People v. N.T.B.

Annotate this Case

Download PDF

The summaries of the Colorado Court of Appeals published opinions constitute no part of the opinion of the division but have been prepared by the division for the convenience of the reader. The summaries may not be cited or relied upon as they are not the official language of the division. Any discrepancy between the language in the summary and in the opinion should be resolved in favor of the language in the opinion. SUMMARY October 3, 2019 2019COA150 No. 18CA1613, People v. N.T.B. — Evidence — Admissibility — Authentication — Hearsay — Machine-generated Records — Hearsay Exceptions — Records of Regularly Conducted Activity A division of the court of appeals addresses the admissibility of evidence from a cloud storage account. First, the division holds that an investigating detective could provide sufficient background to authenticate records produced in response to a search warrant served on the cloud storage and internet service providers under CRE 901. Second, the division agrees with the trial court that because these records include statements that constitute hearsay, and because the prosecution had not listed a custodian to provide necessary foundation under CRE 803(6), they were inadmissible. The division distinguishes cases dealing with the admissibility of electronic communications, such as emails and Facebook postings. COLORADO COURT OF APPEALS 2019COA150 Court of Appeals No. 18CA1613 El Paso County District Court No. 16CR4823 Honorable Robert L. Lowrey, Judge The People of the State of Colorado, Plaintiff-Appellant, v. N.T.B., Defendant-Appellee. RULING APPROVED Division III Opinion by JUDGE WEBB Dunn and Lipinsky, JJ., concur Announced October 3, 2019 Daniel H. May, District Attorney, Oliver Robinson, Deputy District Attorney, Tanya A. Karimi, Deputy District Attorney, Colorado Springs, Colorado, for Plaintiff-Appellant No Appearance for Defendant-Appellee ¶1 Evidence stored in an account on a remote cloud server raises novel questions of authentication and the business-records exception to the hearsay rule. The district attorney appeals the trial court’s pretrial order dismissing all charges against N.T.B.1 The court held that the prosecutor failed to present a witness to authenticate records of the cloud storage custodian and internet service provider, which were necessary to link N.T.B. to sexually exploitative material stored in the cloud. And even if the prosecution could have authenticated these records, the court held that they contained inadmissible hearsay. Because the prosecutor provided no basis for admitting them under the business-records exception, the trial court refused to admit them. We agree with the district attorney that the prosecutor proffered sufficient evidence of authenticity but reject his contention that the documents were not hearsay. Therefore, we approve the trial court’s ruling. I. Background ¶2 Dropbox flagged a cloud-storage account that it suspected contained child pornography. The company provided the National 1 N.T.B. has not entered an appearance in this court. 1 Center for Missing and Exploited Children with a video and an account identification number, an email address, account activity log, and internet protocol (IP) address tied to the upload. 2 The Center forwarded this information to local police. ¶3 The police served a search warrant on Dropbox, which produced everything stored in the account, and viewed the original video. They also viewed other videos that they believed contained sexually exploitative material, along with two still pictures of N.T.B., all of which were in the account. 3 The police traced the IP address to Comcast, the internet service provider, which identified a physical address for the internet account in response to a search warrant. The account was owned by N.T.B.’s then-girlfriend and his roommate. People v. Garrison, 2017 COA 107, ¶¶ 23-29, ¶ 24 n.3, explains that an IP number is a unique address assigned to a computer connected to the internet, and how an IP address can be traced to a residential address with information provided by an internet service provider. See also United States v. Miller, No. CV 16-47-DLB-CJS, 2017 WL 2705963, at *1 (E.D. Ky. June 23, 2017) (explaining how cloud storage providers identify suspected child pornography through “hashing” technology and report their findings to the Center). 3 The videos, photographs, and activity log are not in the appellate record. 