Following my last post on electronic evidence, I will go to part 2, which presents some key terminology and a typological framework for maritime evidence admissibility.
As I mentioned in my last post, I am not well-versed in this area; nevertheless, I find it exceptionally interesting. As part of the "process" of gathering and securing evidence, I continue referencing Professor Andrew Norris's excellent study (previously cited) on how digital evidence related to maritime crime cases can be presented in court, forming this post's basis.
Terminology and Related Concepts
In any analytical product, there must be a common understanding of the essential terms of art necessary to understand the process, analysis, and conclusions related to that product. To this end, basic definitions are provided below.
Digital (electronic) evidence - Digital evidence is ‘information and data of value to an investigation that is stored on, received, or transmitted by an electronic device’.
Device evidence - Evidence autonomously produced by a ‘device’ by its programming in the form of computer code that ordinarily is fixed and that can be examined. No human being controls the production of the evidence; instead, the device produces the data.
There are three types of device evidence:
Type 1 (Devices that store data) - These devices are limited to collecting and storing data. They are typically rule-based and produce data according to their fixed coding. Unlike Type 2 or Type 3 devices, they do not act on, analyse, or classify that data.
Type 2 (Devices that can evaluate and act on data) - Devices that can draw conclusions from the data they gather and act on those conclusions, having been trained to tackle specific tasks using algorithms and statistical models. They apply their insights to new situations without following explicit instructions. The hallmark of Type 2 devices is a digital layer of “intelligence” enhanced through machine learning, which allows them to evaluate data and determine when and how to act on their assessments. Examples include software that monitors the location of specific individuals or objects, such as fitness trackers, Google Earth, or GPS devices, as well as smart robotic vacuum cleaners that "identify" and avoid obstacles like toys, pet waste, or cords.
Type 3 (Devices with capacity for self-modification) - Type 3 devices, also known as Artificial Intelligence devices, can employ specific, self-optimizing, highly complex machine learning to modify their own operations based on their ‘experience.’ Examples encompass smart grids, self-driving cars, and facial recognition devices, from smart doorbells to advanced identification systems that can not only adapt but also optimise their own code.
Acquired evidence - Evidence generated by the subjects of an adjudicative proceeding and obtained by government agents. An example of ‘acquired’ electronic evidence may be waypoint or other information stored in an electronic chart to prove the suspect vessel’s location or activities.
Generated evidence - Evidence created by law enforcement agents, such as video shot by government agents to document the location of suspected contraband discovered aboard a vessel. Generated evidence also arises when government agents forensically exploit or use evidence to create electronic (digital) evidence that has derivative yet independent evidentiary value, such as DNA match testing conducted on samples collected on board.
Forensic evidence - Evidence that requires some advanced processing before its full evidentiary value/potential can be realised.
Typological Framework for Maritime Evidence Admissibility
According to the UNODC e-book ‘Maritime Crime: A Manual for Criminal Justice Practitioners,’ 3rd ed., Section 5.1, maritime law enforcement (MLE) includes the following non-exhaustive sequence of actions:
Signalling and stopping suspect vessels;
Boarding suspect vessels;
Searching suspect vessels and the people and cargo in such vessels;
Detaining or arresting people in suspect vessels and/or the suspect vessels themselves;
Seizing items on suspect vessels;
Directing or steaming suspect vessels and the people and cargo in those vessels to a coastal State port or similar place for investigation;
Conducting such investigations; and
Subsequent prosecution or other forms of administrative action or sanctions.
This list does not include detecting suspicious activity that kicks off the MLE operation.
The prosecutor primarily acts as the ‘end-user’ of evidence, which is mainly, if not entirely, collected by other officials in the enforcement chain. All these officials must understand the requirements for the admissibility of any evidence, whether electronic or otherwise, that they may gather for potential adjudicative purposes. This understanding can be complicated by discrepancies in how evidence is collected, who collects it, when it is collected, where it is collected, and for what purpose.
