The British Computer Society
Expert Panels: Legal Affairs Expert Panel
Submission to the Criminal Courts Review, Lord Justice Auld
Royal Courts of Justice
Strand, London, WC2A 2LL
March 2000
1 Scope of submission
The scope of this submission by The British Computer Society is two-fold:
1.1 Computer Evidence
Commentary on problems arising from current criminal court practice and
procedure relating to computer evidence, and proposals intended to improve
the fairness and efficiency of the criminal justice process in dealing with
such evidence.
This part of our submission deals with how the criminal justice process
needs to adjust to accommodate changing forms of evidence that are relevant
to both traditional crimes and the new forms of e-crime.
We suggest that this part of our submission can also be seen as a special
case of how the criminal justice process generally needs to adjust to accommodate
novel forms of evidence.
1.2 Expert evidence on Computer Evidence
Commentary on problems arising from current criminal court practice and
procedure relating to expert evidence regarding computer evidence, and proposals
intended to improve the fairness and efficiency of the criminal justice
process in dealing with such expert evidence.
This part of our submission deals with how the criminal justice process
needs to adjust to accommodate changing demands for expert evidence that
are relevant to both traditional crimes and the new forms of e-crime.
We suggest that this part of our submission can also be seen as a special
case of how the criminal justice process generally needs to adjust to accommodate
demands for expert evidence that involve novel science.
2 The British Computer Society ("BCS")
2.1 Who is BCS?
The British Computer Society is the leading professional and learned Society
in the field of computers and information systems. Formed in 1957, it has
over 38,000 members world-wide. The Society is concerned with the development
of computing and its effective application. Under its Royal Charter, granted
in 1984, it also has responsibilities for education and training, for public
awareness, and above all for standards, quality and professionalism. The
BCS is recognised as the authoritative voice of those seeking excellence
in computing and the guardian of best practise. This positioning ensures
the BCS is called upon to provide advice, information and expertise to Parliament,
Government and the IT industry. The BCS has made previous submissions to
Reviews and Consultations by Government and Parliament, on such diverse
matters as VAT, PAYE and SSP and checking the procedures for creating random
numbers for Premium Savings Bonds. It has also acted as an independent assessor
with regard to the security and privacy of the Censuses of 1971 to 1991.
2.2 BCS Legal Affairs Committee
The BCS also played an active role in the formulation of legislation relating
to data protection (Data Protection Act), software copyright (Copyright,
Designs and Patents Act 1988 and the amendments implementing the Software
Directive) and computer misuse (Computer Misuse Act 1990). The Legal Affairs
Committee was established to continue this tradition in legal matters and
has instigated this submission.
2.3 Computer Evidence Taskgroup
The Computer Evidence Taskgroup of the BCS Legal Affairs Committee has prepared
this submission. It comprises of BCS Members who have extensive experience
of acting as experts in criminal cases, predominantly, but not exclusively,
for defendants.
3 Computer evidence in Criminal cases
3.1 Scope
The range of criminal cases involving computer evidence is already very
broad and can only be expected to widen with the rapid development of personal
computing and the Internet. One commentator believes that:
"The time will come when evidence in a computer will be everyday evidence
involved in every aspect of every crime that we see."
DS Simon Janes, Association of Chief Police Officers, Computer Crime Committee,
BBC2 Newsnight, 13 July 1998
We anticipate that the new Regulation of Investigatory Powers Bill (if enacted)
will further increase the proportion of criminal cases involving computer
evidence (for example, evidence of telephone calls emanating from telephone
switches).
