Skip to main content

Electronic Evidence and Electronic Signatures: Chapter 10

Electronic Evidence and Electronic Signatures
Chapter 10
    • Notifications
    • Privacy
  • Project HomeElectronic Evidence and Electronic Signatures
  • Projects
  • Learn more about Manifold

Notes

Show the following:

  • Annotations
  • Resources
Search within:

Adjust appearance:

  • font
    Font style
  • color scheme
  • Margins
table of contents
  1. Cover
  2. Title Page
  3. Copyright Page
  4. List of Contributors
  5. A note on our Creative Commons licence
  6. Dedication
  7. Contents
  8. Software is reliable and robust
  9. Preface
  10. Acknowledgments
  11. Table of statutes
  12. Table of cases
  13. 1. The sources and characteristics of electronic evidence and artificial intelligence
    1. Digital devices
      1. Processors
      2. Mobile devices
      3. Embedded devices
      4. Software
      5. Data storage facilities
      6. Data formats
      7. Starting a computer
    2. Networks
      1. Types of network
      2. Cloud computing
      3. The Internet of Things
      4. The deep web and the dark web
      5. Common network applications
    3. Types of evidence available on a digital device
      1. Files
      2. Metadata
      3. Imaging
      4. System and program logs
      5. Temporary files and cache files
      6. Deleted or ‘lost’ files
      7. Simulations, data visualizations, augmented and virtual reality
      8. Encryption and obfuscated data
    4. Artificial intelligence and machine learning
      1. Simulations, data visualizations, augmented and virtual reality
      2. Transparency and explainability
      3. AI adversarial attacks
    5. Defining electronic evidence
      1. The dependency on machinery and software
      2. The mediation of technology
      3. Speed of change
      4. Volume and replication
      5. Storage and disclosure
    6. Concluding remarks
  14. 2. The foundations of evidence in electronic form
    1. Direct and indirect evidence
    2. Evidence in both digital and analogue form
    3. Metadata and electronic evidence
    4. Means of proof
      1. Testimony and hearsay
      2. Real evidence
    5. Documents and disclosure or discovery
    6. Visual reading of a document
    7. Authentication
    8. Best evidence
    9. Analogue evidence
    10. Digital evidence
    11. Civil proceedings
    12. Criminal proceedings
    13. Admissibility
    14. Weight
    15. Video and audio evidence
      1. Testimonial use in legal proceedings
      2. Identification and recognition evidence
    16. Computer-generated animations and simulations
      1. Computer-generated evidence in England and Wales: civil proceedings
      2. Computer-generated evidence in England and Wales: criminal proceedings
  15. 3. Hearsay
    1. The rule of hearsay exclusion and its rationale
    2. The right of confrontation
    3. Hearsay and electronic evidence
    4. Electronic evidence and real evidence
    5. Testimonial and non-testimonial use of information
    6. Implied assertions
    7. Civil proceedings and the requirement to give notice
    8. Criminal proceedings
      1. Telephone calls and messages
      2. Representations other than by a person
      3. Body-worn camera footage
      4. Business and other documents
      5. Judicial discretion to include hearsay
      6. Judicial discretion to exclude hearsay
    9. Concluding observations
  16. 4. Software code as the witness
    1. The classification of digital data
      1. Category 1: Content written by one or more people
      2. Category 2: Records generated by the software that have not had any input from a human
      3. Category 3: Records comprising a mix of human input and calculations generated by software
    2. Challenging the code to test the truth of the statement
  17. 5. The presumption that computers are ‘reliable’
    1. The purpose of a presumption
    2. Presumptions and mechanical instruments
    3. Judicial formulations of the presumption that mechanical instruments are in order when used
      1. Judicial notice
      2. A ‘notorious’ class
      3. Common knowledge
    4. Evidential foundations of the presumption
    5. How judges assess the evidence of devices controlled by software
    6. Mechanical instruments and computer-like devices
    7. The nature of software errors
      1. Why software appears to fail
      2. Classification of software errors
    8. The development, maintenance and operation of software
      1. Developmental issues and software errors
      2. Increasing the risk of errors through modification of software
      3. Security vulnerabilities
      4. Software testing
      5. Writing software that is free of faults
      6. Software standards
      7. Summary
    9. Challenging ‘reliability’
      1. Aviation
      2. Financial products
      3. Motor vehicles
      4. Emergency services
      5. Medical
      6. The Post Office Horizon scandal
      7. Banking
      8. Interception of communications
    10. Most computer errors are either immediately detectable or result from input errors
    11. Challenging the authenticity of digital data – trial within a trial
      1. A protocol for challenging software in devices and systems
    12. Reintroduction of the common law presumption
    13. The statutory presumption
    14. Challenging the presumption
      1. ‘Working properly’
    15. Concluding remarks
  18. 6. Authenticating electronic evidence
    1. Authenticity and authentication
      1. An example: email
      2. Digital evidence compared to past paradigms
      3. Admissibility and authentication
      4. The best evidence rule
      5. Identity and integrity
      6. Reliability
    2. Methods of authentication
      1. Self-authentication
