Examination of Witnesses (Questions 120-139)
PROFESSOR ROSS ANDERSON, MR DAVID LATTIMORE AND MR PETER SOMMER
14 FEBRUARY 2006
Q120 Steve McCabe: In your evidence
you say it takes 30 minutes to image and one of the other witnesses
says it is a process that often happens overnight. That sounds
to me like quite a variation and I am not an expert like Mr Hayman.
Mr Sommer: Let me tell you what
is involved. With the regular products you can look at about two
gigabytes a minute and with a standard computer you pick up from
the high street at the moment you are talking about 80 gigabytes
hard disc, so it will take you 40 minutes to do the imaging. There
is an exception and that is if it is a lap-top computer where
you cannot pull the hard disc out it will take a great deal longer.
I know Mr Lattimore reasonably well. We have not discussed our
respective submissions. Maybe we will have a disagreeable appearance
of argument in front of you.
Q121 Steve McCabe: But 30 minutes
would be your expert advice to the Committee, would it?
Mr Sommer: I think you can get
going on a preliminary exercise in 30 minutes but not an exhaustive
exercise. It seems to me it is the preliminary exercise you are
concerned with in terms of your inquiry. It is not getting final
evidence you are concerned with but rather that it is enough to
get to a charge.
Mr Lattimore: With imaging computers
it varies greatly from the type of hard disc, the amount of data
on the disc, the software you are using to image with and the
hardware you are using to image with. There are lots of factors
involved. I have a technician whose sole job is to image computers
daily and we have computers in every day of the week and most
of the computers he images do take overnight imaging. They may
finish at four o'clock in the morning or three o'clock or eleven
o'clock, but we do leave them overnight to image. We have always
used previewing as a form of investigation, but invariably what
we find at the end of the day is we then go on to image that computer.
An initial investigation is only to say whether we have got something
there or not. Invariably all our computers are imaged because
at a later date somebody will want a copy of that image.
Professor Anderson: The point
that I was making in my submission is that the amount of data
that the police sees, and also in civil matters, is going up very,
very rapidly and the police are falling further and further behind.
A PC may have 80 gigabytes at the moment whereas a few years ago
it would have been a few gigabytes and I would think that in 10
years' time when the police raid someone's home they might find
dozens or perhaps hundreds of computing gadgets on which data
can be stored. It is common nowadays, for example, for people
to back up their data on devices like an iPod and so in future
when you raid somebody's house you will seize their iPod and see
if there are data files on it. This business is going to be more
complex and the police require a step change in their capabilities
in this regard.
Mr Lattimore: In one case last
week we had a person who had five computers submitted from his
home address and nine hard drives and all these hard drives had
been to his work address and used in the machine there as well.
To do that amount of data is very, very time consuming.
Q122 Steve McCabe: With the exception
of Mr Sommer, the other two witnesses are suggesting that the
police case for 12 hours is not that ridiculous. Mr Sommer said
that Mr Hayman did not understand it and he should go on one of
these courses. In the police evidence they talk about a minimum
of 12 hours to try and access this data.
Mr Lattimore: If you asked me
to do an investigation and give an opinion in 12 hours, I would
be happy with the evidence I had given.
Mr Sommer: It is purely imaging
he is talking about, not the investigation.
Mr Lattimore: It all depends on
the hardware you are dealing with and the software and what is
on the hard drive because it can vary. A 200 gigabyte hard drive
may only take 20 minutes if there is very little data on it, but
if there is a lot of data on it it might take overnight.
Q123 Steve McCabe: Do you know what
role the information obtained from computers plays in charging
suspects as opposed to simply building the case?
