The International Criminal Court has modernized the collection of evidence faster than it has modernized the authentication of evidence. That gap, between enthusiastic embrace of digital submission infrastructure and an underdeveloped framework for forensic-grade verification, has become one of the most consequential unresolved problems in contemporary international criminal procedure. Wars are now documented through smartphones, satellite imagery, Telegram channels, and open-source investigations of a sophistication unimaginable a decade ago; the Office of the Prosecutor receives hundreds of thousands of digital submissions annually through platforms built for the task. And, working with Eurojust, the Office of the Prosecutor has issued guidance to civil society organizations for documenting those crimes. The evidentiary framework governing those submissions, however, remains substantially anchored in assumptions developed for an analog world.
Article 69’s admissibility standard turns on relevance and probative value rather than formal authentication requirements; judges hold broad discretion to admit and weigh evidence reflecting the practical realities of conflict-zone investigation (Rome Statute art. 69). That flexibility was a deliberate response to evidentiary scarcity, and it served the Court well when the challenge was obtaining any reliable record at all. The challenge today is qualitatively different. In Ukraine, Gaza, Bangladesh, Sudan, and Venezuela, digital evidence is not scarce; it is overwhelming in volume, heterogeneous in provenance, and acutely vulnerable to manipulation. The Court’s evidentiary flexibility, once a virtue, now risks becoming a liability precisely where the stakes are highest.
Cybersecurity and digital forensics professionals operate in a different register, through chain-of-custody procedures (cryptographic integrity verification, write-blocked acquisition, and reproducible methodologies) designed to ensure evidence can be traced and authenticated throughout its lifecycle. These are not bureaucratic formalities; they are technical preconditions for trusting digital evidence in adversarial proceedings where sophisticated parties have both capability and incentive to manipulate it. The ICC has largely not imported these disciplines, and the result is a Court processing evidence at industrial scale while lacking the authentication standards forensic-grade reliability demands. Intake, in other words, has outpaced integrity.
In this article, I advance two arguments that converge on a single conclusion. As lex ferenda, I contend that the ICC should adopt formal authentication standards modeled on established frameworks, including NIST’s digital forensics guidance, the Berkeley Protocol, and Europol’s evidence guidelines. As lex lata, my view is that Article 69, read with the Rules of Procedure and Evidence and the e-Court Protocol, already supplies doctrinal authority for more rigorous authentication than current practice reflects, and that where the framework is genuinely inadequate, it should be formally supplemented. None of this impugns the Court’s institutional good faith; OTPLink, Project Harmony, and the e-Court Protocol reflect genuine modernizing commitment, but intake infrastructure, however necessary, is not sufficient. The harder task, and the one this article addresses, is ensuring that the evidence flowing through those pipelines is forensically trustworthy by the time it reaches a judge.
II. The ICC’s Existing Framework: Functional but Under-Specified
Having identified the gap between intake and authentication, it is necessary to examine what the existing framework actually requires. Article 69(4) permits the Court to rule on admissibility “taking into account, inter alia, the probative value of the evidence,” with no per se authentication requirement and no chain-of-custody rule (Rome Statute art. 69); Rule 63(2) reinforces this with a civil law tradition of judicial discretion to “assess freely all evidence” (ICC Rules of Procedure and Evidence r. 63). Article 69(7) supplies the statute’s primary exclusionary rule, but addresses the manner of collection rather than the integrity of evidence once collected. ICC jurisprudence remains sparse; in Al Mahdi, the first case in which open-source evidence played a central role, the Chamber admitted heavily corroborated material without requiring forensic certification, an outcome defensible on the facts but a permissive precedent that travels poorly to higher-volume, more contested situations (Prosecutor v. Al Mahdi).
The Court’s modernization initiatives are substantial, and worth taking seriously before they are criticized. OTPLink, launched May 2023 (ICC OTPLink Launch Statement), had received 74,803 submissions comprising over 400,000 files by October 2024 (ICC OTP Annual Report 2024). Project Harmony supplies AI infrastructure for pattern identification, translation, and transcription (Evans and Hazim, Just Security). The e-Court Protocol, predating both, requires under Regulation 26 “a reliable, secure, efficient electronic system” to “ensure authenticity, accuracy, confidentiality and preservation,” specifying file format and metadata standards (ICC e-Court Protocol). These are meaningful achievements, but they organize evidence rather than authenticate it: the Protocol’s metadata fields address document management rather than the forensic categories (hashes, acquisition logs, and custody chains) that establish evidentiary integrity. Pattern recognition applied to forensically unverified evidence produces efficiently processed evidence of uncertain provenance, not authenticated evidence.
My lex lata case begins with what “probative value” already implies. On my reading, evidence that cannot be shown authentic, unaltered, or accurately attributed is not probative of the facts it purports to establish, however dramatic its content; a video whose metadata has been stripped and whose acquisition history cannot be traced is not probative in the sense Article 69(4) contemplates, because the Court cannot assess what it documents, where, or when. This reading is reinforced by the e-Court Protocol’s own authenticity commitments and by the accused’s Article 67 right to challenge evidence against him (Rome Statute art. 67), a right substantively hollow if the OTP cannot produce the acquisition log and hash value that would make a challenge meaningful.
