This copy Submission is archived at:

http://www.computerevidence.co.uk/Papers/LJAuld/BCSComputerEvidenceSubmission.htm


The British Computer Society

Expert Panels: Legal Affairs Expert Panel

Submission to the Criminal Courts Review, Lord Justice Auld

Royal Courts of Justice
Strand, London, WC2A 2LL

March 2000
1 Scope of submission
The scope of this submission by The British Computer Society is two-fold:

1.1 Computer Evidence
Commentary on problems arising from current criminal court practice and procedure relating to computer evidence, and proposals intended to improve the fairness and efficiency of the criminal justice process in dealing with such evidence.

This part of our submission deals with how the criminal justice process needs to adjust to accommodate changing forms of evidence that are relevant to both traditional crimes and the new forms of e-crime.

We suggest that this part of our submission can also be seen as a special case of how the criminal justice process generally needs to adjust to accommodate novel forms of evidence.

1.2 Expert evidence on Computer Evidence
Commentary on problems arising from current criminal court practice and procedure relating to expert evidence regarding computer evidence, and proposals intended to improve the fairness and efficiency of the criminal justice process in dealing with such expert evidence.

This part of our submission deals with how the criminal justice process needs to adjust to accommodate changing demands for expert evidence that are relevant to both traditional crimes and the new forms of e-crime.

We suggest that this part of our submission can also be seen as a special case of how the criminal justice process generally needs to adjust to accommodate demands for expert evidence that involve novel science.

2 The British Computer Society ("BCS")
2.1 Who is BCS?
The British Computer Society is the leading professional and learned Society in the field of computers and information systems. Formed in 1957, it has over 38,000 members world-wide. The Society is concerned with the development of computing and its effective application. Under its Royal Charter, granted in 1984, it also has responsibilities for education and training, for public awareness, and above all for standards, quality and professionalism. The BCS is recognised as the authoritative voice of those seeking excellence in computing and the guardian of best practise. This positioning ensures the BCS is called upon to provide advice, information and expertise to Parliament, Government and the IT industry. The BCS has made previous submissions to Reviews and Consultations by Government and Parliament, on such diverse matters as VAT, PAYE and SSP and checking the procedures for creating random numbers for Premium Savings Bonds. It has also acted as an independent assessor with regard to the security and privacy of the Censuses of 1971 to 1991.

2.2 BCS Legal Affairs Committee
The BCS also played an active role in the formulation of legislation relating to data protection (Data Protection Act), software copyright (Copyright, Designs and Patents Act 1988 and the amendments implementing the Software Directive) and computer misuse (Computer Misuse Act 1990). The Legal Affairs Committee was established to continue this tradition in legal matters and has instigated this submission.

2.3 Computer Evidence Taskgroup
The Computer Evidence Taskgroup of the BCS Legal Affairs Committee has prepared this submission. It comprises of BCS Members who have extensive experience of acting as experts in criminal cases, predominantly, but not exclusively, for defendants.

3 Computer evidence in Criminal cases
3.1 Scope
The range of criminal cases involving computer evidence is already very broad and can only be expected to widen with the rapid development of personal computing and the Internet. One commentator believes that:

"The time will come when evidence in a computer will be everyday evidence involved in every aspect of every crime that we see."
DS Simon Janes, Association of Chief Police Officers, Computer Crime Committee, BBC2 Newsnight, 13 July 1998

We anticipate that the new Regulation of Investigatory Powers Bill (if enacted) will further increase the proportion of criminal cases involving computer evidence (for example, evidence of telephone calls emanating from telephone switches).

3.2 Examples of Computer evidence in Criminal cases
Many commentators distinguish:
  • criminal cases where computer evidence is adduced as a result of defendants using computers, from
  • criminal cases where computer evidence is adduced when defendants are charged with crimes against computers
Examples of criminal cases where computer evidence has been adduced as a result of defendants using computers include:
  • Murder (e.g. Dr Shipman's patient medical records)
  • Fraud / Deception
  • Forgery
  • Theft
  • Blackmail
  • Obscene Publications
  • Protection of Children Act (e.g. Operation Cathedral)
  • Representation of the People Act
  • VAT and tax frauds
  • Conspiracy to pervert the course of Justice
  • Official Secrets
  • Narcotics trafficking
  • Data Protection
Most criminal cases where computer evidence is adduced when defendants are charged with crimes against computers are brought under the Computer Misuse Act 1990 or the Theft Act 1968.

4 Problems with criminal cases involving computer evidence
Criminal courts are generally unfamiliar with the subject of computer evidence. They may be unaware of many of the difficulties, problems and potential pitfalls relating to computer evidence that are regularly experienced.

