House of Lords - Science and Technology

Select Committee on Science and Technology Fifth Report

CHAPTER 3 DIGITAL IMAGES

3.1 We decided that our study should be centred on photographic-like images and was bounded on one side by documents and on the other by closed circuit television (CCTV) and video. We have discussed the background to current law in Chapter 2. In this chapter we examine some of the issues which go towards proving the accuracy of an image and assessing its weight. We look also at some suggestions for establishing requirements for the use of images in court, any need to provide information or warnings to those who use them, and we make recommendations.

Proving the accuracy and assessing the weight of evidence

3.2 Authentication is the process of convincing the court that a document (which would include a digital image) is what it purports to be: of proving the origin of the image and that it has not subsequently been altered (or, where alteration has occurred, proving the nature of the alteration). Even though an image has been authenticated, however, the court will still need to determine its weight as evidence, its probative value. This depends both on the degree of authentication and the extent to which the image provides evidence of the fact in question. For example:

An image which appeared to show the defendant in the act of committing a crime, but for which there was no explanation as to its origin or other authentication, would have a very low probative value[15]. Conversely, an identical image originating from a police CCTV camera for which a detailed audit trail could be produced would have a much higher probative value. The greater degree of authentication of the second image increases its weight as evidence.

However, if the image were so blurred as to be unrecognisable, or if the court were not convinced that any enhancement processes which purported to reveal the identity of the defendant were reliable, it would give little or no weight to the image as evidence, irrespective of how well it was authenticated. A factor which would clearly increase an image's weight as evidence is compliance with relevant standards, such as the BSI standard for image storage in computer memory of the "Write Once Read Many Times" (WORM) type[16] (See Box 4).

3.3 The fact that a document is a copy may reduce its weight as evidence, unless there is sufficient authentication evidence to convince the court that it is an accurate copy. This authentication evidence would normally be in the form of an audit trail connecting the original image with the computer record which is to be adduced in evidence and recording what has occurred to that record in the interim (eg Mr Sommer, Q 115). As with paper records, the necessary degree of authentication may be proved through oral and circumstantial evidence, if available, or via technological features of the system or the record (see Box 4). Oral evidence will concentrate largely on the management and operational procedures applied to the computer record. Ideally these should be assessed by the lawyer in advance to ensure that a satisfactory audit trail can be produced. Circumstantial evidence will cover a wide variety of matters, including the record's consistency with other documents which make up a linked transaction. Technical evidence might come from system logs, particularly if they are designed specifically with this end in mind, or through embedded features of the record itself such as watermarks and digital signatures; although these are only of any real use for authentication if the encryption key is outside the control of the person adducing the evidence[17].

Box 4: Image authentication

The digital processing of images, the potential for image modification and the problem of defining what is an original make it difficult to establish with ease that an image is authentic. This is a critical step if an image is to be used as evidence. There are two elements to establish authenticity: to have an 'audit trail' which records everything that happens to the image from capture to its presentation in court; and/or to have a technological solution which brands or 'watermarks' the image at the time of capture and can subsequently show it is authentic.

Audit trail

Audit trail methodology is already used with other forms of evidence to ensure that it has been treated fairly, that any processing it has undergone (eg in a forensic laboratory) is well documented, that its location is always known and that all those who have had contact with it have the necessary authorisation. This is all common sense and similar controls would be expected for digital images. If an image is generated by a system dedicated to the enforcement of law then it is possible to start the audit trail at the moment of image capture, but if an image is from elsewhere, for example a photograph from a member of the public or even a CCTV video from a private surveillance system operator, then the audit trail may only start once the image is presented (or seized) by which time it may have already been modified. The courts deal with such problems with all evidence, but the ease with which digital images can be modified, the availability of the technology and the skills to do this, and the low awareness of the potential problem, should raise extra concerns.

WORM memory

Most CCTV systems and enforcement cameras make a recording onto video tape in either real time or a limited number of frames per second basis. The video recorders and tapes can be kept in physically secured areas with limited access to reduce the possibility of tampering. Further security can be achieved if a second recording is also made onto a WORM ('write once read many times') memory device at the same time. A WORM memory is something to which computer data can be written only once. An indelible recording is made which cannot be overwritten with other data. The data can, however, be read as many times as wished. The most easily recognisable WORM memory is a CD or CD ROM: a plastic disc coated in reflective material into which pits have been etched physically. The laser in a CD player will read the information stored in this etching, but cannot change or delete the etchings.

Recording on to a WORM will provide an image for comparative purposes which cannot be altered. However, the expense of such systems, the extra storage capacity required, the non-reusable nature of the WORM storage media, and the need to ensure that only certain people get access to the secure copy (eg the police when an investigation is started) means that such systems are probably inappropriate for wider use.

