
Criminal Defence for AI and Digital Evidence in Criminal Process
Criminal defense against digital evidence generated or manipulated by AI: deepfakes, synthetic voice, algorithmic expert evidence and predictive model bias.
Last updated:
Spanish criminal law faces a paradigmatic change: artificial intelligence has entered forensic evidence, both on the prosecution's side (predictive models, facial recognition, algorithmic analysis of evidence) and on the criminals' side (deepfakes, synthetic voice, AI forgeries). Modern criminal defense requires contradictory technical capacity over each piece of evidence of algorithmic origin: it is no longer enough to argue the law; one must be able to discuss the model, the data and the method. This page is the gateway to the area; each vector also has its own detailed analysis.
The New Evidentiary Standard in the AI Era
The EU AI Regulation (2024/1689) has established risk categories and transparency obligations affecting the forensic use of models. When an investigation or accusation relies on AI, the defense can demand four guarantees: (1) traceability of the model used —which algorithm, which version, which training data—; (2) a bias audit and the error rate applicable to the specific profile; (3) reproducibility of the result by an independent expert with documented methodology; and (4) significant human supervision, not merely formal. The absence of any of these elements compromises the admissibility of the evidence and opens the way to its exclusion under the clause of Article 11.1 LOPJ. Unlike traditional evidence, algorithmic evidence is not validated by the appearance of reliability, but by its capacity to be subjected to effective contradiction.
Deepfakes: Detection and Challenge
The first major front is synthetic audiovisual content. A deepfake submitted as prosecution evidence may have been fabricated or altered through generative adversarial networks (GAN) or diffusion models, and its challenge requires specific forensic expert evidence: frequency analysis, search for generation artifacts, biometric inconsistencies and verification of metadata and of the watermarks that Regulation 2024/1689 imposes on synthetic content. On the opposite side, when the deepfake is the instrument of the offense (sextortion, slander, impersonation), we represent the victim by exercising the private prosecution. We develop this vector on the page on challenging deepfakes as criminal evidence.
Voice Impersonation and Vishing
AI voice cloning has made accessible attacks that previously required sophisticated means: with a sample of a few seconds, a synthetic voice is generated capable of sustaining a credible call. The result is CEO fraud, family impersonation in fake emergencies and telephone banking fraud. The defense —both of the accused and of the affected company or individual— relies on contradictory acoustic expert evidence and on the analysis of the attack vector and the bank's diligence. We address it at length in AI vishing and voice impersonation.
Audit of Algorithmic Models
When the prosecution relies on a model —facial recognition, automated analysis of image, audio or text— the evidence is only admissible if it is traceable, reproducible and supervised. The defense can demand the full documentation of the model and commission an independent algorithmic expert report that reproduces the result, audits the dataset and contrasts the error metrics. The provider's trade secret is not an absolute shield against the right of defense when the evidence is decisive. This line is developed in algorithmic expert evidence.
Bias in Predictive Investigation
Finally, when the very decision to investigate stems from a predictive model —territorial predictive policing, hotspots or individual recidivism profiling— the defense can question the very origin of the suspicion. Models trained on historical complaint data inherit and amplify prior biases, which affects the reasonable indication, the proportionality of the measures and the presumption of innocence. We analyze the procedural and constitutional exclusion strategies in bias in predictive models.
The exclusionary rule: how and why unlawful digital evidence is thrown out
The cornerstone of any challenge to digital and algorithmic evidence is Article 11.1 of the Organic Law of the Judiciary: evidence obtained, directly or indirectly, in breach of fundamental rights produces no effect. Applied to a phone extraction, the geolocation of a handset, an interception of messaging or a report generated by an artificial-intelligence system, this means that access carried out outside the legal safeguards does not become valid evidence simply because its content is incriminating. The defence does not dispute the data itself, but the manner in which it was obtained.
The consequence is twofold. First, directly unlawful evidence is removed from the body of proof. Second, the doctrine of the connection of unlawfulness comes into play: derived evidence drawing on that tainted source may carry the same defect where the legal link the courts require to be examined case by case is present. A serious technical defence therefore first identifies the act that infringed the fundamental right and then maps which later findings depend on it. This is not a boilerplate objection: it is the difference between an algorithmic data point reaching trial or being kept out of it.
Chain of custody, authenticity and integrity: the data reaching trial must be the data that was seized
Digital evidence is not assessed by its mere existence, but by its traceability. The chain of custody documents who handled the device or data, when, with what tool and under what conditions it was preserved until analysis. In the computing environment this safeguard is embodied, among other means, in the calculation and comparison of hash values proving that the copy examined is identical to the original and that the content was not altered between seizure and examination. Where cloning, sealing or storage show gaps, breaks or an absence of witnesses, the authenticity and integrity of the material are called into question.