By way of background we attach copies of three articles from law journals relating to the subject of computer evidence in criminal cases.

4.1 Technical complexity
Criminal courts regularly underestimate the high level of technical complexity of cases involving computer evidence.

Broadly stated prosecution allegations are often inadequately specified in technical terms. Non-technical drafting of charges may result in the misuse of terms of art.

In our experience, attempts to "keep it simple for the jury" are generally misguided.

4.2 Quantity of evidence
Criminal courts can easily underestimate the vast quantities of computer evidence that may (often unwittingly) be adduced.

In current cases it is not unusual to find 100,000s of files stored on the hard disk drive of a single PC, and each file may be equivalent to a multi-page document; many cases involve multiple hard disk drives and/or multiple computers and/or computer networks.

4.3 Interpretation of data as evidence
A fundamental problem is the difficulty the criminal courts may have in understanding that all computer evidence is derived from binary data. That data cannot practically be examined or exhibited as evidence in a legal sense. It requires expert interpretation and "presentation" simply to be exhibited as evidence.

A sequence of binary bits may represent binary, binary coded, hexadecimal, numeric, alphanumeric, date/time or logical data; such a sequence of binary bits may be a fragment of a program or data file. The precise significance of any sequence of binary bits can only be determined by interpretation within a specific context.

These problems are seen most acutely when data that has been recovered from areas of storage not visible to, or accessible by, the ordinary computer user is exhibited as evidence. Such data may, for a period of time, be recoverable from deleted files and/or slack space by forensic methods. The examiner has to determine the precise significance of any sequence of binary bits out of context. The examiner has to make subjective decisions as to how to interpret the raw binary data. A further set of problems arises when the data has been obtained by collecting traffic as it moves across a network.

The fact that such subjective decisions of expert interpretation can only practically be made by using software does not alter the nature of such a decision. The fact that the expert interpretation is made using software, which may itself be unreliable, introduces further difficulties that may require a further level of investigation by the court.

The outcome of this dilemma is that multiple interpretations of the data are invariably possible. The prosecution in a criminal trial may be reluctant to countenance the possibility of such multiple interpretations.

An analogy may assist the Review. It is only in recent years that the English courts have moved away from requiring that all evidence be read out in court. We understand that this rule had been introduced at a time when a very high proportion of the population could not read. Today, the presentation and interpretation of computer evidence requires an equivalent modern safeguard.

4.4 Techno-Speculation
A universal source of delay and wasted resource is the confusion shown by witnesses and lawyers between fact, conjecture, speculation, assumption, inference and opinion on technical matters. This phenomenon is usually closely related to the reluctance to consider multiple interpretations described above.

The most common example is the confusion shown by technical witnesses and lawyers over the precise significance, and reliability as evidence, of the file date- and time-stamps recorded by a computer.

4.5 Mishandling of evidence
There are no agreed standards, rules or protocol for the handling of computer evidence. As a result, each trial has to work from first principles, resulting in duplicated effort and waste of resource.

In our experience, law enforcement investigators regularly mishandle computer evidence. Specific instances include:

a) failure to secure all of the necessary evidence
b) failure to secure the necessary evidence on a timely basis
c) failure to preserve the necessary evidence in a non-destructive manner
d) failure to secure the necessary raw computer data as "best evidence"
e) failure to prevent contamination of the evidence by careless handling procedures
f) failure to preserve and copy the evidence using a transparent process
g) failure to provide a copy of the evidence to the defence in a non-proprietary format, capable of being viewed using industry-standard operating systems, utility programs and media

As a result, defences may be seriously prejudiced. "Abuse of process" arguments regularly succeed.

We are aware of the existence of a document produced by the Association of Chief Police Officers (ACPO) which offers Guidelines for the Handling of Computer Evidence. The circulation of this document is limited to law enforcement agencies. It has never been subjected to outside review or Parliamentary scrutiny and it has not been published. Access to copies of this document is sometimes denied to the defence.

It is trivial to tamper with computer evidence. Tampering may leave no trace of any tampering having taken place. This makes it difficult to refute allegations of tampering with computer evidence.

Prosecutions are quite frequently abandoned before trial as a result of contamination of computer evidence by careless handling procedures.

4.6 Contested admissibility
The admissibility of computer evidence is frequently contested. The Defence may argue, often successfully, that the formal requirements (PACE S69) for certification have not been met, or that the reliability of the evidence is so low that it would be prejudicial to a fair trial (PACE S78).

Such arguments are rarely heard pre-trial, resulting in the need for a voir-dire on the first day of trial. These can be lengthy processes and can require much of the evidence to be heard before it is decided whether it can be put before the jury. This has the effect of delaying trials and inconveniencing juries and witnesses.

