Benjamin Dynkin and Barry Dynkin
Benjamin Dynkin and Barry Dynkin ()

We live in a truly digital age. 2.5 exabytes of data are created each day. Mikal Khoso, “How Much Data is Produced Every Day?,” Level Blog (May 13, 2016). Put in other words, we fill 250,000 Libraries of Congress per day. This data comes in all forms, and particularly with the rise of the Internet of Things (IoT), more and more of that data contains information about people, rather than just the systems themselves. Tamara Dull, “Big data and the Internet of Things: Two sides of the same coin?,” SAS Institute. Naturally, this data has begun to seep into our legal system, but lawyers and litigants have not paid close enough attention to how that data can be used to attack witness credibility on the stand. All those who own late model automobiles, computers, smartphones, smartwatches, etc., walk around with a cloud of surrounding data. That cloud is constantly gathering information on where they are, what they are doing, who they are with, and what is happening around them. With a clever forensic technician, an attorney can request access to, and analyze a nigh unlimited amount of data, which can be used to impeach a witness’s credibility to devastating effect.

Unlike social media, where individuals know what they put online for public consumption, people are generally unaware of what data they are generating and retaining and how it can be used against them.

What Data Is Being Created

While most litigators are aware of certain common repositories of data, such as emails, digital documents, and text messages, almost every Internet-connected device generates a wealth of data of which most of us remain blissfully, or dangerously, unaware. For example, cellphones, by default in most cases, actively track their owners, and create map overlays showing where someone has been, what routes were taken, and how long they remained in any particular place. Cars, for example, have “black boxes” that are constantly gathering a variety of information about the car. In the event of a crash, it records all of the data for a set period of time leading up to the crash. Data recorded generally includes: vehicle speed, throttle position, airbag deployment times, whether the brakes were applied, if seatbelts were worn, steering angles and more. Some manufacturers may also have additional data points, including GPS location, video and audio of the car cabin. Navigation systems and other on-board computers can record even more data. Fitness trackers, such as the popular Fitbit, store data on an individual’s level of activity, location, what he or she was doing, and much more. Putting together the data recorded from any one of these devices or, even more effectively, the data from two or more of these devices, a skilled analyst can decipher almost any detail about the life of the device’s owner and compare that evidence against the narratives proffered by parties in a case. Simply put, there is a lot of very specific, very private, and very potentially unfavorable data being created.

Finding Data; Protecting Clients

When considering sources of evidence, creativity—rather than rote and routine—should govern. Digital forensics, though a science, has a substantial degree of artistry to it as well. Lawyers and technical experts must think critically and carefully about what data might exist, where it might be recorded, and how best to collect, preserve, and analyze it. In certain instances, the potential value of the data must be weighed against the monetary costs of obtaining it, and the risk of aiding the claim of the adversary in the matter. With the rapid growth of connected devices, it is impossible to create a comprehensive checklist; rather, carefully interviewing your client and collecting broadly will ensure that as much of the relevant data as possible is captured and preserved. It is important to recognize that all of this data is theoretically subject to preservation obligations and, generally, discoverable unless subject to a particular exception. Unlike other forms of traditional paper discovery, metadata (aka data about data) is relevant and can further complicate and confound considerations related to data preservation and analysis. These are several of the issues that are central to digital forensics in litigation.

Digital forensics is a complex, highly technical discipline that requires not only legal but also substantial technical expertise as well. It is advisable to seek the aid of a forensic expert who can find, collect, preserve, and analyze all relevant data. Importantly, a forensic expert does not merely assist with finding data, but also serves the critically important function of ensuring that no potentially relevant data is destroyed. Digital evidence can, without a careful hand, very easily be altered or deleted. Not only could this compromise the claim of the client, but it could ultimately result in potentially severe liability for the client, the forensic expert, and the attorney.

Metadata: Good, Bad and Ugly

Even with the use of a forensic expert, the sheer quantity, multiplicity, and complexity of metadata make its collection and analysis a particularly complex and confounding matter. Metadata includes everything from timestamps on documents, to prior versions of the document, to the location where the data was generated and everything in between. While this metadata can be extremely valuable for understanding and contextualizing the data being analyzed, in many circumstances metadata can be a difficult thing to preserve, process and interpret, and can also be a potential source of spoliation allegations from opposing counsel. See, e.g., Digital Preservation Metadata Standards, 22 Information Standards Quarterly 5 (2010). Something as simple as copying a file to a new location can irrecoverably alter a file’s metadata.