In itself, a recording on a WORM is also no guarantee that an image is free of modifications: the data could be copied to a computer, altered, and then copied back to a second identical device leaving no evidence of impropriety unless there was some other way of distinguishing the first WORM from the second.

3.4 A number of cases where the authentication of computer records was at issue have come before the courts, and where there has been no suggestion that the records might have been altered deliberately or accidentally, the authentication requirements have been met by evidence from those responsible for operating the computer system in question[18]. In R v. Spiby[19] the English Court of Appeal was prepared to presume that a computer was recording evidence accurately when its operator (a hotel manager) testified that he was unaware of any problems in operation, in the absence of any evidence from the defendant that there was any question of malfunction, and in R v. Shepherd[20] a store manager's testimony was held by the House of Lords to be sufficient for the same reasons.

3.5 This evidence will not be necessary in civil proceedings if the authenticity of the image is admitted during discovery under Rules of the Supreme Court, Order 27 rule 4(1) which provides that where lists of documents are exchanged a document which is asserted on the list to be a copy is presumed to be a true copy unless its authenticity is specifically disputed by the other party. If the document is disputed, however, oral evidence as to authenticity will be required.

3.6 Of considerable interest to us was that no defence teams in the United Kingdom had, as yet, ever requested an audit trail be produced in any case where video images were being used by the prosecution (eg Liberty Q 4). This may change as defendants and their lawyers become more familiar with the technology.

Some implications for handling digital images

3.7 Modern offices employ sophisticated data processing technology for document handling. If a form is sent off to a building society, bank or insurance company, it may be imaged and thereafter handled by networked computers. This is done for reasons of business efficiency (eg to speed up processing and to reduce the need for file storage space in the office). Any document can be available instantaneously throughout the organisation and it does not get lost (eg Abbey National system Q 320). When text is examined, be it on hammered vellum or a computer screen, certain fundamentals have to be in place. Put simply, it has to be verified that it is what it purports to be. Traditionally, verification has been through the use of an authenticating mark or signature. In the digital age, something rather more complex is often required: for documents this can be a digital signature which incorporates encryption, making the signature unique to the specific document and its originator; and for other images an electronic watermark may be used (various authenticating technologies are discussed in Box 4).

3.8 Some witnesses, including the Association of Chief Police Officers in Scotland (p 154) and the Crown Prosecution Service (p 165) were in favour of images incorporating some form of watermark or other authentication (added at the time of image capture) to increase their utility in

Watermarks

Watermarks provide an extra level of security to an image in addition to an audit trail if they are added at source as the image is being captured by the camera. With a conventional image the watermark (eg an identifying code or logo) would need to be visible in the scene and may thus obscure other vital information. In a digital image it is possible to hide the watermark within the image data with a form of encryption: although the watermark can be present in all parts of theimage (down to pixel scale), the image looks normal and the watermark can be viewed only with the appropriate decryption key. It would also be possible to encrypt the whole image so that it is meaningless to anyone viewing it without the appropriate equipment and decryption key.

Two types of invisible watermark are envisaged and are being developed by companies including CRL IBM, NEC and others (see IBM evidence for detailed description of watermarking technology). The first (a permanent watermark or 'tattoo') will help copyright owners monitor the use of their material. The watermark is hidden within the image and will remain with the image (or image segment) if it is copied, modified or otherwise processed (ie the watermark is almost impossible to destroy or remove from the image no matter what is done to it). For evidential use this would allow copyrighted materials to be identified, and it might also be useful for identifying the source of images which have undergone significant modification. The second type of watermark is the fragile watermark which is destroyed by any processing or modification attempt other than just viewing the image. This could have significant potential for authenticating images used in evidence: an image which should have a watermark but does not, or has a damaged one, would have low evidential value without other corroboration.

The main limitation of all watermarks is that ideally they should be applied by the camera and thus the camera manufacturers have to install software which will do this. Only if watermarking becomes the norm for cameras where images might be used for evidential purposes, or if there is overwhelming demand from customers, are manufacturers likely to adopt such technology. There are also problems with the export/import and use of certain levels of encryption technology which might be used to generate watermarks.

Digital signature

Digital signatures can be used for authenticating messages and documents sent electronically and, equally, could be adapted for authenticating images. The American Bar Association (Digital Signature Guidelines: http://www.abanet.org/scitech/ec/isc) describes digital signatures as using public key cryptography and a 'hash function' derived from the message itself. The hash function is an algorithm created from enough of the message data to ensure that it could only be created from those data. The message and the hash function are then encrypted with the sender's private encryption key to make a digital signature which is unique. The receiver decodes the message with a related version of the encryption key previously given to the intended recipient by the sender (or held by a trusted third party). The message is verified by computing the hash function again and comparing it with the original.