Mr Sommer: It depends entirely
on the circumstances. It will vary considerably. Sometimes the
computers are at the heart of it and sometimes they are entirely
peripheral. That applies to any form of crime in which computers
are involved as well as the terrorist cases. I currently am instructed
in three terrorist cases and in one of them the computer evidence
is really fairly peripheral, but there are a lot of other types
of evidence in terms of what was located. The computer evidence
may slightly strengthen or slightly weaken the police case but
in other instances it can be absolutely at the heart of it, particularly
if you are charging people with a conspiracy where you have to
infer a common purpose and you will tend not to write convenient
letters to each other saying "Let us conspire to X, Y and
Z". You then have to say there is a pattern of behaviour
or a pattern of surveillance of targets or whatever it is which
tells us that something might be going on and people are working
together. So there is absolutely no straightforward answer to
your question. I understand why you are putting it but there is
no easy answer.
Professor Anderson: In conspiracy
cases critical evidence may come from traffic data obtained from
phone companies. There are some particular types of offences where
material from the machine in question is critical to charging
decisions, child pornography being an obvious case.
Mr Lattimore: I would tend to
agree with both Peter and Professor Anderson. Out of all the computers
I investigate, 70 or 80% of them are relevant to the charge.
Q124 Chairman: When you say relevant
to the charge, do you mean needed before the charge is made?
Mr Lattimore: Yes, the data on
the computer is relevant to the investigation. I deal with a lot
of fraud cases along with various law enforcement agencies and
they come to me with their computers and that data is used to
prepare those charges. The one thing the police miss is the intelligence
that is available on these computers. I know from all my years
of investigating computers that nobody has taken this on board
because the computer is a wealth of intelligence that is missed
all the time these days. They have not got the time to deal with
it, that is the problem.
Q125 Steve McCabe: I do not think
anyone doubts its value, I think we were simply trying to establish
whether it was central to the charge and it sounds like the answer
is it could be but it might not be. If decryption and analysis
was the subject where the greatest weight was placed in determining
a period of detention pre-charge, how long do you think that detention
period would need to be?
Professor Anderson: In the case
of decryption, there are still a few products around where the
act of searching for a key may take time, but this is largely
a thing of the past. Encryption products nowadays tend to be either
good or useless, and if they are good then you either guess the
password or you give up. In the future world, for which I hope
we are legislating rather than the world that is in the past,
I think you can reckon that the majority of the effort will be
put into the analysis stage rather than into technical aspects
such as seizing the evidence, bagging it, imaging it, decrypting
it and so on and so forth, but the human effort will be the limiting
factor. Hopefully if the tools become better that will be the
main thing that you will have to worry about, ie how long an analyst
can usefully work on the data before he either stops finding stuff
or simply becomes weary and gives up.
Mr Sommer: I have been following
this as a parliamentary issue for rather a long time. When the
legislation that is now in Part 3 of the Regulation of Investigatory
Powers Act began its life in Parliament it was part of the Electronic
Commerce legislation and I was the Trade and Industry Select Committee's
specialist adviser then and I did a great deal of thinking about
how it was supposed to work. At the time one of the things that
the members asked the then Director of the National Criminal Intelligence
Service was how big a problem it was and whether he had any statistics
and when he was pressed he said they did not have statistics but
that it was going to be a huge problem. They then asked for more
detail and they came up with one case. I had predicted along with
everybody else that encryption was going to become a much bigger
problem than in fact it appears to have done. Let me give you
an interesting analogy. If you look at Internet paedophilia, National
Crime Squad Operation Cathedral looked into the group called the
Wonderland Club and the very sophisticated people using encryption.
I worked on the case professionally. Some of the encryption could
not be broken. At the end of that all of us involved in that said
it was a big, big problem. Fast forward to the famous Operation
Ore which started up with 7,200 suspects who had subscribed to
paedophile sites and whose database was held in a computer held
in Texas. Out of those 7,200 suspects (and I purposely got
an informal figure from the National Crime Squad last week) there
have only been 20 instances where encryption has been a serious
problem. It may well be that although it is there as a problem,
operationally it is a little less big than it was. I hope you
will ask the Home Office and the National Technical Assistance
Centre, the people who do the job, for their statistics. In my
written submission I describe certain types of encryption and
I hope you will get some statistics from them in the way the Trade
and Industry Select Committee failed to do a few years ago.
