Provisions Concerning the Collection, Extraction, Review, and Judgment of Electronic Data in the Handling of Criminal Cases

Supreme People's Court, Supreme People's Procuratorate, Ministry of Public Security

Provisions Concerning the Collection, Extraction, Review, and Judgment of Electronic Data in the Handling of Criminal Cases

These Provisions are formulated on the basis of the Criminal Procedure Law of the People's Republic of China, and other relevant laws so as to regulate the collection and extraction and review and judgement of electronic data, to raise the quality of criminal case handling.

I. General Provisions

Article 1: Electronic data is data that can prove case facts and that was formed during the course of the crime and stored, processed, or transmitted in digital form.

Electronic data includes, but is not limited to, the following information and electronic documents:

(1) Information published on web pages, blogs, micro-blogs, chat groups, Bbs, network drives and other web platforms;

(2) Correspondence information on mobile phone text messages, e-mail, instant messages, distribution groups, and other network application services;

(3) User registration information, identity verification information, electronic transaction records, communication records, login logs, and other such information;

(4) documents, images, a/v, digital certificates, computer programs, and other such electronic files.

Evidence recorded in digital form, such as witness testimony and victim statements, as well as the confessions or explanations of criminal suspects or defendants, are not electronic data. Where it is truly necessary, the collection, extraction, transfer, and review of such evidence may apply these Provisions by reference.

Article 2: Investigatory organs shall follow the legally prescribed procedures and obey relevant technical standards to fully, objectively and promptly gather and extract electronic data; people's procuratorates and people's courts review and judgement of electronic data shall rotate around its veracity, lawfulness, and relevance.

Article 3: People's courts, people's procuratorates and public security organs have the right to gather and collect electronic data from relevant workplaces and individuals in accordance with law. Relevant units and individuals shall truthfully provide it.

Article 4: Where electronic data relates to state secrets, commercial secrets or personal privacy, it shall be kept confidential.

Article 5: One or more of the following measures shall be employed to protect the integrity of electronic data that is to serve as evidence:

(1) Seizure or sealing of the electronic data's original storage medium;

(2) Computing integrity check values for the electronic data;

(3) Producing or storing backups of the electronic data;

(4) Freezing the electronic data;

(5) Video-recording of activities related to the collection or extraction of the electronic data;

(6) Other methods of protecting the integrity of the electronic data.

Article 6: Electronic data collected or extracted during the preliminary investigation, as well as electronic data extracted online, may be used as evidence.

II. The gathering and extraction of Electronic Data

Article 7: The collection and extraction of electronic data shall be carried out by two or more investigators. Methods for collecting evidence shall comply with relevant technical standards.

Article 8: Where in collecting or extracting electronic data, the original storage media can be seized, they shall be sealed and seized, and a record made of the sealing of the electronic data's original storage medium

The sealing of the original storage medium of electronic data shall ensure that there is no way to add, delete or modify the electronic data without releasing the seal. Pictures shall be taken before and after the sealing of the original storage medium, clearly reflecting the seal or sealing tape.

Sealing of media with wireless communications functions such as mobile phones shall employ measures such as signal blocking, cutting off signals, or cutting the power supply.

Article 9: In any of the following circumstances, where there is no way to seize the original storage medium, electronic data may be extracted, but the reasons why the original storage medium could not be seized shall be noted in the record, along with circumstances such as the original storage medium's location or the source of the electronic data, and integrity check value computed for the electronic data:

(1) it is inconvenient to seal the original storage medium;

(2) the data is extracted from computer memory, network transmission data, or other such electronic data that is not stored in a storage medium;

(3) the original storage media is located outside mainland China;

(4) other situations where there is no way to seize the original storage medium.

Electronic data for which the original storage medium is outside the mainland or which is on a remote computer information system, may be extracted online through the networks.

When necessary, to further ascertain the circumstances, remote network inquiries may be conducted of remote computer information systems. Where it is necessary to employ technical investigation measures to conduct remote inquests, strict approval formalities shall be carried out in accordance with law.

Article 10: Where for objective reasons there is no way, or it is unsuitable, for electronic data to be collected or extracted in accordance with the provisions of articles 8 and 9, methods such as printing, photographing, or recording may be used to fix the evidence, and have the reasons explained in the records.

Article 11: Where there are any of the following circumstances, electronic data may be frozen upon the approval of the responsible party at a public security organ or a chief procurator at the county level or above:

(1) The amount of data is large, and there is no way, or it is inconvenient, to extract;

(2) The extraction time is long and might cause the electronic data to be tampered with or destroyed;

(3) the electronic data can be more intuitively displayed through network applications;

(4) Other situations where freezing is necessary.

Article 12: In the freezing of electronic data, a written notification of assistance in freezing shall be drafted indicating information such as the network application account number of the frozen electronic data, and it shall be given to the person holding the electronic data, the network service providers, or relevant departments to assist in handling. Where releasing frozen electronic data, a written notice for assistance in releasing the freeze shall be drafted and given to the person holding the electronic data, the network service providers, or relevant departments, to assist in handling.

