Published: January 18, 2019
I couldn’t help but notice this monstrous money laundering case in Canada that was tossed out because the Crown (Canadian prosecutors) accidentally disclosed a confidential human source.
This hurts for sure.
At the heart of many Hunchly investigations (both from defence investigators and law enforcement) is the fact that you are collecting a massive trove of information, and this information will need to be disclosed to a third party (prosecution, defence, experts, etc.).
What information do you keep? What has to be filtered out?
This can be a very labour intensive process as you need to be able to clearly present your case without disclosing irrelevant information or creating unnecessary doubt.
Hunchly’s primary purpose is to free the investigator from having to remember to take screenshots, maintain a list of URLs, hash content, or track things like target email addresses.
With Hunchly active, investigators can just do their thing, their way, and not sweat the small stuff.
However, when we think of Hunchly’s evidence capture from the perspective of vetting, we definitely see a potential problem: when investigators collect more data, don’t they have to do more work vetting?
Short answer? Yup, it sure does.
The long answer is more complicated. I will always opt for having more data to sift through at the end of an investigation than having an incomplete case or having some Facebook account get deactivated and now I can’t retrieve valuable intel.
Worse is having evidence tossed out because it is incomplete. R vs. Hamdan taught us this well.
This really comes down to investigator organization.
What we’ve learned from experience and from our power users is that if you set up your case using selectors and tags, and you star pages as you browse (mark them Important), then you save countless hours in vetting time down the road. Need help with this? Just ask for a demo and I’ll show you.
We also track deletions from your case, so if you need to do some cleanup you are still maintaining an audit trail of what you deleted and when.
In short, our recommendations are:
I reached out to Nick Ibbott, former police officer and founder of L.E.A.D. Solutions Inc. to get some perspective on vetting. Nick has years of experience in law enforcement, and has dealt with his fair share of disclosure before.
Here is a summary of our Q&A session, edited for length and clarity:
Justin: What are some strategies you recommend people employ before they start their investigations?
Nick: First of all, Justin, I would like to thank you for allowing me to be a part of your blog. You and your team at Hunchly have done an excellent job in providing a world-class application for practitioners involved in digital investigations. It is the “must have” tool, so much so that it is one of the building blocks in the digital investigations training program I have developed and delivered to investigators.
The strategies that I recommend come from the 30 years of policing, most of which were from units that dealt with medium to large scale operations. My viewing lens is from a Canadian perspective, but I would think the same challenges I faced were similar to most of the law enforcement professionals in other democratic countries.
I like to use two analogies in my training modules to explain some critical components in investigating events. Both of them are simple and drive home the point in multiple ways.
The first analogy is a rock thrown into a still pond. The rock is the information you have gathered from your investigation. When you throw that rock into a quiet pond, it creates ripples in the water that expand outward. The more rocks you throw into the pond, more ripples are made, and they will undoubtedly intersect with each other. That intersection of information may turn out to be the evidence that you were looking for to corroborate your investigative theory.
An example of this would be if a tip came into the police that Person A was a drug dealer, and he lived at Location B. You as the investigator conducted police computer database checks and confirmed that Person A lived at Location B. Your next logical step would be to conduct physical surveillance at Location B, and you observed Person A dealing drugs. The two rocks in this story were the information about Person A and Location B. The intersection of confirming that Person A lived at Location B corroborated the tip information. This observation of Person A dealing drugs provided you the grounds for an arrest.
The other analogy is a common one in courthouses all over Canada, and the U.S. That analogy is “fruits of the poisonous tree.” This doctrine is used in the criminal courts to identify evidence (the “fruits” of your investigation), that was obtained and has been determined to be tainted. If the evidence was tainted, it might be excluded. The goal of a defence attorney is to have evidence excluded, as evidence is what convicts people.
So what do these analogies have to do with a strategy of disclosure?
My policing career mantra and now my training mantra is “it’s not the day you found the evidence, it’s the day you testify on how you found the evidence that matters.”