2 2 ¶4 Next, the police executed a search warrant on their shared residence, where one detective interviewed N.T.B. He admitted to owning a Dropbox account associated with his work email address, which was the email address that Dropbox had provided, and watching pornography that others shared with him over Snapchat. But he did not confirm the account number. ¶5 The prosecution charged N.T.B. with three counts of sexual exploitation of a child under section 18-6-403(3)(b.5), C.R.S. 2019, based on his possession or control of pornographic videos in the account. ¶6 Before jury selection on the morning of trial, N.T.B. moved in limine to exclude all records obtained from Dropbox and Comcast, but not the videos. He argued that these documents were business records that contained hearsay, which would be admissible only if authenticated under either CRE 803(6) or by a certification that complied with CRE 902(11). The prosecutor had neither endorsed a records custodian to testify concerning the requirements of CRE 803(6) nor provided an affidavit and notice under CRE 902(11). ¶7 The prosecutor responded that the records could be authenticated under CRE 901(b)(1) and (4) based on testimony from 3 the investigating detective and distinctive information that connected N.T.B. to the Dropbox account obtained through the search warrants. He asserted that the records were not hearsay because “[t]here [was] no declarant” and that N.T.B. had admitted to owning a Dropbox account associated with his work email address. ¶8 After hearing arguments from defense counsel and the prosecutor, which included a proffer of the investigating detective’s anticipated testimony, and taking a short recess to research the issue, the court ruled that the records would not be admissible at trial. It explained that “[t]here was no one to authenticate th[e] documents”; additionally, the court held that these documents were business records which contained hearsay. 4 And because the At one point, the court indicated, “[The prosecutor] has posed the notion that you can authenticate documents otherwise under [CRE] 901, specifically [Rule] 901(4). I suppose arguably that under [Rule] 901(b)(4) to 901(b)(1), testimony that the matter is what it is claimed to be . . . . Authentication can be accomplished by sufficient evidence to show that something is what it purports to be . . . .” A bit later, in the court’s analysis of People v. Marciano, 2014 COA 92M-2, which was “the closest opinion [the court] found to the issue raised” in this case, the trial court adopted the Marciano court’s business records rationale for exclusion. 4 4 prosecutor had not endorsed a custodian to testify nor provided an affidavit and notice, the trial court would not admit them. ¶9 The prosecutor conceded that without this evidence, the case could not be proven, and only twelve days remained before the speedy trial deadline would lapse. Then the court granted N.T.B.’s motion to dismiss and sealed the case. II. Jurisdiction and Standard of Review ¶ 10 Section 16-12-102(1), C.R.S. 2019, allows the prosecution to appeal a “final order” in a criminal case “upon any question of law.” An order that dismisses one or more counts of a charging document before trial constitutes a final order. Id.; see also People v. Gabriesheski, 262 P.3d 653, 656-57 (Colo. 2011) (requiring appeals under section 16-12-102(1) to comply with the final judgment requirement of C.A.R. 1). And an evidentiary ruling may be appealed if the trial court made its ruling based on an allegedly erroneous interpretation of the law. People v. Welsh, 176 P.3d 781, 791 (Colo. App. 2007); see also Gabriesheski, 262 P.3d at 658 (“[I]t is enough here that [the prosecution’s issues] posed questions of law and arose from decisions of a criminal court that had become final, within the contemplation of section 16-12-102(1) . . . .”). 5 ¶ 11 “Because we must always satisfy ourselves that we have jurisdiction to hear an appeal, we may raise jurisdictional defects sua sponte, regardless of whether the parties have raised the issue.” People v. S.X.G., 2012 CO 5, ¶ 9. We review questions of law de novo. See People v. Ross, 2019 COA 79, ¶¶ 2-10, 26. ¶ 12 The trial court held the Dropbox and Comcast records were business records that it could not admit without testimony or an affidavit from the custodians. See CRE 803(6), 902(11). The court made no findings of fact and did not weigh the evidence proffered by the prosecutor. Instead it relied entirely on its interpretation of the rules of evidence and relevant case law. So, while the district attorney is appealing an evidentiary ruling, that posture does not preclude appellate jurisdiction under section 16-12-102(1) when the question presented focuses on the proper application of the controlling legal standard. Welsh, 176 P.3d at 792; see People v. McLeod, 176 P.3d 75, 76 (Colo. 2008) (holding that a trial court’s interpretation of the rape-shield statute presented an appealable question of law under section 16-12-102(1)); see also People v. Medina, 25 P.3d 1216, 1223 (Colo. 2001) (whether a statement constitutes hearsay is a legal conclusion). 6 ¶ 13 In sum, we have jurisdiction to hear this appeal. III. Law ¶ 14 Principles of relevancy, authenticity, and hearsay govern the admissibility of computer-generated records. People v. Huehn, 53 P.3d 733, 736 (Colo. App. 2002). A. Relevancy ¶ 15 Only relevant evidence is admissible. CRE 402. Relevant evidence is evidence “having any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.” CRE 401. B. Authenticity ¶ 16 Authenticity is also a threshold requirement for admissibility. People v. Baca, 2015 COA 153, ¶ 26. The proponent may satisfy this requirement by presenting extrinsic evidence to show that the proffered evidence is what the proponent claims it to be under CRE 901. Huehn, 53 P.3d at 736. The burden to authenticate presents a low bar; “only a prima facie showing is required[.]” People v. Glover, 2015 COA 16, ¶ 13 (quoting United States v. Hassan, 742 F.3d 104, 133 (4th Cir. 2014)). Once