
Computer Evidence

Michael J L Turner MA FBCS CITP MAE FEWI


Case of Vatsal Patel

The following text of an article by Michael J L Turner published in Computers and Law, New Series Volume 5 Issue 1, April 1994, is archived at:

http://www.computerevidence.co.uk/Cases/Patel/Articles/Patel.htm


R v Vatsal Patel - the Computer Misuse Act 1990, s3(1)

The trial in July 1993 of programmer Vatsal Patel on three charges of unauthorised modification under the Computer Misuse Act, s 3(1) provides an interesting example of a s 3 case and insight into the current treatment of computer evidence in criminal trials generally.

Background

In January 1991 Dun & Bradstreet (D&B) at High Wycombe initiated a software development project to meet the business information requirements of its Austrian associate company. It was decided to develop a bespoke system from scratch, using up-to-date hardware and software, and a small team was formed for this purpose. In the first phase of the project, the company's business information requirements were assessed and the database structure was designed. In the second phase, the development team was expanded to include programmers working on screen and report designs.

Two of these programmers were contract staff, one of whom was Vatsal Patel. He joined the project team on 27 January 1992, his contract was twice extended at D&B's request and was terminated on 31 July 1992. The development platform was a local area network running OS/2, Microsoft LANManager, SQLServer, and a development tool, CONFIGURATOR/2.

Unauthorised Modification

In May 1992 D&B's development team had begun to experience "losses" - the product of all their software development work was held as a set of database tables and these simply began to disappear. By the end of June, development work had to be stopped. In early July the operating system and database software were upgraded and the software development network was reconfigured; the losses of project data stopped and the project continued.

However on 20 July the losses recommenced and were so frequent that development work had to be stopped altogether. In the following week, the development network was reconfigured again but the losses increased in severity with all the development work being lost within seconds every time the system was restored.

Microsoft were consulted and gave all their software a clean bill of health. D&B had to consider the possibility that the losses resulted from deliberate acts of sabotage. Examination of a system audit trail showed a DROP TABLE command originating from a particular networked PC. This diagnosis was puzzling because the particular PC was not in use and had been turned off. Closer inspection showed that the PC was in fact turned on, with the display screen turned off, and that it was running a detached process. At this point it was decided to alter the access security permissions so as to disable the DROP TABLE command.

By Thursday 30 July a pair of "wrecking programs" had been identified on the same networked PC, which was the one normally used by Vatsal Patel. One of the programs was called VAT, his nickname. D&B decided to notify the police, who agreed to attend the following day, which was the last day of Vatsal Patel's contract. It was decided to set a two-pronged trap - the network was to be monitored from other PCs to observe whether the wrecking programs were initiated from Vatsal Patel's PC, and two plain-clothes detectives were to keep him under visual observation from a nearby office.

In the event, the trap was not sprung. The wrecking program was not initiated and the visual observation was inconclusive. After Vatsal Patel had left the office, it was found that the wrecking programs were no longer present where they had been found earlier, but they were found in a new directory "SHIT", apparently created at 12:27 pm on 31 July 1992. At this stage the police took possession of the PC used by Vatsal Patel and subsequently instructed data recovery specialists to examine the hard disk of the PC.

A week later Vatsal Patel was invited to go for a drink to celebrate the completion of the project. He was arrested and charged with unauthorised modification of computer material under s 3(1), which he denied. The police subsequently searched his home and retrieved a quantity of programming material.

The Trial

At his trial, which took place before Judge John Slack at Aylesbury Crown Court in July 1993, Vatsal Patel pleaded not guilty to all three charges. In a voir dire, the admissibility, under s 69 of and Sch 3 to the Police and Criminal Evidence Act 1984, of several of the prosecution's computer documents was challenged, on the grounds that there were real doubts as to whether the computer was working properly at the material time. Reference was made to the recent House of Lords decision, R v Shephard [1993] 1 All ER 225.

In particular, the prosecution wished to rely on file time-stamps, which were admitted to be inaccurate but which were alleged to be 54 minutes slow. The judge ruled that the contemporaneous computer documents were admissible.

