The trial in July 1993 of programmer Vatsal Patel on three charges
of unauthorised modification under the Computer Misuse Act, s 3(1)
provides an interesting example of a s 3 case and insight into the
current treatment of computer evidence in criminal trials generally.
In January 1991 Dun & Bradstreet (D&B) at High Wycombe initiated
a software development project to meet the business information
requirements of its Austrian associate company. It was decided to
develop a bespoke system from scratch, using up-to-date hardware
and software, and a small team was formed for this purpose. In the
first phase of the project, the company's business information requirements
were assessed and the database structure was designed. In the second
phase, the development team was expanded to include programmers
working on screen and report designs.
Two of these programmers were contract staff, one of whom was Vatsal
Patel. He joined the project team on 27 January 1992, his contract
was twice extended at D&B's request and was terminated on 31 July
1992. The development platform was a local area network running
OS/2, Microsoft LANManager, SQLServer, and a development tool, CONFIGURATOR/2.
In May 1992 D&B's development team had begun to experience "losses"
- the product of all their software development work was held as
a set of database tables and these simply began to disappear. By
the end of June, development work had to be stopped. In early July
the operating system and database software were upgraded and the
software development network was reconfigured; the losses of project
data stopped and the project continued.
However on 20 July the losses recommenced and were so frequent
that development work had to be stopped altogether. In the following
week, the development network was reconfigured again but the losses
increased in severity with all the development work being lost within
seconds every time the system was restored.
Microsoft were consulted and gave all their software a clean bill
of health. D&B had to consider the possibility that the losses resulted
from deliberate acts of sabotage. Examination of a system audit
trail showed a DROP TABLE command originating from a particular
networked PC. This diagnosis was puzzling because the particular
PC was not in use and had been turned off. Closer inspection showed
that the PC was in fact turned on, with the display screen turned
off, and that it was running a detached process. At this point it
was decided to alter the access security permissions so as to disable
the DROP TABLE command.
By Thursday 30 July a pair of "wrecking programs" had been identified
on the same networked PC, which was the one normally used by Vatsal
Patel. One of the programs was called VAT, his nickname. D&B decided
to notify the police who agreed to attend the following day, which
was the last day of Vatsal Patel's contract. It was decided to set
a two-pronged trap - the network was to be monitored from other
PCs to observe whether the wrecking programs were initiated from
the Vatsal Patel's PC and two plain clothes detectives were to keep
him under visual observation from a nearby office.
In the event, the trap was not sprung The wrecking program was
not initiated and the visual observation was inconclusive. After
Vatsal Patel had left the office, it was found that the wrecking
programs were no longer present where they had been found earlier,
but they were found in a new directory "SHIT", apparently created
at 12:27 pm on 31 July 1992. At this stage the police took possession
of the PC used by Vatsal Patel and subsequently instructed data
recovery specialists to examine the hard disk of the PC.
A week later Vatsal Patel was invited to go for a drink to celebrate
the completion of the project. He was arrested and charged with
unauthorised modification of computer material under s 3(1), which
he denied. The police subsequently searched his home and retrieved
a quantity of programming material.
At his trial, which took place before Judge John Slack at Aylesbury
Crown Court in July 1993, Vatsal Patel pleaded not guilty to all
three charges. In a voir dire, the admissibility, under s
69 of and Sch 3 to the Police and Criminal Evidence Act 1984, of
several of the prosecution's computer documents was challenged,
on the grounds that there were real doubts as to whether the computer
was working properly at the material time. Reference was made to
the recent House of Lords decision, R v Shephard 
1 All ER 225.
In particular, the prosecution wished to rely on file time-stamps,
which were admitted to be inaccurate but which were at alleged to
be 54 minutes slow. The judge ruled that the contemporaneous computer
documents were admissible.
The defence then argued that there were particular grounds to doubt
the accuracy of the evidence contained in the key exhibit prepared
by the data recovery specialist. This document, which summarised
the file allocation table (FAT) entries for the hard disk of the
defendant's PC, had been produced using proprietary image-copying
software on a local area network. After hearing evidence from both
the data recovery specialist and the expert for the defence, the
judge ruled that this document was also admissible and that any
doubts as to its accuracy would go to weight.