the proponent 7 meets this burden, the actual authenticity of the evidence and the effect of any defects go to the weight of evidence and not its admissibility. CRE 104; see People v. Lesslie, 939 P.2d 443 (Colo. App. 1996). ¶ 17 CRE 901 does not definitively establish the nature or quantity of proof required to authenticate evidence. The trial court must make a fact-specific determination of whether the proof advanced is sufficient to support a finding that the item in question is what its proponent claims it to be. See Colo. Citizens for Ethics in Gov’t v. Comm. for Am. Dream, 187 P.3d 1207, 1213 (Colo. App. 2008) (“Whether a proper foundation has been established is a matter within the sound discretion of the trial court . . . .”). CRE 901(b) contains a nonexhaustive list of methods to authenticate by extrinsic evidence. The list includes testimony by a witness with personal knowledge of the proffered evidence. CRE 901(b)(1). ¶ 18 As relevant here, where a law enforcement investigator possesses personal knowledge that proffered evidence was produced in response to a search warrant, courts have allowed the investigator to authenticate that evidence. See, e.g., United States v. Whitaker, 127 F.3d 595, 601 (7th Cir. 1997) (holding that the 8 prosecution properly authenticated computer records seized during the execution of a search warrant through the testimony of the officer who retrieved them); United States v. Sliker, 751 F.2d 477, 488 (2d Cir. 1984) (allowing an investigating officer to authenticate bank documents obtained through a search warrant); see also People v. Marciano, 2014 COA 92M-2, ¶ 28 (cases from other jurisdictions with similar rules of evidence are instructive for interpreting Colorado Rules of Evidence). ¶ 19 Proponents tend to rely on CRE 901 to authenticate electronic communications such as emails, texts, and messages sent through social media platforms like Facebook. See People v. Heisler, 2017 COA 58, ¶¶ 15-23 (text messages); Glover, ¶¶ 21-34 (Facebook messages); People v. Bernard, 2013 COA 79, ¶¶ 7-13 (emails). ¶ 20 But unlike emails, texts, and social media messages, cloud-based files lack many of the readily identifiable characteristics that often make authentication under CRE 901 possible. Specifically, files uploaded to remote servers are not necessarily shared with other users, which forecloses the opportunity for a recipient to authenticate them. And cloud storage providers may not require detailed profiles of their users, which 9 eliminates another avenue to corroborate ownership of the account’s contents. 5 See generally Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534, 556-59 (D. Md. 2007) (discussing authentication issues for electronically stored information, and noting that “courts ‘should . . . consider the accuracy and reliability of computerized evidence’ in ruling on its admissibility.”) (citation omitted).6 C. Hearsay ¶ 21 Authenticity does not guarantee admissibility. See People v. Morise, 859 P.2d 247, 250 (Colo. App. 1993) (“[T]he mere fact that a document is authentic does not mean that it is also competent evidence of the facts contained in that document.”); see also Fed. R. Evid. 901(b) advisory committee’s note to 1972 proposed rules Dropbox, for example, only requires a name, email address, and password to create a free account. See Dropbox, Create an Account, https://perma.cc/BX5T-S6KR. 6 See also Scott A. McDonald, Authenticating Digital Evidence from the Cloud, Army Law. 40, 48 (2014) (concerning cloud storage, in “the absence of an acknowledgement of authorship and authenticity from a party with relevant knowledge . . . counsel should consider gathering additional circumstantial evidence of authenticity to satisfy the requirements of [Rule] 901”); Scott Moss & Ann England, Evidentiary Foundation and ESI, in Colo. Bar. Ass’n CLE, Information Security & Document Management 2/20 (July 25, 2018) (noting that presence on the internet does not suffice to establish authenticity; “the proponent must show that it came from the person or entity alleged to be the author or owner”). 5 10 (“[C]ompliance with requirements of authentication . . . by no means assures admission of an item into evidence, as other bars, hearsay for example, may remain[.]”). ¶ 22 As relevant here, authentic evidence may be excluded on the basis that it is hearsay. See CRE 802. Hearsay “is a statement other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.” CRE 801(c). Still, not all computer-generated records constitute hearsay. Even if a party introduces a computer-generated record to prove the truth of its contents, that record may not constitute hearsay if the computer created the record automatically without human input or interpretation. People v. Hamilton, 2019 COA 101, ¶¶ 24-26. ¶ 23 In contrast to the low threshold for authentication, under which a court allows the jury to weigh questionably authentic evidence, a hearsay objection presents a binary choice — courts must exclude hearsay unless its proponent satisfies an exception. Glover, ¶ 37. ¶ 24 Our rules of evidence recognize exceptions to the general prohibition against admitting hearsay for certain inherently reliable 11 out-of-court statements. See CRE 803. One such exception allows courts to