Did You Really Post a Picture of Yourself Committing a Crime?
Authentication of Social Media
Wade V. Davies
Original Post: “Did You Really Post a Picture of Yourself Committing a Crime?: Authentication of Social Media,” Tennessee Bar Journal, November 2018, Vol. 54, No, 11, www.tba.org/journal/did-you-really-post-a-picture-of-yourself-committing-a-crime
Social media provides a fertile source for evidence in criminal cases. Suspects give prosecutors unbelievable gifts with incriminating, threatening and otherwise unbelievably stupid admissions posted online. On the other hand, defense counsel find impeachment gems on witnesses’ social media accounts — even the portions anyone can view.
Malik Farrad learned the hard way that posting on Facebook is a bad idea. Although Mr. Farrad made significant mistakes that landed him back in prison, his mistakes can teach trial lawyers important lessons about getting social media postings into evidence (or keeping them out) through a study of the Sixth Circuit’s opinion.
Mr. Farrad’s case stands out because his Facebook postings alone got him convicted of being a felon in possession of a weapon. Farrad got out of prison in 2013 and went home to Johnson City. Johnson City police quickly got tips Farrad was involved with firearms — a serious violation for a felon, under 18 U.S.C. Section 922(g).
Unfortunately for Farrad, he opened a Facebook account. An undercover officer sent him a Facebook friend request, which he accepted!  That means the officer could see additional photographs posted on Mr. Farrad’s account. One of those photos showed three handguns on a closed toilet lid. Officers used this information to get a search warrant, which was served electronically on Facebook. Facebook produced additional photos from Mr. Farrad’s account, including pictures that, according to the Sixth Circuit’s description, show a person who looks like Farrad holding what looks like a gun. That’s it. That is what sent Farrad back to prison — for 188 months. There was no physical evidence; Farrad did not make any admissions; there was no testimony from witnesses who had seen him with a firearm. An officer offered expert testimony that the guns in the photographs were firearms and not toys.
Although Farrad might not teach us much about good judgment, the Sixth Circuit’s opinion teaches a lot about how to use social media postings.
There have been several attempts to make it easier to get digital evidence admitted. Federal Rule of Evidence 902(11) was created to make it easier to get business records — including electronic documents — admitted. Now qualifying business records under Federal Rule of Evidence 803(6) are self-authenticating and do not require a custodian to come to court if there is a proper certification. Similarly, certified records generated by an electronic process or system and certified electronic data do not require a witness to authenticate them at trial.
But here is the main lesson from Farrad: those rules don’t work unless the certification shows that the particular records satisfy the exception. The government took the position in Farrad that the Facebook records were business records under Federal Rule of Evidence 803(6) and were self-authenticating under 902(11). The government was allowed to introduce the incriminating photographs of Farrad with a certification from a Facebook employee “who attested that the records provided by Facebook — including search results for basic subscriber information, IP logs, messages, photos, [and] other content and records for malik.farrad — were made and kept by the automated systems of Facebook in the course of regularly conducted activity as a regular practice of Facebook and made at or near the time the information was transmitted by the Facebook user.” 
The problem with the government’s argument, though, is that Facebook didn’t create the photographs. Facebook had no knowledge of the circumstances by which they were taken, created or posted.
The Sixth Circuit noted that no opinion in the circuit has spoken to the proper standard for assessing the admissibility of photographs taken from social media. 
As a general rule, then, the Sixth Circuit emphasized that photographs from social media must be authenticated the old-fashioned way. There must be sufficient evidence to support a finding that the photograph is what the proponent claims it is. A records custodian affidavit is not enough. (In Farrad, the court deemed the error harmless because there had been sufficient testimony to admit the photographs under Rule 901(a)).
Farrad does not mean, however, that social media evidence would never be self-authenticating. Facebook and other providers do create business records that might be extremely important. There is a massive amount of data created by the providers, including the IP address from which the material was posted, the time, location, times of deletion that would be records created by the providers in the ordinary course of business. That type of information should be admissible with a 902(11) certificate, even if the document posted by the user requires traditional authentication.
In my opinion (and not addressed by any court as far as I know) there is a huge question as to whether anything produced by Facebook could reasonably be deemed authentic. In addition to previous breaches, in September 2018, Facebook admitted that security flaws allowed unauthorized access to 50 million Facebook accounts, including the accounts of top executives Mark Zuckerberg and Sheryl Sandberg. Even more importantly, this access might have opened up access to many other sites that allow people to sign in based on Facebook credentials. I would not rely on a Facebook records custodian. Remember, Rule 902(11) has a notice provision “so that the party has a fair opportunity to challenge them.” I would consider such a challenge with any social media evidence.
1. United States v. Farrad, 895 F.3d 859, 864 (6th Cir. 2018).
2. Id. at 864-65.
3. Id. at 865.
5. Id. at 870.
6.Id. at 864.
7. F.R.E. 902(13)&(14).
8. Farrad, 895 F.3d at 865-66 (internal quotations omitted).
9. Id. at 877.
10. The New York Times, Sept. 28, 2018, “Facebook Security Breach Exposes Accounts of 50 Million Users,” www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html