We all know that mobile devices have many apps that work with each other (e.g. messaging apps are often linked to other apps for pictures or documents) and that even save backups that may be available even if messages themselves are unrecoverable (such as in “downloads” folders). If the Puerto Rico Department of Justice limits evidence gathering to the Telegram app, the process may not be encompassing of additional evidence sources. In the 889 page leaked Telegram chat, a participant says they should move to Signal, another secure messaging platform. This should already be a strong indicator to suggest that the search should be broader in scope.
Ideally the devices should be retained, turned off and stored in special containers that do not allow their manipulation from afar. We find troubling the possibility that they are simply examined and let go without creating backup copies of the entire devices. Prudency would dictate creating full copies of everything in a given device. The process of creating backup copies should be documented well and representatives of the device owners should be able to participate. Additionally those backups made by the devices during their normal operation would also be requested from the device manufacturers, and operating system makers (e.g. Google for Android devices, and android mobile phone manufacturers; Apple for iphones) as well as any third party services (e.g. dropbox, box, etc.). Activity logs from mobile phone providers (e.g. ATT, TMobile, Claro) should be requested too. At a minimum steps should be taken so that any of those third parties put litigation holds on their systems and preserve information that may be later requested through appropriate legal means. We won’t go into a lengthy discussion on how this may be done under Puerto Rico or federal law but there are legal avenues to address these challenges.
What concerns us is that in their urgency to produce something that can be given to the press to show that they are working and care about this case, the Department of Justice is not properly handling evidence. It would be shameful to discover that only some texts are extracted, and a report is published singling out whatever texts the examiner thought were relevant without giving any defense attorneys the opportunity to conduct their own examinations of copies of images of those devices. It would be even worse to find out that by the mere act of looking into phones, not into backups, the primary sources were altered and thus their probative value could be questioned. This would result in that whenever any accusations are introduced in court defense attorneys will have a field day claiming issues related to lack of chain of custody or context of text messages not being used because certain information was not recoverable from devices or similar situations. The criteria on what queries were made and their rationale should be very clear.