      2. System authentication
      3. Digital certification
      4. Digital forensics
      5. Extrinsic and circumstantial evidence
      6. Judicial notice
      7. Digital evidence in archival systems
    3. Technological authentication
      1. Digital signatures
      2. Blockchain
    4. Challenges to the authenticity of evidence in digital form
      1. The cloud
      2. The Internet of Things
      3. Digital preservation
      4. Migration and format changes
    5. The business records exception to the rule against hearsay
      1. The business records exception
      2. Authentication of digital business records
    6. Conclusion
  19. 7. Electronic signatures
    1. The purpose of a signature
    2. Dictionary definitions
    3. The manuscript signature
    4. Statutory definition of signature
    5. The functions of a signature
      1. The primary evidential function
      2. Secondary evidential functions
      3. Cautionary function
      4. Protective function
      5. Channelling function
      6. Record-keeping function
    6. Disputing a manuscript signature
      1. Defences
      2. Evidence of the manuscript signature
      3. Intention to authenticate and adopt the document
    7. The electronic signature
    8. Forms of electronic signature
      1. Authority, delegation and ratification
      2. Forged signatures
    9. Evidence of intent to sign
      1. The automatic inclusion of the signature
      2. Partial document with separate signature page
    10. The Electronic Communications Act 2000
      1. The definition of an electronic signature
      2. The elements of an electronic signature
      3. Liability of a certification service provider
      4. The power to modify legislation
      5. Regulation of Investigatory Powers Act 2000
    11. Electronic sound
    12. The ‘I accept’ and ‘wrap’ methods of indicating intent
      1. Click wrap
      2. Browse wrap
      3. ‘I accept’
    13. Personal Identification Number (PIN) and password
    14. Typing a name into an electronic document
      1. Acts by a lawyer as agent
      2. Interest in real property
      3. Loan of money
      4. Employment
      5. Contract
      6. Guarantees and debt
      7. Public administration, the judiciary and the police
      8. Statute of Frauds
      9. Wills
      10. Constitution of a legal entity
      11. Amending boilerplate contractual terms
    15. The name in an email address
      1. Limitation Act 1969 (NSW)
      2. Statute of Frauds
      3. Legal fees arrangement
      4. Civil Law Act
    16. A manuscript signature that has been scanned
      1. Mortgage redemption
      2. Writing
      3. Employment
    17. Biodynamic version of a manuscript signature
      1. Electoral register
      2. Contract formation
    18. Digital signatures
      1. Technical overview of digital signatures
      2. Algorithms and keys
      3. Control of the key
      4. Disguising the message
      5. Public key infrastructure
      6. Difficulties with public key infrastructure
      7. Authenticating the sender
      8. The ideal attributes of a signature in electronic form
      9. Methods of authentication
      10. Types of infrastructure for asymmetric cryptographic systems
      11. Management of the key and certificate
      12. The duties of a user
      13. Internal management of a certification authority
      14. Barriers to the use of the public key infrastructure
      15. Risks associated with the use of digital signatures
      16. What a digital signature is capable of doing
      17. What no form of electronic signature is capable of doing
      18. The weakest link
      19. The burden of managing the private key
      20. Evidence and digital signatures
      21. ‘Non-repudiation’
      22. Certifying certificates
      23. The burden of proof
      24. The recipient’s procedural and due diligence burden
      25. The sending party: the burden of proof of security and integrity
      26. Burden of proof – the jitsuin
      27. Burden of proof – summary
  20. 8. Encrypted data
    1. Encryption
    2. Methods to obtain encrypted data
      1. Breaking the encryption without obtaining the key
      2. Obtaining the key
    3. Compelling disclosure in England and Wales
      1. Protected information
      2. Notice requiring disclosure
      3. Obligations of secrecy and tipping off
      4. Circumventing the procedure
    4. The privilege against self-incrimination
      1. England and Wales
      2. The USA
      3. Canada
      4. Belgium
    5. Concluding observations
  21. 9. Proof: the technical collection and examination of electronic evidence
    1. Accreditation of the digital forensics discipline
    2. Guidelines for handling digital evidence
    3. Handling electronic evidence
      1. Identifying electronic evidence
      2. Gathering electronic evidence
      3. Gathering of data following legal retention or reporting obligations
      4. Copying electronic evidence
    4. Forensic triage
      1. Preserving electronic evidence
    5. Analysis of electronic evidence
      1. Tools
      2. Traces of evidence
    6. Reporting
    7. Analysis of a failure
    8. Anti-forensics and interpretation of evidence
      1. Data destruction
      2. Falsifying data
      3. Hiding data
      4. Attacks against computer forensics
      5. Trail obfuscation
    9. An intellectual framework for analysing electronic evidence
    10. Conclusions and future considerations
  22. 10. Competence of witnesses
    1. The need for witnesses
    2. Separating data reliability from computer reliability
    3. Lay experts as witnesses
    4. Qualification of witnesses
  23. Appendix 1: Draft Convention on Electronic Evidence
  24. Appendix 2: Cumulative vignettes
  25. Index

