Several prior posts on this blog have addressed authenticating and admitting digital evidence like social media posts and text messages (see here, here, here, and here) and we’ve also previously covered the basic rules and requirements for using the business records hearsay exception (see here, here and here), but we’ve not yet explored the questions and issues that arise when those two topics collide.
For example, if the state obtains a complete copy of a suspect’s account records from Facebook, Twitter, or AT&T, including user-generated content such as messages, chats, texts, and posts, can that evidence be admitted as a business record? I recently had an opportunity to talk about digital evidence with prosecutors in several other states, and there are opposing views in different jurisdictions about the correct answer to this question. This post looks at the conflicting interpretations, the North Carolina guidance we have so far, and an interesting alternative approach.
Haven’t We Covered This Before?
Surprisingly, no. The earlier posts about text messages and social media focused on evidence that was either found online or stored on a local device, so the evidence was just authenticated under Rule 901 and then admitted under another hearsay exception (usually as a statement of a party opponent). Based on the case law that seems to be the more common scenario, but it’s certainly not the only one. After all, messages get deleted, hard drives fail, phones go missing, and passwords expire. In those situations, investigators may choose to send a search warrant or other court order directly to the service provider to obtain the complete records. To simplify and streamline that process, some companies like Facebook even offer a “law enforcement portal” to submit requests and receive records: upload a search warrant; download the user’s entire account.
Assuming the records are lawfully obtained, properly authenticated, and relevant, are they admissible as business records under Rule 803(6) or not?
One View: Admissible as Business Records
Although most of us still use the term “business records,” the hearsay exception currently found in Rule 803(6) is actually much broader than the old common law business records rule. The modern rule applies to businesses, organizations, and associations “of every kind,” and the covered records include any report, memorandum, or “data compilation, in any form.” G.S. 8C-803(6), Official Commentary. As explained more fully in the prior posts linked above, the exception generally applies as long as the records were made at or near the time of the occurrence they document, by a person with knowledge, and kept in the regular course of business.
Little surprise, then, that the rule has been applied in our case law to permit the introduction of computerized phone records acquired directly from a service provider, as long as a proper foundation was laid. See, e.g., State v. Crawley, 217 N.C. App. 509 (2011); State v. Hunnicutt, 44 N.C. App. 531 (1980). If traditional phone records are admissible under this exception, it seems reasonable to argue that similar records obtained directly from other communication service providers like Facebook should be treated the same way, and some courts have adopted that view. See, e.g., United States v. Hassan, 742 F.3d 104 (4th Cir. 2014) (Facebook pages and Youtube videos properly authenticated and admitted as business records through a records custodian affidavit, when paired up with other evidence linking the defendants to the records); accord, People v. Maya, 88 N.E.3d 10 (Ill. App. 3d. 2017); United States v. Landaverde-Giron, 2018 WL 902168 (D. MD. 2018) (unpublished).
But what about when those records contain more than an account name, numbers dialed, or billing address? In many cases, the main reason why the proponent wants to introduce the records is because they also contain user-generated statements found in texts, chats, and messages. The opponent will argue that those statements are inadmissible double hearsay that falls outside the scope of the business records exception. See State v. Sisk, 123 N.C. App. 361 (1996) (“Statements made by a person other than the person(s) compiling the business record which are recorded within the record are double hearsay, or compound hearsay, and may only be admitted if an exception to the hearsay rule is found for that statement”). Since the actual content of the communications is not being verified by the company or relied upon for a legitimate business purpose, the user-generated statements within the records don’t have the same guarantee of trustworthiness that the exception requires. Therefore, although the records themselves may be admissible as business records, the proponent should also come prepared with a second hearsay exception that covers the user’s statements or messages found within those records (admission of a party opponent, statement of co-conspirator, adopted admission, excited utterance, etc.), and be ready to explain why it’s reasonable to conclude that the purported declarant is the author of that statement. That’s another hurdle to admissibility, yes, but in most cases it will be a fairly easy one to clear, so proceeding under this approach seems possible. See, e.g., United States v. Recio, 884 F.3d 230 (4th Cir. 2018) (Facebook records authenticated by “a certification by a Facebook records custodian, showing that the Facebook record containing the post was made ‘at or near the time the information was transmitted by the Facebook user’” and the prosecution “sufficiently tied that ‘Facebook user’ to Recio” through distinctive characteristics such as account name, email address, and photos).
Opposing View: Not Business Records
The double hearsay issue above is one of the reasons why some courts have concluded that the business records framework just doesn’t “work” for records that contain user-generated statements and content. Unlike billing, usage, or even location records, statements from the user are not created or verified by the entity keeping the records, nor are they kept for a business purpose, so the exception doesn’t apply. See, e.g., United States v. Browne, 834 F.3d 403 (3rd Cir. 2016); State v. Griffith, 449 P.3d 353 (Ariz. App. 2019); People v. Glover, 363 P.3d 736 (Colo. App. 2015).