admit business records that meet criteria intended to ensure trustworthiness. See Henderson v. Master Klean Janitorial, Inc., 70 P.3d 612, 617 (Colo. App. 2003) (“The business records exception is founded on a presumption of accuracy that exists because the information is reported by persons trained in the importance of precision and checked for its correctness, and because of the accuracy demanded by the nature of the business.”). Hearsay subject to the business-records exception is [a] . . . report, record, or data compilation, in any form, of acts [or] events . . . made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of regularly conducted business activity, and if it was the regular practice of that business activity to make the . . . report, record, or data compilation . . . . CRE 803(6). ¶ 25 Examples of computer-generated records that have satisfied the business-records exception include invoicing data from billing software, activity records of an automated teller machine (ATM), credit card statements, and checking account statements. State ex rel. Coffman v. Robert J. Hopp & Assocs., LLC, 2018 COA 69M, ¶ 74 12 (invoicing data); Marciano, ¶¶ 24-31 (checking account statements); Huehn, 53 P.3d at 737-38 (ATM records); People v. Berger-Levy, 677 P.2d 351, 351-52 (Colo. App. 1983) (credit card statements). ¶ 26 Business records may contain statements made by third parties. Courts do not grant the same presumption of reliability to these statements because the third party does not have a duty to the business to report the information accurately. Henderson, 70 P.3d at 617. Still, third-party statements contained in business records are admissible under the business-records exception when the third party’s information is provided as “part of a business relationship” between the business and third party, and evidence shows that the business “substantially relied” on the information. People in Interest of R.D.H., 944 P.2d 660, 665 (Colo. App. 1997). But in Glover, ¶ 21, a division of this court held that Facebook messages were not admissible as a third-party statement in a business record because “even though an arguable business relationship exists between Facebook and its users, there was no evidence presented that Facebook substantially relies for any business purpose on information contained in its users’ . . . communications.” 13 IV. Application A. Relevancy ¶ 27 Although the videos are not in the record, the probable cause affidavit describes the sexually explicit content of six of them and observes that the females depicted appear to be between five and thirteen years old. Thus, the relevancy of the Dropbox and Comcast records that identify the account containing the videos and connect N.T.B. to that account could not be disputed. See § 18-6-403(3)(b.5) (proscribing possession of or control over sexually exploitive material “for any purpose”). B. Authenticity ¶ 28 The district attorney asserts that the trial court “found the Dropbox records would not be admissible because there was no one to authenticate” them, but that it erred “in failing to consider the prosecution’s argument” about authentication. Whether the investigating officer’s testimony provided a sufficient foundation from which the jury could reasonably find that the Dropbox and Comcast records were what the prosecution purported — 14 documents generated by these entities — presents a close question. 7 ¶ 29 The scant record shows that the trial court analyzed the pertinent rules and acknowledged that the prosecution might have authenticated the Dropbox and Comcast records under either CRE 901 or CRE 902. Thus, contrary to the district attorney’s characterization, the trial court did consider the authentication argument. ¶ 30 Turning to the merits of the argument, we agree with the district attorney that the investigating officer’s proffered testimony sufficed to support a finding that the records were what the prosecution asserted them to be, although we do so on different grounds than those argued by the district attorney on appeal. See Thyssenkrupp Safway, Inc. v. Hyland Hills Parks & Recreation Dist., 271 P.3d 587, 589 (Colo. App. 2011) (An appellate court may affirm The district attorney’s brief focuses exclusively on the Dropbox records, but because the Comcast record provides a step in the link between N.T.B. and the sexually exploitive material stored on Dropbox, we include it in our analysis, which applies equally to the Comcast records. 