Considering all these factors requires a systematic approach. Electronic evidence types or categories should be organised to facilitate an orderly examination of the relevant admissibility considerations should the evidence be presented in a national tribunal. This systematic approach will benefit not only prosecutors but also those within the enforcement chain, who are responsible for gathering and producing admissible evidence that prosecutors can use to achieve a successful legal outcome.
To this end, Professor Norris proposes a six-category scheme for classifying electronic evidence in an MLE case based on the differing admissibility considerations for evidence collected within each category. For ease of conceptualisation, the categories are arranged sequentially; that is, they reflect the progression of a case from the detection of suspicious activities through interdiction, acquisition of evidence, processing of evidence, and presentation of evidence in an adjudicative proceeding. This structure aids operators in illustrating and organising the broad spectrum of potential evidence that may be gathered in an MLE case. However, evidence in each category raises different admissibility considerations in adjudicative proceedings.
The 6-category Typological Framework for Maritime Admissibility is as follows:
Category 1 (‘Remote awareness’)
Category 1 evidence (‘remote awareness’) is generated through remote electronic means and is used in specific cases to detect and monitor suspicious vessel activity that may lead to the dispatch of an enforcement asset to the scene for further investigation. Examples of electronic systems that may be employed, either individually or in combination, for this purpose include AI/ML-enhanced systems (such as Skylight, GFW, Starboard, etc.) based on the Automatic Identification System (AIS), Vessel Monitoring System (VMS), and shore-based radar.
The primary purpose of Category 1 evidence is to identify a suspect vessel or activity and potentially guide an enforcement unit to the scene; it would not be used in any subsequent adjudicative proceedings to prove a case or an element of an offence (this use would categorise it as Category 2 - see below). As a result, evidence in this category is seldom regarded as evidence, as there is no intention to use it in that capacity. In fact, rather than wishing to incorporate it into its case-in-chief, the government may be particularly keen to avoid disclosing it, as doing so could compromise sensitive capabilities, sources, and methods.
Category 2 (‘Remote Proof’)
Category 2 (‘remote proof’) evidence is identical to the evidence in Category 1, with the only distinction being that the government intends to use it as evidence in a subsequent adjudicative proceeding to prove a case or an element of an offence. Circumstances in which the government may wish to do this include: (1) proving the vessel’s location when that may be relevant to an element of an offence (did the fishing vessel enter the EEZ? Did it transit through a marine protected area in violation of coastal State laws?); (2) demonstrating suspicious activities the vessel was engaged in (loitering, going dead in the water, vessel movements consistent with IUU fishing, etc.); (3) establishing that an at-sea rendezvous involving the suspect vessel and another vessel or vessels took place, where, for instance, the other vessel is found to be carrying contraband believed to have been supplied by the suspect vessel; and (4) related information (duration and location of suspicious activities, etc.).
Category 3 (‘Enforcement unit generated’)
Category 3 (‘enforcement unit generated’) evidence refers to electronic evidence produced by the enforcement unit and/or supporting units, such as aircraft, drones, and other resources collaborating with the enforcement unit. This evidence serves to (a) document activities related to the suspect vessel that are observable from the enforcement unit and (b) document the activities of the enforcement unit and its personnel that can be perceived from outside the suspect vessel. The key aspect of the evidence in this category is defined by what it is not—it is not collected while aboard the suspect vessel itself (as that falls under Categories 4 and 5 evidence). Instead, it comprises evidence gathered by enforcement units and their personnel from external vantage points relative to the suspect vessel.
Examples of Category 3 evidence include: (1) video footage captured by the enforcement unit that records suspicious behaviour by the crew of the suspect vessel or the vessel itself; (2) audio recordings of communications from the enforcement unit to the suspect vessel, along with any responses from the suspect vessel; and (3) photographs and/or electronic captures of electronic charts, GPS readouts, and similar documents aboard the enforcement unit to document vessel locations and other potentially critical information.
