metadata is available, such as information confirming when a document was last saved or last printed. The procedure for recovery is more advanced and in all probability an expert witness will need to be called in – if not already involved. For example the identity of the last 10 authors of a document can be ascertained, and clearly that may be significant information. However Microsoft Office 2003 includes a tool for removing this information. Microsoft also provide comprehensive information and tips for the removal of metadata (http://office.microsoft.com/en-us/assistance/HA011400341033.aspx). Both Office 2003 and Windows XP include a Remove Hidden Data function which “Creates a new version of your document without comments, revisions, or file properties that you might not want others to see”. Running this facility however in itself creates a Notepad file showing that the document has been “wiped”, when and by whom. Presumably any such file would also be deleted – so is it safe for the curious legal adviser to proceed without also undertaking a forensic search for incriminating deleted Notepad files?

Where does this leave the solicitor diligently attempting to comply with the Zubulake guidelines? Picking up the phone to an IT expert sooner rather than later, in all probability. And you thought technology existed to make your life easier.

Paul Motion is a partner with Ledingham Chalmers, is Convener of the Law Society of Scotland’s E-Commerce Committee, and Chairman of the Scottish Society for Computers and Law.