Chairman: We will follow that up.
Q126 Mr Clappison: Could you tell
us how easy it is in your experience to identify the presence
of encrypted material and how effective the police's forensic
tools are for dealing with it?
Mr Sommer: The first thing you
do when you start examining a computer is to say what programmes
are installed and where is all the data held. If someone has got
encrypted material on their machine the first thing you are going
to be seeing is an encryption or decryption programme which as
an experienced person you will know about. Often those programmes
are not deployed but they are there if you start looking for them.
What you find with a lot of the encryption programmes is that
the first few characters in the encrypted file are always the
same and you can search for those signatures. By doing a rough
exercise and saying "Is there encrypted material on this
computer?" though you may not be able to decrypt it you do
get a fairly quick sense. Looking at steganography, which is the
technique of hiding information inside pictures, which in my experience
is more talked about than actually seen, again there are some
very interesting steganography detection programmes. You can detect
it fairly quickly. You know whether it is going to be there. That
may then, if you were going to introduce properly Part 3 of RIPA,
give you a basis for asking for the key or punishing somebody
who is willfully declining to give you the key.
Q127 Mr Clappison: You have just
told us that encrypted material is not as widespread as people
once feared that it might be, but the sophisticated encryption
which you have just told us about, how frequent a problem is that
in your experience?
Mr Sommer: It seemed to be rather
less than people imagined. I work mostly for the defence, but
I talk to a lot of prosecutors and the police and various other
services because there is a fairly free interchange at a certain
sort of level. My impression is that it is not as big as most
of us thought it was going to be, but you must ask the Home Office
witnesses yourself as they will have a much better overview.
Q128 Nick Harvey: How frequent is
it to find the key to sophisticated encryption through the carelessness
of the user?
Mr Sommer: You point your finger
at one of the main techniques that is used. With people using
sophisticated techniques you probably are not going to be able
to break the system. You can forensically examine a computer and
you may find the key or you may find part of the stuff is encrypted
in plain text form. It is one of the most important techniques
that you use.
Q129 Nick Harvey: Would bringing
in Part 3 of RIPA help?
Mr Sommer: I think it would. Obviously
there are broader issues which I am not here to discuss that are
human rights aspects to do with people not being forced to self-incriminate.
At a practical level, bearing in mind the way Part 3 is supposed
to work, if it does go before a jury and if you say you have lost
your key the jury have to decide whether you really have lost
the key. It would be an important tool if only because you would
be able to disrupt a suspect. I think you need to explore why
Part 3 has not been brought in and that was basically because
the Home Office was overambitious in producing its detailed proposals.
There is very little difficulty in terms of legislating for stored
data, in other words data found on a hard disc. They also wanted
to introduce it for data in transmission, but you then run into
problems with the techniques used by the financial services industry
when they use what are called session keys, ie every time you
transact the key changes and nobody knows what the key is at any
one time, so forcing disclosure becomes difficult. What should
have been done and maybe still should be done is to try and do
the easy stuff because it is going to be helpful and we will leave
it to some sort of think-tank people to come up with a solution
to the more complicated stuff.
Mr Lattimore: The problem with
Part 3 is that if I was a suspect and I had encrypted data on
my computer I would quite happily go to court and take the two
years because I know I am going to be out in a year's time. A
terrorist or a paedophile is going to take the two years, that
is the big problem.
Mr Sommer: You are still disrupting
the terrorist's units, which is an important element of what Alex
Carlile said to you earlier on.
Professor Anderson: I tend to
be slightly sceptical about this. Okay, it may provide holding
charges to get people that you cannot get on any other basis but,
given the extremely low prevalence of encryption use by bad guys,
quite frankly you would be better getting after them for tax evasion
or social security fraud. I am not sure that it is a good use
of the senior management time in the Home Office pursuing such
a small and specialist matter.
