Digital Evidence: Beware of Assuming Too Much

Stephen Mason highlights some of the lessons lawyers should learn from Operation Ore

Lawyers have to be careful about assumptions based on generalisations, especially when dealing with evidence in digital format. For instance, the case of State of Connecticut v Julie Amero is a classic example of what can go grievously wrong in the legal process through lack of awareness.[1]

Abusive Images of Children

A high priority is rightly given to detecting, investigating and prosecuting people for offences relating to abusive images of children. At the turn of the century, police forces in the UK conducted investigations into over 7,000 people under the name of Operation Ore, and secured over 2,000 convictions. This operation was instigated as a result of the prosecution and conviction of Thomas and Janice Reedy (the Landslide trial - named after their company) in the United States for operating a web site selling access to abusive images of children.[2] After the trial, a copy of the database setting out details of the payments received by Landslide was shared with a number of police forces across the world. This information formed the initial evidence for the purposes of the investigations that subsequently took place.

One aspect of the work undertaken by the police in the UK concerned the fact that there was systematic fraud taking place against Reedy. Charge backs occurred against stolen credit cards, and Reedy tried to prevent this without success. Some of those prosecuted claimed that they did not use their credit card to obtain access to child pornography. There was evidence to suggest that thieves used stolen credit card numbers to steal money by 'buying' access to the illegal web sites hosted by Reedy.[3] Dr Paul Grout, a senior accident specialist at Hull Royal Infirmary, was one of those accused of obtaining access to child pornography. No abusive images of children were found on his computers. He produced alibi evidence from the diary on his computer to demonstrate that at the time of the alleged links to the Landslide web site, he was not at a computer terminal. In this instance, His Honour Judge David Bentley QC withdrew the case from the jury.[4]

Incorrect Assumptions

In some instances, it was assumed that, if a credit card number was in the Landslide database, it therefore followed that the person whose credit card number was used had paid for abusive images of children. For instance, Brian Cooper, a computer manager living in Brighton, used his credit card to buy bicycle parts from a US web site. His card details were obtained by Akip Anshori, an Indonesian, who then used the information to subscribe to the Landslide web site. In this way, Anshori was able to obtain money from Landslide until Mr Cooper alerted his credit card provider to the unauthorised payments. Mr Cooper proved that he had complained to his credit card company at the time the money was debited from his account. The police also failed to find any abusive images of children on his computers. In this instance, the Sussex police apologised to him and his family for causing so much distress.[5]

In another case, Jeremy Clifford was charged with making and being in possession of indecent images of children. The images were found in the temporary cache folder with random names such as "FX7RA". Images of this nature generally appear in the form of advertisements, and the user of the computer will not necessarily have clicked on them, nor will they be aware that they are on the machine. Such files cannot be viewed or recovered by an ordinarily computer user. Mr Clifford's trial was listed at St Albans Crown Court on 15 April 2005. The prosecution offered no evidence, and he was formally acquitted. He subsequently initiated legal action for malicious prosecution and misfeasance in public office. After a trial, Mr Justice Cranston concluded that there was no civil liability,[6] although Mr Clifford's appeal was successful.[7]

Court of Appeal Hearing: O'Shea

The appeal in the case of O'Shea v The Queen[8] was publicised as if it represented a public enquiry into the entire operation conducted by the police. It was not. It was merely an appeal by one man on a single main ground: that a forensic examination of the computer records from Landslide indicated that the appellant was the victim of misappropriation of identity. In considering the evidence in relation to this theory, the members of the Court of Appeal concluded, in the words of Stanley Burnton LJ (at [49]), that it was 'pure conjecture, unsupported by any evidence relating to those transactions' and determined that the conviction was safe. This conclusion was based on the following observations, amongst the others listed at [50]–[59]:

1.      There was no evidence that the webmaster had access to the data concerning the appellant that were used in the transactions.

2.      The evidence at trial was that the appellant checked his credit card statements and had protested at the wrongful debiting of his credit card account on other occasions in relation to amounts that were similar to the Landslide payments (but those had gone unquestioned).

3.      There was no evidence to prove that the hypothetical fraudulent webmaster had obtained access to the Freeserve proxy servers.

