by
Justyna Sarkowicz
CyJurII Theorist
on 3 November 2025
Abstract
The concept of chain of custody is a fundamental principle in acquiring, preserving, and presenting digital evidence in criminal proceedings. This article examines the role and importance of the chain of custody in the context of international cyber law, emphasizing its impact on the admissibility and credibility of digital evidence. The paper provides a detailed analysis of the 2001 Budapest Convention on Cybercrime, which obliges states to secure, store, and exchange electronic data while maintaining their integrity. Case law from the International Criminal Tribunal for the former Yugoslavia (ICTY), U.S. federal courts, and the Court of Justice of the European Union (CJEU) illustrates the practical application and judicial review of the chain of custody in international law. The conclusions emphasize that maintaining an unbroken and properly documented chain of custody is crucial to ensuring the integrity, admissibility, and credibility of digital evidence in international cybercrime investigations.
1. Introduction
A chain of custody (CoC) is the chronological documentation that proves evidence has been handled correctly from collection to court, ensuring its authenticity and integrity. It tracks who had possession of the evidence, when, and what they did with it, and a failure to maintain this record can render the evidence inadmissible in court. In the context of cyber law, this term refers to digital evidence, which, due to its intangible nature, susceptibility to modification, and difficulty in verifying its authenticity, requires particularly rigorous procedures for storing and documenting its origin.
Maintaining the integrity of the chain of custody is a condition for the admissibility of evidence in court, and its violation can lead to the exclusion of evidence from the procedural materials. The CoC process is vital for digital evidence to guarantee it has not been tampered with and is "as originally acquired".
Key aspects of a chain of custody
• Documentation - a CoC requires a detailed, chronological paper trail of every step evidence takes, including collection, transport, analysis, and storage.
• Integrity - the primary purpose is to prove that the evidence is authentic and has not been altered.
• Accountability - it establishes a clear record of who handled the evidence, preventing unauthorized access or tampering.
• Admissibility - a broken or failed chain of custody can prevent evidence from being used in court, as its integrity cannot be verified.
• Digital evidence - special procedures are needed for digital evidence, which may include techniques like checksums, digital signatures, and encryption to ensure integrity.
2. Chain of custody in the context of digital evidence in International Cyber Law
Digital evidence encompasses all electronically recorded data that can be used in criminal proceedings. Because it can be easily copied, deleted, modified, or encrypted, the chain of custody in this regard rests on three pillars:
1. Source identification – determining the origin of data, device, IP address, or user;
2. Preservation of integrity – using hashing techniques (e.g., SHA-256) to confirm that data has not been altered;
3. Documentation of handling – recording all activities related to the storage, analysis, and transfer of data between authorities.
In international cyber law, the chain of custody takes on particular importance because investigations often span multiple jurisdictions. Evidence may be stored on servers in different countries, and accessing it requires cooperation between law enforcement agencies based on international conventions and agreements. There is no uniform, formal definition of the "chain of custody" in the legal sense in international cyber law. However, there are guidelines and standards in international instruments that serve a functional definitional role.
The most important instrument in this regard is the Council of Europe Convention on Cybercrime (Budapest, 2001) – referred to as the "Budapest Convention". The Convention requires states to ensure the prompt preservation of computer data and the conduct of investigations in accordance with the rules of evidence applicable in the States Parties. The Budapest Convention introduced for the first time in international law the obligation to preserve and protect digital evidence in a way that guarantees its authenticity. Particularly important are:
• Article 14 – Preservation of Stored Computer Data - It imposes an obligation to secure data stored in computer systems in a way that ensures their integrity, which is crucial for their subsequent admissibility as evidence in court proceedings.
• Article 15 – Conditions and Safeguards - It sets out the conditions and safeguards that must be met when applying the measures provided for in the Convention, including ensuring the integrity of evidence and respect for human rights.
• Article 16 – Expedited Preservation of Stored Computer Data - The procedure for urgently securing data at the request of law enforcement agencies, including in cross-border situations, requires the documentation of every action, which is part of the chain of custody.
• Article 17 – Expedited Preservation and Partial Disclosure of Traffic Data - It concerns the rapid securing and partial disclosure of transmission data, which also requires ensuring the integrity of evidence.
• Article 18 – Production Order - It imposes the obligation to issue an order to produce data stored in computer systems, which involves the need to document the chain of custody of evidence.
• Article 19 – Search and Seizure of Stored Computer Data - Specifies procedures for searching and seizing data stored in computer systems, including requirements for documenting activities to maintain the integrity of evidence.
• Article 20 – Real-Time Collection of Traffic Data - It concerns the collection of transmission data in real time, which requires ensuring its integrity and appropriate documentation.
• Article 21 – Interception of Content Data - Specifies conditions and procedures for capturing content data, including requirements for ensuring the integrity of evidence.
Each of these articles introduces procedures that, in practice, shape the rules governing the chain of custody of digital evidence, ensuring its integrity and admissibility in court proceedings.
In practice, this means that each state party to the convention should have procedures in place to ensure full documentation of the movement of digital evidence, including forensic imaging reports, data transfer protocols, and acknowledgments of receipt by other authorities.
Article 35 of the Budapest Convention is also crucial in the context of the chain of custody, although it does not directly address evidence preservation techniques.
Article 35 – 24/7 Network (Points of Contact) – Each State Party is obligated to establish a point of contact available 24 hours a day, 7 days a week, enabling rapid contact with law enforcement agencies of other countries in matters of cybercrime.
Importance for the chain of custody:
• Facilitates the rapid preservation of digital evidence in cross-border situations.
• Ensures coordination between authorities, minimizing the risk of compromising the integrity of evidence.
• Supports the continuity of the chain of custody, as every contact and procedure must be documented.
To sum up: Articles 14–21 define the main procedures for securing and obtaining digital evidence, and Article 35 supports cross-border coordination in practice, which is necessary to maintain a proper chain of custody.
3. Chain of custody in International Cyber Case Law
Case law confirms that maintaining the integrity of the chain of custody is fundamental to the validity of digital evidence. For example:
• Prosecutor v. Gotovina (ICTY, IT-06-90) – the Court found that the lack of proper documentation of the process of obtaining data from IT systems renders it inadmissible.
• U.S. v. Vayner (2014) – the US Second Circuit Court of Appeals ruled that evidence from a social networking site was rejected because a reliable chain of custody was not established.
• Google LLC v. CNIL (C-507/17) – the Court of Justice of the EU noted that, in the context of personal data protection, any processing of digital information requires full transparency and verifiability of the source, which is the essence of the chain of custody.
4. Conclusion
One of the greatest challenges facing the international chain of custody is the lack of uniform standards for the admissibility of digital evidence. Different countries have different requirements regarding: the legality of obtaining data (e.g., requiring a court order), data authenticity and integrity, and compliance with privacy protection principles (e.g., GDPR in the EU). Consequently, evidence obtained in one country may be deemed inadmissible in another. Therefore, in 2022, the Council of Europe adopted the Second Additional Protocol to the Budapest Convention, which regulates procedures for the rapid sharing of data between countries and between law enforcement authorities and private entities.
The chain of custody in international cyber law is a fundamental mechanism for protecting the credibility of digital evidence. In an era of global cybercrime investigations, maintaining its integrity requires not only rigorous technical documentation but also the harmonization of international law, especially regarding data transfers between states. Looking ahead, it will be crucial to further develop legal instruments – such as the UN Convention against Cybercrime (New York, 2024) – that will ensure uniform standards for the chain of custody and the admissibility of digital evidence at the global level.
Keywords:
Chain of custody, Cyber Crime, International Law, Budapest Cybercrime, Digital Evidence