7 15 a trial court’s ruling on “any grounds that are supported by the record.”). ¶ 31 The district attorney’s brief leans heavily on the holding in Glover that Facebook messages may not be authenticated and admitted under CRE 803(6) or CRE 902 because they were not business records of Facebook. But the argument that “the Dropbox records . . . are similar to the Facebook entries” only goes so far. ¶ 32 True, the pictures of N.T.B. and N.T.B.’s email address are arguably like Facebook messages insofar as they are all user-generated. But N.T.B. specifically objected to “the written documents” — i.e., the account identification number, the account activity log, and the IP address used to make the uploads — which were generated by Dropbox and Comcast and not the account user. On this point, we distinguish the business records at issue here from the Facebook messages in Glover. ¶ 33 But recall that CRE 901 is a flexible standard. The type and quantity of evidence necessary to authenticate a particular piece of evidence will always depend on context. For electronically stored information that lacks an acknowledgement or other indicia of authorship, persuasive authority suggests that the prosecution 16 should present evidence of accuracy and reliability to satisfy the requirements of CRE 901. See Lorraine, 241 F.R.D. at 558-59; Scott A. McDonald, Authenticating Digital Evidence from the Cloud, Army Law. 40, 48 (2014). ¶ 34 In this case, the prosecution proffered such evidence. The prosecutor made an offer of proof that the investigating detective would testify that he caused search warrants to be issued and served on Dropbox and Comcast; these entities provided him with the records in response to the warrants; and N.T.B. acknowledged to the detective that he owned a Dropbox account tied to his work email address. So, the investigating detective had sufficient personal knowledge indicating that the Dropbox and Comcast records were authentic. See CRE 901(b)(1). ¶ 35 Even so, the court properly recognized that the prosecution must overcome the hearsay objection. C. Hearsay ¶ 36 The Dropbox account identification number, activity log, and associated IP address, as well as the Comcast records connecting the IP address to the physical address where N.T.B. resided, were offered for the truth of the information. Through these records, 17 Dropbox and Comcast asserted that these accounts existed, the Dropbox account was associated with N.T.B.’s email address, videos had been uploaded into that account at various times from a specific IP address, and the IP address was assigned to a Comcast account at a residential street address. Simply put, what these records say provided essential links between N.T.B. and the videos in the Dropbox account. ¶ 37 Recall, the district attorney asserts that these records do not constitute hearsay because “[t]here [was] no declarant.” To the extent the district attorney is arguing that Dropbox and Comcast created the records automatically without human input or interpretation, this argument falls short for two reasons. First, as indicated, the Dropbox and Comcast records were not included in the record on appeal. When material portions of the record are omitted, we presume that they support the trial court’s ruling. See People v. Duran, 2015 COA 141, ¶ 12. Second, and more importantly, the prosecutor’s proffer before the trial court did not identify any basis for concluding that the records had been 18 generated automatically. 8 Thus, the records provided by Dropbox and Comcast may have included human-generated input and interpretation. ¶ 38 The district attorney argues that the trial court “misapplied the law” by holding that the Dropbox and Comcast records were business records “because they are content created by users, not the business” and because the substance of that content is not something upon which Dropbox “substantially relies.” But Dropbox — not N.T.B. — generated the account identification number and account activity log in which it recorded the IP address. Like bank and credit card statements in Marciano and Berger-Levy, these records were a compilation of data created in the regular course of Dropbox’s business. ¶ 39 On this basis, the records at issue here can be distinguished from the Facebook messages in Glover. There, the court relied on the party-admission exception to overcome the defendant’s hearsay Consistent with People v. Hamilton, 2019 COA 101, this opinion does not preclude a party from offering evidence to show that computer records were generated automatically. 8 19 objection. By contrast, N.T.B. admitted only to owning a Dropbox account associated with his work email address. ¶ 40 So, the trial court correctly analogized the account number, activity log, and IP address to computer-generated account statements that other divisions have analyzed as business records in Robert J. Hopp & Assocs., Huehn, Berger-Levy, and Marciano. And without testimony or an affidavit from the custodians showing that the records were made in the regular course of business, inputted accurately within a reasonable amount of time, and transmitted by a reliable person with knowledge, the trial court properly excluded these records. ¶ 41 The second part of the district attorney’s argument — that Dropbox and Comcast do not “substantially rely” on their records — misapplies that legal test. This facet of the business record analysis applies only to information generated by a third-party. And of course, to maintain the integrity of numerous separate accounts, Dropbox and Comcast must rely on unique account numbers and IP addresses. ¶ 42 In the end, the trial court correctly held that the Dropbox and Comcast records contained inadmissible hearsay, essential to the 20 prosecutor’s “possesses or controls” theory, which it could not admit without testimony from the records custodians or an affidavit. V. Conclusion ¶ 43 We approve the trial court’s ruling. JUDGE DUNN and JUDGE LIPINSKY concur. 21

Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.