A discussion on database authentication – NC Court of Appeals

State v. Hicks. Eric Hicks was convicted of manufacturing meth. He appealed the conviction.

His arrest came after a tip top a school resource officer about a meth lab, and a safety check on his children by officers during which they saw plastic bottles used in meth production in plain view with his trash cans. Then, police obtained a search warrant and found many more drugs and equipment. The crime lab tested the substances found in the home and determined they were, in fact, meth.

What is interesting to me is this:

Officer Lee testified he searched for Defendant’s name on the National Precursor Log Exchange (“NPLEx”) database after he left Defendant’s residence. NPLEx is a “federal public registry” used to track an individual’s pseudoephedrine purchases. He explained pseudoephedrine is “the main ingredient of methamphetamine.” NPLEx was established “to make sure that people don’t buy more [pseudoephedrine] than their allowed limits every month.”

On appeal, Hicks argued the trial court erred in several ways, including by admitting Officer Lee’s testimony about the NPLEx database. He argued that the report from the NPLEx database was not authenticated and was inadmissible heasay. The state argued that these were properly authenticated business records under Rule 803(6).

The court explained:

Our Supreme Court held business records stored on computers are admissible if:

(1) the computerized entries were made in the regular course of business, (2) at or near the time of the transaction involved, and (3) a proper foundation for such evidence is laid by testimony of a witness who is familiar with the computerized records and the methods under which they were made so as to satisfy the court that the methods, the sources of information, and the time of preparation render such evidence trustworthy.

State v. Springer, 283 N.C. 627, 636, 197 S.E.2d 530, 536 (1973). “There is no requirement that the records be authenticated by the person who made them.” Crawley, 217 N.C. App. at 516, 719 S.E.2d at 637-38 (citation omitted). “The authenticity of such records may be established by circumstantial evidence.” Id. at 516, 719 S.E.2d at 637 (citation omitted).

Hicks argued that the records needed to be authenticated by someone affiliated with the database or the company that maintains it. The court disagreed, finding instead that Officer Lee had sufficient knowledge of the system to authenticate the record. The court cited State v. Sneed, 210 N.C. App. 622, 630-31, 703 S.E.2d 455, 461 (2011), which held that a detective could authenticate the NCIC database.

While both of these records came from databases designed for crime-fighting, I question how far this logic should extend. If a police officer is familiar with a private database, or even just databases and data acquisition in general, can that officer authenticate records he obtained through that knowledge? Should there be some check on the police work? What about in the civil context. Should an employee at Company A that regularly uses Company B’s database and understands how input to the database is obtained be able to authenticate Company B’s business records? I’m not sure I have the answers.

In this case, it wouldn’t have mattered anyway:

Presuming the report from the NPLEx database were not admissible under the business record exception to the hearsay rule, admission of the report was harmless error.