Website Compliance

Screenshots, Logs, or HAR Files: Which Evidence Holds Up in Court?

When privacy lawsuits land in court, the question is simple but critical: what counts as admissible digital evidence? Is a screenshot enough? Do logs stand up under cross-examination? Or is a HAR file, the raw network capture, what judges really trust? This guide explains, in plain English, how lawyers and compliance professionals can compare screenshots, logs, and HAR files to build courtroom-ready reports that actually persuade.

Author: Auditzo

Courtroom-ready evidence report hero banner showing compliance shield with website screenshot, log snippet, and HAR file JSON, symbolising CIPA, GDPR, and CCPA audits.

In privacy litigation, one question decides the strength of a case: which evidence format truly convinces a judge? Lawyers working under CIPA, GDPR, CCPA, or DPDP must show more than suspicion. They need artefacts that are legally admissible, technically robust, and courtroom-ready.

This blog compares three key formats, screenshots, logs, and HAR files, and explains how to use them together. For real examples of how these artefacts appear in expert reports, you can download a sample CIPA evidence report.

Why Evidence Format Matters in Privacy Litigation

Courts reject speculative harm

After Mitchener v. Meta, courts demand proof of actual tracking tied to the plaintiff. This means showing:

  • The user's own browsing data was captured.
  • Identifiers such as session IDs or advertising cookies linked the data to a user.
  • Tracking happened before consent was possible.

For background on how European regulators define valid consent, see CNIL's official guidance. To understand US context, the California DOJ Data Broker Registry illustrates how these vendors monetise captured signals.

Key takeaway: Screenshots, logs, and HAR files are not technical extras, they are the difference between dismissal and admissibility.

Evidence = storytelling for judges

Judges are not engineers. They want to know:

  • What happened? For example: a Facebook Pixel fired instantly.
  • When? Within 2 seconds of load, before consent.
  • Why does it matter? Because it exposed routing and signalling data, exactly what CIPA defines as trap-and-trace information.
"When I see a screenshot with no banner and a tracker firing with an ID attached, it stops being theoretical, it becomes a legal fact." - Senior Auditor, Auditzo

Note: The most persuasive pleadings layer evidence: screenshots for clarity, logs for identifiers, and HAR files for sequence.

Infographic showing evidence journey: user visits website, pre-consent trackers fire, evidence captured as screenshot, log, HAR, leading to courtroom-ready proof.

Screenshots: Visual Proof with Limits

Screenshots are usually the first artefact law firms collect. They show what a client saw and what trackers loaded. Used well, they set the stage for forensic analysis.

What screenshots prove

  • UI state evidence: e.g. a missing cookie banner.
  • Captured calls: DevTools Network panel revealing domains such as google-analytics.com or connect.facebook.net.
  • Cookies/storage: Application tab showing IDs like _ga, _fbp, or _gcl_au.

Key takeaway: Screenshots prove visual state but lack sequence, timing, or payload content.

Why courts like screenshots

  • They are accessible and instantly understandable.
  • They provide a persuasive "smoking gun" moment.
  • Full-page captures showing no banner present are highly effective.

Why screenshots alone fail

  • Incomplete: They only show a single moment.
  • Challengeable: Defendants argue they are illustrative.
  • Thin metadata: No timestamps or identifiers unless paired with logs.

Analogy: A screenshot is like a CCTV still, it shows presence, not the entire route.

Best practice for screenshots

  • Capture full viewport, including address bar and timestamp overlay.
  • Pair every "no banner" screenshot with a corresponding Network call.
  • Add plain captions: "DevTools → Network (T+2.0s): Facebook Pixel loaded, no consent UI visible."
  • Cross-reference with logs for forensic weight.

Key takeaway: Screenshots persuade judges visually but must be backed by logs and HAR files.

Logs: The Forensic Backbone

Logs carry the forensic weight. They capture what laws like CIPA define as dialling, routing, addressing, or signalling information. That's why they're central to compliance litigation.

Types of logs lawyers use

  • DNS logs (e.g. Wireshark): Show which domains were contacted and when, e.g. bat.bing.com or analytics.tiktok.com.
  • Proxy logs (e.g. Fiddler): Reveal GET/POST payloads, Google CIDs, TikTok IDs, or Facebook Pixel identifiers.
  • System/server logs: Provide first-party confirmation of sessions, referrers, and redirects.

Why logs matter in court

  • Timestamped proof: Logs demonstrate exactly when a tracker fired.
  • Identifiers: They include cookies and session IDs that tie data to a user.
  • Legal fit: CIPA recognises them as trap-and-trace evidence.

Example: A Fiddler capture showing a Bing Ads call transmitting a session ID, visitor ID, and full page URL, before any consent banner.

Challenges and counterpoints

  • Too technical: Raw lines overwhelm judges.
  • Misinterpreted: Without expert framing, they look like harmless pings.
  • Defence claim: "It's just browser chatter." Counter with payload details showing event names and IDs.
"A single proxy log with a page URL and a user ID is worth more than 20 screenshots, it proves what was sent, when, and under which identifier." - Senior Compliance Analyst

Analogy for lawyers

Logs are like phone records in wiretap cases. They don't reveal the content, but they show:

  • Who called
  • When it happened
  • Which identifiers were exchanged

Key takeaway: Logs elevate claims from "possible tracking" to proven trap-and-trace violations.

