Digital evidence authentication is now a core law enforcement responsibility as deepfakes and other AI-generated content make video, audio, and image files easier to challenge in court. Officers, investigators, prosecutors, and agency leaders must document provenance, preserve metadata, maintain chain of custody, and understand when warrants are required before reviewing provider-flagged files.
Video evidence once seemed inherently credible. Captured by surveillance, recorded by a phone, or flagged by an internet service provider, it appeared the hard work was done: Find the file, preserve it, present it.
That assumption is no longer safe.
Deepfake technology and public awareness of it have changed law enforcement work in clear and subtle ways. The obvious problem: Digital images, audio, and video can be manipulated in ways that are hard to detect. But there’s a subtler, often more dangerous problem, too: As awareness of deepfakes spread, people may now claim real evidence is fake. This effect, called the “liar’s dividend,” is becoming important for officers, investigators, prosecutors, and police leaders to understand.
Concerns over manipulated photos in digital images have existed for years. Now, with hosted cloud storage and web-based email managed by private companies, new questions arise. Do existing search-and-seizure laws adequately cover the complexities of digital evidence under these companies’ terms of service? How will courts treat hashing technology, a digital fingerprint of a file, when a provider finds possible child sex abuse material (CSAM)? The “liar’s dividend” and the doubts it raises will affect how video evidence provenance is established.
Two recent appellate decisions illustrate these issues: Matter of M.S. (M.H.) from the New York Court of Appeals and United States v. Maher from the 2nd Circuit. These cases have different facts and legal questions, yet they highlight the same operational reality. In the era of digital deception, officers cannot assume a file speaks for itself. Nor can they assume that identifying and collecting digital evidence falls within existing search-and-seizure rules. How the evidence was created, where it came from, how it was handled, and what the police did to inspect it may matter as much as what the evidence seems to show.
That is not just a trial issue for prosecutors. It starts with a seizure and continues through each step of handling, review, documentation, and testimony. The laws pertaining to digital evidence will continue to evolve as the law catches up with the technology. Until the law settles, knowing the relevant laws in your jurisdiction is critical. While this article focuses primarily on two decisions applicable to New York, the issues raised by the cases are relevant to all officers, regardless of jurisdiction.
“Provenance matters. Chain of custody matters. Metadata matters. Original source devices matter.”
Inadequate Authentication
Matter of M.S. (M.H.), 2026 NY Slip Op 00825 (N.Y. Feb. 17, 2026)
The term “liar’s dividend” describes a simple but powerful problem*. As society becomes more aware that deepfakes exist, dishonest people gain a new defense. They can deny real evidence by claiming it was digitally fabricated or altered. The more public discussion there is about deepfakes, the easier it becomes for bad actors to cast doubt on authentic evidence.
In policing, so much modern evidence is digital. Body-worn camera footage, surveillance video, Ring/Nest camera clips, phone extractions, social media posts, emailed images, cloud-stored files, and cyber tip reports — all now sit in an environment where authenticity can be challenged. In practical terms, this means an officer or investigator cannot stop at “we have the video.” The question now is, “Can we prove this is what we say it is, and can we explain how we know that?”
The New York Court of Appeals’ decision in Matter of M.S. (M.H.) should get the attention of anyone who works in child abuse cases, digital evidence cases, or family offenses.
The case involved videos that appeared to show a mother’s live-in boyfriend sexually abusing her 14-year-old daughter. The videos were not found on any family devices. Instead, they were discovered in 2022 during an FBI investigation into a different suspect, B.W., who reportedly told an FBI agent he had hacked into home security cameras in 2019 and saved clips from one family’s camera feed. Law enforcement later linked the family in the videos to the mother, M.H., her daughter, M.S., and the boyfriend, D.K. Police also found that the layout of the living room appeared to match the room seen in the videos, and they located items in the home that appeared to match items depicted in the footage. Still, the daughter denied abuse during her interview, and the videos were never found on the family’s own devices.
Family court admitted the videos and found abuse, and the appellate division affirmed. The court of appeals reversed.
The court of appeals first discussed a prior decision in which they set forth two ways that video evidence may be authenticated:
- Testimony of a witness to recorded events or of an operator, installer, or maintainer of the equipment that the videotape accurately represents the subject matter depicted, or
- Testimony by an expert or layperson establishing that the video accurately and truthfully represents what was before the camera.
The court held the videos were not properly authenticated. It emphasized the evidence’s strange provenance. The clips came from a third-party hacker, not the original source. There was a lengthy gap between when the videos were created and when law enforcement recovered them. There was also no testimony from the creator of the recordings or the person who extracted the clips. The court was also unpersuaded by the FBI agent’s testimony, noting he saw no signs of tampering but was not qualified as an expert in video authentication and was not asked about forensic methods to detect manipulation. In the court’s view, matching furniture, rooms, and household details was not enough. In the deepfake era, real-world background details do not necessarily prove the actions depicted actually occurred.