4.      There was no evidence of large numbers of people challenging credit card debits.

New Evidence

The members of the Court of Appeal also considered new evidence from Terence Bates, identified as a computer expert. The only point he made of any relevance was that the transactions recorded against the appellant's name had been entered from a computer with a Freeserve IP address. It was not in dispute that O'Shea had an account with Freeserve. The appellant argued that this evidence was not conclusive of the fact that such a computer had been used to obtain access to the Landslide computer, because it was possible to disguise the IP address. However, this matter had been raised at the trial. The digital evidence specialist for the Crown agreed that it was possible for an internet user to disguise the IP address, but indicated that it was not possible to assume the IP address allocated to someone else. This meant that the recording by the Landslide computer was correct.

Mr Bates had been instructed before the trial, prepared a report for the trial, and was present at the trial. Stanley Burnton LJ described his additional evidence (at [43]), as 'mere assertion, unsupported by any published or other material or any reasoning.' Mr Bates' evidence was consequently considered with caution, given that he failed to raise this issue at the trial, denied having signed a confidentiality agreement relating to another case until the signed agreement was produced to him in court and, on 6 March 2008, he was convicted at Leicester Crown Court on four counts of making a false statement and one count of perjury as a result of his misrepresenting his qualifications when giving evidence.

Comments

Digital evidence has been with us for a long time – the popular take-up of machines arguably occurred when the banks decided to use machines to dispense cash in the 1960s, requiring a customer to carry a plastic token to effect transactions. Since the turn of the century, the widespread use of the Internet and mobile telephones mean that most lawyers now have to deal with evidence in digital format. Dealing with digital evidence can be straight forward in simple cases and where the parties agree the data. However, the issues raised can be more complex in criminal matters, as briefly illustrated above.

Not only must lawyers familiarise themselves with evidence in digital format, but it is imperative for the lawyer to understand the need to scrutinize the qualifications of digital evidence specialists. It is incumbent upon those teaching evidence to would-be lawyers to ensure the technical matters pertaining to digital evidence, including its characteristics, are included in the curriculum – not in the future, but now.[9] Education is central to dealing with digital evidence, and it is not forthcoming to the degree and extent it should be.

© Stephen Mason, 2011

Stephen Mason is a barrister and the general editor of Electronic Evidence (2nd edition, LexisNexis Butterworths, 2011): http://www.stephenmason.eu 



[1] (Docket number CR-04-93292; Superior Court, New London Judicial District at Norwich, GA 21; 3, 4 and 5 January 2007). For a detailed analysis of this case, see Stephen Mason, general editor, International Electronic Evidence (British Institute of International and Comparative Law, 2008), pp xxxvi–lxxv.

[2] United States of America v Reedy, 304 F.3d 358.

[3] Duncan Campbell, 'Sex, lies and the missing videotape', PC Pro, June 2007, 18 – 21; note also the Supplementary memorandum by Mr Jim Gamble dated 1 June 2007 submitted to the Science and Technology – Fifth Report (Session 2006-07, 24 July 2007) (the evidence is published in Volume II (HL Paper 165-II)), where Mr Gamble challenges some of the assertions made by Mr Campbell.

[4] 'Invisible predator' BBC, Inside Out – Yorkshire & Lincolnshire, Monday October 4, 2004.

[5] Duncan Campbell, 'Sex, lies and the missing videotape', PC Pro, June 2007, 19.

[6] Clifford v The Chief Constable of the Hertfordshire Constabulary [2008] EWHC 3154 (QB).

[7] Clifford v The Chief Constable of the Hertfordshire Constabulary [2009] EWCA Civ 1259.

[8] [2010] EWCA Crim 2879 (the case was originally cited [2009] EWCA Crim 2879 at www.bailii.org; both dates are used).

[9] Daniel Seng, 'Evidential issues from pre-action discoveries: Odex Pte. Ltd. v. Pacific Internet Ltd.' Digital Evidence and Electronic Signature Law Review, 6 (2009) 25 – 32.

Published: 2011-04-07T12:38:45

    1 comments

    • I totally agree. Personally I think shows TV shows like CSI/NCIS etc over dramatise the capabilities of digital forensics. It is sometimes very difficult to find the 'smoking gun' and I found that every now and then clients are disappointed with the outcome of an investigation due to a lack of 'real' evidence. Education is the key to understand the reality of the data. In some instances, for example when the computer is infected with malware like Zeus, it is extemely difficult to prove what happened or that the system was infected at the time. This is the complication of commercial malware used in crime. They are designed to leave almost no trace.
      Cary Hendricks, 17:37:31 27/04/2011
    Please wait...