3.2 Examples of Computer evidence in Criminal cases
Many commentators distinguish:
- criminal cases where computer evidence is adduced as a result of defendants
using computers, from
- criminal cases where computer evidence is adduced when defendants
are charged with crimes against computers
Examples of criminal cases where computer evidence has been adduced as a
result of defendants using computers include:
- Murder (e.g. Dr Shipman's patient medical records)
- Fraud / Deception
- Forgery
- Theft
- Blackmail
- Obscene Publications
- Protection of Children Act (e.g. Operation Cathedral)
- Representation of the People Act
- VAT and tax frauds
- Conspiracy to pervert the course of Justice
- Official Secrets
- Narcotics trafficking
- Data Protection
Most criminal cases where computer evidence is adduced when defendants are
charged with crimes against computers are brought under the Computer Misuse
Act 1990 or the Theft Act 1968.
4 Problems with criminal cases involving computer evidence
Criminal courts are generally unfamiliar with the subject of computer evidence.
They may be unaware of many of the difficulties, problems and potential
pitfalls relating to computer evidence that are regularly experienced.
By way of background we attach copies of three articles from law journals
relating to the subject of computer evidence in criminal cases.
4.1 Technical complexity
Criminal courts regularly underestimate the high level of technical complexity
of cases involving computer evidence.
Broadly stated prosecution allegations are often inadequately specified
in technical terms. Non-technical drafting of charges may result in the
misuse of terms of art.
In our experience, attempts to "keep it simple for the jury" are generally
misguided.
4.2 Quantity of evidence
Criminal courts can easily underestimate the vast quantities of computer
evidence that may (often unwittingly) be adduced.
In current cases it is not unusual to find 100,000s of files stored on the
hard disk drive of a single PC, and each file may be equivalent to a multi-page
document; many cases involve multiple hard disk drives and/or multiple computers
and/or computer networks.
4.3 Interpretation of data as evidence
A fundamental problem is the difficulty the criminal courts may have in
understanding that all computer evidence is derived from binary data. That
data cannot practically be examined or exhibited as evidence in a legal
sense. It requires expert interpretation and "presentation" simply to be
exhibited as evidence.
A sequence of binary bits may represent binary, binary coded, hexadecimal,
numeric, alphanumeric, date/time or logical data; such a sequence of binary
bits may be a fragment of a program or data file. The precise significance
of any sequence of binary bits can only be determined by interpretation
within a specific context.
These problems are seen most acutely when data that has been recovered from
areas of storage not visible to, or accessible by, the ordinary computer
user is exhibited as evidence. Such data may, for a period of time, be recoverable
from deleted files and/or slack space by forensic methods. The examiner
has to determine the precise significance of any sequence of binary bits
out of context. The examiner has to make subjective decisions as to how
to interpret the raw binary data. A further set of problems arises when
the data has been obtained by collecting traffic as it moves across a network.
The fact that such subjective decisions of expert interpretation can only
practically be made by using software does not alter the nature of such
a decision. The fact that the expert interpretation is made using software,
which may itself be unreliable, introduces further difficulties that may
require a further level of investigation by the court.
The outcome of this dilemma is that multiple interpretations of the data
are invariably possible. The prosecution in a criminal trial may be reluctant
to countenance the possibility of such multiple interpretations.
An analogy may assist the Review. It is only in recent years that the English
courts have moved away from requiring that all evidence be read out in court.
We understand that this rule had been introduced at a time when a very high
proportion of the population could not read. Today, the presentation and
interpretation of computer evidence requires an equivalent modern safeguard.
4.4 Techno-Speculation
A universal source of delay and wasted resource is the confusion shown by
witnesses and lawyers between fact, conjecture, speculation, assumption,
inference and opinion on technical matters. This phenomenon is usually closely
related to the reluctance to consider multiple interpretations described
above.
The most common example is the confusion shown by technical witnesses and
lawyers over the precise significance, and reliability as evidence, of the
file date- and time-stamps recorded by a computer.
4.5 Mishandling of evidence
There are no agreed standards, rules or protocol for the handling of computer
evidence. As a result, each trial has to work from first principles, resulting
in duplicated effort and waste of resource.