The challenge sharpens with data processed through artificial intelligence. A result that has passed through a facial-recognition, voice-analysis or pattern-detection model is no longer the raw data but an inference: it matters to know what went in, what transformations were applied and what error margin the system operates with. The defence may require that the provenance of the input material, the version of the algorithm and the methodology be documented, because without that traceability it is impossible to verify that the output reflects reality rather than an artefact of the model itself. A result that cannot be reproduced or audited can hardly meet the standard of a trial with full guarantees.
Adversarial expert evidence, presumption of innocence and the burden of proof on the algorithm
Article 24 of the Spanish Constitution guarantees the presumption of innocence and a trial with full guarantees, and from this flow two demands when facing algorithmic evidence. The first is that the burden of proof lies with the prosecution: it is not for the defence to prove that the system erred, but for the party invoking the result to establish its reliability. The second is the right to adversarial expert evidence: the defence may bring its own expert, cross-examine the prosecution's expert and challenge both the method and the conclusions of the automated report.
The specific problem with many artificial-intelligence systems is their opacity. If the model's inner workings, its training data or its false-positive rate are not accessible, the real possibility of contradiction is undermined, and with it the right to a defence. An algorithmic output presented as a closed conclusion, with no way to audit how it was reached, is not full proof: at most it is an indication to be weighed with caution, cross-checked against other elements and never a substitute for the court's own reasoning. The defence works to have that result examined for what it is, a tool subject to error, and not as an unappealable technical verdict.
Interferences with communications and devices: the LECrim framework and the limits of deepfakes and the money mule
Much digital evidence arises from interferences that are lawful only with a legal basis. The secrecy of communications under Article 18.3 of the Constitution requires, as a rule, a reasoned and proportionate judicial authorisation to intercept electronic communications, under Articles 588 bis a) and following and 588 ter of the Criminal Procedure Act; the search of mass data-storage devices is governed by Article 588 sexies, with its heightened duty to give reasons because of the volume of personal data such devices hold. A disproportionate, generic or judicially unauthorised interference opens the door to the exclusionary rule.
It is worth marking the boundaries of neighbouring offences without confusing procedure with substance. With synthetic intimate images a gap remains: Article 197.7 was designed for the dissemination of real images obtained with consent and later shared without it, so an image entirely generated by artificial intelligence, not derived from a real capture, may not fit cleanly within that offence and may shift toward protection of honour, the moral integrity of Article 173 or the civil route. In fraud, a transfer of assets achieved through computer manipulation is computer fraud under Article 249.1.a, distinct from ordinary fraud under Article 248; and the so-called money mule or account intermediary sits on the line between intentional money laundering, the contingent intent of someone who foresees the unlawful origin of the funds and the negligent form of Article 301.3, the distinction turning on proven actual knowledge rather than automatic presumptions.
Penalties & Consequences: Criminal Defence for AI and Digital Evidence in Criminal Process
| Type / Scenario | Criminal Penalty |
|---|---|
| Evidence nullity (Art. 11.1 LOPJ) | If the AI evidence violates fundamental rights or is not reproducible: nullity and exclusion. |
| Atypicality due to reasonable doubt | When evidentiary weight rests mainly on contradicted AI: acquittal due to presumption of innocence. |
| Mitigation for induced error | If the accused was a victim of AI manipulation (deepfake used against them): mitigating factor 21.6 CP or exemption. |
* Penalties shown are indicative. The actual penalty depends on case circumstances, applicable mitigating and aggravating factors.
Defense Strategy: Criminal Defence for AI and Digital Evidence in Criminal Process
Double Expert Report
Technical and legal-deontological expert reports evaluating both technical solidity and procedural guarantees.
Forensic Pre-Constituted Evidence
Securing original evidence before any algorithmic processing to preserve counter-evidence.
Dataset Challenge
When the AI used has documented biases, challenge the result showing the bias weight in the specific case.
Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide
Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.
Penalty Table: Cybercrime
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |
Key Defence Strategies
IP Attribution Challenge
An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.
Chain of Digital Custody
Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.
Authorised Security Testing
Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.
Lack of 'Breaching Security Measures'
Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.
Key Case Law
The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.
The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.
In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.
Why Choose Us?
Need a criminal defense lawyer for this type of offense? Here's how we work:
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.