Select Committee on Home Affairs Written Evidence

17.  Memorandum submitted by Peter Sommer

  1.  This is a submission in response to the Committee's Notice of 25 November 2005. It seeks to assist by providing some technical background to two issues:

    —  the examination of computer disks and encrypted material thereon; and

    —  how telephone interception takes place and related issues of disclosure and admissibility.

  2.  It is hoped that this will enable the Committee to have more informed exchanges with witnesses from the relevant agencies and ministries, particularly in relation to timescales, resources and practicalities of disclosure.


  3.  A full CV appears as Appendix I [not printed]. I am a Research Fellow at the London School of Economics specialising in information security and digital evidence. I have acted as an expert witness in many cases involving digital evidence since 1985—these have included Official Secrets, Terrorism, narcotics trafficking, paedophilia, fraud, large-scale software piracy, murder and global computer misuse. I am Joint Lead Assessor for Computer Examination in the scheme run by the Council for the Registration of Forensic Practitioners.[62] I am an external examiner for the Master's course at the Centre of Forensic Computing at RMCS Shrivenham and have provided training to the Crown Prosecution Service and to police intelligence analysts as well as advice to the main high tech law enforcement training centre in Bedfordshire. I am the author of Directors' and Corporate Advisors' Guide to Digital Investigations and Evidence published by the Information Assurance Advisory Council.[63] I was a Specialist Advisor to the Trade and Industry Select Committee before and during its scrutiny of the Electronic Communications Bill (HC 862/Session 1998-99)[64] which was the original locus of legislation on encryption—later transferred to the Regulation of Investigatory Powers Act, 2000. During my work for the Select Committee I visited the then interception facilities at the National Criminal Intelligence Service (NCIS).

  4.  For the avoidance of doubt, this is a personal submission.


  5.  Reliable techniques and procedures for the forensic examination of the hard-disks from computers have been established for over 15 years. The first Good Practice Guide published by the Association of Chief Police Officers (ACPO) appeared in 1998; the current version is the Third Edition.[65] It enunciates principles and provides detail to address evidence preservation, continuity and auditability. Hard-disks are carefully copied in their entirety ("imaged") so as to include apparently empty sectors which might contain deleted material; examination, both by investigators and defence experts, then takes place on copies of the original.

  6.  There are well-established products to handle both the initial imaging and the subsequent analysis.[66] Types of analysis include: examination of substantive files; extraction and display of all potential picture files, email and Internet activity; the use of computers to search for words and distinctive patterns (such as credit card numbers) across the entirety of a disk; and the development of chronologies of activity. There are extensive opportunities to recover deleted material—and this too is subjected to the same forms of analysis.

  7.  Once a computer is in the hands of an examiner it is usually possible within a few hours to establish whether there is likely to be material of interest—based on indications of the computer's sophistication in terms of configuration and usage, other information obtained at the time of seizure and other intelligence.

  8.  A fuller examination might take, though we are in "length of a ball of string" territory here, about 20 hours. The results at this time would certainly be more than enough for an initial interview and/or arguments for applications for continued detention.

  9.  Production of exhibits in evidential form and formal witness statements might take longer.

  10.  Although hard-disk sizes are increasing all the time, it should be remembered that computers are used to search the contents at great speed; it is possible to index the entire contents of several hard-disks in a case and thereafter get almost instant results from specific searches.
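To make paragraphs 5, 6 and 10 concrete, here is an added example (written for this page, not code from the submission or from any of the products it mentions) of the three steps they describe on a constructed eight-sector "disk": imaging the whole device and recording a hash so that later copies can be checked against the original, indexing every sector including unallocated space where deleted material survives, and running a pattern search for credit card numbers. The sector size, the toy directory format in sector 0 and all file contents are assumptions made for the example.

```python
import hashlib
import re

SECTOR = 512  # sector size assumed for the constructed image


def build_sample_image() -> bytes:
    """Construct a toy eight-sector disk image (constructed test data, not a real disk).
    Sector 0 holds a toy directory that lists only the allocated file; sector 5 holds
    the content of a file that was deleted, so no directory entry points to it."""
    sectors = [bytearray(SECTOR) for _ in range(8)]
    sectors[0][:] = b"DIR report.txt@2".ljust(SECTOR, b"\x00")
    sectors[2][:] = b"Quarterly report: sales were flat.".ljust(SECTOR, b"\x00")
    sectors[5][:] = b"Invoice for the shipment, paid by card 4111 1111 1111 1111".ljust(SECTOR, b"\x00")
    return b"".join(sectors)


def image_disk(source: bytes):
    """Bit-for-bit copy of every sector, empty ones included, plus a hash of the copy
    recorded at acquisition time and re-checked by anyone later examining a copy."""
    copy = bytes(source)
    return copy, hashlib.sha256(copy).hexdigest()


def verify_image(copy: bytes, recorded_hash: str) -> bool:
    """Continuity check: does this working copy still match the acquisition hash?"""
    return hashlib.sha256(copy).hexdigest() == recorded_hash


def allocated_sectors(image: bytes) -> set:
    """Sectors referenced by the toy directory in sector 0 (plus the directory itself)."""
    directory = image[:SECTOR].rstrip(b"\x00").decode()
    refs = {int(entry.split("@")[1]) for entry in directory.split()[1:]}
    return refs | {0}


def index_words(image: bytes) -> dict:
    """Inverted index word -> sectors, built once over every sector, allocated or not,
    so that subsequent searches are near-instant."""
    index = {}
    for n in range(len(image) // SECTOR):
        chunk = image[n * SECTOR:(n + 1) * SECTOR]
        for word in re.findall(rb"[A-Za-z]{3,}", chunk):
            index.setdefault(word.lower().decode(), set()).add(n)
    return index


def search(index: dict, image: bytes, word: str):
    """Split hits into allocated sectors and unallocated space; the latter is where
    deleted material is recovered from."""
    hits = index.get(word.lower(), set())
    alloc = allocated_sectors(image)
    return sorted(hits & alloc), sorted(hits - alloc)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(image: bytes):
    """Pattern search across the whole image: 13-19 digit runs (spaces/dashes allowed)
    that pass the Luhn check, reported with the sector they were found in."""
    hits = []
    for n in range(len(image) // SECTOR):
        chunk = image[n * SECTOR:(n + 1) * SECTOR]
        for m in re.finditer(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)", chunk):
            digits = re.sub(rb"\D", b"", m.group()).decode()
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((n, digits))
    return hits


if __name__ == "__main__":
    img = build_sample_image()
    copy, acquisition_hash = image_disk(img)
    print("image verifies:", verify_image(copy, acquisition_hash))
    idx = index_words(copy)
    print("'invoice' allocated/unallocated:", search(idx, copy, "invoice"))
    print("card numbers:", find_card_numbers(copy))
```

The word "invoice" is found only in sector 5, which no directory entry references: that is the deleted-file case the submission describes, and it is found only because the image includes the apparently empty sectors. The constructed card number 4111 1111 1111 1111 is a well-known test value that passes the Luhn check.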


  11.  However all these timings depend on the availability of appropriate skilled and equipped technicians. Based on membership of the First Forensic Forum and the Digital Detective Bulletin Board, I estimate there to be approximately 500-700 competent examiners in the UK though the numbers in current direct police employment are probably only 200-250. Numbers vary considerably between similar police forces—Kent employ 16 specialists, Essex two. The largest single category of investigation relates to images of child abuse. Large-scale recent cases have created long delays before hard-disks can be examined. There are currently limited ring-fenced funds for computer forensics, not universally applied, but this scheme is likely to end sometime in 2006. When SOCA comes into formal existence, NHTCU which provides the lead for training standards will be part of it, but will no longer be part of the police, though the regional forces and the Met (with its specialist anti-terrorist unit) will be "police".

  12.  The Committee should ask tough questions about the resources available and associated time delays.


  13.  Copies of hard disks from which material is extracted are themselves evidence and are made available to defence experts. "Unused" material is available under regular disclosure arrangements. The detail can be seen in the current CPS Disclosure Manual.[67] Where hard-disks contain sensitive material a defence expert may be asked to provide undertakings in addition to those implicit in the role; undertakings may be reinforced with a related court order. In rare circumstances a defence expert may have to work at designated law enforcement premises; there may then be significant additional cost implications for the Legal Aid fund. My own experience is that while negotiations for access are sometimes difficult, they usually end in a mutually satisfactory conclusion.


  14.  The existence of encrypted material on a hard-disk is normally self-evident, if not immediately readable. Normally software providing the means to encrypt and decrypt will also be found.[68] It is possible to hide data on a hard-disk and/or within files on a hard-disk—the general name for this is steganography. Techniques exist to detect steganography even if immediate decoding is not possible. Such detection is normally not a very lengthy process, once the initial suspicion has been formed.
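As an added illustration of why encrypted material is "normally self-evident" (this is example code written for this page, not a tool from the submission), the following scans a constructed disk image cluster by cluster and classifies each one. Two signals are combined: recognisable markers such as a PGP armour header, and the Shannon entropy of the bytes, since ciphertext without a header looks like uniformly random data. The cluster size, the threshold of 7.5 bits per byte and the image contents are assumptions for the example; the caveat a practitioner would add is that well-compressed data is also high-entropy, so a high-entropy cluster without a known header means "encrypted or compressed", a lead to follow rather than a conclusion.

```python
import math
import random

BLOCK = 4096  # examine the image in 4 KiB clusters (assumed layout for the constructed image)

# Markers that make encrypted or packaged material self-evident before any
# entropy measurement is needed. These three are real, widely documented headers.
MARKERS = {
    b"-----BEGIN PGP MESSAGE-----": "pgp-armor",
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, approaching 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(data: bytes, threshold: float = 7.5) -> str:
    """Label one cluster. Marker check first, then emptiness, then entropy."""
    for magic, label in MARKERS.items():
        if data.startswith(magic):
            return label
    if not data.strip(b"\x00"):
        return "empty"
    if shannon_entropy(data) >= threshold:
        return "high-entropy"  # encrypted, or compressed data lacking a known header
    return "plaintext-like"


def scan_image(image: bytes, block: int = BLOCK):
    """(cluster index, label) for every whole cluster in the image."""
    return [(i, classify_block(image[i * block:(i + 1) * block]))
            for i in range(len(image) // block)]


def flagged_blocks(image: bytes, block: int = BLOCK):
    """Clusters an examiner would look at next: anything not empty or plaintext-like."""
    return [i for i, label in scan_image(image, block)
            if label not in ("empty", "plaintext-like")]


def build_sample_image() -> bytes:
    """Constructed four-cluster image: text, unused space, unmarked random bytes
    standing in for ciphertext, and a PGP armour block with a placeholder body."""
    rng = random.Random(20051207)  # fixed seed so the example is reproducible
    text = (b"Minutes of the meeting. Actions agreed: none. " * 100)[:BLOCK]
    empty = bytes(BLOCK)
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    armour = (b"-----BEGIN PGP MESSAGE-----\n(constructed placeholder body)\n"
              b"-----END PGP MESSAGE-----\n").ljust(BLOCK, b"\x00")
    return text + empty + ciphertext_like + armour


if __name__ == "__main__":
    for i, label in scan_image(build_sample_image()):
        print(f"cluster {i}: {label}")
```

Running the scan on the constructed image labels cluster 2 as high-entropy and cluster 3 as PGP armour; those two are the clusters flagged for further examination. Real examinations use much larger images, but the per-cluster cost is linear and the pass is quick, which is consistent with the submission's remark that detection is "not a very lengthy process".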

  15.  Plainly the existence of encryption and steganography on a hard-disk without reason and/or without production of decoding facilities is grounds for suspicion and for an application for extended detention.

  16.  Techniques for decryption, depending on circumstances, fall into four broad categories:

    —  some encryption facilities are relatively easily broken either for lack of complexity or poor implementation. Decryption facilities for these are available commercially and it is reasonable to suppose that the National Technical Assistance Centre (NTAC), the main regular law enforcement body for this activity, has all of these and more. Times to decrypt may vary from near-instantaneous to a few hours;

    —  where stronger encryption facilities are in use, a forensic examination of the hard-disk of computers used to originate or receive the material may provide clues in the form of "in clear" versions of encrypted material and passwords/keys;

    —  whilst most people using encryption prefer to rely on established products, it is possible that every now and then new packages may be encountered. It is not possible to put a figure on the time required to "break", though as above, forensic examination of associated hard-disks may provide clues. But few "new" encryption systems turn out to be robust;

    —  failing this, brute force or modified brute force methods such as dictionary attacks (successive trying of potential passwords) may have to be deployed using extensive computing resources. This may take significant amounts of time and may fail.

  17.  I hope the Committee will seek from relevant witnesses information about:

    —  quantities of encrypted material encountered in relation to overall computer evidence obtained; and

    —  figures for the various qualities of encryption and time to decrypt using the classification above.


  18.  I draw attention to the most recent Report from the Interception Commissioner (2004).[69] At para 7 he says:

    However, the use of information security and encryption products by terrorist and criminal suspects is not, as I understand, as widespread as had been expected when RIPA was approved by Parliament in the year 2000. Equally the Government's investment in the National Technical Assistance Centre—a Home Office managed facility to undertake complex data processing—is enabling law enforcement agencies to understand, as far as necessary, protected electronic data.

  19.  A curiously identical statement appears in the 2004 Report of the Intelligence Services Commissioner.[70]


  20.  Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) provides powers for investigators to issue notices requiring disclosure of "protected", that is, encrypted data[71] and for punishment for failure to do so.[72] The specified penalty on conviction is two years.

  21.  The Committee would do well to probe why this existing legislation has never been enacted. My own understanding is that Home Office officials drafted detailed proposals which covered not only stored data (as on a hard-disk or CD) but also data in transmission. While this second is desirable in terms of completeness of coverage it appears the proposals conflicted with actual practices employed inter alia by the secure networks used for high value financial transactions. Discussions became bogged down in detail and little attempt was made to produce legislation and regulations limited to stored data, which would have had few problems of implementation and addressed the largest and most obvious category of encrypted material of interest to investigators.


  22.  Interception of the content of telephone calls, emails, etc is admissible in common law but excluded by statute—currently section 17 RIPA 2000. Consensual interception is admissible and so is interception material lawfully acquired outside UK jurisdiction. The aim of the current policy is said to safeguard methods and facilities and was explained in a Home Office consultation paper of June 1999.[73] The general effect is to allow interception warrants but to deny their existence for court proceedings—this applies to both prosecution and defence. The detail of how this is handled appears in the CPS Disclosure Manual[74] and I hope that the Committee will press the CPS and others hard to assess its effects—the Manual acknowledges many difficult areas of judgement.[75] The Committee should also review carefully the relevant Attorney General's Guidelines in relation to section 18 of RIPA.[76]

  23.  Communications/traffic data—who called whom, when and for how long—is admissible under Part I Chapter II RIPA 2000. Such evidence is often produced in conspiracy trials to demonstrate a common purpose among a number of people. Commercially available software packages to identify patterns aid this exercise and produce persuasive graphics.[77] Data traffic also includes details of which cellphones were registered to which specific base stations thus bringing the geographic locations of individuals into evidence—this is called cellsite analysis.

  24.  There are frequent occasions when the production of evidence based on data traffic together with other evidence before the court makes it wholly obvious that interception has taken place, though neither prosecution nor defence are allowed to refer to it.


  25.  There is nothing complicated or secret in the principles of how interception of landline and cellular phones takes place. Two elements are required: the voice component (by placing simple circuitry across the line or by capturing digitally) and the "traffic" component—who called whom, when and for how long—which is part of the regular record of the telecommunications company for revenue collection and quality of service purposes and already admissible.

  26.  Good practice, along the lines used for preserving hard-disk evidence, suggests that the voice and the traffic components (referred to in the literature as the IRI, Intercept-Related Information) should be forensically inextricably linked as a test against tampering and editing. The details, as adopted by very large numbers of jurisdictions and also used in international law enforcement, are explained in a technical document published by the European Telecommunications Standards Institute (ETSI) Security Techniques Advisory Group dated 2001.[78] There is no reason why a Good Practice Guide, similar to that for computer evidence[79] should not be devised and published; indeed it would probably be less complex and concentrate on continuity and auditability.
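Paragraph 26 asks that the voice and traffic (IRI) components be "forensically inextricably linked as a test against tampering and editing". Here is an added example of one way to do that (illustrative code written for this page; it is not the ETSI scheme or any agency's implementation): each record carries a hash of its audio inside the IRI, the IRI carries the tag of the previous record so that records cannot be dropped or reordered, and the whole is authenticated with an HMAC under a key held by the recording system's audit function. The key, the field names, the warrant reference and the audio bytes are all constructed placeholders.

```python
import hashlib
import hmac
import json

# Key held by the recording system's audit function (constructed value for this example).
AUDIT_KEY = b"constructed-demo-audit-key"


def _canonical(body: dict) -> bytes:
    """Stable byte encoding of the IRI so the HMAC is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_record(iri: dict, voice: bytes, prev_tag: str, key: bytes = AUDIT_KEY) -> dict:
    """Bind the intercept-related information to the voice recording and to the
    previous record, then authenticate the whole with an HMAC."""
    body = dict(iri)
    body["voice_sha256"] = hashlib.sha256(voice).hexdigest()
    body["prev_tag"] = prev_tag
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"iri": body, "voice": voice, "tag": tag}


def verify_record(rec: dict, prev_tag: str, key: bytes = AUDIT_KEY) -> bool:
    """True only if the record links to its predecessor, its audio matches the
    hash in the IRI, and the IRI itself is unaltered."""
    body = rec["iri"]
    if body.get("prev_tag") != prev_tag:
        return False  # record removed, inserted or reordered
    if hashlib.sha256(rec["voice"]).hexdigest() != body.get("voice_sha256"):
        return False  # audio edited or swapped
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["tag"])  # IRI fields edited?


def verify_chain(records, key: bytes = AUDIT_KEY):
    """Return None if every record verifies and links to its predecessor,
    otherwise the index of the first record that fails."""
    prev = "GENESIS"
    for i, rec in enumerate(records):
        if not verify_record(rec, prev, key):
            return i
        prev = rec["tag"]
    return None


def sample_chain():
    """Three constructed intercept records (placeholder warrant, parties, times, audio)."""
    calls = [
        ({"warrant": "W-PLACEHOLDER", "caller": "A", "callee": "B",
          "start": "2005-11-01T09:00:00Z", "duration_s": 120}, b"audio-1"),
        ({"warrant": "W-PLACEHOLDER", "caller": "B", "callee": "C",
          "start": "2005-11-01T09:10:00Z", "duration_s": 60}, b"audio-2"),
        ({"warrant": "W-PLACEHOLDER", "caller": "A", "callee": "C",
          "start": "2005-11-01T09:30:00Z", "duration_s": 30}, b"audio-3"),
    ]
    chain, prev = [], "GENESIS"
    for iri, voice in calls:
        rec = seal_record(iri, voice, prev)
        chain.append(rec)
        prev = rec["tag"]
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact chain first failure:", verify_chain(chain))
    chain[1]["iri"]["duration_s"] = 999  # edit a traffic field after the fact
    print("edited IRI first failure:", verify_chain(chain))
```

With this structure a defence or prosecution expert holding the audit key can confirm continuity of the whole sequence from a single verification pass; editing a duration, replacing the audio of one call, or deleting a call from the middle each surfaces as a failure at a specific index. What it does not do is prove who held the key, which is why the accompanying records of warrants and their usage, already required by RIPA, still matter.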

  27.  It might be helpful to take in turn each of the claimed arguments against making interception evidence admissible:

    —  sensitive methods would be disclosed: the existence of regular interception facilities can hardly be secret—they are referred to in the legislation and the annual reports of the Surveillance Commissioner[80] and the ETSI documents are public. Defence lawyers are not able to embark on fishing expeditions but must comply with the rules emerging from the Criminal Procedure and Investigations Act 1996 (as amended, particularly by the Criminal Justice Act 2003[81]). Specific disclosure would only follow a detailed and consistent defence case statement. The prosecution have the ability to question the quality and bona fides of a defence expert and there are opportunities to seek undertakings and court orders in respect of defence experts. This is already done in terms of hard-disk evidence. It is unlikely that defence experts would need to enquire about overall capacity to intercept (which probably should be kept secret) as their questions will be focused on the reliability and integrity of specific tendered evidence and related "unused" material. Whilst overwhelmingly most interception will use regular methods there may be a few instances in which unorthodox techniques are deployed and which it is desired to keep secret—but the authorities can still make use of the Public Interest Immunity (PII) certificate mechanisms—judicial and ministerial—to exclude these.[82] Applications for PII certificates can also be made where it is desired to disguise the role of co-operation from other national intelligence and law enforcement agencies;

    —  there would be significant additional overheads: RIPA already requires that detailed records are kept of interception warrants and their usage.[83] Without such records the Interception Commissioner cannot do his work.[84] Data storage problems would be significantly less than those resulting from the seizure of hard-disks;

    —  the privacy of innocent third-party individuals would be placed at risk: it is certainly true that, if interception becomes admissible, then in order to demonstrate the integrity of an interception some innocent conversations involving third parties will need to be retained for the duration of criminal proceedings either as evidence or as "unused" for the purposes of disclosure obligations. The current practice[85] is to destroy any such material as soon as possible. But the position is no different for emails found on computer hard-disks. Since such emails have been received by the computer owner they are not "intercepted" for the purposes of Part I Chapter 1 RIPA and so are admissible. Prosecution and Defence experts will see these as part of the process of checking the integrity of the disk evidence preservation process. But, unless they are relevant, no one else will and both experts will be under duties of confidentiality imposed by their job functions and by duty to the courts.


  28.  So far we have simply been concerned with interception of telephones—landline and cellular. Because the "voice" and "traffic data" elements are so obviously separate it is easy to understand how to handle the distinction made in RIPA[86] between content and communications data. But interception in the data world of the Internet means, in the first instance, capturing all the data packets associated with an Internet identity and then attempting to filter them according to whether they appear to be "traffic data" (for example the "header" in terms of email) or "content" (the message itself). There is little clarity, for example, with how one would make the distinction in web-based email such as Hotmail and the facilities offered by large Internet Service Providers (ISPs) such as BT Internet. The problem becomes even greater as conventional telephony is replaced by Voice over Internet Protocol (VoIP) telephony and the use of Instant Messaging grows.

  29.  It is obviously beyond the scope of your current enquiry to investigate such matters: there are significant cost and regulatory implications to ISPs but my immediate point is that increasingly there will be disputes about interpretation of RIPA—and these disputes will inevitably require disclosure of material which may later be declared inadmissible for being "content", an impossible situation.


  30.  My arguments refer to interception for any type of crime, not just terrorism. Any review of the law would need to consider, among other things, whether authority for warranting should be transferred away from the Secretary of State to the judiciary and also the extent to which interception material alone, without additional corroboration, should ever be sufficient to permit a conviction.

7 December 2005

62

63

64

65   Available for download from:

66   For example, EnCase, AccessData FTK, Sleuthkit.

67

68   The software provides the means to encrypt and decrypt; the individual encryption key for each session is also required.

69

70

71   S 49 ff, RIPA 2000.

72   S 53 RIPA 2000.

73   Apparently no longer on the Home Office website.

74

75

76

77   For example, Analyst's Notebook by I2.

78

79

80   Who refers to the sites he visits and provides statistical information:

81   Part 5.

82

83   RIPA 2000 Part 1 Chapter 1.

84

85   Home Office Draft Code of Practice.

86   Specifically ss 20 and 21(4)(a).


© Parliamentary copyright 2006
Prepared 3 July 2006