In our experience, law enforcement investigators regularly mishandle computer
evidence. Specific instances include:
a) failure to secure all of the necessary evidence
b) failure to secure the necessary evidence on a timely basis
c) failure to preserve the necessary evidence in a non-destructive manner
d) failure to secure the necessary raw computer data as "best evidence"
e) failure to prevent contamination of the evidence by careless handling
procedures
f) failure to preserve and copy the evidence using a transparent process
g) failure to provide a copy of the evidence to the defence in a non-proprietary
format, capable of being viewed using industry-standard operating systems,
utility programs and media
As a result, defences may be seriously prejudiced. "Abuse of process" arguments
regularly succeed.
We are aware of the existence of a document produced by the Association
of Chief Police Officers (ACPO) which offers Guidelines for the Handling
of Computer Evidence. The circulation of this document is limited to law
enforcement agencies. It has never been subjected to outside review or Parliamentary
scrutiny and it has not been published. Access to copies of this document
is sometimes denied to the defence.
It is trivial to tamper with computer evidence. Tampering may leave no trace
of any tampering having taken place. This makes it difficult to refute allegations
of tampering with computer evidence.
Prosecutions are quite frequently abandoned before trial as a result of
contamination of computer evidence by careless handling procedures.
4.6 Contested admissibility
The admissibility of computer evidence is frequently contested. The Defence
may argue, often successfully, that the formal requirements (PACE S69) for
certification have not been met, or that the reliability of the evidence
is so low that it would be prejudicial to a fair trial (PACE S78).
Such arguments are rarely heard pre-trial, resulting in the need for a voir-dire
on the first day of trial. These can be lengthy processes and can require
much of the evidence to be heard before it is decided whether it can be
put before the jury. This has the effect of delaying trials and inconveniencing
juries and witnesses.
In its review Evidence in Criminal Proceedings (Law Com 138), the Law Commission
was concerned that advances in computer technology made it increasingly
difficult to comply with PACE S69. The reality of our experience is that
the PACE S69 admissibility hurdle (showing that the computer was operating
properly and was not being used improperly) is so high that a competent
challenge by the defence on technical grounds will often succeed in having
the evidence ruled inadmissible.
The Law Commission has recommended that PACE S69 be repealed. When that
happens the present Presumption of unreliability will be replaced by a Presumption
of reliability.
We accept that PACE S69 will be abolished. However, we believe it would
be dangerous to allow PACE S69 to be repealed, without first having implemented:
- a protocol for the handling of computer evidence in the criminal courts,
or
- a PACE Code of Practice providing the same sort of detailed requirements
as those used, for example, in the conduct of a physical search of premises
4.7 Assumption of reliability
In practice, criminal courts often assume that if evidence is adduced from
a computer, "it must be reliable". We believe that assumption to be unwarranted.
Most computer evidence adduced in criminal trials originates from Personal
Computers. In our view, PC operating systems and file systems are inherently
insecure and evidence from PCs is therefore likely to be unreliable.
4.8 Reliance on a single stream of evidence
In the light of the problems described above, it is our experience that
prosecutions that rely on a single document or a single stream of computer
evidence are generally doomed to fail.
A common example of a single document is a computer file containing a single
word-processed document, such as a letter. Similarly, an example of a single
stream of evidence would be a series of computer files, each containing
a single word-processed document, such as the contents of a draft version
of a letter.
Using the previous example, multiple streams of evidence might include:
- file attributes, including date- and time-stamps of the same series
of files
- file properties maintained by the word-processing package
- log entries showing when user IDs were logged on
- log entries showing when the word-processing package was in use
- log entries showing when documents were printed, as well as
- the series of computer files
We believe that courts should adopt the position that in order to be
persuaded of the truth of a particular sequence of events, it will normally
be necessary to adduce multiple streams of computer evidence.
4.9 Technical expertise of the courts
Criminal courts rarely have access to adequate technical expertise to
assist them to understand the issues relating to computer evidence. As
a result, the courts may be denied an opportunity to fully address the
real issues or to fully assess the significance of the computer evidence.