III. Why Digital Evidence Requires Cybersecurity-Level Authentication
Having established that the existing framework permits more rigor than it currently delivers, I turn now to why that rigor is necessary in the first place. Physical evidence has inherent characteristics that constrain manipulation: altering it requires access, leaves traces, and often produces detectable artifacts. A digital file, by contrast, is a sequence of bits that can be copied perfectly, altered without physical trace, and redistributed instantaneously. The same properties that make digital evidence operationally valuable make it forensically vulnerable. Several features distinguish the digital case: perfect replication divorces provenance from physical characteristics; metadata, the principal carrier of evidentiary information, is technically alterable by any actor in the transmission chain; timestamps can be forged or misconfigured; platforms recompress files, stripping native metadata; generative AI has lowered the barrier to convincing fabrication; and adversarial actors in conflict zones have both capability and incentive to introduce manipulated content. None of this is theoretical: the Flame malware, discovered in 2012, demonstrated that the MD5 hash function then in common use could be exploited to forge digital signatures, a lesson that authentication frameworks must continue to absorb as the move from MD5 and SHA-1 toward SHA-256 and SHA-3 illustrates (Krebs on Security, Flame Analysis).
Five live situations make the stakes concrete:
- Ukraine is the most volumetrically acute: the nonprofit Mnemonic archived and verified more than 500,000 videos within eight weeks of the 2022 invasion, much of it passed through intermediaries whose original metadata has likely been stripped (Princeton JPIA);
- Palestine compounds technical authentication with political contestation (ICC, Situation in the State of Palestine);
- Bangladesh involves evidence gathered almost entirely without forensic infrastructure, by refugee communities documenting the Rohingya crisis on personal devices (ICC, Situation in Bangladesh/Myanmar);
- Venezuela illustrates institutional adversarialism, where government non-cooperation forecloses direct verification (ICC, Situation in Venezuela I);
- And Sudan adds a temporal dimension: evidence collected today in the Darfur and post-2023 conflicts may not reach trial for years, so today’s collection standards determine tomorrow’s reliability (Human Rights Watch, Sudan Crisis Documentation).
It seems to me that the deeper structural point is this: the ICC’s evidentiary flexibility developed to address scarcity, and digital evidence has reversed that problem along two axes at once. Scarcity has become abundance, and fragility has become manipulability. Physical evidence deteriorates; digital evidence does not, but it is acutely susceptible to falsification and misattribution in ways physical evidence is not. The task is no longer merely obtaining evidence from atrocity zones; it is verifying that the evidence obtained remains trustworthy, and Article 69 as currently practiced does not explicitly provide the tools to do so.
If the diagnosis is that authentication has lagged intake, the remedy must specify what authentication actually requires. A cybersecurity-informed framework, in my view, draws on four reference points:
- NIST SP 800-86 (NIST SP 800-86);
- The Berkeley Protocol (Berkeley Protocol);
- Europol’s evidence guidelines (Europol’s SIRIUS Project, facilitating cross-border access to electronic evidence) in addition to new European Commission E-evidence rules coming into force in August of 2026;
- And domestic (U.S.) authentication jurisprudence, adapted rather than imported wholesale.
Forensic acquisition begins with cryptographic hashing. A SHA-256 hash generated at collection functions as a tamper-evident seal: any subsequent alteration, even a single bit, changes the hash and makes tampering detectable (NIST FIPS 180-4). Write-blocked acquisition prevents the acquisition process itself from corrupting timestamps and file-system metadata (NIST SP 800-86). The ICC should require, as a condition of evidentiary weight, an acquisition log recording the source device, the date and time, the tools used, the acquiring investigator’s identity, and the SHA-256 hash. Where conditions precluded formal procedure, the framework should require documentation of those conditions and the chain of transmission instead. The standard should be graduated, not binary: fuller documentation earns greater weight.
In addition to acquisition, chain of custody, the documented record of every person who has accessed evidence and every operation performed on it, is foundational to forensic practice and currently underdeveloped at the ICC for cloud-hosted and platform-derived evidence. The e-Court Protocol’s institutional record-keeping tracks where a file sits in the Court’s systems; it is not forensic custody, which tracks what happened to the evidence itself. The reformed framework should require immutable, cryptographically chained audit logs (Lone and Mir, Digital Forensics and Blockchain), and, for evidence collected by civil society actors without institutional infrastructure, documentary evidence of the transmission chain consistent with the Berkeley Protocol’s existing guidance (Berkeley Protocol).
Metadata, data about data, is often as evidentially significant as content itself: EXIF fields can supply device identity, GPS coordinates, and capture timestamps that corroborate and locate a recording, but platforms like X, Facebook, and Telegram routinely strip this data on upload. The framework should require forensic metadata extraction at receipt and a clear taxonomy distinguishing original files, documented derivatives, known edits, and platform-compressed copies, with a provenance score reflecting the completeness of documentation rather than treating all submissions as equivalent.