Category 4 (‘Suspect vessel, acquired’)
Category 4 (‘suspect vessel, acquired’) evidence, alongside Category 5 (‘suspect vessel, generated’) evidence, comprises electronic evidence collected by enforcement unit personnel aboard the suspect vessel. Originating from the suspect vessel—that is, the self-contained vehicle involved in the commission of an offence—evidence in this category, as well as in Category 5, regardless of whether it is electronic or not, is likely to be the primary evidence upon which the government will rely to substantiate its case in any subsequent adjudicative proceedings. The principal difference between Category 4 and Category 5 evidence is that the former is located or discovered by enforcement personnel, while the latter is produced by them (as with Category 3).
This distinction carries several potential implications for admissibility: (1) there are significantly greater search and seizure ramifications associated with electronic evidence generated and held by criminal suspects compared to electronic evidence created by government agents, primarily aimed at enhancing the likelihood of successful prosecution; and (2) it is highly improbable that government-generated evidence during an MLE boarding will need forensically analysing to determine and fully comprehend its evidentiary usefulness, whereas electronic evidence generated by the suspects—and the systems used to create it—may well necessitate some level of forensic analysis to unlock its full evidentiary significance.
Thus, although both Category 4 and 5 evidence is obtained from the suspect vessel, the separate and distinct evidentiary considerations arising from the distinction between “acquired” and “generated” evidence warrant two separate categories.
Furthermore, it should be noted that only electronic evidence that the government can use without further extraction, manipulation, or forensic analysis will fall into Category 4. If additional forensic analysis is required before the evidence can be accessed (by breaching an encrypted system) or fully comprehended, utilised, or developed (through the forensic analytical process), it would be classified as Category 6 rather than Category 4.
Category 4 evidence may encompass data found in systems or equipment aboard a vessel, such as (1) computer systems, laptops, and mobile phones belonging to the suspects; (2) data stored in electronic charts that document the suspect vessel’s movements and activities; or (3) electronic logbooks, if they exist.
Category 5 (‘Suspect vessel, generated’)
Category 5 electronic evidence generated by enforcement personnel during this phase may include videos, photographs, and audio recordings that document various aspects such as (1) the actions of law enforcement personnel to protect against subsequent allegations of irregularities in search and seizure, excessive use of force and other human rights concerns; (2) the location, stowage arrangements, and other evidentially helpful information related to contraband or the fruits of crime discovered on board the vessel; and (3) crew actions and behaviours that might, for instance, illustrate mens rea, such as knowledge (for example, of the contraband's location), as well as indicate who held a leadership role or was in charge, etc.
Category 6 (‘Forensically analysed’)
Category 6 (‘forensically analysed’) evidence requires forensic systems to access, understand, analyse, and/or generate. This category's essence lies in needing specialised equipment, processes, and trained personnel to access or generate evidence otherwise unavailable for governmental use in an adjudicative proceeding. Simply needing expert testimony to introduce digital evidence does not suffice for categorisation into Category 6; all ‘acquired’ and possibly some ‘generated’ electronic evidence will necessitate some expert testimony in response to defence challenges regarding authenticity, reliability, etc.
To qualify for Category 6 — which is its very essence — the evidence in question requires further processing to either access it or to realise and develop its evidentiary value fully. This distinction is crucial, as the additional forensic analysis introduces further admissibility requirements for Category 6 evidence absent in other categories.
‘Forensically analysed’ evidence encompasses the involvement of forensic systems to:
Access the evidence: locked and/or encrypted devices may require forensic analysis simply to bypass encryption and obtain the evidence contained within;
Further develop acquired evidence: the government may seize a device (such as a laptop or mobile phone), which requires forensic analysis to uncover or recover all relevant information. Examples include recovering deleted communications from a seized device, determining whether an external device has been connected to a computer (the Windows registry automatically records information about every USB device plugged into the computer), or proving online activities by matching an individual’s IP address to information automatically captured on a website server’s Internet Information Systems (IIS) logs.