Two posts ago, I speculated on the future need for real witness chairs and suggested that the birth of quantitative law was nearing. In quantitative law, compliance would be measured, not judged. The recent indictments against Chinese government employees provoked the discussion. Now, a new development accelerates the need to ask, “What digital information can be trusted as evidence of the truth?”
Many press reports covered the indictment and arrest in Canada of Su Bin, described as a Chinese citizen and permanent resident living in Canada. Su is accused of stealing production data from Boeing’s systems on several military aircraft and then attempting to sell that data to Chinese buyers. The US government asked Canada to arrest him and extradition proceedings are anticipated.
Now we have a case far more certain to provoke the tough questions and answers about digital information as evidence (as compared to the indictments of Chinese military employees described in my earlier post). Put yourself in the position of Su’s attorneys—what questions need to be asked to create “reasonable doubt” that the digital information offered as evidence has not been fabricated, edited, or otherwise tainted?
Now, the witness chair is still needed, because those attorneys need some person to testify. The testimony, and cross-examination, is no different than what we see on television regarding a gun found at the scene of a crime. But the questions, and the answers, are much more nuanced. Digital evidence is not yet self-authenticating. Someone (or many someones) must swear to tell the truth and then testify about the collection and preservation of the evidence.
News reports indicate the FBI first informed Boeing their computers had been compromised. What systems were accessed? What consents had been provided? What legal authority had been obtained (such as a search warrant) to do so? How were the digital records ‘touched’? By whom? How was their integrity maintained? Or, in other words, what was the digital ‘evidence locker’ used to preserve the information? Did Su truly hack into Boeing’s systems or was he able to exploit weaknesses elsewhere (such as a patent lawyer’s office system, or a third party cloud service provider, or a military system)?
This case, and others, still raise the thorny issues of “minimum contacts” and international law—can a sovereign government prosecute and convict someone who is never physically present in the country? What digital ‘presence’ is required to proceed with that prosecution?
But, even as these tough questions deserve to be asked, the emergence of quantitative law relies on a different table setting, one in which digital information that has been created and maintained pursuant to known rules and protocols can be self-authenticating—meaning the evidence itself proves its authenticity. Only then will the witness chair be offered for sale.
How do we get to that point in our legal and social evolution? What steps will be needed? A new architecture is required, and that is exactly what my new book unfolds.