An investigator has to be aware of how they obtained the information, and how the disclosure of that information two years from now will impact the overall investigation. That vision of how the disclosure of your evidence will play out in the future will help you prepare for today. A well-formulated strategy will assist investigators in the long run.
Like most law enforcement members, past and present, I lived my career using acronyms. For disclosure strategies, I came up with the acronym U.I.O.D.
· Understand — what information is considered to be confidential/privileged/protected.
Knowing the case law and speaking with your crown/district attorney about what information falls into the above categories.
· Identify — create and put in place a process to identify information to be vetted.
I would mark up my notebook with annotations marking things to be vetted for disclosure and why it was being marked (such as confidential/privileged).
· Organize — a consistent system to organize all information for disclosure
A naming convention for all information to be saved as, digital vetting tool applications.
· Disclose — track the evidence that has been disclosed, review.
Consistent and trackable disclosure practices to the crown/district attorney
The justice system is based on fairness to all, not tipped over in favour of the police only. Fairness comes with the fact that ALL of the information that the police have about that particular investigation is up for disclosure to the accused person.
The most important part of a disclosure strategy is understanding what categories of information need to be vetted. A case could fall apart if the investigator were not aware that particular pieces of evidence should have been protected and it was missed by the reviewing eyes of the crown/district attorney.
Some of the most sensitive information that comes into the possession of law enforcement is from confidential human sources (CHS) and anonymous tips. A CHS and tipsters can provide information that points the police toward a particular person or a crime. That information can be very detailed and, in some circumstances, only known to that source.
Those rocks of information need a certain approach at the beginning to ensure they remain protected. The mere act of setting up surveillance at Location B could in the end identify the CHS if that source was the only one to know about it. Every step taken after learning of information from sources needs to be flushed out to identify the risk to the source if a particular action is taken. Sometimes, the risk to the source overrides the action you want to take.
I could go on into great detail about what are some common categories of information that should be vetted on first blush, but I will leave that for another time.
Justin: How do you approach vetting online evidence before submitting to the court?
Nick: My approach to online evidence is not much different than any other evidence. I follow the U.I.O.D. strategy I mentioned above, with some variations.
I categorize online evidence into two streams. One stream deals with publicly available online information and online information that I gathered from engaging with the subject.
If the request for an online investigation came from another investigator, I would seek to UNDERSTAND what information they gave me was meant to be protected if they had not already IDENTIFIED it. The information is the rock I would throw into the pond.
My online investigation evidence would be ORGANIZED in categories of information types. The categories would help me in the vetting process as I would know what information would need to be vetted out for DISCLOSURE.
Search engine queries would not typically need to be vetted unless the search query information was protected (the rock I threw in the pond).
If I was logging into a social media network using an investigative account, and my sole purpose was to review publicly available information on the subject, I would vet the investigative account information. The vetting was to protect the use of this account in ongoing and future investigations.
The other stream I had mentioned, when the investigator engaged with the subject either by friending/following or communicating with the subject by messaging them, is a different subject entirely in my opinion and experience.
That engagement could and would under most circumstances be considered an undercover operation and with that flows disclosure protocols no different than real-world undercover ops. Everything would be potentially up for disclosure including the devices used by the investigator and a forensic extraction of those devices to capture all interactions with the subject.
Justin: Do you have any war stories of how an online investigation was blown because of improper vetting/disclosure practices?
Nick: Unfortunately, I can’t speak to any online investigation that was blown from the practice, but I have a few that were in jeopardy of falling off the rails because of vetting/disclosure. In those instances, we were able to identify a category of information that would have identified yet-to-be-charged people and closed the loop quickly without the fairness of the accused being affected.
With the vast amount of information that is now compiled in investigations, the fruits of that, the evidence, is being scrutinized with the intention of having it excluded. Following a strategy that helps you keep that evidence from falling off the tree is what you should be thinking about in the beginning.
Some excellent insights here from Nick for sure.
If you have some thoughts on vetting and court disclosure hit me with it here: firstname.lastname@example.org