4.10 Inequity in case preparation resources
Cases resulting from major investigations typically reveal massive quantities
of computer evidence and may rely on large numbers of lengthy and detailed
statements from technical witnesses.
Defences are often prejudiced by the impossibility of obtaining commensurate
levels of funding of resources, or indeed by extreme difficulty in obtaining
any funding of resources at all. At the moment the obtaining of funding
depends initially on the granting of a legal aid certificate but thereafter
the level of funding is determined by local Area Committees who often
lack any relevant expertise. In the future, with the development of contracted
Legal Aid solicitors on more-or-less fixed budgets, there is the danger
that many such solicitors will simply decline to take on defence cases
that involve complex computer evidence.
We believe that such gross imbalances in case preparation resources are
inequitable.
4.11 Possible misuse of criminal court process
We note with concern a small but growing number of cases involving computer
evidence, which may not belong in the criminal court process.
Two examples are software counterfeiting cases (brought typically by Trading
Standards departments at the behest of powerful software publishers) and
cases concerning confidential data, documents or designs.
In both types of case, the underlying dispute is between commercial organisations
over intellectual property rights. We are concerned that such criminal
cases are sometimes brought in order to save the cost of a civil case
falling on the commercial organisation. Indeed in some current cases,
criminal actions were only instigated when it became apparent that existing
civil actions were doomed to fail.
A greater criticism arises where the prosecution evidence is largely provided
by the commercial organisation and its employees. Not only has there been
little or no police investigation of the evidence, but the commercial
organisation can be selective about if, when and what evidence it provides
to the defence.
We believe that such essentially civil cases may constitute a misuse of
the criminal court process, or at least a waste of resources.
5 Problems of expert evidence in criminal cases involving computer evidence
Criminal cases involving computer evidence often require expert evidence.
Experts usually work closely with counsel and an important aspect of their
work is the education of counsel and the court. In this respect the work
of a "computer expert" is significantly different from that of many other
experts, whose role may be simply to provide one expert report.
5.1 What are the expert's duties?
The duties of an expert in the criminal courts are relatively unclear. The
definitions provided by CPR and recent case law have clarified the experts'
duties in the civil courts. The fact that the criminal court system remains
thoroughly adversarial is believed to contribute to the confusion over the
duties of an expert. For example, there is generally absolutely no technical
co-operation between experts for the Prosecution and Defence and little
effective use is made of experts' meetings to assist the courts. As a result,
experts in the same case often consider different evidence.
5.2 Who is an expert?
There is currently little or no agreement about who is an expert on computer
evidence. A salient example is the question, When does a technical witness
of fact become an expert?
At present there is no form of assessment or registration of experts.
The work of an expert in the criminal courts is unattractive, particularly
given the levels of remuneration available to IT professionals. As a result
it is difficult to attract and retain adequate level of technical expertise.
5.3 Problems facing experts on computer evidence
All experts face particular problems in criminal cases involving computer
evidence. For example, difficulty, delay and cost are frequently incurred
in:
a) examining evidence protected by security password or encryption
b) obtaining access to necessary hardware, media, software, or reference
data that has been outdated by the pace of technological change
c) obtaining disclosure of proprietary technical or security information,
or access to software protected by licence protection mechanisms
d) linking disparate sources of computer evidence on different media or
incompatible file formats
e) linking multiple streams of computer evidence
f) making extremely complex evidence comprehensible to a jury
5.4 Problems facing defence experts on computer evidence
Defence experts face particularly difficult problems in criminal cases involving
computer evidence. For example, difficulty, delay and cost are frequently
incurred in:
a) rectifying the absence of technical data identifying the computing environment
in which the evidence was seized
b) assessing the relevance of vast quantities of computer evidence
c) establishing precisely what steps were taken to secure, preserve and/or
copy the evidence
d) distinguishing evidence that has been produced from data recovered from
undeleted files and/or slack space from evidence produced from intact files