Furthermore, even if we overlook the portion of the records that contain double hearsay statements from the user, some courts have decided that we should not be treating the underlying records as “hearsay” anyway, since these records are not merely stored on a computer — they are actually generated by a computer, and hence they are not statements from a declarant at all. See, e.g., Godoy v. Commonwealth, 742 S.E.2d 407 (Va. App. 2013). In Godoy, phone records from T-Mobile were admitted at trial as business records, and the appellate court decided that was the wrong approach:
Under the modern Shopbook Rule [business records exception], adopted in Virginia, verified regular entries may be admitted into evidence without requiring proof from the regular observers or record keepers, generally limiting admission of such evidence to facts or events within the personal knowledge of the recorder. […] There is no “person” or declarant, however, where the evidence is based on computer generated information and not simply the repetition of prior recorded human input or observation. […] Likewise, in the present case, there was no out-of-court asserter upon whom the veracity of the telephone records relied. Witt testified that T–Mobile’s telephone records were automatically self-generating and that they were created contemporaneously with the placement or receipt of a telephone call. […] Accordingly, the admissibility of the telephone records was not governed by hearsay principles, and so we need not consider whether the Commonwealth established all of the elements for the business records exception to apply.
Id. at 411-12 (internal citations and quotations omitted). That interpretation would seem to run contrary to the North Carolina precedent we have for computerized phone records above, despite the fact that Rule 803(6) refers to records made by a “person,” so I’m not suggesting that it’s controlling law on this issue. See also State v. Jackson, 229 N.C. App. 644 (2013) (computer-generated GPS tracking data admissible as business record).
But those cases from other jurisdictions do raise a good point about the somewhat odd reasoning behind our current doctrine. They also raise a good question: if these records aren’t hearsay in search of an exception, then what are they?
Alternative Approach: Not Business Records, But Authenticated Like Business Records
Cases like Godoy and Griffith close one door to admissibility, but they open another. Instead of trying to shoehorn the records into a hearsay exception doctrine that arguably doesn’t fit, they treat the evidence as what it is: computer data. To lay a foundation for the admissibility of the data records, the proponent simply has to show that they are reliable, accurate, and relevant. See Godoy, 742 S.E.2d at 412 (“having determined the business records exception is inapplicable to the present case, we consider more broadly whether the telephone records were reliable”); Griffith, 449 P.3d at 357 (“social media communications, when offered to prove the truth of what a user said, fall outside the scope of Rule 803(6)” but “[w]e nonetheless determine the Facebook message was admissible under Rules 801(d)(2) and 901(a)”).
In both of those cases, the appellate courts held that the trial court had erred by admitting the evidence as business records, and yet they still found that the records were properly authenticated and admitted. Why? Because it turns out that the same foundation the proponent offered at trial in an effort to establish that these were business records (made at the time, kept in the regular course of business, relied on by the business, provided directly to law enforcement, same thing here in court today, etc.) coincidentally did a pretty good job of establishing that the records were reliable and accurate, thereby (almost accidentally) authenticating them under Rule 901 anyway. In other words, even though they were not business records, the process of checking all the boxes for offering them as business records still laid a sufficient foundation to make the necessary showing that they probably “are what they purport to be” under Rule 901. And once the records themselves were authenticated, the proponent could satisfy the other admissibility and hearsay requirements like relevance and authorship by linking the statements within the records back to the declarant in the same way we’ve seen in North Carolina cases like Ford and Clemons (distinctive characteristics, witness with knowledge, acknowledged by the sender, account name, profile pic, etc.).
What’s the Recommendation?
If your preference is to proceed under a business records theory, citing cases like Crawley and Hassan, and then link the purported declarant to those records and argue a second hearsay exception like admission of a party opponent to cover the declarant’s statements within the records — well, I haven’t yet found a North Carolina case that says that’s wrong. (As always, please let me know if you think I’ve overlooked a significant case.) In fact, if you plan to authenticate the records by using a records custodian affidavit, this may be your only option since our affidavit provisions are more limited than some other jurisdictions.
But the alternative approach taken in some jurisdictions to acknowledge that these records are really just big piles of computer data, rather than traditional business records, seems a little more precise. Even if the foundation testimony from the sponsoring witness is exactly the same as what it would have been for business records, admitting the evidence under Rules 801(d) and 901, rather than Rules 803(6) and 902, might be a better fit for what the exhibit truly is.
So, same basic foundation, same end result, just using different rules of evidence? Much ado about nothing? Perhaps. But given the ever-expanding role that digital evidence plays in criminal cases, and considering the limited case precedent we have in this area so far, it’s an issue worth considering.