Computer Expert Witness?

A recent case before the Court of Appeal (Criminal Division) gives a surprisingly wide interpretation of who may be an expert witness on the operation of a computer system.

Stubbs (Paul Matthew) [2006] EWCA Crim 2312 concerns the qualification of expert witnesses and the admissibility and weight to be given to the evidence of an expert who is in some way associated with a financial institution through which a fraud has been perpetrated.  The defendant was a password reset clerk employed by HSBC. AT&T had an account at HSBC from which large sums of money were stolen. The defendant was convicted of conspiracy to defraud.  In part, his appeal concerned a challenge to an expert witness, a Mr. Roddy, who was an HSBC employee, on the footing that while he could give evidence about the setup within HSBC and the way the system (the Hexagon system) was intended to operate he lacked technical expertise in relation to the functioning of computers.  It was further objected that, as an HSBC employee and a member of the technical team trained on the Hexagon system, he lacked objectivity.  The trial judge admitted Mr. Roddy as an expert witness.

 

The Court of Appeal held that the trial judge properly applied the test in Bonython [1984] SASR 45 according to which the judge must decide (1) whether the subject matter of the opinion falls within the class of subjects upon which expert evidence is permissible; and (2) whether the witness has acquired by study or experience sufficient knowledge of the subject to render his opinion of value in resolving the issue before the court.  The Court held that both tests were satisfied.  As to objectivity, arguably the more important issue, the Court followed Gokal (unreported 11 March 1999), holding that the extent of the witness’ independence goes to weight not admissibility. In this case there were no features of the evidence of the witness that could support a case of conscious bias or lack of objectivity.

 

The case may surprise in that an acknowledged expert, Michael Turner (who appeared for the defence), felt unable to draw any conclusions from the evidence of the operation of the system, and yet the court was happy with positive evidence from those so closely involved in the system. It is to be hoped that HSBC has tightened up its procedures since the events (which occurred in 2002) as the case throws a depressing light on aspects of its security. Not the least worrying is the fact that the defendant password reset clerk, who was said to be involved in a conspiracy that netted over £11 million, was described as of low intellect and was placed in the position only because he had failed all the tests of capacity to act as a customer service representative.

 

The main passage of the judgment concerning these issues is as follows (at [40] to [60]):

  1. The objection taken at trial to the admissibility of Mr Roddy's evidence related to only a part, though a vital part, of that evidence. It was accepted that he could give evidence about the set-up within HSBC and the manner in which the Hexagon system was designed to operate. It was contended, however, that his detailed account of the actual activity within the system at the material times (the input and resetting of passwords, etc.) amounted to inadmissible opinion evidence. The topic required expert evidence and Mr Roddy lacked the necessary expertise: he had neither qualifications nor experience in relation to the technical aspects of the functioning of computers. It was further submitted that Mr Roddy lacked the necessary independence to be an expert witness, in particular because of the commercially catastrophic effect of one of HSBC's employees conceding on oath that the system suffered weaknesses or was open to attack in various ways. It was argued that the court should not allow the opinion evidence of such a person in respect of the operation and reliability of a computer system that he was in effect paid to defend.
  1. The objection advanced had further detailed facets to it, extending for example to what Mr Roddy said about the proper functioning of the computer system and of the NEDAP security system at the material times. In the light of the way in which the case was presented on appeal, however, we think it sufficient to concentrate on the central points to which we have already referred. In any event we are satisfied that any additional matters could not assist the appellant if he did not succeed on the central points.
  1. The evidence about Mr Roddy's qualifications and experience was as follows. He had completed an A level and a City & Guilds qualification in computing and had then gone to Stafford University to study computer science. After two years, he went to work for HSBC and did not complete his degree. By the time of the trial he had been at HSBC for seven years, involved in the technical support for various e-banking products, starting with Hexagon and then managing and training the technical support teams. In particular, he had been a member of the technical team trained on the Hexagon system. He had become manager of the technical support team and then the helpdesk manager dealing with customer account issues. He had overall responsibility for both the technical staff and customer service representatives for the HSBC e-banking system. Although the evidence given on the voir dire was not in precisely the same terms as that subsequently given before the jury, the nature and limitations of Mr Roddy's relevant knowledge were summarised in this way in the judge's summing up (tr.12A-B):

"… he conceded that he is not an IT specialist in any wider sense. He is not a programmer or a computer designer. And while technical problems would be solved by others, this is what he said really about his expertise, he said: 'I'm good on how the system worked in practice'."

