Is it possible to prove a certain email has been sent using a certain computer?

  • I can understand that an SMS can be traced to the mobile phone which it has originated from, and the phone owner has no chance in court but to claim that someone else has used his phone, but what about an email from a PC?

    Most emails are being sent using a browser and a web interface let alone the fact that you hardly find a PC outside a NAT. Add to that most laptops are connected via WiFi.

    It seems very easy to claim that I have not sent email X and email address Y is not mine. IP address? It means nothing: I am sharing it with lots of people; it might be my wife who sent that email from her laptop, or it might be my neighbors who hacked my WiFi.

    How can an expert defeat such claims in court in front of a judge?

    Sometimes in the email headers you can see the IP of the first client that submitted the message to the first email server. However, that can be forged and that also may be a NAT so that's not what I would call "proof".

    Was the 'alleged' email sent/composed via a desktop client (outlook) or a web interface (gmail)? This will help narrow things a lot.

    What does computer in this context mean? A specific user on that computer? Or just any user on a given machine?
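As an added example (not part of the original question or its comments), the following Python sketch shows how an examiner would walk the Received chain of a message, treating only the hops recorded by servers whose logs are under their control as evidence; the message, host names and addresses are constructed.

```python
import email
import re

# Constructed sample (not from the original post). Received headers read
# top-down from the last server that handled the message to the first one,
# so the bottom header is the submission hop the question talks about.
SAMPLE_MESSAGE = """\
Received: from mx2.example.org (mx2.example.org [203.0.113.5])
    by inbox.example.net with ESMTPS id abc123;
    Tue, 1 Jun 2021 10:00:02 +0000
Received: from webmail.example.org (webmail.example.org [203.0.113.9])
    by mx2.example.org with ESMTP id def456;
    Tue, 1 Jun 2021 10:00:01 +0000
Received: from [192.168.1.23] (unknown [198.51.100.77])
    by webmail.example.org with ESMTPSA id ghi789;
    Tue, 1 Jun 2021 10:00:00 +0000
From: someone@example.org
To: you@example.net
Subject: test

hello
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message, trusted_servers):
    """Return the Received chain oldest-first. Each hop records the server that
    wrote it ('by ...'), the peer address that server observed, and whether the
    writing server is one whose records we control. Hops below the first
    trusted one were written on the sender's side and can be fabricated."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        by = re.search(r"\bby (\S+)", text)
        from_clause = re.search(r"\bfrom (.*?) by ", text)
        ips = IPV4.findall(from_clause.group(1)) if from_clause else []
        hops.append({
            "by": by.group(1) if by else None,
            # the last bracketed literal is the TCP peer the server saw; an
            # earlier one is only the HELO name the client announced itself
            "from_ip": ips[-1] if ips else None,
            "trusted": bool(by) and by.group(1) in trusted_servers,
        })
    return hops


def earliest_reliable_client_ip(hops):
    """Client address from the oldest hop written by a server we trust.
    It may still be a NAT gateway, as the question points out."""
    for hop in hops:
        if hop["trusted"]:
            return hop["from_ip"]
    return None
```

With only the recipient's own server trusted, the best the chain gives is the address of the sending provider's relay; the submission hop's 198.51.100.77 only becomes evidence once that provider's records are obtained.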

  • Experts are experts. What an expert says stands in court as long as:

    • He is an expert.
    • The other party cannot provide another expert, who says that the first expert is wrong, and says it in a more convincingly expertish way.

    In practice, an email will be reputed to have been sent from a given PC if the context makes it a lot more plausible than any alternative explanation. Context elements include IP addresses registered from the SMTP server side, ease (or lack thereof) to assume that IP address on the client side (WiFi or not WiFi, accessible wires...), presence or absence of log files on the PC... and, more often than not, whether the purported sender admits to the deed or not.

    Take note that perjury is a serious offence, so people tend not to deny sending emails when what is at stake (e.g. a commercial dispute) is "less serious" than the consequences of being caught in the act of lying to the judge. The crucial point is that proving whether an email was really sent by some specific individual is a complex matter in both ways: it is hard to convincingly pinpoint the perpetrator, but it is equally hard to make sure that it will never be decisively proven.

    This reproduces the security model of handwritten signatures. It is, in fact, not very difficult to imitate the signature of somebody else; it is also quite hard to actually verify that a signature is proper or not. But handwritten signatures happen in the physical world, with pens and human hands, so they tend to leave traces -- what I call contextual elements. You can repudiate your own signature, but it is risky, because you cannot be sure that nobody saw you, or you did not leave a fingerprint on the pen, or any other of a million possible incriminating details. And trying to repudiate your own signature is severely punished. Therefore, it is often preferable to recognize the signature as your own and assume the consequences.

    In the case of emails, the same mechanism is at work. Though actual proofs are often flimsy elements (log entries and so on), denying having sent an email that you did send is risky, and felt as risky, especially since it involves computers (computers are beyond the "magical horizon" of most people). So most cases involving emails end up with producing a few log file entries (that could, indeed, be faked in a great many ways), and the sender crumbling under the steady gaze of the judge.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM