17. Memorandum submitted by Peter
1. This is a submission in response to the
Committee's Notice of 25 November 2005. It seeks to assist by
providing some technical background to two issues:
the examination of computer disks
and encrypted material thereon; and
how telephone interception takes
place and related issues of disclosure and admissibility.
2. It is hoped that this will enable the
Committee to have more informed exchanges with witnesses from
the relevant agencies and ministries, particularly in relation
to timescales, resources and practicalities of disclosure.
3. A full CV appears as Appendix I [not
printed]. I am a Research Fellow at the London School of Economics
specialising in information security and digital evidence. I have
acted as an expert witness in many cases involving digital evidence
since 1985these have included Official Secrets, Terrorism,
narcotics trafficking, paedophilia, fraud, large-scale software
piracy, murder and global computer misuse. I am Joint Lead Assessor
for Computer Examination in the scheme run by the Council for
the Registration of Forensic Practitioners.
I am an external examiner for the Master's course at the Centre
of Forensic Computing at RMCS Shrivenham and have provided training
to the Crown Prosecution Service and to police intelligence analysts
as well as advice to the main high tech law enforcement training
centre in Bedfordshire. I am the author of Directors' and Corporate
Advisors' Guide to Digital Investigations and Evidence published
by the Information Assurance Advisory Council.
I was a Specialist Advisor to the Trade and Industry Select Committee
before and during its scrutiny of the Electronic Communications
Bill (HC 862/Session 1998-99)
which was the original locus of legislation on encryptionlater
transferred to the Regulation of Investigatory Powers Act, 2000.
During my work for the Select Committee I visited the then interception
facilities at the National Criminal Intelligence Service (NCIS).
4. For the avoidance of doubt, this is a
5. Reliable techniques and procedures for
the forensic examination of the hard-disks from computers have
been established for over 15 years. The first Good Practice
Guide published by the Association of Chief Police Officers
(ACPO) appeared in 1998; the current version is the Third Edition.
It enunciates principles and provides detail to address evidence
preservation, continuity and auditability. Hard-disks are carefully
copied in their entirety ("imaged") so as to include
apparently empty sectors which might contain deleted material
and examination, both by investigators and defence experts, then
takes place on copies of the original.
6. There are well-established products to
handle both the initial imaging and the subsequent analysis.
Types of analysis include: examination of substantive files, extraction
and display of all potential picture files, email, Internet activity,
the use of computers to search for words and distinctive patterns
(such as for credit cards), etc across, the entirety of a disk,
the development of chronologies of activity. There are extensive
opportunities to recover deleted materialand these too
are subjected to the same forms of analysis.
7. Once a computer is in the hands of an
examiner it is usually possible within a few hours to establish
whether there is likely to be material of interestbased
on indications of the computer's sophistication in terms of configuration
and usage, other information obtained at the time of seizure and
8. A fuller examination might take, though
we are in "length of a ball of string" territory here,
about 20 hours. The results at this time would certainly more
than enough for an initial interview and/or arguments for applications
for continued detention.
9. Production of exhibits in evidential
form and formal witness statements might take longer.
10. Although hard-disk sizes are increasing
all the time, it should be remembered that computers are used
to search the contents at great speed; it is possible to index
the entire contents of several hard-disks in a case and thereafter
get almost instant results from specific searches.
11. However all these timings depend on
the availability of appropriate skilled and equipped technicians.
Based on membership of the First Forensic Forum and the Digital
Detective Bulletin Board, I estimate there to be approximately
5-700 competent examiners in the UK though the numbers in current
direct police employment are probably only 200-250. Numbers vary
considerably between similar police forcesKent employ 16
specialists, Essex two. The largest single category of investigation
relates to images of child abuse. Large-scale recent cases have
created long delays before hard-disks can be examined. There are
currently limited ring-fenced funds for computer forensics, not
universally applied, but this scheme is likely to end sometime
in 2006. When SOCA comes into formal existence, NHTCU which provides
the lead for training standards will be part of it, but will no
longer be part of the police, though the regional forces and the
Met (with its specialist ant-terrorist unit) will be "police".
12. The Committee should ask tough questions
about the resources available and associated time delays.
13. Copies of hard disks from which material
is extracted are themselves evidence and are made available to
defence experts. "Unused" material is available under
regular disclosure arrangements. The detail can be seen in the
current CPS Disclosure Manual. Where
hard-disks contain sensitive material a defence expert may be
asked to provide undertakings in addition to those implicit in
the role; undertakings may be re-inforced with a related court
order. In rare circumstances a defence expert may have to work
at designated law enforcement premises; there may then be significant
additional cost implications for the Legal Aid fund. My own experience
is that while negotiations for access are sometimes difficult,
they usually end in a mutually satisfactory conclusion.
14. The existence of encrypted material
on a hard-disk is normally self-evident, if not immediately readable.
Normally software providing the means to encrypt and decrypt will
also be found.
It is possible to hide data on a hard-disk and/or within files
on a hard-diskthe general name for this steganography.
Techniques exist to detect steganography even if immediate decoding
is not possible. Such detection is normally not a very lengthy
process, once the initial suspicion has been formed.
15. Plainly the existence of encryption
and steganography on a hard-disk without reason and/or production
of decoding facilities are grounds for suspicion and application
for extended detention.
16. Techniques for decryption, depending
on circumstances, fall into four broad categories:
some encryption facilities are relatively
easily broken either for lack of complexity or poor implementation.
Decryption facilities for these are available commercially and
it is reasonable to suppose that the National Technical Assistance
Centre (NTAC), the main regular law enforcement body for this
activity, has all of these and more. Times to decrypt may vary
from near-instantaneous to a few hours;
where stronger encryption facilities
are in use, a forensic examination of the hard-disk of computers
used to originate or receive the material may provide clues in
the form of "in clear" versions of encrypted material
whilst most people using encryption
prefer to rely on established products, it is possible that every
now and then new packages may be encountered. It is not possible
to put a figure on the time required to "break", though
as above, forensic examination of associated hard-disks may provide
clues. But few "new" encryption systems turn out to
failing this, brute force or modified
brute force methods such as dictionary attacks (successive trying
of potential passwords) may have to be deployed using extensive
computing resources. This may take significant amounts of time
and may fail.
17. I hope the Committee will seek from
relevant witnesses information about:
quantities of encrypted material
encountered in relation to overall computer evidence obtained;
figures for the various qualities
of encryption and time to decrypt using the classification above.
18. I draw attention to the most recent
Report from the Interception Commissioner (2004).
At para 7 he says:
However, the use of information security and
encryption products by terrorist and criminal suspects is not.
as I understand, as widespread as had been expected when RIPA
was approved by Parliament in the year 2000. Equally the Government's
investment in the National Technical Assistance Centrea
Home Office managed facility to undertake complex data processingis
enabling law enforcement agencies to understand, as far as necessary,
protected electronic data.
19. A curiously identical statement appears
in the 2004 Report of the Intelligence Services Commissioner.
20. Part III of the Regulation of Investigatory
Powers Act 2000 (RIPA) provides powers for investigators to issue
notices requiring disclosure of "protected", that is,
and for punishment for failure to do so.
The specified penalty on conviction is two years.
21. The Committee would do well to probe
why this existing legislation has never been enacted. My own understanding
is that Home Office officials drafted detailed proposals which
covered not only stored data (as on a hard-disk or CD) but also
data in transmission. While this second is desirable in terms
of completeness of coverage it appears the proposals conflicted
with actual practices employed inter alia by the secure
networks used for high value financial transactions. Discussions
became bogged down in detail and little attempt was made to produce
legislation and regulations limited to stored data, which would
have had few problems of implementation and addressed the largest
and most obvious category of encrypted material of interest to
22. Interception of the content of telephone
calls, emails, etc is admissible in common law but excluded by
statutecurrently section 17 RIPA 2000. Consensual interception
is admissible and so is interception material lawfully acquired
outside UK jurisdiction. The aim of the current policy is said
to safeguard methods and facilities and was explained in a Home
Office consultation paper of June 1999.
The general effect is to allow interception warrants but to deny
their existence for court proceedingsthis applies to both
prosecution and defence. The detail of how this is handled appears
in the CPS Disclosure Manual
and I hope that the Committee will press the CPS and others hard
to assess its effectsthe Manual acknowledges many
difficult areas of judgement.
The Committee should also review carefully the relevant Attorney
General's Guidelines in relation to section 18 of RIPA.
23. Communications/traffic datawho
called whom, when and for how long is admissible under
Part I Chapter II RIPA 2000. Such evidence is often produced in
conspiracy trials to demonstrate a common purpose among a number
of people. Commercially available software packages to identify
patterns aid this exercise and produce persuasive graphics.
Data traffic also includes details of which cellphones were registered
to which specific base stations thus bringing the geographic locations
of individuals into evidencethis is called cellsite analysis.
24. There are frequent occasions when the
production of evidence based on data traffic together with other
evidence before the court makes it wholly obvious that interception
has taken place, though neither prosecution nor defence are allowed
to refer to it.
25. There is nothing complicated or secret
in the principles of how interception of landline and cellular
phones take place. Two elements are required: the voice component
(by placing simple circuitry across the line or by capturing digitally)
and the "traffic" componentwho called whom, when
and for how longwhich is part of the regular record of
the telecommunications company for revenue collection and quality
of service purposes and already admissible.