Finally, OSINT verification, increasingly the primary evidentiary resource in several situations, has historically been credited in proportion to the reputation of the investigating organization rather than to a forensic standard, an arrangement that does not scale against expanding manipulation capability. A rigorous framework requires documented, reproducible methodology across geolocation, chronolocation, reverse image analysis, satellite cross-correlation, deepfake screening (Content Authenticity Initiative, C2PA Standard), account provenance analysis, and archival preservation. The animating principle is reproducibility: a second investigator should be able to replicate the workflow and its conclusions, the standard Daubert demands of expert testimony domestically (Daubert v. Merrell Dow Pharmaceuticals).
It is instructive to consider how domestic legal systems have already worked through versions of this problem. Federal Rule of Evidence 901 requires the proponent of digital evidence to demonstrate it has not been altered, and federal courts routinely require hash verification and custody testimony to satisfy that burden (FRE 901); Daubert’s requirements of testing, peer review, known error rates, and general acceptance describe the methodological rigor I am proposing for ICC OSINT analysis (Daubert v. Merrell Dow Pharmaceuticals). The cybersecurity profession has independently arrived at comparable practices, codified in NIST SP 800-86 (NIST SP 800-86), SANS guidelines, and electronic evidence rules adopted by the Council of the European Union in 2023 and about to be enforced as of August 2026.
Wholesale importation, however, would be a mistake. Conflict zones make forensic acquisition physically impossible, witness safety can be incompatible with full provenance documentation, and urgency may require collection before ideal conditions exist. The appropriate response, I think, is a graduated framework specifying the forensic ideal as baseline, calibrating evidentiary weight to documentation actually achieved, and requiring investigators to document the conditions that precluded compliance, already implicit in Article 69’s balancing test. The Berkeley Protocol supplies the most developed existing model and should serve as the ICC’s adopted baseline, supplemented by the acquisition and custody requirements set out above (Berkeley Protocol).
Three objections merit consideration before the argument closes. The first, and most serious, is that rigorous standards would exclude evidence from victims and under-resourced civil society organizations documenting atrocities without forensic training. The objection is not frivolous, and any reform that ignores it will not survive contact with the Court’s participatory commitments. My answer is structural: the framework affects evidentiary weight, not threshold admissibility. A smartphone recording submitted without metadata or custody remains admissible under Article 69; its weight is assessed in light of the documentation gap, the existing logic of probative value balancing made explicit and technically informed rather than left to untrained judicial intuition.
The second objection concerns institutional capacity: the ICC may lack resources to implement comprehensive standards, and imposing them on resource-constrained partners may be unreasonable. This identifies a real constraint, but not, I think, a principled defense of the status quo; the answer is capacity-building, not indefinite deferral.
The third, more technical objection notes that deepfake detection tools are themselves of uncertain, evolving reliability. True enough, and it counsels against treating any single tool as a definitive oracle; the durable requirement is documentation of method and tooling, letting the framework evolve without rule revision at every iteration. The appropriate posture, on my view, is collaborative: partnership with the cybersecurity and forensics communities, consultation with civil society organizations already practicing OSINT authentication, and investment in victim communities’ capacity to document evidence in ways that support rather than undermine eventual authentication.
VII. The Future Legitimacy of Digital Justice Depends on Verifiable Digital Evidence
I began by observing that the Court has modernized the collection of evidence faster than it has modernized the authentication of evidence. That gap has only widened. The proliferation of generative AI, the sophistication of state-sponsored information operations, and the routine stripping of metadata by digital platforms create conditions in which evidence that appears reliable may not be, and the absence of forensic standards allows that unreliability to pass undetected. These are the operating conditions of every live ICC situation today, not abstract risks. As lex lata, Article 69, read with Article 67 and the e-Court Protocol’s authenticity commitments, already supplies doctrinal authority for more rigor than current practice delivers, requiring interpretive commitment rather than treaty amendment. As lex ferenda, that authority should be supplemented by explicit, binding standards calibrated to conflict-zone realities while meeting the reliability international criminal justice demands.
The situations examined in Part III make these stakes concrete: digital evidence is often the primary available record of alleged crimes, and the Court’s capacity to discharge its accountability mandate depends on establishing that record as verifiably authentic rather than merely voluminous or efficiently processed. The Court has invested substantially in evidence intake; the comparable investment in authentication is overdue, and the broader stakes extend to institutional legitimacy itself. A Court relying on digital evidence without visible authentication standards remains vulnerable to the charge that its determinations reflect insufficient method rather than grounded fact-finding; a Court that adopts and visibly implements standards grounded in the authoritative practice of the cybersecurity and forensics professions can credibly claim otherwise. What I have tried to establish here is that the Court must decide whether digital evidence will remain merely admissible, subject to discretionary assessment by judges without formal forensic standards, or become demonstrably trustworthy from the moment of capture to the moment of judgment. The integrity of the Court’s accountability project depends on that choice, and the time to make it is before the cases built on inadequately authenticated evidence reach trial.