The dissents were compelling. They argued the circumstantial evidence was overwhelming and that the majority had created an unworkable standard. One dissent noted that the videos included highly specific items, such as sex toys, later found in the boyfriend’s locked bedroom. No one “faking” a video could have known about these items. Another warned that the majority’s approach could force child victims to testify or require expensive expert testimony. This could happen even when the forgery theory is unsupported and speculative.
Reasonable people can debate which side had the better argument. But for law enforcement, the lesson is straightforward. If your case depends heavily on digital media, you need to be prepared to prove more than what the video seems to show. You need to prove where it came from, how it got to you, what happened to it along the way, and why it can be trusted.
Regardless of your jurisdiction, there are some universal takeaways from this case. Provenance matters. Chain of custody matters. Metadata matters. Original source devices matter. In some cases, expert help may be needed to investigate and document authenticity.
While your jurisdiction may have a test for the authenticity of digital video evidence that differs from the one used by the New York Court of Appeals, proper authentication is still critical. The powerful circumstantial facts that support authentication in this case make it an outlier, as the dissent noted. Your jurisdiction may not be as stringent as the court in this case, but it’s important to highlight the issues with authenticating current and developing technology.
Hash Technology Versus the Private Search Doctrine
United States v. Maher, 120 F.4th 297 (2nd Cir. 2024)
If Matter of M.S. is about authenticity, United States v. Maher is about the Fourth Amendment. While this case is from the 2nd circuit, the case provides a good overview of the underlying issues. In a subsequent section below, we will explain the rift in federal circuit courts over this issue.
First, I need to touch on two areas important to the case: Google’s hash-matching technology and the private search doctrine.
Google’s terms of service state the company “may” review content to determine whether it is illegal or violates policies. They use two different processes. First, when an image or video file is uploaded to the platform, the file is “hashed,” resulting in a digital fingerprint. This fingerprint is compared to a database containing the fingerprints of known CSAM. If the system finds a match, the file is flagged in Google’s detection system and a cyber tip is sent to the National Center for Missing and Exploited Children (NCMEC) without further human review. (Note that 99.72% of Google’s cyber tips are made using this automated process.)
Files that don’t get caught by the hash-matching process may be further analyzed by Google’s AI-enabled content analysis system. According to Google, their systems are able to “flag new content that is very similar to patterns of previously confirmed CSAM.” These files are reviewed by the company’s specialized content reviewers to confirm whether they do, in fact, contain images of sexual abuse. These newly identified images are then reported to NCMEC, as per U.S. law.
Searches done by private people — that is, individuals or entities not acting as government agents — are generally not subject to the restrictions of the Fourth Amendment, which protects against unreasonable searches and seizures by the government. The private search doctrine is a legal principle that authorizes police to conduct warrantless searches if it is certain they will not learn anything more than what was already revealed in a prior private search conducted by a non-governmental party.
In Maher, Google used its automated hash-matching technology to flag a file uploaded to one of the defendant’s Gmail accounts. The file matched the hash value of an image previously identified by Google as CSAM. Google reported the file to the NCMEC, which then forwarded it to the New York State Police. No one at Google visually examined the file; the identification was purely algorithmic. A state police investigator opened the file and visually inspected it without first obtaining a warrant. That visual examination supported later search warrants that led to the seizure of thousands of images and videos.
The district court denied Maher’s motion to suppress the evidence subsequently obtained by the police, ruling that the private search doctrine applied. The 2nd Circuit disagreed, holding this warrantless visual inspection violated the Fourth Amendment.
The court drew an important distinction between what Google’s automated system knew and what the investigator learned by opening the file. The hash match revealed the file’s digital fingerprint matched that of a previously identified image. But the hash match did not reveal the specific visual details of the image in the defendant’s file. Once the investigator opened the file and reviewed it, law enforcement learned more than the private party had. That exceeded the scope of the private search doctrine and required a warrant. The court also rejected the argument that Google’s terms of service wiped out the defendant’s reasonable expectation of privacy as against the government.
The government still prevailed because the court applied the good-faith exception. At the time of the search, existing law had not clearly established that a warrant was required in this exact circumstance. So, the evidence was not suppressed. But the constitutional holding remains significant: A provider’s automated flagging can create strong probable cause, but it does not necessarily authorize officers to open and inspect a file without a warrant.
For investigators in the 2nd circuit, this is a bright warning light. When you receive a cyber tip or other provider report based on automated detection, do not assume that because the provider flagged it, you are free to open it. In many cases, the safer and smarter course is to treat the report as probable cause and get a warrant first. Hash-matching technology provides strong probable cause, so you are likely to get the warrant. Never again will the good-faith exception be applied to a case like this in the 2nd Circuit, as this case now puts law enforcement on notice.
