If we are to use evidence from digital devices such as smartphones, PCs, corporate machines and the cloud we need it to be reliable. But some of the methods used to achieve this can violate privacy as a digital forensic examiner may initially have unlimited access and not know in advance what is relevant and what is not. Digital examinations can be highly intrusive.
This is a review of the law and practices. Focused reform is needed but demands to "stop digital strip searches" are over-simplistic. A way forward is to distinguish the situation where the entire content of a device is downloaded for the purpose of data preservation - freezing the scene at a definite point in time - and the later situation when reasons and justifications for detailed examination become clearer. I make some recommendations.
The conflict between providing reliable evidence from computer devices while supporting the privacy and human rights of their owners - complainants, accuseds and wholly innocent third parties - has been an issue of important but limited debate – until now. The National Police Chiefs’ Council (NPCC) and the Crown Prosecution Service (CPS) announced they had agreed on a Victim’s Consent to Access form. It resulted in a noisy campaign centred around the particular problems of investigations of rape, with protagonists speaking of a “digital strip search” and the Association of Police and Crime Commissioners (APCC) asking for the form to be withdrawn.
I have been examining computers and computer-like devices and giving related expert evidence since the mid-1990s. I have written about the conflicts with privacy before, most recently in the wake of the 2018 inquiry into Disclosure of Evidence in Criminal Proceedings by the House of Commons Justice Select Committee but it seems a good time to update and expand. Reforms in law and procedure are needed, but they are not the ones most commonly being demanded.
Importance of Digital Evidence
The importance of digital forensics parallels the importance of computers and digital devices in our lives. Police say that the average UK home contains 7.4 digital devices, most of which contain stored files but also software, configuration and system data which can be interpreted. The smartphone in particular has a very intimate relationship with its owner 60/60/24/7/365 and is recording activities second by second. Others put the figure even higher: the Internet Advertising Bureau UK cites 8.3 devices per home, and Gartner suggest that by 2020 each of us may have 5.1 connected devices on our person. Digital evidence in one form or another appears in not less than 70% and up to 90% of crown court cases.
Evidential Reliability
If you are going to use digital evidence it has to be reliable if miscarriages are to be avoided. A key feature, as with other forms of evidence, is that it is capable of being tested. As with other forms of physical evidence the way in which it is processed is critical to its reliability. Police, lawyers and forensic practitioners refer to particular stages: Identification of sources likely to be helpful, Acquisition, Preservation, Analysis, Continuity, Disclosure to the Defence, Presentation in Court.
· Acquisition: to ensure that the process of seizure does not alter or corrupt original material
· Preservation: to take care that once in police custody potential evidence does not become altered or corrupted by accident
· Analysis: examination and possible conclusions by a forensic practitioner together with a report that will go before the court and be available for testing by the defence
· Continuity: also known as chain of custody, so that when an item is presented in court there is a complete explanation and set of records to show how it has been handled since acquisition
· Disclosure to the Defence: since the Criminal Procedure and Investigations Act 1996 (CPIA) prosecutors have had a duty to “disclose” to the defence – to make them aware of anything uncovered during an investigation which might strengthen the defence case or weaken the prosecution case. Another feature of CPIA is that defendants are penalised if they fail to produce a defence case statement setting out their general approach. The prosecutor’s duty to disclose is continuous, and that includes making further disclosure dependent on the detail provided in the defence case statement. Police and forensic examiners are under a duty to “reveal” their activities to the prosecutor to enable disclosure to be made
· Presentation in Court: court appearance of witnesses supporting their exhibits and findings from their examination of seized items, and to be available for cross-examination
Digital evidence has particular features. In addition to the sheer volumes on even modest devices is its very high level of volatility. Simply viewing the contents of a file, or even asking for a directory listing of files, will cause alterations. These may occur within the file, in its associated metadata such as time and date stamps, or in log and configuration files. (For Windows geeks: in the Registry among other places).
Forensic Image Copies
For a quarter of a century it has been the practice when dealing with evidence from digital devices that a “forensic image copy” is made of the device at as early an opportunity as possible. (The procedures have been updated to deal with smart phones and acquisition from cloud-based services). This is done for several reasons. First, executed properly and using specialist hardware, software and a standardised procedure, data does not become altered in the course of acquisition. Second, direct examination of a device is highly undesirable because in the course of it data will inevitably get altered; all examinations take place on the copy, not the original. The original is available if necessary for reversion and checking. Third, in continuity terms it provides an explicit physical link between a device and the person responsible for it so that there can be attribution of its contents. Fourth, it is all too easy for individual emails, social media postings, webpages, photographs, et cetera to be subject to forgery. But it is extremely difficult to forge an entire hard disk or the memory in a phone because indications of the existence of a file can be found in several different locations on a device, all of which would need to be known about and then adjusted. Fifth, the forensic image will capture aspects of a disk or memory card which may not be immediately visible but which optimise the opportunities to recover deleted data (which may have been rendered so deliberately but may also be a function of normal use and over-writing). Lastly, and this relates to subsequent examination and disclosure: if there are accusations that the prosecution have cherry-picked or suffered from “confirmation bias” – only seeing what their expectations have persuaded them to see – the existence of the forensic image means that such mistakes can be corrected.
Smart phones are even more vulnerable to volatility problems than regular computers. When powered up they are constantly awaiting the arrival of regular phone calls and SMS messages; they are also in contact with Internet based data sources either via the phone network or local Wi-Fi services. The data sources include social media and other messaging services, notifications of all kinds, the ability to conduct worldwide web browsing and also to receive numerous updates associated with various apps. Many phones also can connect to the outside world and acquire data via Bluetooth. The existence of a GPS signal may also cause data content alterations. Most smartphones have cameras and microphones.
The forensic image provides essential provenance, authentication and continuity. It freezes the scene at a particular point in time and forms the basis of any evidence that is produced - and contested - at trial. The procedures were first written up in the ACPO Good Practice Guide to Computer-based Evidence in the 1980s and have been many times updated since.
Evidence Seizure
Because of the volatility issue it is important that the forensic image is captured at the earliest possible moment. This applies to accuseds, complainants and any third parties (which might include businesses and other organisations as well as individuals).
The accused will have had little choice but to give up their digital devices. PACE (Police and Criminal Evidence Act, 1984) section 1 covers powers to stop and search, section 8 empowers a “justice of the peace” to authorise entry and search of premises, sections 19-22 cover powers of seizure and how they apply to computerised information.
Complainants and third parties will usually have to give their consent unless they too have been the subject of an explicit warrant. Police requests have to be compliant with the General Data Protection Regulation (GDPR) and the UK implementation in the Data Protection Act 2018. Part 3 covers law enforcement processing and we will look at some of the protections shortly.
Evidence Preservation
But it is important to stress that the forensic image copy is about evidence preservation and can be separated from the tasks of examination and analysis. This is an area which could be made much clearer when it comes to dealing with privacy issues.
In practical terms preservation is achieved by the use of a digital fingerprint of the forensic copy image. This involves the use of a small item of widely-available software which creates a fingerprint consisting of a string of apparently random characters (a cryptographic hash); even the slightest alteration in the copy image (or any other file subject to the process) will result in a different fingerprint being created. A subsequent user of the file simply uses the same digital fingerprint software to check that nothing has changed. The standard software used to generate forensic copy images also creates a fingerprint at the end of the copy generating process.
It is also worth pointing out that the product of a forensic image copying exercise is not immediately readable without access to specialist software. The copy is simply a series of initially opaque files. It is possible, in the case of computer hard disks and memory cards, to use the forensic image copy to create a clone of the original onto similarly-sized hard-disks or memory cards but the more usual practice is to use the practitioners’ specialist tools such as EnCase, FTK, X-Ways and others to carry out detailed examination.
Triage
At this early stage no one will be able to determine what is going to be relevant. Will any potential evidence be in email, a regular SMS message, the fact that phone calls had been exchanged, records of web browsing, photos, or the use of any of a number of messaging and social media services that eventually proves to be important?
Indeed one of the practical problems faced by the police is that the sheer quantity of devices which may need to be examined can be overwhelming; as a result they have attempted to develop triage systems to prioritise which devices should be seized and which can be safely discarded.
There are significant implications here for the obligation to disclose. The last thing a police investigator or prosecutor wants is that a defendant says that important potential evidence has never been captured or not captured in a timely fashion and is now lost. Defence counsel will then ask the judge to rule that a fair trial cannot now take place. We will consider practical disclosure to the defence in a little while.
Examination and Analysis
It is only when actual examination commences that the privacy of the owner and others of a specific device becomes an issue. In the first instance the examiner of a forensic image copy will have complete access to everything on that device. In practice, partly because of the operation of the law (which we will discuss shortly) but mostly because of the sheer volume of material, the examiner will be guided by the steer given by whoever is the officer in the case (OIC). The OIC will have initial expectations and suspicions and will communicate that to the examiner. The examiner will then use experience to determine which parts of the original device will be subject to scrutiny.
The most commonly used specialised digital forensics analysis tools offer the examiner an integrated environment in which to view files of all kinds, including their metadata, and to carry out complex searches. Typically the contents of an entire device are indexed so that the results of search requests are obtained almost instantly; often, where several devices have been seized, a master index – and hence a search capability – can operate over all the devices simultaneously. Some of the programs even allow examiners to devise their own specialised search procedures – to identify credit card numbers or particular glossaries of terms as used by particular communities of criminals. Use is also made of databases of hashes (digital fingerprints) of known “bad” files such as those associated with the sexual exploitation of children and terrorism.
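The two uses of hashing described on this page, the preservation fingerprint taken at the end of acquisition (under Evidence Preservation) and the lookup of individual files against a database of known hashes (above), share one routine. The following is an added example written for this article; it is not the author's tooling nor any vendor's product, and the image contents, file names and the "known file" label are constructed stand-ins.

```python
"""Fingerprinting a forensic image copy and looking files up in a known-hash set.

Added example for this article (not the author's or any vendor's code).
All sample data below is constructed in memory; nothing is read from a real device.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream a large image a megabyte at a time


def fingerprint(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`, streamed so a multi-GB image need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_acquisition_record(image_path, record_path):
    """Record the fingerprint taken at the end of acquisition: this is the 'freeze the scene' moment."""
    record = {
        "image": Path(image_path).name,
        "algorithm": "sha256",
        "fingerprint": fingerprint(image_path),
    }
    Path(record_path).write_text(json.dumps(record, indent=2))
    return record


def verify_image(image_path, record_path):
    """Recompute the fingerprint of the image and compare it with the acquisition record."""
    record = json.loads(Path(record_path).read_text())
    actual = fingerprint(image_path, record["algorithm"])
    return {"match": actual == record["fingerprint"],
            "expected": record["fingerprint"],
            "actual": actual}


def match_known_files(file_paths, known_hashes):
    """Look each file's fingerprint up in a hash set; returns [(file name, label)] for hits only."""
    hits = []
    for path in file_paths:
        label = known_hashes.get(fingerprint(path))
        if label is not None:
            hits.append((Path(path).name, label))
    return hits


def demo():
    """Run the preservation check before and after a one-byte alteration, then a hash-set lookup."""
    workdir = Path(tempfile.mkdtemp())
    image = workdir / "handset.img"
    record = workdir / "handset.img.sha256.json"

    # Constructed stand-in for an acquired image: a few 'sectors' of filler around a header.
    image.write_bytes(b"\x00" * 512 + b"SECTOR-HEADER" + b"\xff" * 4096)
    write_acquisition_record(image, record)
    before = verify_image(image, record)

    # Simulate the accidental alteration the article warns about: a single byte is touched.
    altered = bytearray(image.read_bytes())
    altered[600] ^= 0x01
    image.write_bytes(altered)
    after = verify_image(image, record)

    # Constructed hash set standing in for a database of known files; the label is illustrative.
    known_a = workdir / "known_a.bin"
    known_a.write_bytes(b"constructed known file A")
    unknown = workdir / "unknown.bin"
    unknown.write_bytes(b"a file nobody has catalogued")
    known_hashes = {fingerprint(known_a): "known file A (constructed)"}
    hits = match_known_files([known_a, unknown], known_hashes)

    return before["match"], after["match"], hits


if __name__ == "__main__":
    print(demo())
```

Flipping one bit anywhere in the image changes the whole fingerprint, which is why the recorded value can stand in for the image itself in the continuity records.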
There is no point in denying that accidental viewing of material that most people would consider private and which turns out to be wholly irrelevant to an investigation can and does take place. I can recall a computer seized from a suspected dealer in firearms; photos were scrutinised on the basis that there might be pictures of the accused with guns – what I found were pictures of him having sex (of an entirely normal kind) with a woman who was either his wife or regular partner. I can remember another case in which someone was accused as a co-conspirator in a gold bullion hijacking; he was found not guilty but his computer showed that he was a heavy user of escort services, which he might have wished to have concealed from his wife. In both these and other cases no reference was made to these “private” activities and in each instance I suspect that only I and one other person, another examiner, were ever aware of their existence.
Perhaps I should also say that digital forensic examiners are highly unlikely to know the owners of the devices they are asked to investigate, or any of their acquaintances. One aspect of “privacy” must be concern that private and confidential information becomes known to the world at large or at least to acquaintances.
In practice actual examination in a non-urgent case may not take place for some considerable time. This is a function of the lack of funding and resource available for digital forensics. "Urgent" cases will include situations where there is a threat to life, where there is an ongoing investigation and where co-conspirators may need to be identified and future events forecast and perhaps forestalled. Another “urgent” element may be that legislation requires that an accused is charged or brought before court within a particular timeframe. Almost everything else is “non-urgent”; that will include situations involving rape or collections of pictures of the sexual exploitation of children and where no further harm is expected. Delays of six or more months are not uncommon. This can cause considerable distress. Digital forensic examiners in the publicly funded criminal justice system are poorly paid compared with their colleagues who specialise in civil disputes or have transferred their skills into more general aspects of cyber security. Even the leading digital forensic units, those that deal with the most interesting cases, have an unfortunately high turnover of staff.
Another limitation on privacy violation is that the rooms in which digital examinations take place are normally subject to strict physical access controls. Non-specialist staff are present only by invitation. The main reason for this is that a frequent task in digital forensics involves indecent images of children. There is a strict liability offence of possession – s 160 Criminal Justice Act 1988 – where the onus is on an accused to say that they can benefit from a very limited range of defences. There are also offences of “making” and “distributing” which also can be said to take place during an investigation. Examiners have to rely on the protections available under s 46 Sexual Offences Act 2003. The response is to make examination rooms secure against unauthorised viewing. It may be some comfort to those whose digital devices are being examined that free-for-all passing round of private information in a police canteen is very strongly discouraged by law.
Legal constraints on examination
The contents of a personally-owned computer or smartphone or a personally-run cloud service count as personal data for the purposes of Data Protection legislation, and although there are exceptions and provisions for law enforcement there are also significant limits. Almost certainly one of the drivers for the production of the Consent Form referred to at the beginning was the need to comply with the Data Protection Act 2018 (DPA 2018). This is the UK implementation of the General Data Protection Regulation (GDPR). Police count as data controllers and data processors.
Detailed coverage of the law is beyond the scope of this blog, but Part 3 of DPA 2018 covers “law enforcement processing”. Section 31 describes “law enforcement purposes” as “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.” Part 3 Chapter 2 sets out six principles, the first of which states that processing must be strictly necessary for a specified law enforcement purpose and that an appropriate policy document must be in place. Other principles include that data processed “must be adequate, relevant and not excessive in relation to the purpose for which it is processed” (third principle). The fifth principle says that such data “must be kept for no longer than is necessary for the purpose for which it is processed.” The sixth principle says: “that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).”
Section 45 within Part 3 of DPA 2018 refers to the circumstances of the right of access by the “data subject” – in this instance the owner of a digital device including a smartphone. Other sections include the right to rectify.
Part 6 of the Act covers the powers of the Information Commissioner to enforce the law including powers of inspection and the issuing of penalties. There are also criminal offences, detailed in sections 170-173 and sections 196 and 197. Section 200 requires the preparation and alteration of Codes of Practice issued under the Police and Criminal Evidence Act 1984.
Nearly all of these same limitations apply to those forensic examiners instructed by defence lawyers.
One area of ambiguity in the current law is the situation where a device is being examined for one specific purpose but there are indications of other separate and unexpected crimes; an example would be that during an examination of a device on suspicion of fraud there are also photos of children being sexually exploited. One would expect the police to investigate with a view to prosecution in these circumstances, but surely examiners and police should be declaring a separate investigation and requesting additional authority to pursue it.
Kiosks
The use of mobile phone extraction kiosks is a potential weakness as far as privacy is concerned. They were developed to meet the twin challenges of ever-increasing quantities of devices and data to be examined and the shortage of highly skilled human examiners. They offer a first-stage downloading and examination facility which can be used after relatively modest levels of training. Police officers have to select from a limited number of physical connectors and thereafter the kiosk is able to detect the type of phone and provide opportunities for downloading standard types of data such as phone call records, SMSs, photos, substantive files, and the popular messaging and social media services. The typical kiosk is plug-and-play.
One of the key drivers for kiosk deployment has been the challenges of decision-making in triage – how does a police officer during a search decide which of many digital devices should be seized and how many can safely be left behind?
There are several concerns. Although kiosks are designed for first-stage activities, lack of police resource and training can mean that they may be the only form of digital forensic analysis and there is no second stage carried out by a trained and experienced analyst. (Increasingly digital forensic processes are supposed to be accredited and conform to international standards, but the speed of change in the technologies and applications used in mobile phones means that the software in the kiosks needs constant updating; as a result appropriate levels of testing for reliability are likely to be bypassed in order to meet operational needs). A related problem is that important evidence may simply not be found.
But the greatest worry is the impact on privacy. The procedural and legal constraints referred to above as they apply to more traditional forms of digital forensic examination may simply be being bypassed in the interest of operational convenience. The important separation of data preservation from data examination can easily be lost. At the same time there seems to be only a limited opportunity for police officers to follow the data protection obligations of limiting their examination to material which is strictly relevant to a specific purpose. In effect users of such kiosks have unlimited access to very large aspects of the contents of a smart phone.
It is currently unclear to me what remedial and restricting steps are being taken by police forces to develop privacy-aware protocols for the use of kiosks.
Disclosure to Defence
As we have seen CPIA 1996 imposes an obligation on the prosecution to disclose material collected in the course of an investigation which might undermine prosecution arguments and assist the defence. This is material which is referred to as “unused”, as opposed to material which is formally served on the defence and the court as part of the prosecution case. Among other things section 23 of the Act requires that there should be a detailed Code of Practice.
What is disclosed will depend heavily on the defence case statement. Section 6A (introduced in 2003) says:
(1) For the purposes of this Part a defence statement is a written statement—
(a) setting out the nature of the accused’s defence, including any particular defences on which he intends to rely,
(b) indicating the matters of fact on which he takes issue with the prosecution,
(c) setting out, in the case of each such matter, why he takes issue with the prosecution,
(ca) setting out particulars of the matters of fact on which he intends to rely for the purposes of his defence,
(d) indicating any point of law (including any point as to the admissibility of evidence or an abuse of process) which he wishes to take, and any authority on which he intends to rely for that purpose.
In terms of digital evidence there may be a case for producing only a selection of files, and in so doing supporting privacy by limiting material to what is “relevant”. However, if a defence case statement suggests that there may be files and other material which the prosecution have failed to consider, or if there is a concern that there has been tampering with evidence or that the actual process of data preservation has been faulty, then it is highly likely that the defence will demand access to the entire forensic image copy. A forensic examiner may also claim that full analysis is only possible using the same or similar tools to those deployed by the prosecution and that as a result access to the full image copy is the best way in which the quality and reliability of prosecution work can be tested. It is not practically possible to redact parts of a forensic image copy. The actual details of the extent of disclosure may be the subject of negotiation between prosecution and defence and, where they are unable to agree, they may need to take their arguments before the court.
Once in the hands of the defence a number of legal restrictions apply. Sections 17 and 18 of CPIA 1996 impose a duty of confidentiality, breach of which is a contempt of court. In effect material can only be referred to as it applies to specific charges that a defendant faces or if there is a likelihood of further charges. Thus although a defence lawyer and people appointed by him to examine a forensic image copy may be able to see private but irrelevant material they cannot use it or refer to it.
Defence lawyers are data controllers for the purpose of the Data Protection Act 2018 and examiners / experts they employ are data processors and possibly also data controllers. As a result all the restraints referred to above as they apply to police investigations of digital devices apply to them also.
Rape cases
The specific safeguards are in the Youth Justice and Criminal Evidence Act 1999. This is the Act which among other things provides for “Special measures directions in case of vulnerable and intimidated witnesses” (Part 2 Chapter 1). Section 41 provides for “restriction on evidence or questions about complainant’s sexual history”. An accused – and their lawyer – can only introduce such evidence with the permission of the court. The court will hear such arguments before trial, often in a preliminary hearing, and a judge will limit the evidence to specific circumstances. Section 41(5)(b) says that if used the sexual history must go “no further than is necessary to enable the evidence adduced by the prosecution to be rebutted or explained by or on behalf of the accused.”
A particular feature of rape trials is that in the absence of third-party witnesses or indications of adverse physical impact on bodies or clothing, the court is faced with one person's word against another. This, in addition to possible lack of sympathy on the part of investigating police officers, is why so few complaints mature into convictions. A jury has to be "sure" - beyond a reasonable doubt - to find guilt. Smartphone and other digital evidence has the potential to provide additional elements for a jury to take into consideration.
What happens in practice
The law is clear enough and, with some exceptions, so are the procedures. However, as the reports of the Commons Justice Select Committee, Disclosure of evidence in criminal cases (HC 859) in 2018, and the Lords Science and Technology Select Committee, Forensic science and the criminal justice system: a blueprint for change (HL paper 333) in 2019, make clear, resources for digital examination are under severe strain.
Indeed the entire criminal justice system is under severe strain. Overall expenditure on forensic science in general was £120m in 2008 but only £50m in 2019, of which the police budget was £12.3m. The National Audit Office estimates that between 2010/11 and 2018/9 overall police funding fell by 19%. The Crown Prosecution Service staff budget fell from £738M in 2010-11 to £291m in 2015-16, a cut of more than 60%. Cuts to legal aid funding (via the Legal Aid Authority) were introduced in the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (LASPO). One impact is that defendants must now pass a means test before legal aid is available. Both barristers and solicitors have suffered cuts in fees with the result that many lawyers are leaving the publicly-funded sector. The Commons Justice Select Committee made this the subject of another report: Criminal Legal Aid (HC1069).
The best-selling book The Secret Barrister: Stories of the Law and How It's Broken turns these statistics into a lively but dispiriting description of what happens in practice.
My own experience and, apparently that of witnesses to the various select committee reports, is that the most important cases are dealt with properly by police, CPS and prosecutors. They are high profile, likely to be reported in the media and will attract the attention of the best legal professionals. The real difficulty is in “routine” Crown Court trials. None of these cases are of course routine to complainants or, for that matter, to defendants. But they are to the police, the Crown Prosecution Service, prosecution and defence lawyers and forensic examiners.
It is here that the pressures of lack of funding result in deficiencies in the handling of digital evidence and where the unnecessary violation of privacy is most likely to appear and where a remedy may be most difficult.
Proposals
These are some areas that merit attention:
- Separate out data preservation from data examination. Data preservation can be justified to ensure that the "scene" on a digital device at a particular point in time is reliably frozen. Individuals who are anxious about a "digital strip search" can be reassured that data examination will only take place later against defined purposes. This may require changes to the substantive law and will require revised Codes of Practice and procedures under the Police and Criminal Evidence Act, 1984 and elsewhere.
- Where digital devices have been seized in the course of a legitimate search of premises or a street stop-and-search, an additional authorisation should be required before examination of digital devices takes place, though without prejudice to the need to preserve data (see above). In emergency situations authorisations could be obtained after the event. Where an examination reveals the possibility of separate and unexpected wrong-doing, further additional authorisation, accompanied by explanations and justifications, should be required.
- The precise mechanism for authorisation to examine is up for discussion. One route would be to require that a senior police officer of appropriate rank and not otherwise involved in an investigation authorises after evaluating explanations why a data examination is necessary. This in part echoes the procedures that were until recently used for law enforcement to obtain retained communications data (who called who, when, for how long and in the case of cellphones, approximate location but not the content of a call) from telephone companies and Internet Service Providers. (Under Parts 3 and 4 of the Investigatory Powers Act, 2016). Alternatively there could be a separate body to authorise, similar to the Office for Communications Data Authorisations (OCDA) which is a sister organisation to the Investigatory Powers Commissioner's Office (IPCO).
- Review the current Consent Form covering voluntary provision of digital devices
- Set a clear policy that data from digital devices will only be retained for so long as there is a proven need. Make inspections for compliance a function of the Information Commissioner's Office (ICO).
- Review the circumstances in which digital forensic kiosks are used
- Develop further awareness training for police, CPS staff and lawyers
- Examine the budgets available for access to digital forensic expertise, both those employed in the public criminal justice system and those in private practice.
- Review the advice published to assist victims of rape. At the moment victims are told to preserve evidence on clothing, to refrain from washing and what to expect from a medical inspection. The advice also ought to include references to smartphones and other digital evidence.