e) linking disparate sources of computer evidence due to incompatible or
inconsistent exhibit numbering systems
f) attempting to obtain software licences needed to examine proprietary
forensic file formats
g) applying to the courts to obtain specifications of proprietary forensic
software used to handle and/or investigate the evidence
h) applying to the courts to obtain adequate access to disks which contain
pornographic and paedophile material. Solicitors employed by police forces
sometimes seek to set restrictive terms, usually requiring that defence
experts attend at Police locations or that they are supervised by police
officers during the examination. One argument made for this is that possession
of paedophile material is a strict liability offence; though there is little
doubt that an expert would be able to use the defence provided in s 160
CJA, 1988. Experts need long-term access to copies of entire disks seized
from suspects as they will be checking configuration files, time-and-date
stamps and other material against witness statements, proofs, and non-computer
evidence. Little of this can be done at a police station and the presence
of police officer can violate the expert / instructing solicitor privilege
i) having to fund the acquisition of computer hardware and/or software for
no other reason than for its use in a single case
j) dealing with unnecessary requests from law enforcement agencies to agree
confidentiality undertakings
k) dealing (unpaid) with applications for Legal Aid
6 Proposals
We have considered the problems identified above relating to computer evidence
and expert evidence on computer evidence. We now make the following outline
proposals for consideration by the Review:
6.1 Legal principles
As non-lawyers, we propose that the Review should adopt the following high-level
principles in criminal cases involving computer evidence:
1. Acceptance that computer evidence needs to be treated differently from
traditional sources of evidence on paper
2. Distinguishing between raw, unprocessed data and processed computer evidence.
Such a distinction may have the effect of resuscitating (or reformulating)
a Best Evidence rule for computer evidence
3. Distinguishing between evidence that has been produced from data recovered
from undeleted files and/or slack space from evidence produced from intact
files
4. Acknowledgement that multiple streams of computer evidence will normally
be needed to persuade the courts of the truth of a particular sequence of
events
5. Ensuring that prosecution allegations are drafted in specific, technical
terms<
6.2 Handling of Computer Evidence
We propose that the Review should develop a protocol for the handling of
computer evidence, based on "best practice" principles. "Handling" includes
securing, preserving and copying evidence. We propose and strongly recommend
that the protocol should then be adopted as a Code of Practice, for example
under PACE.
The protocol would need to be comprehensive and subject to regular review.
Known specific issues to be addressed include:
a) Technical Identification of all forensic software used for securing,
preserving and copying evidence in an investigation
b) Independent scrutiny and quality certification of all forensic software
used for securing, preserving and copying evidence in an investigation
c) Recording and automatic disclosure of all the steps taken for securing,
preserving and copying evidence in an investigation in a forensic audit
trial.
d) Image copies to be produced in native file system formats (that is, not
in formats which are proprietary to the forensic software supplier, encoded
or compressed)
e) Image copies also to be produced in formats capable of being viewed using
industry-standard operating systems, utility programs and media
We anticipate that the drafting of such a protocol would represent a substantial
body of technical work. We offer to co-operate with the Review by assisting
further with the work needed.
6.3 Agreed Bundle of Computer Evidence
We propose that the Review should consider introducing the concept of an
Agreed Bundle of Computer Evidence, at least for cases involving large amounts
of computer evidence. The attributes of such an Agreed Bundle would include:
a) a single-source, consolidated repository for all the raw, unprocessed
data relied on as sources of evidence by the Prosecution and Defence
b) a single-source, consolidated repository for all the evidential exhibits
relied on by the Prosecution and Defence
c) Items in the Agreed Bundle of computer evidence should be indexed/referenced
using a single indexing/referencing system. Such an index to the computer
evidence repository should be maintained in a database or spreadsheet format
d) Copies of the Agreed Bundle on read-only media and/or online access to
the Agreed Bundle should be made available to the court, lawyers and experts
6.4 Witness Statements
We propose that the Review should consider adopting the following changes
in practice:
a) Witnesses should unequivocally state whether they are giving evidence
as a lay witness, lay technical witness or expert.