10

Competence of witnesses

Stephen Mason and Lynne Townley

The need for witnesses

10.1 Concern is sometimes expressed over the competence, knowledge and qualifications of the witness giving evidence as to the trustworthiness of digital data as evidence. In Wood (Stanley William), the Lord Chief Justice explained this as follows:

This computer was rightly described as a calculating tool. It did not contribute its own knowledge. It merely did a sophisticated calculation which could have been done manually by the chemist and was in fact done by the chemists using the computer programmed by Mr. Kellie whom the Crown called as a witness. The fact that the efficiency of a device is dependent on more than one person does not make any difference in kind. Virtually every device will involve the persons who made it, the persons who calibrated, programmed or set it up (for example with a clock the person who set it to the right time in the first place) and the person who uses or observes the device. In each particular case how many of these people it is appropriate to call must depend on the facts of, and the issues raised and concessions made in that case.1

Stephen Mason and Lynne Townley, ‘Competence of witnesses’, in Stephen Mason and Daniel Seng (eds.), Electronic Evidence and Electronic Signatures (5th edn, University of London 2021) 488–499.

1(1983) 76 Cr App R 23 at 27.

10.2 The complexity of a computer, whatever the nature of the device (whether a hand-held device or a mainframe computer), will give rise to issues of authentication, but a wider range of challenges may also be raised:

1. There may be a question about the accuracy or otherwise of the human input. Where the accuracy of the information is challenged, two factors will be pertinent: whether the human beings responsible for inputting the information entered the correct information; and, regardless of the conclusions reached in answering the first point, whether the software harboured an error or a malicious code that acted to change the information that was entered by humans. In the first instance, evidence from those that were responsible for entering the data, if they can be found, will need to be called. In the second instance, the evidence of a suitably knowledgeable digital evidence professional or a suitable technician who is highly familiar with the system will be necessary.

2. The ‘reliability’ of the underlying operating system and application software may be at issue. This is a separate question to the first type of challenge, and will require a witness with different skills to the witnesses required in the first example. Here, it may be necessary to call the manufacturer of the hardware, or the developer of the operating system or application, or failing that, an expert in the specific operating or application software.

