Chain of custody is the difference between a takedown that holds and a counter-notice that undoes it. Under 17 U.S.C. § 512(g), the uploader can force restoration of content within ~14 business days of a takedown unless the copyright owner files a federal action — and that action requires evidence that meets Federal Rules of Evidence 901 (authentication) and 902 (self-authentication). For NCII cases that escalate to criminal prosecution under the TAKE IT DOWN Act, the evidentiary bar is even higher.
This guide explains what courts actually accept in 2026, what they routinely reject, and the practical custody log template Shield uses for every NCII case.
What "chain of custody" means in a digital case
Three legal elements compose a credible digital chain of custody:
- Identity — the evidence is the precise item alleged to be in dispute, not a substitute or representation of it.
- Integrity — the evidence has not been altered since collection. Usually demonstrated by a cryptographic hash recorded at the time of capture and verified at the time of trial.
- Continuity — every handoff between collection and trial is documented: who held it, when, where, and what they did with it.
Federal Rules of Evidence 901 (authentication) requires the proponent to produce "evidence sufficient to support a finding that the item is what the proponent says it is." Rule 901(b)(9) covers process or system — exactly the case for hash-verified MHTML captures and timestamp-anchored screenshots.
The evidence formats that work in 2026
| Format | What it captures | Strengths | Weaknesses |
|---|---|---|---|
| Screenshot (PNG) | Visible pixels at one moment | Easy to capture, low friction | Easy to forge; no hash of source; loses layout context |
| MHTML (.mht) | Full page state: HTML, CSS, embedded images, scripts | Reconstructs the page exactly; hashable; widely accepted | Some browsers (Safari) save it inconsistently; CDN-cached assets may not embed |
| Video screen capture | Full motion of page interactions | Captures multi-step behavior (login walls, modal popups) | Large files; hashes are brittle (compression-frame dependency) |
| RFC 3161 timestamp + hash | Cryptographically verifiable time-binding | Strongest time authentication; eIDAS-recognized in EU | Cost (free tier exists); two-step process |
| Notarized remote affidavit | Sworn statement of how evidence was captured | Lay out-of-court statement admissible under FRE 902(9) if certified | Personal expense; not always necessary |
| Third-party capture service | Same as MHTML but with a vendor-managed custody ledger | Page Vault, Truepic, Memory.com | Vendor's records are evidence; subscription cost |
The five-step custody log
This is the template we use internally. Each row is a custody event:
- Capture. Date/time of capture (UTC), tool used, URL, browser version, OS, MHTML filename, SHA-256 hash of the file, the wall-clock source (NTP or vendor TSA).
- Storage. Where the file was stored after capture: encrypted vault path, retention policy, who has access.
- Inspection. Who viewed the file, when, why, and what they did (annotate, redact, copy).
- Export. Anyone who received a copy (counsel, agency, court), with date, channel (encrypted email, secure portal), and hash at the moment of export.
- Verification. Periodic re-hash to confirm integrity (scheduled), with any discrepancy recorded.
Each event row carries the name of the actor, the date/time, the action, and a rehash of the artifact at the moment of the action.
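A minimal sketch of such a log, as an added example rather than Shield's own tooling. The JSON Lines layout, the field names and the `log_event` / `audit` helpers are assumptions made for illustration; the artifact is a constructed stand-in file.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

EVENTS = ("capture", "storage", "inspection", "export", "verification")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def log_event(log_path, artifact, event, actor, note):
    """Append one custody row; the artifact is re-hashed at the moment of the action."""
    if event not in EVENTS:
        raise ValueError(f"unknown custody event: {event}")
    row = {"utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
           "event": event, "actor": actor, "note": note,
           "artifact": os.path.basename(artifact),
           "sha256": sha256_file(artifact)}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(row, sort_keys=True) + "\n")
    return row

def audit(log_path):
    """Return every row whose hash differs from the hash recorded at capture."""
    with open(log_path, encoding="utf-8") as f:
        rows = [json.loads(line) for line in f if line.strip()]
    baseline = next(r["sha256"] for r in rows if r["event"] == "capture")
    return [r for r in rows if r["sha256"] != baseline]

def demo():
    # Constructed sample: a stand-in file, not a real capture.
    d = tempfile.mkdtemp()
    art, log = os.path.join(d, "page.mhtml"), os.path.join(d, "custody.jsonl")
    with open(art, "wb") as f:
        f.write(b"MIME-Version: 1.0\r\n\r\n<html>constructed sample</html>")
    log_event(log, art, "capture", "analyst-a", "Chrome, clean profile, NTP clock")
    log_event(log, art, "storage", "analyst-a", "moved to encrypted vault")
    log_event(log, art, "export", "analyst-b", "sent to counsel via secure portal")
    with open(art, "ab") as f:   # simulate a silent alteration while in storage
        f.write(b" ")
    log_event(log, art, "verification", "scheduler", "scheduled re-hash")
    return audit(log)

if __name__ == "__main__":
    for row in demo():
        print("DISCREPANCY:", row["utc"], row["event"], row["sha256"])
```

Because every row carries its own re-hash, the audit shows which custody event first saw the altered file, not just that the file changed.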
Hashing: SHA-256 vs. perceptual
Two categories matter and they do different things:
- Cryptographic hash (SHA-256, SHA-3, BLAKE2b). A fingerprint of the exact bytes. If even one pixel changes, the hash changes. This is what proves integrity — the file you have today is exactly the file you captured yesterday.
- Perceptual hash (pHash, dHash, PhotoDNA). A fingerprint of the visual content rather than the bytes. Two images that look the same to a human get the same perceptual hash even if they differ by file format, color shift, or minor edit. This is what StopNCII.org's platform matching runs on, because it has to catch re-uploads that have been resized or color-shifted to evade exact hashing.
Both matter and they complement each other. For evidentiary integrity, use SHA-256. For leakage detection, use perceptual hashing.
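The contrast above, as an added example that is not code from this page or from StopNCII.org. It implements dHash over a constructed 9x8 grayscale grid standing in for an image that has already been downscaled (an assumption; real pipelines decode and resize first), and compares it with SHA-256 over the same pixels.

```python
import hashlib

def dhash(pixels):
    """Difference hash: one bit per horizontal neighbour pair (1 if left is brighter)."""
    bits = 0
    for row in pixels:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")

def sha256_pixels(pixels):
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()

def compare(a, b):
    return {"sha256_equal": sha256_pixels(a) == sha256_pixels(b),
            "dhash_distance": hamming(dhash(a), dhash(b))}

# Constructed sample grids (8 rows of 9 grayscale values), not real images.
ORIGINAL = [[(x * 37 + y * 11) % 200 for x in range(9)] for y in range(8)]
BRIGHTER = [[v + 20 for v in row] for row in ORIGINAL]      # uniform color shift
ONE_PIXEL = [row[:] for row in ORIGINAL]
ONE_PIXEL[0][0] = 1                                         # single-pixel edit
UNRELATED = [[(x * x * 53 + y * 91) % 200 for x in range(9)] for y in range(8)]

def report():
    return {"brighter": compare(ORIGINAL, BRIGHTER),
            "one_pixel": compare(ORIGINAL, ONE_PIXEL),
            "unrelated": compare(ORIGINAL, UNRELATED)}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The shifted and edited copies break the SHA-256 match but keep a dHash distance of zero, which is why exact hashes serve integrity and perceptual hashes serve re-upload matching.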
The MHTML: best-practice capture
- Open Chrome or Firefox on a clean profile (no extensions).
- Navigate to the URL.
- Wait for full load — no skeleton states, no lazy-loaded images unrendered.
- Hit Ctrl+S, choose "Webpage, Complete" (Chrome) or "Web Page, complete" (Firefox). Save as `.mhtml` or `.htm` with associated folder.
- Hash both the `.mhtml` and the folder (often the assets matter as much as the HTML).
- Submit to a TSA: e.g., FreeTSA returns an RFC 3161 timestamp token binding your hash to wall-clock time. Store the token alongside the file.
- Move the file to your encrypted vault. Update the custody log.
When a challenge comes, you can produce the MHTML, re-hash it (verifying it matches the captured hash), and present the TSA token showing it existed at the time you claim.
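The hashing and timestamp-request steps, as an added example that is not part of the original guide. The sorted-manifest scheme for hashing the assets folder and the helper names are assumptions; the request is a minimal RFC 3161 `TimeStampReq` without a nonce, built offline from constructed sample files and not sent anywhere.

```python
import hashlib, os, tempfile

# DER AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def folder_digest(root):
    """One digest for a whole assets folder: SHA-256 over a sorted 'hash  path' manifest."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, sha256_file(full)))
    manifest = "".join(f"{digest}  {rel}\n" for rel, digest in sorted(entries))
    return hashlib.sha256(manifest.encode("utf-8")).hexdigest()

def timestamp_request(hex_digest):
    """DER TimeStampReq: version 1, SHA-256 messageImprint, certReq TRUE, no nonce."""
    digest = bytes.fromhex(hex_digest)
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    imprint = SHA256_ALG_ID + b"\x04\x20" + digest        # OCTET STRING of 32 bytes
    imprint = b"\x30" + bytes([len(imprint)]) + imprint   # SEQUENCE messageImprint
    body = b"\x02\x01\x01" + imprint + b"\x01\x01\xff"    # INTEGER 1, imprint, BOOLEAN TRUE
    return b"\x30" + bytes([len(body)]) + body

def demo():
    # Constructed sample capture: a stand-in page file plus an assets folder.
    d = tempfile.mkdtemp()
    page, assets = os.path.join(d, "page.htm"), os.path.join(d, "page_files")
    os.makedirs(os.path.join(assets, "img"))
    for rel, data in (("style.css", b"body{}"), ("img/a.png", b"\x89PNG constructed")):
        with open(os.path.join(assets, rel), "wb") as f:
            f.write(data)
    with open(page, "wb") as f:
        f.write(b"<html>constructed sample</html>")
    page_hash, assets_hash = sha256_file(page), folder_digest(assets)
    return page_hash, assets_hash, timestamp_request(page_hash)
```

The request bytes are what gets POSTed to the TSA with content type `application/timestamp-query`; the token that comes back is stored next to the capture and both hashes go into the custody log.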
What courts reject in 2026
The most common evidentiary failures in NCII / DMCA cases:
- A screenshot without provenance. Without a hash, a URL, and a custody log, a defendant argues the screenshot could be fabricated or edited.
- A "link" with no capture. The naked URL disappears when the host removes the content. The plaintiff has nothing to authenticate.
- Self-modifying evidence. Pages that change content based on user-agent, geolocation, or time-of-day. The court cannot reproduce the plaintiff's view. Address this by capturing user-agent + header state in the MHTML/Save operation.
- Hearsay through service providers. When the only record of an NCII image is a third-party screenshot shared informally, it is hearsay. Workarounds: business records exception, FRE 902(11)/(12), or testimony from the third party.
Anonymity and the unmasking process
If the uploader is anonymous and you need to identify them to litigate, you can use the DMCA subpoena procedure under 17 U.S.C. § 512(h):
- File a complaint under seal that names "John Doe" as the defendant.
- Issue a § 512(h) subpoena to the host or ISP for the subscriber's identity.
- Use the identity to amend the complaint with the real name.
- Effectively serve.
This requires a federal complaint, which means you need an attorney. The DMCA unmasking process is well-tested and accepted in every U.S. district court.
Need counsel-referral for chain-of-custody issues?
Shield packages chain-of-custody packets that satisfy FRE 901/902 for every case file and can refer you to attorneys experienced with § 512(h) unmasking and federal NCII litigation.
What Shield produces, by case stage
- Capture stage: SHA-256 hash, MHTML, TSA timestamp, full-page screenshot.
- Storage stage: Encrypted vault with retention policy and per-file access log.
- Notice stage: Per-finding evidence packet attached to every DMCA dispatch.
- Counter-notice stage: Litigation-ready custody log export.
The same packets feed into FBI ic3.gov complaints and FTC 48-hour-rule enforcement actions.
Frequently asked questions
Do screenshots hold up in court?
On their own, rarely. Screenshots are easy to fabricate and easy to alter. They become credible when paired with (a) a verifiable URL, (b) a hash of the captured image, (c) a timestamp from a trusted source (NTP server, RFC 3161 timestamp authority, or third-party service like Page Vault / Truepic), and (d) a chain-of-custody log. With those, a screenshot can satisfy Federal Rules of Evidence 901 (authentication) and in some cases 902 (self-authentication).
Is an MHTML file admissible?
Yes. An MHTML preserves the full page state — HTML, CSS, embedded images, scripts, headers — in a single file. Courts have admitted MHTML captures in DMCA and trade-secret cases for over a decade. The file itself can be hashed, the hash recorded, and the original page reconstructed if challenged.
What is the minimum evidence I need for a counter-notice dispute?
Three things: (1) the URL of the infringed work, (2) the URL of your original work, (3) a perjury-attested statement that you are the copyright owner. For contested NCII cases, the addition is a digital chain of custody: anything that lets you show the URL existed at a specific time, contained the depicted content, and has not been altered. A signed notarial statement (remote online notarization is widely accepted) substantially strengthens your position.
Should I use blockchain or a timestamp authority?
Both strengthen authentication. RFC 3161 trusted timestamps from a TSA vendor (FreeTSA, Certilogy) bind a hash to wall-clock time and are accepted in the EU under eIDAS. Blockchain anchoring is valid but does not establish time by itself — the time-stamping authority still matters. For most NCII cases a trusted timestamp plus hash is sufficient.
What happens if I lose the originals?
A counter-notice dispute where you cannot produce the original work (the file you have rights to) is almost certainly lost. Keep original media in at least two locations — encrypted cloud + cold storage — and verify hashes of those copies periodically. If originals are lost, the dispute collapses.