Takeaways for Agencies
Provenance is not a technical afterthought. It is central. The cleaner and more complete your understanding of where a file came from and how it moved, the better positioned you are to defend it.
If you recover digital media, document exactly how and where it was obtained. Preserve the original versions whenever possible. Reports and documentation must be thorough. How was the file received? Who first viewed it? Was it opened before a warrant, and if so, was proper consent given? Was it original or forwarded? Was metadata preserved? Was the device or platform source identified? These details can decide whether evidence is admitted, suppressed, or given little weight. Whenever possible, only let properly trained officers secure any digital evidence.
For video, be sure to obtain the original source format in which it was recorded. Some cases may require digital forensics expertise or close consultation with the prosecutor earlier than they once did. Even if the codec (the device or system used to compress, transmit, and play back a file) is proprietary, modern forensic video software can still examine it. Avoid unnecessary viewing, copying, or manipulation. Understand that screenshots, forwarded clips, and edited segments may present authentication problems later. If such a forensic examination had been done in a Matter of M.S. (M.H.), it, along with the strong circumstantial evidence, may have saved the case.
The entire file’s life cycle matters. If the source is a social media platform, cloud provider, hacked account, third-party forwarding source, or anonymous tipster, you need to ask early whether you are dealing with original evidence, copied evidence, clipped evidence, or something with a compromised chain of custody. You also need to separate two questions that are often conflated: Is this file likely authentic, and what legal authority do I need before I inspect it more closely? If the source is a third-party provider, it will be critical to determine how the evidence can be authenticated.
For supervisors and agency leaders, this is a training issue. Officers need more than general reminders to “follow policy.” These are no longer niche issues for computer crimes units. Patrol, detectives, school resource officers, special victims’ investigators, internal affairs investigators, and command staff all need a working understanding of them.
An Issue for the Supreme Court of the United States
A hash match is powerful, but it is not magic. It can establish strong probable cause, but it does not automatically authorize a warrantless visual search by law enforcement. Maher makes that clear, at least here in the 2nd Circuit, which now joins the 4th circuit in United States v. Lowers (170 F.4th 134 (4th Cir. 2026)), and the 9th circuit in United States v. Wilson (13 F.4th 961 (9th Cir. 2021)).
As of now, two other circuits have directly ruled opposite of Maher, which could make this issue ripe for evaluation by the Supreme Court of the United States. Both the 5th circuit in United States v. Reddick (900 F.3d 636 (5th Cir. 2018)) and the 6th circuit in United States v. Miller (982 F.3d 412 (6th Cir. 2020)), ruled that the “virtual certainty” of hash value matching confirmation of CSAM allowed for the warrantless examination of the files under the private person search doctrine.
A third circuit, the 7th circuit in United States v. Blocker (2026 WL 1217809 (May 5, 2026)), also recently disagreed with the conclusion of Maher, Lowers, and Wilson regarding the conditions of a service provider’s terms of service. Contrary to those cases, the 7th circuit ruled the service provider’s terms of service — in this case, Dropbox — gave them consent to search the user’s files and, under certain circumstances (such as finding CSAM), report it to the proper authorities. While the case did not address the impact of hash matching, the privacy issue will need to be clarified by the U.S. Supreme Court at some point.
An excellent article further explaining this issue and the technology involved can be found on the Lexipol blog: CSAM and Hash-Matching — Tech Tool for Catching Creeps. If you are not sure what United States Court of Appeals you are in, you can access a map here; If you are in a circuit that has not yet rendered an opinion on these issues, your best course of action may be to get a warrant before opening any images reported as CSAM.
Timely legal analysis on law enforcement-related cases: SUBSCRIBE NOW!
Readiness Means Being Able to Prove the Truth
The larger lesson here is the same one we see in other areas of policing. Readiness is not just equipment, staffing, or tactics. It is the ability to operate effectively in the actual environment.
Today, that environment includes a world where digital media can be manipulated, where real evidence can be attacked as fake, and where courts are scrutinizing both authenticity and constitutional process with increasing care. Officers and agencies that fail to adapt will find themselves losing cases they thought were strong. Worse, they may make preventable mistakes that damage victims, undermine investigations, and erode public trust.
The answer is not to become paralyzed or cynical about digital evidence. The answer is to become better at handling it.
In the era of digital deception, truth still matters. But in court, truth increasingly has to be authenticated, preserved, and lawfully obtained with far more precision than before. Police agencies that understand this will be far better prepared for the digital evidence challenges already reaching courtrooms.
*The phrase “liar’s dividend” appears to have first appeared in the article, “Deep Fakes: A Looming Challenge for Privacy,” by Bobby Chesney and Danielle Citron, published in the California Law Review in 2019.
- Blog Articles