3. The mechanisms developed to ensure a system operates properly and efficiently may be at issue. A good example is that of bank ATMs. It is a notorious fact that attacks on ATMs are successful without the use of the card issued to the customer. Because these systems are subject to outward-facing threats, the range of experts will be wider when challenges of this nature are made, and will include experts who work in a bank as well as experts who are familiar with the weaknesses of bank ATM systems.

10.3 The precise nature of the evidence to be given will be governed by the nature of the challenge by the defence in any one case. The observations made by the Lord Chief Justice in Wood (Stanley William) were later elaborated by Steyn J, as he then was, in R v Minors, specifically including an observation underlying the rationale for admitting such evidence without adding to the burden of the prosecution:

The law of evidence must be adapted to the realities of contemporary business practice. Mainframe computers, minicomputers and microcomputers play a pervasive role in our society. Often the only record of a transaction, which nobody can be expected to remember, will be in the memory of a computer. The versatility, power and frequency of use of computers will increase. If computer output cannot relatively readily be used as evidence in criminal cases, much crime (and notably offences involving dishonesty) will in practice be immune from prosecution. On the other hand, computers are not infallible. They do occasionally malfunction. Software systems often have ‘bugs’. Unauthorised alteration of information stored on a computer is possible. The phenomenon of a ‘virus’ attacking computer systems is also well established. Realistically, therefore, computers must be regarded as imperfect devices.1

1R v Minors (Craig), R v Harper (Giselle Gaile) [1989] 1 WLR 441 at 443.

Separating data reliability from computer reliability

10.4 In the case of R v Minors, the appellant tendered a passbook with false entries purporting to show there was more money held in the account than the £1 that was actually recorded. An auditor, a member of the audit investigation department of the Alliance and Leicester Building Society who had 14 years’ relevant experience and regularly worked with the particular computer, produced the computer record of the complete history of the appellant’s account. The last four (forged) entries in the account book were not recorded in the computer printout. The evidence of the computer printout was relevant to the question whether there was, in fact, a balance of only £1 in the account. For technical reasons that no longer apply, it was held that the evidence of the building society auditor was wrongly admitted under the provisions of the Police and Criminal Evidence Act (PACE) 1984 that prevailed at the time.

10.5 In this case, it is pertinent to note that the auditor was properly qualified to testify as to the ‘reliability’ of the computer. However, it is suggested that the ‘reliability’ of the computer was not in issue in this case. The issue was whether the information entered into the computer was accurate, and if so, how the accuracy or otherwise of the information could be proved. The ‘reliability’ of the computer was a separate issue. All the auditor would be doing in such circumstances was to provide evidence as to how the information was transcribed from the passbook to the computer, and whether the methods used by the building society were capable of providing the assurance that the information was accurate.

10.6 In the case of R v Harper,1 it was alleged that the appellant presented a stolen Capital Card when travelling on a London Transport bus. The relevant sequence of events were as follows. In February 1985 a batch of cards were stolen at Alexandra Palace railway station; appropriate entries were made by an employee in the ‘Lost Book’ at the station; the relevant entries were transferred to a computer belonging to British Rail at King’s Cross railway station, and the entries were further transferred from this computer to a computer at Waterloo railway station owned by London Regional Transport. At trial, the prosecution relied on a computer printout from the Waterloo computer to show that the card was stolen. The printout was produced by a revenue protection official who worked at Baker Street station. The judge admitted the evidence, but it was held on appeal that it was incorrect to do so because the witness could not, from her own knowledge, testify to the ‘reliability’ of the computer, and also that the requirements of s 68 of PACE 1984 had not been satisfied.2

1R v Minors (Craig), R v Harper (Giselle Gaile) [1989] 1 WLR 441, [1989] 1 All ER 208, [1988] 12 WLUK 161, (1989) 89 Cr App R 102, [1989] Crim LR 360, (1989) 133 SJ 420, [1989] CLY 546.

2Section 68 of the Police and Criminal Evidence Act 1984 was repealed by the Criminal Justice Act 1988, Schedule 16.