Using Data at Trial

Authenticating Digital Evidence. While using digital evidence can often be essential to a case, there can be many obstacles to its use, most notably, getting the evidence admitted. While there are no definitive cases that discuss the admissibility of IoT digital evidence, there are several well-established standards which broadly govern the admissibility of electronically stored information (ESI) more broadly. These standards generally apply in full force to IoT digital evidence. U.S. District Judge Paul Grimm’s opinion in Lorraine v. Markel American Insurance, 241 F.R.D. 534, 538 (D. Md. 2007), set forth a comprehensive guide for admitting ESI into evidence. The Lorraine standard begins with determining the relevance of the data and ends with balancing the probative value of the data with the danger of unfair prejudice. In relevant portion, the court stated:

Whenever ESI is offered as evidence, either at trial or in summary judgment, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 [ … ]; (2) if relevant under 401, is it authentic as required by Rule 901(a); [ … ]; (3) if the ESI is offered for its substantive truth, is it hearsay as defined by Rule 801, and if so, is it covered by an applicable exception [ … ]; (4) is the form of the ESI that is being offered as evidence an original or duplicate under the original writing rule, of [sic] if not, is there admissible secondary evidence to prove the content of the ESI [ … ]; and (5) is the probative value of the ESI substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Rule 403, such that it should be excluded despite its relevance. Preliminarily, the process by which the admissibility of ESI is determined is governed by Rule 104, which addresses the relationship between the judge and the jury with regard to preliminary fact finding associated with the admissibility of evidence. Because Rule 104 governs the very process of determining admissibility of ESI, it must be considered first.

This standard certainly presents a high bar for a proponent to meet, but it is certainly both a clearly ascertainable standard and a standard that can be met in many cases. Once met, it presents a clear path for the evidence to be used at trial.

Impeaching a Witness. With the foregoing background on digital evidence, and specifically IoT evidence above, we now turn our attention to actually using the evidence in court. While this evidence can serve many functions, one of the most effective uses for IoT evidence is for impeachment of a witness’s credibility. Thus, we present a potential use case for the evidence, paired with theoretical deposition and courtroom testimony. This is not the only use case, but it certainly demonstrates how the evidence can be used very effectively.

Imagine the following scenario: A defense counsel is retained by a company that is alleged to have negligently dealt with ice on the sidewalk, resulting in the plaintiff falling and fracturing their L3-L4 vertebrae. The plaintiff claims significant loss of motion, the ability to walk, and other associated damages. Defense counsel found out that the plaintiff wears a fitness tracker. Defense counsel requested the forensic data contained in the tracker, which was produced. Even though the fitness tracker was not set to store data to an online account (assume that plaintiff never set one up), the device still recorded GPS location, level of activity, and other fitness data. This data shows that every morning the plaintiff would engage in strenuous activity that brought him through Central Park, and that there was a rapid increase in his step count and heart rate. This evidence points, quite conclusively, to the fact that the plaintiff went on long morning runs both before and after his alleged injury. The plaintiff, knowing that he had no account, and that the data was not recorded on the cloud, testified as follows during his deposition:

Q: Have you been able to engage in a similar level of activity as you were before your fall?

A: No, since the accident, I have been severely limited in my activity level

Q: So, you cannot go on runs as you used to?

A: No, I haven’t gone on a run since the accident.

Q: Have you been able to engage in any other cardio activity?

A: I have been able to do some limited cardio with my physical therapist, but I have not done any strenuous activity on my own.

Q: Before the accident you used to go on runs through Central Park, have you been able to do so since?

A: I have walked on limited occasions through Central Park to enjoy the scenery, but I have not run through Central Park.

Q: So no running?

A: No.

Q: And no strenuous activity?

A: No.

Defense counsel has now locked the plaintiff into his answers, but has prudently chosen not to confront the defendant with the evidence, saving it for impeachment at trial. The cross examination could be something along the following lines:

Q: You’ve been unable to live an active life since the accident, true?

Q: In fact, before your accident you used to go on daily runs correct?

Q: And since the accident, you’ve been limited to light walks right?

Q: You would never be less than truthful regarding your physical capacity correct?

Q: You wear a fitness tracker correct?

Q: Fitbits monitor physical activity correct?

Q: In fact, a fitness tracker can show how many steps you’ve taken, where you’ve been, and your heartrate during that time, correct?

At this time defense counsel shows a printout of a run that plaintiff did before the accident through Central Park.

Q: You ran this route on [DAY], correct?

Q: You ran this route in 2 hours, correct?

Q: That would be considered active, correct?

Q: In fact, it would be considered strenuous activity, correct?

At this time defense counsel shows a print of a run that plaintiff did after the accident through Central Park and confronts him with the damning evidence, showing the contradictions in testimony presented by the testifying witness.


Understanding the complex world of digital evidence and digital forensics is necessary to be able to effectively use and combat it at trial. Big data is here to stay, and those attorneys who are able to adapt to and adopt the above issues and opportunities will become the new norm. There are multiple considerations, from technical questions, to metadata preservation, to effectively conveying the information to a jury, all of which require the care and attention of an attorney who is not frightened of a deep dive into technical issues, and is also capable of presenting that information in a clear and cogent manner to a jury.