Investigatory Powers Bill

Written evidence submitted by Ted Marynicz (IPB 45)

1. I carry out research in the area of Digital Forensics, that is, the collection of forensically sound evidence from digital devices, such as computers and mobile phones, that can be used in criminal proceedings. I have 35 years’ experience in IT and the IT security field.

2. My main concern with the Investigatory Powers Bill is regarding the use of Equipment Interference (EI) warrants and where these are seen to overlap with Digital Forensic Investigations.

3. The draft Bill allows for deployment of two types of EI:

- A targeted equipment interference warrant described in section 88(2) of the Act.

- A bulk equipment interference warrant described in section 154 of the Act.

4. One of the first steps in examining and analysing a forensic copy of a device (e.g. computer or mobile phone) is in ensuring that the device is not infected with malware (e.g. a computer virus) or, if it has been infected, with identifying the exact version and nature of the malware that is present. Of course, a single device may have been infected with multiple instances of malware.
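The malware check described in paragraph 4, shown as an added example that is not part of this submission: a simple hash-based triage of the files in a forensic copy against a database of known samples, recording every match (so multiple infections are listed) and counting the files that matched nothing. The sample bytes, hashes, family names and version numbers are all constructed for the example; real examiners use published hash sets, and a file that matches no known hash is "unidentified", not "clean", which is exactly the gap a non-public EI would fall into.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample contents standing in for known malware binaries.
# Their hashes feed the signature database below; none of these are real IoCs.
SAMPLE_DROPPER = b"MZ\x90\x00constructed-sample-dropper"
SAMPLE_LOGGER = b"MZ\x90\x00constructed-sample-keylogger"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of file content, hex encoded (the usual key in hash sets)."""
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: digest -> (family, version).
KNOWN_MALWARE: Dict[str, Tuple[str, str]] = {
    sha256_hex(SAMPLE_DROPPER): ("ExampleDropper", "1.2"),
    sha256_hex(SAMPLE_LOGGER): ("ExampleLogger", "3.0"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    sha256: str
    family: str
    version: str


@dataclass
class TriageReport:
    findings: List[Finding]     # every file whose hash matched a known sample
    unidentified: int           # files that matched nothing (not proven clean)


def triage_image(files: Dict[str, bytes],
                 signatures: Dict[str, Tuple[str, str]] = KNOWN_MALWARE) -> TriageReport:
    """Hash every file in the (already acquired, read-only) image and look it up.

    `files` maps a path inside the forensic copy to its content. Paths are
    processed in sorted order so the report is reproducible between runs.
    """
    findings: List[Finding] = []
    unidentified = 0
    for path in sorted(files):
        digest = sha256_hex(files[path])
        hit = signatures.get(digest)
        if hit is None:
            unidentified += 1
            continue
        family, version = hit
        findings.append(Finding(path, digest, family, version))
    return TriageReport(findings, unidentified)


def families_present(report: TriageReport) -> List[str]:
    """Distinct 'family version' labels found, for the examiner's summary."""
    return sorted({f"{f.family} {f.version}" for f in report.findings})


if __name__ == "__main__":
    # Constructed image: two known samples (one copied twice) plus an unknown file.
    image = {
        "Windows/Temp/svc.exe": SAMPLE_DROPPER,
        "Users/a/AppData/Roaming/up.exe": SAMPLE_DROPPER,
        "Users/a/AppData/Local/kl.dll": SAMPLE_LOGGER,
        "Users/a/Documents/notes.txt": b"plain document, not in any hash set",
    }
    report = triage_image(image)
    for f in report.findings:
        print(f"{f.path}: {f.family} {f.version} ({f.sha256[:12]}...)")
    print(f"unidentified files: {report.unidentified}")
    print("families:", families_present(report))
```

The examiner records every match, not just the first, because paragraph 4's point that a device may carry several infections matters for the later question of which software produced a given trace.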

5. The presence of malware on a device can result in a suspicion that the evidential results of actions that are left on that device are a result of the actions of the malware and not the actions of the user. For example, a defence could claim that alleged access to a certain website was the result of actions of the malware present on the device and not as a result of direct control by the user. This can raise reasonable doubt over whether the user of the device was the actual instigator of the actions attributed to them.

6. Whilst I hope that it will be the case that there is the intention of putting in place procedures to ensure that any device being subjected to forensic examination is a 'known' device as far as targeted EI is concerned, I cannot at present see how this might apply in the instance of the bulk (i.e. non-targeted) deployment of EI. This raises the main question - on what basis would a digital forensic investigator be able to recognise a piece of malware as being a government-sanctioned EI?

7. With the presence of government-sanctioned EI on a device, the forensic examiner would be required to investigate all possible implications surrounding the behaviour of that EI and how it may have impacted on the forensic results left as evidence on the device.

8. This would be a requirement placed on both sides - the prosecution and defence - in a case. Discovery may require the government agency that developed the EI (e.g. GCHQ) to disclose the precise nature and effects of the EI in question.

9. With malware found 'in the wild' there is a large body of work, based on detailed research, that describes how each variant of malware can be identified, the effects it is capable of and the traces it leaves behind. It may be beyond the wishes of GCHQ, for example, for their EIs to be subject to such forensic investigation. Indeed, they may see it as counter-productive.

April 2016
Prepared 6th April 2016