10.7 This decision must be right. However, it is suggested that the ‘reliability’ of the computer was not relevant given this set of facts. The fatal problem in this instance was a break in the continuity of evidence, because the ‘Lost Book’ held at Alexandra Palace railway station was missing at the time of the trial. The witness may have been competent to give evidence of the procedures used to register and disseminate the knowledge of the loss of Capital Cards. However, on these facts, because there were so many separate connections in the chain, the prosecution ought to have obtained evidence from each person responsible for the process by which lost or stolen cards were brought to the attention of the relevant authority, and how the information was disseminated.1

1See ‘Evidence obtained from a computer’ (1992) 56 Journal of Criminal Law 44 for a comparison between Minors and Shephard and ‘touching wood’; Colin Tapper, ‘Reform on the law of evidence in relation to the output from computers’ (1995) 3(1) Intl J L & Info Tech 85. In Odex Pte. Ltd. v Pacific Internet Ltd [2007] SGDC, rev’d on other grounds, [2008] SGHC 35, [2008] 3 SLR 18, the lawyers could not even identify the correct person to prepare a witness statement; George Wei, ‘Pre-commencement discovery and the Odex litigation: copyright versus confidentiality or is it privacy?’ (2008) 20 SAcLJ 591; and Daniel Seng, ‘Evidential issues from pre-action discoveries: Odex Pte Ltd v Pacific Internet Ltd’ (2009) 6 Digital Evidence and Electronic Signature Law Review 25.

Lay experts as witnesses

10.8 In the case of R v Spiby (John Eric),1 the defence argued, unsuccessfully, that the sub-manager of a hotel could not discharge the burden under s 69 of PACE 1984 to show that the computer was working ‘properly’. It was submitted that only a service engineer or an expert on the use of the particular computer system would have been able to say whether the machine was working ‘correctly’.2 Taylor LJ agreed with the decision of the trial judge, and considered that the positive evidence of the sub-manager that the device was working was sufficient in this instance. This cannot be correct. Only a service engineer or a suitably qualified professional with knowledge of the particular computer system would be in a position to determine whether the device was working ‘properly’. The sub-manager was only competent to give evidence of his reliance on the output of the device for the purpose of submitting a record of the telephone calls made from particular extensions in the hotel and recorded by the machine – that is, for the purpose of billing customers for the calls made. An assertion that the output is considered reliable because the hotel relies on the output of the device does not prove the device is ‘reliable’. These are separate questions.

1[1990] 3 WLUK 150, (1990) 91 Cr App R 186, Times, 16 March 1990, Independent, 2 April 1990, Daily Telegraph, 30 March 1990, [1990] CLY 785. See Solomon E. Salako ‘R v Spiby Revisited’ (1991) 1(1) LTJ 29.

2Colin Tapper, ‘Evidence from computers’ (1974) 8 Georgia Law Review 562, 595. Professor Tapper noted, at fn 193, 596, that ‘An interesting trial dilemma regarding foundation testimony is that too much of a showing of error control may cause a jury to find the system so fraught with error that the system would be presumed to be unreliable, while too little testimony on that matter would cause a similar result’. Unfortunately, it does not follow that the latter result occurs.

10.9 Compare this case with the decision in United States of America v Linn.1 A computer printout of telephone calls was admitted into evidence. The appellant argued that the printout was not admissible because it was an untrustworthy record generated by a computer. The appellant suggested that the Director of Communications of the Sheraton hotel ‘did not understand the distinctions between “menus”, “data bases”, and computer “code”, she was “confused and inadequately trained”, and thus without personal knowledge of the way in which the computer printout was generated’.2

1880 F.2d 209 (9th Cir. 1989).

2880 F.2d 209 (9th Cir. 1989) at 216.

10.10 No evidence was offered to indicate why the content of the printout was considered to be unreliable or why it was relevant that the witness failed to understand how the printout was generated. Beezer CJ rejected the submission as frivolous. He pointed out that the telephone record was generated automatically and it was retained in the ordinary course of business; thus such records were considered business records under the relevant Federal Rules of Evidence.

10.11 In this case, two separate issues were conflated: first, the witness was not an expert witness and therefore not qualified to give the evidence, and second, the witness failed to understand the underlying working of the computer that produced the printout. If the ‘reliability’ of the computer was in issue, the appellant ought to have alleged the content of the printout could not be trusted, and have given sufficient reasons for the burden to fall to the prosecution to demonstrate the computer was working correctly.