One or more of the following methods shall be employed when freezing electronic data:

(1) Calculating integrity check values for electronic data;

(2) Locking network application accounts;

(3) Other measures to prevent the addition, deletion, or modification of electronic data.

Article 13: In the retrieval of electronic data, a written notification of retrieval of evidence shall be drafted, indicating the relevant information about the electronic data to be collected, and notice given to the person holding the electronic data, the network service providers, or relevant departments for enforcement.

Article 14: A record shall be made of the collection or extraction of electronic data, recording the cause of action, the object of the case, its content, and the time, place, means, and process by which the electronic data was extracted, and a list of the electronic data attached, indicating its character, category, document format, integrity check value, and other such information, and the investigators and the holder of the electronic data (provider) are to sign or affix a seal; where the holder of the electronic data (provider) is unable to sign or refuses to sign, it shall be noted in the record and a witness shall sign or affix a seal. Where there is capacity, a video recording shall be made of such activities.

Article 15: The collection or extraction of electronic data shall be based on the provisions of the Criminal Procedure Law, with persons meeting the requirements serving as witnesses. Where for objective reasons there is no way to have personnel who meet the requirements serve as witnesses, the situation shall be noted in the record, and a video record made of relevant activities.

Where electronic data is collected or extracted from multiple computer information systems at the same scene, a single witness may be used.

Article 16: Original storage medium or extracted electronic data that have been seized may be reviewed through means such as recovery, cracking, statistics, correlations, or comparisons. When necessary, investigative tests may be conducted.

In the inspection of electronic data, the process of opening the storage medium of electronic data shall be recorded, and the storage medium of electronic data shall be inspected by connecting it to the inspection equipment through write-protection devices; where conditions permit, a backup of electronic data shall be produced for inspection; where write-protection devices cannot be used and a backup cannot be produced, the reasons shall be noted and relevant activities shall be video recorded.

A record shall be drafted for the inspection of electronic data, on the inspection's methods, process and results, and relevant personnel will sign it or affix a seal. Where investigative tests are carried out, an investigative test record shall be drafted on the tests' conditions, process and results and the test participants will sign it or affix a seal.

Article 17: Where specialized issues involved in electronic data are difficult to determine, forensic evaluation establishments are to issue an appraisal opinion, or an establishment designated by the Ministry of Public Security is to issue a report. An establishment designated by the Supreme People's Procuratorate may also issue a report in a case that is directly handled by a people's procuratorate.

The specific measures are to be formulated separately by the Ministry of Public Security and the Supreme People's Procuratorate.

III. Transmission and Display of Electronic Data

Article 18: Original storage media or electronic data that is collected or extracted shall be transferred sealed along with the case, and a backup of the electronic data made and sent along as well.

For web pages, documents, images, and other electronic data that can be directly displayed, a printout need not be transferred with the case; where people's courts and people's procuratorates are unable to directly display electronic data, because of equipment limitations or other such reasons, the investigating organs shall transfer printouts together with the case or attach display tools or an explanation of display methods.

For frozen electronic data, a list of the frozen electronic data with the category, document format, frozen subject, main points of evidence shall be transferred, and relevant internet application accounts noted, and viewing tools and an explanation on the methods shall be attached.

Article 19: For electronic data that cannot be directly displayed such as programs, tools or computer viruses used for intruding on or unlawfully controlling computer information systems, an explanation of the nature, function and other circumstances of the electronic data shall be attached.

The investigating organs shall issue an explanation of issues such as the volume of data statistics and the equivalence of data.

Article 20: Where public security organs request the people's procuratorates conduct a review to approve arrest of a criminal suspect, or transfer a case in which investigation has concluded for review for prosecution, they shall transfer electronic data and other such evidence with it to the people's procuratorate. Where during the course of reviewing to approve arrest or review for prosecution, people's procuratorates discover that electronic data that should have been transferred was not transferred, or that transferred electronic data does not meet relevant requirements, they shall notify the public security organs to send supplements, or supplement and correct.

In public prosecutions, where people's courts discover that electronic data that should have been transferred was not transferred, or that transferred electronic data does not meet relevant requirements, they shall notify the people's procuratorate.

Public security organs and people's procuratorates shall transfer the electronic data or supplement with relevant materials within three months of receiving the notice.

Article 21: Where the electronic data submitted to the court by the prosecution or the defense needs to be displayed, it can be shown, played or demonstrated with the help of multimedia equipment, depending on the specific types of the electronic data. When necessary, persons with special knowledge may be employed to perform operations, and to give an explanation of relevant technical questions.

IV. Review and Judgment of Electronic Data

Article 22: Review of whether electronic data is authentic shall focus on the following content:

(1) Whether the original storage medium was transferred; are there explanations given when the original storage medium could not be sealed, or it was impractical to transfer, and are situations noted, such as the collection and extraction process, and the storage location of the original storage medium or the source of the electronic data.