  1. The judge also heard on the voir dire from an acknowledged computer expert called by the defence, Mr Michael Turner, who said inter alia that he was unable to provide a report because of a lack of information: the appellant's workstation had not been retained or imaged; there was no computer running the 2002 version of the Hexagon system which could be analysed; he had been provided with no information as to how the HSBC computers operated or produced the audit logs relied on by Mr Roddy; and he did not have the underlying data from which he could safely reach any conclusion.
  1. In his ruling the judge pointed to the existence of a presumption as to the integrity of the computer system, in the absence of any evidence to raise the issue of reliability. He said that Mr Turner had assisted the court in appreciating what areas of evidence could not be addressed by Mr Roddy. He said that the test he was applying was that in R v Bonython [1984] SASR 45. On the first basis of objection, Mr Roddy's expertise, he stated:

"I am satisfied that the operation of the Hexagon computer system is appropriate for expert testimony and could not be understood without it. And having heard Mr Roddy cross-examined on the voir dire, I am also satisfied that Richard Roddy has clearly demonstrated sufficient knowledge of the subject to render his opinion of value in resolving issues of fact which a jury in this case would have to decide.

Whether a jury in the light of questioning of Mr Roddy would feel able to accept any opinion he may express will, of course, be a matter for the jury …."

  1. As to the objection relating to independence, the judge ruled that that was a matter going to weight and that the jury would be well able to discern the presence or lack of the qualities of impartiality, objectivity and integrity to which the defence had referred.
  1. In challenging the judge's ruling, Mr Winter took us to the activity reports in relation to which Mr Roddy expressed the opinions to which objection is primarily taken. The judge heard evidence on the voir dire to the effect that the activity reports presented in a readable format the data that had been taken from the central computer in electronic form by the IT support teams. Mr Winter accepted before us that he could not have argued that the material was not a proper representation of the primary data, even though there were some points on continuity. His criticisms were directed not to the activity reports themselves but to the evidence that Mr Roddy gave in relation to them.
  1. Of particular importance was Mr Roddy's evidence that the activity reports all related to the same session, which had the reference number 'CC000051' and had been registered to the staff delegate identification PWRD on the morning of 24 July 2002. A session number would be allocated upon a user's log-on at a particular terminal. If all the transactions took place within one continuous session and there were legitimate transactions admittedly carried out by the appellant during that session just before and just after the illegitimate transactions, the prosecution could argue with force that the illegitimate transactions must have been carried out from the same terminal; and this also provided strong support for the argument that they must have been carried out by the appellant.
  1. Mr Winter submitted that Mr Roddy did not have the expertise to give such evidence that the activity reports all related to a single session. The fact that they had the same number did not mean that it was a single session. There was evidence from the admitted expert, Mr Danbury, that concurrent log-ons (so as to target and hijack a live session) were not possible; but that left open the possibility of non-concurrent log-ons to the system under the same session number. This was something that Mr Roddy had not investigated and did not have the technical qualifications to investigate or to answer questions about.
  1. Among the various points made by Mr Winter were these:

i) The activity reports themselves do not show when log-ons and log-offs occurred. For example, they do not show the undoubted log-off by the appellant at about 17.20. This leaves open the possibility that he had previously logged off at about 17.00, just before the illegitimate activity.

ii) There was no evidence about the appellant's log-on in the morning. Further, although Mr Roddy said that the computer timed out if the session was idle for a period, the evidence was not clear as to how long it needed before a timed log-off occurred. One would have expected a timed log-off when the appellant left the appellant at lunchtime, but there was nothing to show whether there had been a log-off followed by a fresh log-on by the appellant after lunch. In short, there was simply no evidence about when or how the appellant's CC000051 session was created.

iii) Mr Roddy gave evidence that, once a session ended, the next session would not be given the same number again: the number reverted to a pool of numbers available to be allocated by the computer to new sessions. He said in cross-examination that there was a 1 in 100,000 chance of it being reallocated to a different session on the same day. Yet there was evidence of three instances the previous day in which session numbers had been reallocated to other sessions after discontinuance of the session to which they were originally allocated. Mr Roddy was unable to say how this could have happened.

iv) There were other pointers to the illegitimate activity having been carried out by someone other than the appellant. The illegitimate activity involved a random attack on five companies beginning with the letter 'A', whereas the appellant would have known or could have discovered the primary delegate identification for all the companies and would not have needed to do things in this way. Moreover, on two occasions in the course of the illegitimate activity the user deployed a shortcut that was never used by the appellant in the course of his legitimate transactions. The vulnerability of the system to attack by members of staff was illustrated by the fraud perpetrated by Mr Kareer earlier the same year, involving as it did the use of other people's terminals in their absence.