10.12 It was not considered necessary for a computer expert to provide evidence that a till roll connected to a computer was ‘working properly’ in R v Shephard (Hilda)1 under the provisions of s 69 of PACE 1984. The oral evidence of a store detective, who demonstrated how the prices of goods were added to the till roll, was considered sufficient by the members of the Court of Appeal and the House of Lords. It should be noted that the store detective was only capable of demonstrating the method by which the prices of goods were added to the till, not whether the software accurately replicated the list of goods purchased. In giving judgment in the Court of Appeal, Lloyd J said of the evidence given by the store detective:

On the evidence in the court below in the present case, there was no doubt about the functioning of the computer. Mrs. McNicholas who gave detailed evidence as to how the cash tills worked, and explained the link with the central computer, was asked in chief

‘Q. And what about the master computer? Did that malfunction?

A. Touch wood, no. I have never known it break down since we have had it.’

She was not cross-examined on the point. In addition, she has spent, as we have said, many hours examining the particular till rolls. She would have been the first to notice if there had been any internal evidence of malfunction. In those circumstances it was legitimate for the court to infer that the computer was operating properly.2

1[1993] AC 380, [1993] 2 WLR 102, [1993] 1 All ER 225, [1992] 12 WLUK 273, (1993) 96 Cr App R 345, (1993) 157 JP 145, [1993] Crim LR 295, (1993) 143 NLJ 127, (1993) 137 SJLB 12, Times, 17 December 1992, Independent, 21 January 1993, [1993] CLY 636 (spelt ‘Shepherd’ in All ER and Crim LR); but see the highly relevant comments in ‘Evidence obtained from a computer’ (1992) 56 Journal of Criminal Law 44 in comparing the decision in this case against the decision in R v Minors (Craig), R v Harper (Giselle Gaile) [1989] 1 WLR 441; ‘Admissibility of computer print-outs’ (1993) 57(3) Journal of Criminal Law 277.

2R v Shephard (1991) 93 Cr App R 139 at 143.

10.13 In rejecting the need for a computer expert to sign a certificate where oral evidence has been given that was open to cross-examination, Lord Griffiths offered the following comments in the House of Lords:

Documents produced by computers are an increasingly common feature of all business and more and more people are becoming familiar with their uses and operation. Computers vary immensely in their complexity and in the operations they perform. The nature of the evidence to discharge the burden of showing that there has been no improper use of the computer and that it was operating properly will inevitably vary from case to case. The evidence must be tailored to suit the needs of the case. I suspect that it will very rarely be necessary to call an expert and that in the vast majority of cases it will be possible to discharge the burden by calling a witness who is familiar with the operation of the computer in the sense of knowing what the computer is required to do and who can say that it is doing it properly.1

1[1993] AC 380 at 387 B–D; followed in Public Prosecution Service v McGowan [2008] NICA 13, [2009] NI 1.

10.14 Lord Griffiths went on to say:

The computer in this case was of the simplest kind printing limited basic information on each till roll. The store detective was able to describe how the tills were operated, what the computer did, that there had been no trouble with the computer and how she had also examined all the till rolls which showed no evidence of malfunction either by the tills or by the central computer.1

1[1993] AC 380 at 387E; the Crown Prosecution Service cites this decision by the House of Lords as if a lay person has any knowledge of the complexities of a computer system: ‘The House of Lords has held that a store detective is competent to produce till rolls produced by a store’s computer where the store detective was familiar with the operation of the tills and can say that the store had no difficulties caused by the operation of the computer’, https://www.cps.gov.uk/legal-guidance/computer-records-evidence.

10.15 Dr Stephen Castell was engaged as an expert witness in litigation regarding a major electronic point of sale computer system for a national retailer in 1994, and he remarked that a centralized computer connected to remote tills in store branches is far from being a computer of the simplest kind.1

1‘Letter to the Editor’, Computer Law and Security Report (May–June 1994), 158.