Transition to HAR Files

So far, we've seen:

  • Screenshots: persuasive but incomplete.
  • Logs: timestamped and forensic but technical.

What's missing is a single artefact that replays the entire session, every request, redirect, and cookie. That artefact is the HAR file. In the next section we'll treat HAR as your black box recorder and explain how to align it with screenshots and logs for maximum courtroom impact.

If you want to see how full reports are structured, Auditzo's courtroom evidence case studies show real examples of bundled screenshots, logs, and HAR replays that have been used in litigation.

Compliance audit workflow diagram showing capture of HAR, DNS, proxy logs, syncing evidence, plain English narration, and final courtroom report.

HAR Files: The Black Box of Tracking

If screenshots are photographs and logs are phone bills, HAR files are the flight data recorders of online tracking. A HAR (HTTP Archive) records every request, response, header, and cookie in a browsing session. Unlike screenshots or single log entries, it captures the entire sequence.

Why HAR files matter in court

  • Timeline accuracy: HARs show exactly when trackers fired, often within 2–3 seconds of page load, before consent.
  • Payload visibility: They reveal parameters like page URL, page title, and advertising IDs (Google CID, TikTok _ttp).
  • Identifier persistence: HARs confirm cookies such as _ga or _fbp were set without consent.
  • Vendor attribution: Requests to domains like connect.facebook.net or analytics.tiktok.com tie data to known brokers.

Example: A HAR capture may show:

https://www.google-analytics.com/g/collect?dl=https://www.sample-website.com/&dt=sample-website%20Homepage&cid=983745612&sid=1692894900

Courtroom narration: "Within two seconds of visiting sample-website, Google Analytics received the full page URL and a unique client/session ID, before any consent was shown."

Weaknesses to anticipate

  • HARs are too technical for most judges.
  • Defence may argue they are editable, counter with DNS logs and timestamped screenshots.
  • They require expert explanation in plain English.
"On their own HARs overwhelm, but paired with logs and screenshots they close every gap. They become devastating in court." - Senior Auditor, Auditzo

Key takeaway: HAR files act as the black box, replaying the full session. Used with logs and screenshots, they eliminate speculation.

Comparative Matrix: Which Evidence Holds Up Best?

Below is a courtroom-friendly comparison of the three formats:

Evidence Type What It Proves Courtroom Strength Weakness Best Use Case
Screenshots No banner, visible tracker calls Accessible to judges and jurors Incomplete, can be challenged Demonstrate absence of consent
Logs (DNS/Proxy) Routing, signalling, identifiers Timestamped forensic proof Technical, needs expert framing Show pre-consent trap-and-trace
HAR Files Full session replay, payloads Most persuasive forensic record Technical, editable without sync Comprehensive audit reports

Note: Courts rarely accept a single artefact in isolation. Triangulation, screenshots, logs, and HAR files used together, is the gold standard.

Case Law Insights: Why Format Matters

Mitchener v. Meta (2023)

This decision dismissed speculative harms, stressing that plaintiffs must prove their own data was captured. Screenshots alone were insufficient; HAR payloads and log identifiers met the evidentiary bar.

CIPA §638.51 and Trap-and-Trace

The statute defines illegal interception as capturing:

  • Connection origin: referrers, DNS lookups.
  • Connection destination: outbound tracker calls.
  • Routing/signalling info: cookies, IDs, event names.

Example: DNS logs showing resolution of analytics.tiktok.com, paired with a HAR payload logging a PageView, and a screenshot proving no banner present, collectively meet the standard of trap-and-trace interception.

For detailed statutory interpretation, see the IAPP's evidence standards and the GDPR portal on consent obligations.

Key takeaway: Courts expect plaintiffs to show who was contacted, when, and with what identifier. HAR + logs + screenshots make this airtight.

GPT-Style Q&A (Micro-Blocks)

Q: Are screenshots enough to prove GDPR or CIPA violations?

A: Not alone. They must be paired with logs and HAR files to show timing and identifiers.

Q: Can HAR files be admitted in court?

A: Yes. HAR is a recognised forensic export. With synced logs and screenshots, authenticity challenges collapse.

Q: Do DNS logs prove illegal tracking?

A: DNS shows contact occurred. HAR payloads prove what was transmitted. Both are needed.

Q: What convinces judges fastest?

A: Triangulated bundles: screenshots for clarity, logs for identifiers, HAR files for the full sequence.

Q: How should evidence be presented?

A: As a layered narrative: screenshot → log entry → HAR replay, with captions in plain legal English.

Compliance checklist banner with shield icon and CTA text ‘Download a Sample CIPA Evidence Report’ for law firms.

Conclusion: Persuasion Through Triangulation

Screenshots persuade the eye, but are fragile alone. Logs persuade the expert, offering identifiers and timestamps. HAR files persuade the court, providing a full forensic replay.

Key takeaway: The winning formula is triangulation, combine all three. That is how strong CIPA, GDPR, and CCPA cases survive judicial scrutiny.

"The most effective cases show a judge: no consent banner, a timestamped log call, and a HAR replay. That combination has survived motions to dismiss across jurisdictions." - Auditzo Litigation Support

For law firms building active claims, don't rely on screenshots alone. See how a complete bundle looks in practice: Download a sample CIPA evidence report and review a courtroom-ready package combining screenshots, logs, and HARs into one plain-language narrative.