b) Witnesses should clearly distinguish fact, conjecture, speculation, assumption,
inference and opinion
c) Witnesses should state what alternative interpretations they have considered
6.5 Use of Experts
Similarly for experts, we propose that the Review should consider adopting
the following changes in practice:
a) Experts should clearly distinguish fact, conjecture, speculation, assumption,
inference and opinion in reports
b) Experts should state what alternative interpretations they have considered
In the context of a regime of more pro-active case management (see 6.7 below),
we propose that greater use should be made of pre-trial meetings of experts;
we recognise the difficulties that may arise under the adversarial procedure
and that instructing solicitors may need to be closely involved.
In principle, we support the current moves towards the assessment and registration
of experts in the criminal courts. In practice, we have reservations about
how such assessment and registration will be achieved.
6.6 Equity in case preparation resources
We propose that the Review should seriously consider means of ensuring equity
in the resources available for the preparation of cases involving computer
evidence. We are not suggesting that defence budgets should necessarily
be at parity with prosecution budgets. At the very least, we believe that
it is relevant for the criminal court to receive evidence from the prosecution
of the resources expended in a criminal investigation, when considering
applications arising from a denial of Legal Aid.
6.7 Earlier case management in the criminal courts
In the light of the reforms brought about under CPR, we propose that the
Review should consider adopting a more pro-active approach to criminal case
management. Earlier case management would be effective in dealing with procedural
issues well in advance of the trial, such as:
a) limiting the scope of evidence
b) limiting the scope of expert evidence
c) the use of electronic case management systems (including the Agreed Bundle
described at 6.3 above)
d) agreement on glossaries, visual aids/charts and/or demonstrations to
illustrate complex technology and networks
e) voir-dire arguments on admissibility of computer evidence
f) review of quality control of computer evidence
g) voir-dire arguments on reliability of computer evidence, arising from
f)
Under f) above, we are proposing that the Review consider introducing, at
least on an experimental basis, some form of independent quality control
procedures during the criminal investigation, with the defence having access
to the quality control information. The quality control principles we have
in mind here are based on the techniques used in the development of life-critical
systems. We invite the Review to consider whether or not the procedures
that can lead to the loss of a citizen's liberty need to be to the same
high standards.
If our proposal (see 6.2 above) for a PACE Code of Practice, incorporating
a protocol for the handling of computer evidence were to be adopted, then
that would provide the necessary quality control standard.
We believe that our proposals on changing the composition of criminal courts
in the circumstances defined at 6.8 below would be particularly effective
in terms of the management of these issues.
6.8 Composition of criminal courts
We propose that the Review should seriously consider changing the composition
of criminal courts in cases where:
a) the charges relate to offences against computers under Computer Misuse
Act 1990, or
b) there is a substantial quantity of relevant computer evidence, or
c) there are significant differences between technical witnesses or experts
on the interpretation of computer evidence, or
d) there are serious challenges to the admissibility or reliability of computer
evidence
so as to allow the courts a greater understanding of the technical issues
arising from the computer evidence.
In such circumstances, the criminal court tribunal could comprise of:
- a judge, lay jury and a court-appointed expert, or
- a judge, lay jury and a technical assessor, or
- a judge and a technical assessor, or
- a judge and a technical jury
We acknowledge the force of the arguments for retaining the lay jury rehearsed
by those opposed to the arguments made by Roskill in 1986 in respect of
Fraud trials. We also have concerns about how such court-appointed experts
and assessors would be identified, selected and appointed.
On that basis, we make no recommendation of any specific composition. Indeed,
we propose that a range of compositions should be available.
7 Further consultation
We would be pleased to expand on any of the points raised in this submission.
Please address any request for further information to:
Michael J L Turner MA FBCS FCIArb MAE MEWI
Convenor, Computer Evidence Taskgroup,
Legal Affairs Committee, The British Computer Society
Telephone: 01981 241020 Fax: 01981 241021
Email: michael_turner@computerevidence.co.uk
|