10.16 At the same time as this case was being heard in England, the Court of Appeals of Nebraska heard an appeal in the case of State of Nebraska v Ford.1 The appellant was convicted of theft from hotel rooms. The hotel used a system controlled by a computer, by which both those staying at the hotel and members of staff gained entry to a room by way of a card with machine-readable code. A number of thefts from rooms were linked to the recorded use of a card issued to Ford. When challenged, Ford admitted to being in the rooms at the time, but not to theft. The prosecution adduced the business records under the hearsay exception, which provides that the evidence can be admitted if the activity recorded is of a type that regularly occurs in the course of the day-to-day activity of the business; and the record was made at or near the time of the events recorded, and the record is authenticated by a qualified witness. The defence challenged the qualifications of the witness, Glenda Willmon, the general manager of the hotel, who explained how the system worked. Connolly J, who gave the judgment for the court, rejected the submission by the defence that the witness was not suitably qualified. The judge said that it did not matter whether the witness could discuss the components or engineering principles of the computer.2 This must be right. Unless there is a challenge to the accuracy of the evidence tendered that results from a computer or computer-like device, it does not necessarily follow that a person familiar with a computer system cannot give evidence of the output of the system.

1501 N.W.2d 318 (Neb.App. 1993).

2501 N.W.2d 318 at 321.

10.17 The view that an expert is not always required to attest to the proper working of a computer was repeated in Darby (Yvonne Beatrice) v DPP.1 In this case, a police constable operating a speed-measuring device testified to the proper operation of the device, even though the device acted to corroborate his own testimony. In undertaking this task, the police constable merely outlined how the device was used, not whether it was accurate. Similarly, in R. v Dean (Jeanette), R. v Bolden (Robert Allen),2 Lt Cdr Quigley, a Maritime Law Enforcement and Liaison Officer at the Department of State, contacted the Coast Guard Command Center at US Coast Guard headquarters in Washington, DC to request a search of the vessel Battlestar. A search was made of the Marine Safety Information System, which was a database containing information on all US vessels. The Command Center also searched the databases of four coast states, and no record of this vessel was found. One ground of appeal centred on the submission that there was no evidence from the people who carried out the searches and the computers were operating properly, and as a result, the evidence was not admissible under s 69 of PACE 1984. The members of the Court of Appeal disagreed. It was considered that Lt Cdr Quigley could give evidence of the ‘reliability’ of the computers, because there were no reported problems with the databases, and searches on three separate occasions for the same name failed to bring up the name of the vessel. Dyson J gave judgment, and commented that: ‘the fact that searches on three separate occasions produced the same result provided strong support for the conclusion that the computers were operating properly on each occasion.’3

1[1994] 10 WLUK 343, [1995] RTR 294, (1995) 159 JP 533 (DC), Times, 4 November 1994, [1994] CLY 674.

2[1998] 2 WLUK 562, (1998) 2 Cr App R 171, [1998] CLY 984.

3(1998) 2 Cr App R 171 at 178E.

10.18 This conclusion ought to be reconsidered: the proposition should be that the database was searched on three occasions, and the failure to find an entry for the vessel enables the conclusion to be reached that the name of the vessel was not on the database.1 This is a different issue to whether the computer was ‘working properly’, or in preference, returning verifiably correct results: the computer may not have been working completely to the expectation of the user, because it might have had any number of problems that did not necessarily affect the effectiveness of the search facility. The effectiveness of the search of the database can be independent of the ability of the computer to return generally verifiably correct results. If the ‘reliability’ of the computer is challenged, it must be necessary to provide a reasonable basis upon which the claim is made, and there ought to be some evidence proffered to demonstrate that the results produced by the computer might be so unreliable as to affect the output used in evidence.

1R. (on the application of Sedgefield BC) v Dickinson [2009] EWHC 2758 (Admin), [2009] 10 WLUK 317, where a search of a database failed to reveal evidence of an entry, but this was insufficient to prove that the notification of a change of circumstances had not been received.