In its review Evidence in Criminal Proceedings (Law Com 138), the Law Commission was concerned that advances in computer technology made it increasingly difficult to comply with PACE S69. The reality of our experience is that the PACE S69 admissibility hurdle (showing that the computer was operating properly and was not being used improperly) is so high that a competent challenge by the defence on technical grounds will often succeed in having the evidence ruled inadmissible.

The Law Commission has recommended that PACE S69 be repealed. When that happens the present Presumption of unreliability will be replaced by a Presumption of reliability.

We accept that PACE S69 will be abolished. However, we believe it would be dangerous to allow PACE S69 to be repealed, without first having implemented:
  • a protocol for the handling of computer evidence in the criminal courts, or
  • a PACE Code of Practice providing the same sort of detailed requirements as those used, for example, in the conduct of a physical search of premises
4.7 Assumption of reliability
In practice, criminal courts often assume that if evidence is adduced from a computer, "it must be reliable". We believe that assumption to be unwarranted. Most computer evidence adduced in criminal trials originates from Personal Computers. In our view, PC operating systems and file systems are inherently insecure and evidence from PCs is therefore likely to be unreliable.

4.8 Reliance on a single stream of evidence
In the light of the problems described above, it is our experience that prosecutions that rely on a single document or a single stream of computer evidence are generally doomed to fail.

A common example of a single document is a computer file containing a single word-processed document, such as a letter. Similarly, an example of a single stream of evidence would be a series of computer files, each containing a single word-processed document, such as the contents of a draft version of a letter.

Using the previous example, multiple streams of evidence might include:
  • file attributes, including date- and time-stamps of the same series of files
  • file properties maintained by the word-processing package
  • log entries showing when user IDs were logged on
  • log entries showing when the word-processing package was in use
  • log entries showing when documents were printed, as well as
  • the series of computer files

We believe that courts should adopt the position that in order to be persuaded of the truth of a particular sequence of events, it will normally be necessary to adduce multiple streams of computer evidence.

4.9 Technical expertise of the courts
Criminal courts rarely have access to adequate technical expertise to assist them to understand the issues relating to computer evidence. As a result, the courts may be denied an opportunity to fully address the real issues or to fully assess the significance of the computer evidence.

4.10 Inequity in case preparation resources
Cases resulting from major investigations typically reveal massive quantities of computer evidence and may rely on large numbers of lengthy and detailed statements from technical witnesses.

Defences are often prejudiced by the impossibility of obtaining commensurate levels of funding of resources, or indeed by extreme difficulty in obtaining any funding of resources at all. At the moment the obtaining of funding depends initially on the granting of a legal aid certificate but thereafter the level of funding is determined by local Area Committees who often lack any relevant expertise. In the future, with the development of contracted Legal Aid solicitors on more-or-less fixed budgets, there is the danger that many such solicitors will simply decline to take on defence cases that involve complex computer evidence.

We believe that such gross imbalances in case preparation resources are inequitable.

4.11 Possible misuse of criminal court process
We note with concern a small but growing number of cases involving computer evidence, which may not belong in the criminal court process.

Two examples are software counterfeiting cases (brought typically by Trading Standards departments at the behest of powerful software publishers) and cases concerning confidential data, documents or designs.

In both types of case, the underlying dispute is between commercial organisations over intellectual property rights. We are concerned that such criminal cases are sometimes brought in order to save the cost of a civil case falling on the commercial organisation. Indeed in some current cases, criminal actions were only instigated when it became apparent that existing civil actions were doomed to fail.

A greater criticism arises where the prosecution evidence is largely provided by the commercial organisation and its employees. Not only has there been little or no police investigation of the evidence, but the commercial organisation can be selective about if, when and what evidence it provides to the defence.

We believe that such essentially civil cases may constitute a misuse of the criminal court process, or at least a waste of resources.

5 Problems of expert evidence in criminal cases involving computer evidence
Criminal cases involving computer evidence often require expert evidence. Experts usually work closely with counsel and an important aspect of their work is the education of counsel and the court. In this respect the work of a "computer expert" is significantly different from that of many other experts, whose role may be simply to provide one expert report.

5.1 What are the expert's duties?
The duties of an expert in the criminal courts are relatively unclear. The definitions provided by CPR and recent case law have clarified the experts' duties in the civil courts. The fact that the criminal court system remains thoroughly adversarial is believed to contribute to the confusion over the duties of an expert. For example, there is generally absolutely no technical co-operation between experts for the Prosecution and Defence and little effective use is made of experts' meetings to assist the courts. As a result, experts in the same case often consider different evidence.