Q130 Nick Harvey: Have you any other
suggestion for plugging gaps in this area of legislation?
Mr Sommer: Remove the bar on the
interception of telephone evidence.
Q131 Chairman: No, in terms of computer
data.
Mr Sommer: Trying to interpret
Parts 1 and 2 of RIPA, whether it is content or communications
data, is becoming increasingly difficult because of the problem
of legal interpretation. The legislation has been drafted in terms
of making a distinction between the voice component and the traffic
component (who contacts whom, when and for how long) and
it makes it much more difficult when you are dealing with e-mails
or web-based e-mails or voice over Internet protocol or things
like that. There are going to be problems which are completely
unavoidable.
Q132 Nick Harvey: Could this be updated
with the right technical advice?
Mr Sommer: Updated in what terms?
Q133 Nick Harvey: To try and address
these moving targets that you are describing.
Mr Sommer: I think it is going
to be impossible. If you look at the behind the scenes discussions
about interpretation in terms of Part 1 and Part 2, the affected
Internet Service Providers and if you look at what you type into
a web browser when it is content and when it is traffic data,
there are suggestions and understandings but they have not been
tested in court yet.
Q134 Nick Harvey: How helpful are
manufacturers of encryption software? Can they provide a key to
anything that is generated using their products or is it possible
for someone else to develop encryption and maybe sell it on in
a way that the manufacturer cannot determine?
Professor Anderson: I think what
you have to watch out for here is that from later this year the
encryption landscape is going to change with the release of Microsoft
Vista, the next generation of Windows operating system, which
will support the use of a chip called a TPM which manufacturers
are putting on PC motherboards. What this means is that by default
your hard disc will be encrypted using a key that you cannot physically
get at. This is being done for a number of commercial reasons:
firstly, to do digital rights management on downloaded music and
films and, secondly, by the software vendors so that they can
lock the customers in tightly and charge more for their products.
An unfortunate side effect of this from the point of view of law
enforcement is that it is going to be technically fairly seriously
difficult to dig encrypted material out of systems if people have
set it up competently. One issue that was in fact discussed at
APIG here a couple of weeks ago is whether there might in the
medium term be some kind of obligation placed on computer vendors,
hardware vendors like Intel or software vendors like Microsoft,
to see to it that 'back door' keys be made available. Certainly
if I were running the appropriate department in the Home Office
I would be getting into conversations with Microsoft about this
issue now rather than in November when the product is shipped.
Q135 Mrs Dean: How widespread are
the skills needed to decrypt computers? How much training is necessary
to bring someone up to the required standard? Can one expert supervise
a team of less skilled analysts?
Professor Anderson: Once we achieve
maturity in this field you will see a hierarchy of skills in the
police and elsewhere. At present and over the last 20 or 30 years
the police have tended to see computer experts as being a breed
apart. You had a detective constable here and a detective superintendent
there whose hobby happened to be computers rather than yachting
and so he got called in when there was some complex business going
on. That is not going to wash in the modern world because computers
are everywhere, in our lives, in our homes, in our businesses.
In future, rather than thinking of the computer expert as the
guy in a white coat with a degree and a Home Office licence and
all the rest of it, you are going to have to see basic computer
skills embedded at all levels in the police force and elsewhere,
amongst civil litigators for example, because this issue affects
civil as well as criminal matters, and then there will be a hierarchy
of people with perhaps slightly more expertise, people who do
regular retraining of detective constables and then higher up
there will be the PhD grade people who are involved in designing
the next generation of tools. At present we do not have anything
like that ecology of forensic expertise.