  1. For all those reasons, submitted Mr Winter, Mr Roddy did not have a proper basis for saying that there was one continuous session and did not have the expertise to answer the questions raised by the defence on this issue. He was not qualified to give the evidence he did about the nature of the activity shown by the activity reports. His evidence should have been confined to telling the jury how the system was ordinarily designed to operate. A properly qualified expert should have been called to show how it did in fact operate and to say whether what was shown by the activity reports did form part of a single session. The defence were at the additional disadvantage that, because the data had not been properly secured, it was not possible for the defence expert to reach any conclusion on the subject.
  1. A further strand of Mr Winter's submissions concerned Mr Roddy's independence. The implications for the bank if an operation moving £16 billion per day was vulnerable to fraud placed Mr Roddy, as an employee of the bank, under great pressure. He conceded that he might have been subject to a subliminal lack of objectivity in his task. He ought not to have been placed in this position. Expertise and independence go hand in hand. In this case Mr Roddy had neither quality, which created a truly dangerous situation. Without this part of his evidence, there would have been no case against the appellant.
  1. In granting leave to appeal, the Full Court said that it had some concerns as to whether Mr Roddy's evidence could truly be described as expert evidence. Having had the benefit of full argument, however, we are satisfied that the judge was entitled to rule as he did.
  1. The judge said that he was applying the test in Bonython. There is no suggestion that he was wrong to apply that test. In Bonython it was said that there are two questions for the judge to decide: (1) whether the subject matter of the opinion falls within the class of subjects upon which expert testimony is permissible; and (2) whether the witness has acquired by study or experience sufficient knowledge of the subject to render his opinion of value in resolving the issues before the court.
  1. It is not in dispute that the judge was right to give an affirmative answer to the first question, holding that the operation of the Hexagon system was a subject appropriate for expert testimony. In our judgment he was also right to give an affirmative answer to the second question, holding that Mr Roddy had acquired sufficient knowledge of the subject to render his opinion of value in resolving the issues before the court concerning the operation of the Hexagon system. This was an assessment properly made after hearing Mr Roddy's evidence on the voir dire. The extent of Mr Roddy's experience of the Hexagon system, as summarised above, enabled him to give valuable assistance on the interpretation of the data taken from the central computer and set out in the activity reports. It was accepted that he was not an IT specialist in any wider sense and that his technical knowledge of the system was limited. But this did not preclude his being regarded as an expert to the extent indicated by the judge.
  1. There was no attempt to hide or downplay the limitations in the evidence that Mr Roddy was able to give. They were explored in depth in cross-examination, and both Mr Roddy and the Crown made important concessions. For example, as appears from the summing up, in the light of the evidence about the reallocation of session numbers, Mr Roddy "conceded that he could not say that the logon reference numbers served to identify a single session, on a single and particular workstation, by a single particular operator, because it clearly does happen that session reference numbers were being reallocated" (tr. 20A-B). Such matters were placed clearly before the jury. They were relevant to the question whether they should accept and place weight on Mr Roddy's evidence, but they did not mean that it was wrong to treat Mr Roddy as an expert witness in the first place.
  1. Likewise the judge was in our view right to hold that Mr Roddy's position within HSBC, coupled with the importance of the case to HSBC, went only to the weight of his evidence and did not render such evidence inadmissible.
  1. It was held in R v Gokal (judgment of the Court of Appeal, Criminal Division, 11 March 1999), in relation to the evidence of a prosecution investigator who was accepted at trial to be an expert, that the extent of his independence could go only to weight, not to admissibility. Mr Winter submitted that the position in the present case was materially different, in that Mr Roddy represented the victim of the fraud and there was also an issue concerning his expertise. He submitted that given the centrality of Mr Roddy's evidence on the question whether the illegitimate activity had been carried out as part of the same session as the legitimate activity, it was important that any expert witness should observe the requirements laid down in National Justice Compania Naviera SA v Prudential Assurance Co Ltd (The 'Ikarian Reefer') [1993] 2 Lloyd's Rep 68, for example that the evidence should be seen to be the independent product of an expert uninfluenced by the exigencies of litigation.
  1. We take the view that the differences between this case and Gokal are not material. Expertise and independence are separate issues, and we have dealt already with the question of Mr Roddy's expertise. As to independence, we do not accept that his employment with HSBC and the importance of the case to HSBC disqualified him from giving expert evidence. Although he made a very fair concession about the risk of subliminal lack of objectivity, our attention has not been drawn to any feature of his evidence that could support a case of conscious bias or lack of objectivity. In any event it was a matter for the jury to determine whether there was any conscious or unconscious bias or lack of objectivity that might render his evidence unreliable. This was, as the judge said, a matter going to weight rather than admissibility. The circumstances did not warrant a refusal by the judge to admit the relevant parts of Mr Roddy's evidence at all.
  1. Accordingly we reject the first and main ground of appeal.

 


 

Published: 2006-10-24T00:00:00