5.2 Who is an expert?
There is currently little or no agreement about who is an expert on computer evidence. A salient example is the question, When does a technical witness of fact become an expert?

At present there is no form of assessment or registration of experts.

The work of an expert in the criminal courts is unattractive, particularly given the levels of remuneration available to IT professionals. As a result it is difficult to attract and retain adequate level of technical expertise.

5.3 Problems facing experts on computer evidence
All experts face particular problems in criminal cases involving computer evidence. For example, difficulty, delay and cost are frequently incurred in:

a) examining evidence protected by security password or encryption
b) obtaining access to necessary hardware, media, software, or reference data that has been outdated by the pace of technological change
c) obtaining disclosure of proprietary technical or security information, or access to software protected by licence protection mechanisms
d) linking disparate sources of computer evidence on different media or incompatible file formats
e) linking multiple streams of computer evidence
f) making extremely complex evidence comprehensible to a jury

5.4 Problems facing defence experts on computer evidence
Defence experts face particularly difficult problems in criminal cases involving computer evidence. For example, difficulty, delay and cost are frequently incurred in:

a) rectifying the absence of technical data identifying the computing environment in which the evidence was seized
b) assessing the relevance of vast quantities of computer evidence
c) establishing precisely what steps were taken to secure, preserve and/or copy the evidence
d) distinguishing evidence that has been produced from data recovered from undeleted files and/or slack space from evidence produced from intact files
e) linking disparate sources of computer evidence due to incompatible or inconsistent exhibit numbering systems
f) attempting to obtain software licences needed to examine proprietary forensic file formats
g) applying to the courts to obtain specifications of proprietary forensic software used to handle and/or investigate the evidence
h) applying to the courts to obtain adequate access to disks which contain pornographic and paedophile material. Solicitors employed by police forces sometimes seek to set restrictive terms, usually requiring that defence experts attend at Police locations or that they are supervised by police officers during the examination. One argument made for this is that possession of paedophile material is a strict liability offence; though there is little doubt that an expert would be able to use the defence provided in s 160 CJA, 1988. Experts need long-term access to copies of entire disks seized from suspects as they will be checking configuration files, time-and-date stamps and other material against witness statements, proofs, and non-computer evidence. Little of this can be done at a police station and the presence of police officer can violate the expert / instructing solicitor privilege
i) having to fund the acquisition of computer hardware and/or software for no other reason than for its use in a single case
j) dealing with unnecessary requests from law enforcement agencies to agree confidentiality undertakings
k) dealing (unpaid) with applications for Legal Aid


6 Proposals
We have considered the problems identified above relating to computer evidence and expert evidence on computer evidence. We now make the following outline proposals for consideration by the Review:

6.1 Legal principles
As non-lawyers, we propose that the Review should adopt the following high-level principles in criminal cases involving computer evidence:

1. Acceptance that computer evidence needs to be treated differently from traditional sources of evidence on paper
2. Distinguishing between raw, unprocessed data and processed computer evidence. Such a distinction may have the effect of resuscitating (or reformulating) a Best Evidence rule for computer evidence
3. Distinguishing between evidence that has been produced from data recovered from undeleted files and/or slack space from evidence produced from intact files
4. Acknowledgement that multiple streams of computer evidence will normally be needed to persuade the courts of the truth of a particular sequence of events
5. Ensuring that prosecution allegations are drafted in specific, technical terms<

6.2 Handling of Computer Evidence
We propose that the Review should develop a protocol for the handling of computer evidence, based on "best practice" principles. "Handling" includes securing, preserving and copying evidence. We propose and strongly recommend that the protocol should then be adopted as a Code of Practice, for example under PACE.

The protocol would need to be comprehensive and subject to regular review. Known specific issues to be addressed include:

a) Technical Identification of all forensic software used for securing, preserving and copying evidence in an investigation
b) Independent scrutiny and quality certification of all forensic software used for securing, preserving and copying evidence in an investigation
c) Recording and automatic disclosure of all the steps taken for securing, preserving and copying evidence in an investigation in a forensic audit trial.
d) Image copies to be produced in native file system formats (that is, not in formats which are proprietary to the forensic software supplier, encoded or compressed)
e) Image copies also to be produced in formats capable of being viewed using industry-standard operating systems, utility programs and media

We anticipate that the drafting of such a protocol would represent a substantial body of technical work. We offer to co-operate with the Review by assisting further with the work needed.