Mr Sommer: I agree broadly with
Ross's analogy. I think the situation may be slightly better than
he is describing. If we look at the people at the National Technical
Assistance Centre, I know a number of them, they do not talk a
great deal about their work, but I have known them in previous
jobs and I have also seen their academic work and articles they
have written. These are broadly speaking people who are highly
adept at using tools that have been created by others. If you
go back to Ross's reference to a hierarchy, there are people who
have come out of law enforcement and who do this sort of work
and operate at the second layer; in other words they use tools
created by others very, very intelligently and that is probably
the greatest need. At the top level, when you have got something
that is really new and really difficult, Doctoral level as opposed
to Masters level, then I suspect they have to go to Cheltenham
or there are a few private sector places where they can get it.
NTAC, even if you know the people socially, is not an organisation
that chats a great deal about itself, but I do hope from your
position as a parliamentary select committee you can ask them
about these issues based on the background that we are able to
give you here today.
Mr Lattimore: I was involved in
NTAC. I am not going to go into too much detail about it. I set
it up with a number of other people and I was operational in there
for a number of years and our success rate was very, very good,
but it is not just a matter of brute forcing encryption, there
is a lot of work that goes in by a team of people that all work
together, all with different skills and that is the way forward
for dealing with encryption in the future.
Q136 Mrs Dean: If the police had
twice as many computers and skilled operators, would it mean that
they could achieve the results twice as quickly as they do now?
Mr Lattimore: No. The police would
never ever be able to deal with this type of encryption because
(a) they have not got the time and (b) they have not got the hardware
to deal with it because you do need specialist hardware which
most police forces cannot afford to purchase and that is the beauty
of NTAC.
Q137 Mrs Dean: So what you are saying
is that there are the resources available but the police have
not called on them, are you not?
Mr Lattimore: Some police forces
call upon them and some do not. Some see it as they have failed
in what they are doing. Some used to use us all the time and our
success rate was in the 70% range which was very, very good.
Q138 Mrs Dean: Do the police need
to reassess their approach to decrypting computers, and is the
volume of evidence available, or potentially available, on computers
effectively unmanageable?
Mr Sommer: I think that sort of
exaggerates the position. What we are trying to do is avoid making
these sweeping statements. There are situations when life is jolly
difficult, but then that is no different from any other sort of
crime when a police officer may feel there is a bit of evidence
if only he could find it. The fact that they can see it there
is a small part.
Q139 Chairman: I want to pursue this
point because this is at the heart of our inquiry. You have been
very helpful in explaining more about the processes and the issues.
I think all three of you in different ways have made it clear
that the technical issue of decryption itself does not justify
the 90-day detention period because it is the analysis of what
you get from the computer that is most important to the possibility
of laying charges. Could each of you just briefly say from your
knowledge of this field whether you think the difficulties in
the process of decrypting and analysing information provides support
to the idea of an extended period of pre-charged detention in
terrorist cases and, if so, how long? That is the crux of the
issue. You have set out the issues and how it works very clearly
for us. Does this justify the case for an extended period of pre-charged
detention? Professor Anderson, you were very clear in your evidence
that encryption per se did not justify the 90-day detention period.
If you take the process of encryption and analysis, in your view
does it justify extending the period of pre-charge detention and,
if so, how long?
Professor Anderson: I do not think
it makes a very strong case. I do not have huge experience of
terrorist cases; I have only been instructed in one of them. I
have done a number of other crime cases and a large number of
complex civil cases. In my experience people take as much time
as they have got. Even if you have got a civil case that drags
on for months and months and months, the work is always done in
a rush just before the deadline to submit papers. I think that
if a case is to be made for extended time limits then perhaps
what the Committee should consider is whether there is any noticeable
difference in outcomes between Scotland, which has got very, very
tight time limits at all parts of the judicial process, England
and countries like, let us say, France and Spain which can be
very much more dilatory. My view tends to be, based on my experience
of these things, that you work for a certain amount of time on
a heap of data and then you run out of ideas or you run out of
puff or you run out of money. Whether your two weeks of intensive
work forms part of the 110 days that you have in Scotland or part
of the two years that you have in England or part of the five
years that you have in Italy probably does not make much difference
to the amount of work that is involved.