This is an addendum to my earlier submission dated 7 December 2005 in response to the Committee's Notice of 25 November 2005. The Committee decided to extend the period for submissions so that they could gather wider views on such technical aspects as time required to examine computers, issues of encryption, mobile telephony and arguments about returning intercept material into regular admissibility.

  The addendum is prompted by some of the remarks made in the submission of AC Andy Hayman of the Metropolitan Police Anti-Terrorist Branch.

  I hope the Committee will feel able to accept this addendum and find it useful.

  1.  Time taken to examine computer material In his "theoretical case study" AC Hayman says: "The High Tech Crime Unit say that every computer hard drive seized during that period of time takes a minimum of 12 hours to image for the assessment teams at Paddington to then provide to the interviewing officers". In fact there is no need, in the first instance, to image a hard-disk in order safely to carry out a preliminary assessment of its contents—which is what is needed for interview. The most popular computer forensics product used in the UK, EnCase has a "preview" facility which prevents a hard-disk of interest being written to while it is being examined; the examiner can still recover deleted files and carry out sophisticated searches. Alternative means of previewing disks include the use of specially set-up Compact Disks[87] and specialist hardware which absorbs any attempt at writing to a suspect disk[88]. In all these circumstances the disk is available for examination within a few minutes. Imaging only becomes necessary when the hard-disk is to become evidence but is not necessarily needed in the early days of an investigation.

  2.  In any event 12 hours for a single disk is something of an exaggeration. Modern imaging products claim rates of up to 5GB/per minute— so that even a comparatively large hard-disk of 120 GB would be imaged in 30 minutes. The only real problems are with some laptops where direct access to a hard-disk may be difficult. AC Hayman may like to consult more closely with his technicians.

  3.  Elsewhere AC Hayman says: "The examination and decryption of such vast amounts of data takes time, and needs to be analysed before being incorporated into an interview strategy. This is not primarily a resourcing issue, but one of necessarily sequential activity of data capture, analysis and disclosure prior to interview." Whilst recognising much of what of what he says it would be productive for the Committee to enquire whether the police are using the quickest methods of dealing with large quantities of potential disk-based evidence—and weighing the costs that these might imply against the costs, tangible and reputational, of holding suspects for long periods without trial. In particular, my own experience is that in situations where large numbers of computers are seized, only a small proportion of them turn out to be relevant in terms of an enquiry. Thus, it should be possible to use numbers of relatively lower-skilled investigators and technicians to eliminate the irrelevant and filter upwards those of potential interest.

  4.  Audio Probe Evidence. I also wish to add a little to my observations about the admissibility of intercept evidence. Use is made in terrorism, narcotics and trafficking of audio probes, in other words, bugs. This evidence is admissible, though a warrant for intrusive surveillance is required. [89]Many of the arguments adduced to prolong the inadmissibility of communications intercept evidence apply with more force to bugs—publicity about technical capabilities and danger to individual technicians[90] in terms of having to go into hostile locations in order to set up the equipment. As I have sought to show, where domestic terrorism is concerned, there is little secret about how intercepts are carried out (at points provide by telephone companies) or how (by technicians throwing a switch or two). But bugs need to be planted and the precise capabilities of bugs in terms of sensitivity, distance between bug and listening point and life (dependent on batteries or other form of power) are not well known. The police are usually able to persuade judges to grant Public Interest Immunity certificates and this may be a pointer to how they would deal with defence disclosure requests in respect of techniques of interception.

27 January 2006

88   eg Voom Technologies ShadowDrive. Back

89   Under s 32 RIPA 2000. Back

90   See the remarks of Baroness Park, Hansard 7 March 2005, and indeed on other occasions: http://www.publications.parliament.uk/pa/ld200405/ldhansrd/pdvn/lds05/text/50307-41.htm. Back