The defence then argued that there were particular grounds to doubt the accuracy of the evidence contained in the key exhibit prepared by the data recovery specialist. This document, which summarised the file allocation table (FAT) entries for the hard disk of the defendant's PC, had been produced using proprietary image-copying software on a local area network. After hearing evidence from both the data recovery specialist and the expert for the defence, the judge ruled that this document was also admissible and that any doubts as to its accuracy would go to weight.

The prosecution case was that the alleged damage was caused by the "wrecking programs"; that they were written with intent by the defendant on the PC workstation he used; that they were initiated by the defendant; that they were deleted and moved to the "SHIT" directory at a time when the defendant was at his PC workstation; and that a similar program had been found in the search of his home. It was also alleged that the losses of development work had cost D&B £90,000 and that the defendant's motive was to prolong his lucrative programming contract with D&B.

The defence ran along classic "Whodunit?" lines. Although there was no documentary evidence linking the wrecking programs with the alleged losses, for which there were many other potential causes, it was conceded by the defence that the wrecking programs had the potential to cause the alleged damage. Even if the court were to accept that such a link existed, there was no persuasive evidence that the wrecking programs had been written by the defendant and initiated by him. If the defendant was as clever as he was portrayed by the prosecution, it was suggested that he would hardly have named the wrecking programs using his own nickname and left them in a prominent position, when evidence had been given of the ease with which they could have been erased without trace. It followed that someone else must have been the perpetrator, and the defendant had been framed.

During cross-examination of the prosecution witnesses, it emerged that:

  • the development project was already late when the defendant joined the development team
  • losses had occurred before the wrecking programs were allegedly first initiated
  • the development platform was far from stable
  • there had been hardware faults during this period
  • computer security procedures on the development LAN were non-existent
  • other members of the development team used the defendant's PC
  • other members of the development team were aware of the peer-to-peer facilities in LANManager
  • other members of the development team were aware of how file timestamps and date-stamps could be altered
  • at the critical time when the prosecution alleged that the defendant created the "SHIT" directory, the police had been unable to see whether the defendant was using his PC
  • the "similar wrecking program" found in the search of the defendant's home was in fact a recognised programming technique

A director of the defendant's employment agency gave evidence for the defence that the defendant was highly employable and that, at the end of July 1992, he had been offered a prestigious new contract to start immediately at a higher rate of pay. The defendant denied that the wrecking programs were anything to do with him.

At the end of a six-day trial, the jury found Vatsal Patel not guilty on all three counts.

Commentary

This case is a salutary warning to all those software managers who cannot plead ignorance of the need to design and implement a comprehensive security regime, yet choose instead to allow anarchy to prevail. The absence of the most elementary security precautions in this development environment was quite breathtaking. For this reason, the decision by the CPS to initiate the prosecution was always vulnerable.

In the DTI report reviewing the introductory period of the Computer Misuse Act 1990 (Dealing with Computer Misuse, 1992), the fear of financial embarrassment and damage to a company's reputation was cited as a major reason for employers' reluctance to pursue prosecutions under the Act. It was therefore a bold decision by D&B to report the incidents to the police and to support the prosecuting authorities throughout these proceedings.

Contrary to the view that evidence of the actual unauthorised modification would always have to be adduced in s 3 cases (see Sean Doran in Archbold News: Issue 4, 1993), this trial proceeded without any such documentary evidence being adduced. No before and after evidence of the "lost" database table files had been preserved and this also undoubtedly weakened the prosecution case. This weakness was compounded by the prosecution's failure to record and preserve other essential evidence relating to configuration change control records, version levels, activity logs, audit trails, or security logs.

In spite of the ruling in this case, any document prepared by data recovery techniques as a prosecution exhibit in a criminal trial must be viewed with grave suspicion. In my opinion there remain good grounds for mounting a technical challenge to the admissibility of all such evidence.

The court appeared to have almost no difficulty in grasping the technical issues despite the fact that nearly all the witnesses were computer professionals and that there was some fairly impenetrable documentation. With competent technical support, counsel who were not computer specialists were also confident.

As in so many criminal cases involving the reliability of computer evidence, the unreliability of file datestamps and timestamps was of central importance in this case. Where the authenticity of documents is questioned, similar arguments also apply in a wide range of civil cases.

 


 

Copyright Michael J L Turner 1994 - 2017