26. Good practice, along the lines used
for preserving hard-disk evidence, suggests that the voice and
the traffic components (referred to in the literature as the IRI,
Intercept-Related Information) should be forensically inextricably
linked as a test against tampering and editing. The details, as
adopted by very large numbers of jurisdictions and also used in
international law enforcement, are explained in a technical document
published by the European Telecommunications Standards Institute
(ETSI) Security Techniques Advisory Group dated 2001.
There is no reason why a Good Practice Guide, similar to
that for computer evidence
should not be devised and published; indeed it would probably
be less complex and concentrate on continuity and auditability.
27. It might be helpful to take in turn
each of the claimed arguments against making interception evidence
sensitive methods would be disclosed
The existence of regular interception facilities can hardly be
secretthey are referred to in the legislation and the annual
reports of the Surveillance Commissioner
and the ETSI documents are public. Defence lawyers are not able
to embark on fishing expeditions but must comply with the rules
emerging from the Criminal Procedures and Investigations Act,
1996 (as amended, particularly by the Criminal Justice Act 2003).
Specific disclosure would only follow a detailed and consistent
defence case statement. The prosecution have the ability to question
the quality and bona fides of a defence expert and there
are opportunities to seek undertakings and court orders in respect
of defence experts. This is already done in terms of hard-disk
evidence. It is unlikely that defence experts would need to enquire
about overall capacity to intercept (which probably should be
kept secret) as their questions will be focused on the reliability
and integrity of specific tendered evidence and related "unused"
material. Whilst overwhelmingly most interception will use regular
methods there may be a few instances in which unorthodox techniques
are deployed and which it is desired to keep secretbut
the authorities can still make use of the Public Interest Immunity
(PII) certificate mechanismsjudicial and ministerialto
Applications for PII certificates can also be made where it is
desired to disguise the role of co-operation from other national
intelligence and law enforcement agencies;
there would be significant additional
overheads RIPA already requires that detailed records are
kept of interception warrants and their usage.
Without such records the Interception Commissioner cannot do his
Data storage problems would be significantly less than those resulting
from the seizure of hard-disks;
the privacy of innocent 3rd party
individuals would be placed at risk It is certainly true that,
if interception becomes admissible in order to demonstrate the
integrity of an interception some innocent conversations involving
third parties will need to be retained for the duration of criminal
proceedings either as evidence or as "unused" for the
purposes of disclosure obligations. The current practice
is to destroy any such material as soon as possible. But the position
is no different for emails found on computer hard-disks. Since
such emails have been received by the computer owner they are
not "intercepted" for the purposes of Part I Chapter
1 RIPA and so are admissible. Prosecution and Defence experts
will see these as part of the process of checking the integrity
of the disk evidence preservation process. But, unless they are
relevant, no one else will and both experts will be under duties
of confidentiality imposed by their job functions and by duty
to the courts.
28. So far we have simply been concerned
with interception of telephoneslandline and cellular. Because
the "voice" and "traffic data" elements are
so obviously separate it is easy to understand how to handle the
distinction made in RIPA
between content and communications data. But interception in the
data world of the Internet means, in the instance, capturing all
the data packets associated with an Internet identity and then
attempting to filter them according to whether they appear to
be "traffic data" (for example the "header"
in terms of email) or "content" (the message itself).
There is little clarity, for example, with how one would make
the distinction in web-based email such as Hotmail and the facilities
offered by large Internet Service Providers (ISPs) such a BT Internet.
The problem becomes even greater as conventional telephony is
replaced by Voice over Internet Protocol (VoIP) telephony and
the use of Instant Messaging grows.
29. It is obviously beyond the scope of
your current enquiry to investigate such matters: there are significant
cost and regulatory implications to ISPs but my immediate point
is that increasingly there will be disputes about interpretation
of RIPAand these disputes will inevitably require disclosure
of material which may later be declared inadmissible for being
"content", an impossible situation.
30. My arguments refer to interception for
any type of crime, not just terrorism. Any review of the law would
need to consider, among other things, whether authority for warranting
should be transferred away from the Secretary of State to the
judiciary and also the extent to which interception material alone,
without additional corroboration, should ever be sufficient to
permit a conviction.
7 December 2005
62 http://www.crfp.org.uk/ Back
Available for download from: http://www.nhtcu.org/media/documents/publications/ACPO_Guide_for_computer-based_electronic_evidece.pdf Back
For example, EnCase, AccessData FTK, Sleuthkit Back
The software provides the means to encrypt and decrypt-the individual
encryption key for each session is also required. Back
S 49 ff, RIPA 2000. Back
S 53 RIPA 2000. Back
Apparently no longer on the Home Office website. Back
For example, Analyst's Notebook by I2. Back
Who refers to the sites he visits and provides statistical information:
Part 5. Back
RIPA 200 Part 1 Chapter 1. Back
Home Office Draft Code of Practice. Back
Specifically ss 20 and 21(4)(a). Back