6.3 Agreed Bundle of Computer Evidence
We propose that the Review should consider introducing the concept of an Agreed Bundle of Computer Evidence, at least for cases involving large amounts of computer evidence. The attributes of such an Agreed Bundle would include:

a) a single-source, consolidated repository for all the raw, unprocessed data relied on as sources of evidence by the Prosecution and Defence
b) a single-source, consolidated repository for all the evidential exhibits relied on by the Prosecution and Defence
c) Items in the Agreed Bundle of computer evidence should be indexed/referenced using a single indexing/referencing system. Such an index to the computer evidence repository should be maintained in a database or spreadsheet format
d) Copies of the Agreed Bundle on read-only media and/or online access to the Agreed Bundle should be made available to the court, lawyers and experts

6.4 Witness Statements
We propose that the Review should consider adopting the following changes in practice:

a) Witnesses should unequivocally state whether they are giving evidence as a lay witness, lay technical witness or expert.
b) Witnesses should clearly distinguish fact, conjecture, speculation, assumption, inference and opinion
c) Witnesses should state what alternative interpretations they have considered

6.5 Use of Experts
Similarly for experts, we propose that the Review should consider adopting the following changes in practice:

a) Experts should clearly distinguish fact, conjecture, speculation, assumption, inference and opinion in reports
b) Experts should state what alternative interpretations they have considered

In the context of a regime of more pro-active case management (see 6.7 below), we propose that greater use should be made of pre-trial meetings of experts; we recognise the difficulties that may arise under the adversarial procedure and that instructing solicitors may need to be closely involved.

In principle, we support the current moves towards the assessment and registration of experts in the criminal courts. In practice, we have reservations about how such assessment and registration will be achieved.

6.6 Equity in case preparation resources
We propose that the Review should seriously consider means of ensuring equity in the resources available for the preparation of cases involving computer evidence. We are not suggesting that defence budgets should necessarily be at parity with prosecution budgets. At the very least, we believe that it is relevant for the criminal court to receive evidence from the prosecution of the resources expended in a criminal investigation, when considering applications arising from a denial of Legal Aid.

6.7 Earlier case management in the criminal courts
In the light of the reforms brought about under CPR, we propose that the Review should consider adopting a more pro-active approach to criminal case management. Earlier case management would be effective in dealing with procedural issues well in advance of the trial, such as:

a) limiting the scope of evidence
b) limiting the scope of expert evidence
c) the use of electronic case management systems (including the Agreed Bundle described at 6.3 above)
d) agreement on glossaries, visual aids/charts and/or demonstrations to illustrate complex technology and networks
e) voir-dire arguments on admissibility of computer evidence
f) review of quality control of computer evidence
g) voir-dire arguments on reliability of computer evidence, arising from f)

Under f) above, we are proposing that the Review consider introducing, at least on an experimental basis, some form of independent quality control procedures during the criminal investigation, with the defence having access to the quality control information. The quality control principles we have in mind here are based on the techniques used in the development of life-critical systems. We invite the Review to consider whether or not the procedures that can lead to the loss of a citizen's liberty need to be to the same high standards.

If our proposal (see 6.2 above) for a PACE Code of Practice, incorporating a protocol for the handling of computer evidence were to be adopted, then that would provide the necessary quality control standard.

We believe that our proposals on changing the composition of criminal courts in the circumstances defined at 6.8 below would be particularly effective in terms of the management of these issues.

6.8 Composition of criminal courts
We propose that the Review should seriously consider changing the composition of criminal courts in cases where:

a) the charges relate to offences against computers under Computer Misuse Act 1990, or
b) there is a substantial quantity of relevant computer evidence, or
c) there are significant differences between technical witnesses or experts on the interpretation of computer evidence, or
d) there are serious challenges to the admissibility or reliability of computer evidence

so as to allow the courts a greater understanding of the technical issues arising from the computer evidence.

In such circumstances, the criminal court tribunal could comprise of:
  • a judge, lay jury and a court-appointed expert, or
  • a judge, lay jury and a technical assessor, or
  • a judge and a technical assessor, or
  • a judge and a technical jury
We acknowledge the force of the arguments for retaining the lay jury rehearsed by those opposed to the arguments made by Roskill in 1986 in respect of Fraud trials. We also have concerns about how such court-appointed experts and assessors would be identified, selected and appointed.

On that basis, we make no recommendation of any specific composition. Indeed, we propose that a range of compositions should be available.

7 Further consultation
We would be pleased to expand on any of the points raised in this submission. Please address any request for further information to:

Michael J L Turner MA FBCS FCIArb MAE MEWI
Convenor, Computer Evidence Taskgroup,
Legal Affairs Committee, The British Computer Society
Telephone: 01981 241020 Fax: 01981 241021
Email: michael_turner@computerevidence.co.uk