(2) Whether electronic data has a digital signature, digital certificate or other special identifiers;

(3) Whether the collection or extraction of electronic data could be reoccurred;

(4) Whether there are explanations for circumstances such as additions, deletions, revisions of electronic data;

(5) Whether the integrity of electronic data can be guaranteed.

Article 23: Validation of electronic data's integrity shall be conducted on the basis of corresponding methods;

(1) Review of the seizure or sealing of the original storage medium;

(2) Review of the collection or extraction process for electronic data, and review of video recordings.

(3) Comparing integrity check values for electronic data;

(4) Conduct a comparison with electronic data backups;

(5) Review access logs after freezing;

(6) Other methods.

Article 24: Review of whether the collection or extraction of electronic data is lawful, shall focus on the following content:

(1) Whether the collection or extraction of electronic data was carried out by two or more investigators, and whether the methods of evidence gathering complied with technical standards;

(2) Whether there are attached records and lists for the collection and extraction of electronic data, and they have been signed or had a seal affixed by investigators, the person in possession of the electronic data (provider), and witnesses; whether the reason has been noted where there person in possession (provider) has not signed or affixed a seal; and whether information such as the specifications, type and file formats of electronic data is clear.

(3) Whether relevant provisions we followed in having eligible persons serve as witnesses, and whether relevant activities were video recorded.

(4) Electronic data review of whether the electronic data storage media has been through write-protection equipment to enter into procuratorate equipment; and where there is capacity, whether a backup of the electronic data has been made and a review conducted of the backup; and where there is no way to make a backup and no way to use write protected equipment, whether a video is attached.

Article 25: A comprehensive judgment on the determination of the sameness of criminal suspects' or defendants' online identities and real identities may be done through verification of IP addresses, network activity records, possession of internet terminals, relevant witness testimony, as well as the criminal suspects' or defendants' statements and explanations.

A comprehensive judgment on the determination of the relation between criminal suspects or defendants and storage media may be done through verification relevant witness testimony, as well as the criminal suspects' or defendants' statements and explanations.

Article 26: Where public prosecutors, parties or defenders and agents ad litem have objections to the evaluation opinion on electronic data, they may apply to the people's court to notify the evaluator to appear in court to testify. Where people's courts find that the forensic evaluator must appear, the forensic evaluator shall appear in court to testify.

Where upon notice from the people's court, evaluators refuse to appear in court to testify, the evaluation opinion must not be the basis of the verdict. The people's court shall issue a notice to the judicial administrative organs or relevant departments when evaluators refuse to appear in court to testify without a legitimate reason,

Public prosecutors, parties and defenders or agents ad litem may apply to the court to notify persons with expert knowledge appear in court, to put forward opinions on expert evaluators' evaluation opinions.

For reports on specialized issues involved in electronic data, apply paragraph 3 above by reference.

Article 27: Where the procedures for collecting or extracting electronic data has the following defects, it may be admitted upon supplementation or the issuance of a reasonable explanation; if it cannot be supplemented or a reasonable explanation cannot be made, it must not be the basis of a case verdict:

(1) Failure to transfer in a sealed state;

(2) Records or lists do not have the signature or seal of investigators, the holder of electronic data (provider), or witnesses upon them;

(3) Unclear notation of electronic data's name, type, format and so forth;

(4) There are other blemishes.

Article 28: Electronic data that has any of the following conditions must not serve as the basis for a verdict:

(1) electronic data that is tampered with, forged, or where its authenticity cannot be determined;

(2) electronic data that has additions, deletions, modifications or other such circumstances, impacting the veracity of the electronic data;

(3) Other situations where there is no way to ensure the veracity of electronic data.

V. Supplementary Provisions

Article 29: The meaning of the following terms as used in these Provisions:

(1) "Storage media" refers to carriers that are capable of storing electronic information, such as electronic devices, hard drives, optical drives, USB flash drives, memory sticks, memory cards, and memory chips.

(2) "Integrity Check Values" refers to a set data value to prevent alteration or destruction of data by utilizing specialized calculations methods such as has algorithms to perform calculations on electronic data, the outputs of which are used to verify the integrity of data.

(3) "Remote Network Inquiries" refers to investigative activities using networks to conduct inquiries of remote computer information systems; to discover or extract electronic data related to crimes, to record the status of computer information systems, determine the nature of cases, analyse the crimes, confirm the direction and scope of investigation, so as to break cases under investigation, and provide leads and evidence for criminal proceedings.

(4) "Digital signatures" refer to data values that are used to verify the source and integrity of electronic data and are obtained by computing electronic data with specific algorithms;

(5) "Digital certificates" refer to electronic documents that contain digital signatures and authenticate the source and integrity of electronic data.

(6) "Access logs" refers to detailed records of access and operations that are automatically produced by computer information systems so as to review whether electronic data has been added to, deleted, or modified.

Article 30: These Provisions take effect on October 1, 2016. Wherepreviously released normative documents differ from these Provisions, these Provisions control.