The prosecution case was that the alleged damage was caused by
the "wrecking programs"; that they were written with intent by the
defendant on the PC workstation he used; that they were initiated
by the defendant; that they were deleted and moved to the "SHIT"
directory at a time when the defendant was at his PC workstation;
and that a similar program had been found in the search of his home.
It was also alleged that the losses of development work had cost
D&B £90,000 and that the defendant's motive was to prolong his lucrative
programming contract with D&B.
The defence ran along classic "Whodunit?" lines. Although there
was no documentary evidence linking the wrecking programs with the
alleged losses, for which there were many other potential causes,
it was conceded by the defence that the wrecking programs had the
potential to cause the alleged damage. Even if the court were to
accept that such a link existed, there was no persuasive evidence
that the wrecking programs had been written by the defendant and
initiated by him. If the defendant was as clever as he was portrayed
by the prosecution, it was suggested that he would hardly have named
the wrecking programs using his own nickname and left them in a
prominent position, when evidence had been given of the ease with
which they could have been erased without trace. It followed that
someone else must have been the perpetrator, and the defendant had
During cross-examination of the prosecution witnesses, it emerged
- the development project was already late when the Defendant
joined the development team
- losses had occurred before the wrecking programs were allegedly
- the development platform was far from stable
- there had been hardware faults during this period
- computer security procedures on the development LAN were non-existent
- other members of the development team used the defendant's PC
- other members of the development team were aware of the peer
to peer facilities in LANManager
- other members of the development team were aware of how file
timestamps and date-stamps could be altered
- at the critical time when the prosecution alleged that the Defendant
created the "SHIT" directory, the police had been unable to see
whether the defendant was using his PC
- the "similar wrecking program" found in the search of the defendant's
home was in fact a recognised programming technique
A director of the defendant's employment agency gave evidence for
the defence that the defendant was highly employable and that, at
the end of July 1992, he had been offered a prestigious new contract
to start immediately at a higher rate of pay. The defendant denied
that the wrecking programs were anything to do with him.
At the end of a six-day trial, the jury found Vatsal Patel not
guilty on all three counts
This case is a salutary warning to all those software managers
who cannot plead ignorance of the need to design and implement a
comprehensive security regime, yet choose instead to allow anarchy
to prevail. The absence of the most elementary security precautions
in this development environment was quite breathtaking. For this
reason, the decision by the CPS to initiate the prosecution was
In the DTI report reviewing the introductory period of the Computer
Misuse Act 1990 (Dealing with Computer Misuse, 1992), the fear of
financial embarrassment and damage to a company's reputation was
cited as a major reason for employers' reluctance to pursue prosecutions
under the Act. It was therefore a bold decision by D&B to report
the incidents to the police and to support the prosecuting authorities
throughout these proceedings.
Contrary to the view that evidence of the actual unauthorised modification
would always have to be adduced in s 3 cases (see Sean Doran in
Archbold News: Issue 4, 1993), this trial proceeded without
any such documentary evidence being adduced. No before and after
evidence of the "lost" database table files had been preserved and
this also undoubtedly weakened the prosecution case. This weakness
was compounded by the prosecution's failure to record and preserve
other essential evidence relating to configuration change control
records version levels, activity logs, audit trails, or security
In spite of the ruling in this case, any document prepared by data
recovery techniques as a prosecution exhibit in a criminal trial
must be viewed with grave suspicion. In my opinion there remain
good grounds for mounting a technical challenge to the admissibility
of all such evidence.
The court appeared to have almost no difficulty in grasping the
technical issues despite the fact that nearly all the witnesses
were computer professionals and that there was some fairly impenetrable
documentation. With competent technical support, counsel who were
not computer specialists were also confident.
As in so many criminal cases involving the reliability of computer
evidence, the unreliability of file datestamps and timestamps was
of central importance in this case. Where the authenticity of documents
is questioned, similar arguments also apply in a wide range of civil