Qualification of witnesses

10.19 Where there is a reason that the content of the computer printout cannot be trusted, then the qualifications of the witness will be relevant, because of the nature of the evidence they will be required to give and be cross-examined upon. The degree of expertise required from a witness will vary according to the problem encountered. In DPP v Barber,1 the first two characters of each line on the printout were missing, although the accuracy of the information recorded on the printout was not affected. However, the magistrate declined to hear the evidence of a service engineer who was able to explain the nature of the problem because he was not a computer expert, and the evidence of what he had seen at a later date was not relevant to the state of the device at the time the printout was produced. The appeal was allowed because the evidence of the service engineer should have been received. This must be right, given that an ancillary part of the device was apparently not working properly, and the defect did not affect the accuracy of the data.

1[1998] 5 WLUK 294, (1999) 163 JP 457, [1999] CLY 886; ‘Effect of intoximeter’s defects’ (1999) 63(6) Journal of Criminal Law 527.

10.20 The two issues are further illustrated in R v Neville,1 where the Crown sought to adduce evidence of a computer printout showing telephone calls made on Neville’s mobile telephone in connection with the hiring of a tractor unit and the employment of a driver to transport a large quantity of stolen hi-fi equipment. The mobile telephone was hired from Talkland, a subsidiary of ICL. A different company, Racal, undertook the telephone operations. The software in the Racal computer issued instructions to record the date, time and duration of each call automatically, and these details were passed on to Talkland. The computer belonging to Talkland included software code that enabled it to produce an itemized bill for their customers. When the bill was paid, the printout was stored on microfiche. The Crown sought to adduce the microfiche into evidence (or, presumably, a printout of the contents recorded on the microfiche), and the judge admitted it after a trial within a trial. The Crown then called a witness, an employee of Talkland with no apparent qualifications, to give evidence that she had checked all relevant records and had no reason to believe that the telephone bill was inaccurate because of any improper use of either of the computers involved, including the Racal computer. She also stated that the computer at her place of work was working properly so far as her enquiries led. This cannot be correct. The witness might have had the competence to give evidence of the procedures within her knowledge to provide for the accuracy of billing information at Talkland,2 but was in no position (not being competent) to offer evidence of any material substance that the computers at Talkland were working properly, and certainly not in a position to offer the same evidence relating to the procedures at Racal, nor as to whether the computer belonging to Racal, of which she had no knowledge, never mind expert knowledge, was working properly.

1[1990] 11 WLUK 143, [1991] Crim LR 288, [1991] CLY 623.

2The evidence can be admitted under the provisions of s 117 of the Criminal Justice Act 2003.

10.21 Knowledge that is obtained from experience at work in the absence of formal qualifications is acceptable.1 However, it is not helpful when a police officer is entrusted to conduct a forensic examination of a mobile telephone without the relevant knowledge or expertise, as in R v Coultas (Kiera),2 or where a mobile telephone analyst provides evidence that is tantamount to expert evidence where the members of a jury are presented with the appearance of cell site analysis, and then invited to infer facts without any of the technical knowledge required to substantiate any conclusions.3 The degree of expertise required of a witness was the subject of the appeal in R. v Stubbs (Paul Matthew).4 The appellant was convicted of conspiracy to defraud, in that he was involved in fraudulent money transfers from HSBC Bank of around £11.8 million. The fraudulent activities were carried out using an online banking system called Hexagon. The appellant was a member of the password reset team, responsible for resetting customer passwords. The prosecution called Mr Richard Roddy, an employee of HSBC, to give evidence of the Hexagon system. Mr Roddy was not the only witness called to provide evidence of an expert nature. The defence objected at trial to the admissibility of parts of Mr Roddy’s evidence on the basis that he lacked the expertise and independence to give expert opinion on the matters in question. It was accepted that he could give evidence about the processes within HSBC and the manner in which the system was designed to operate. However, it was contended that his detailed account of the actual activity within the system at the material times amounted to inadmissible opinion evidence. Following a trial within a trial, the judge ruled Mr Roddy’s evidence to be admissible and declined to exclude it under s 78 of PACE 1984 or article 6 of the European Convention on Human Rights. The grounds of objection are set out in the judgment of Richards LJ:

48. Of particular importance was Mr Roddy’s evidence that the activity reports all related to the same session, which had the reference number ‘CC000051’ and had been registered to the staff delegate identification PWRD on the morning of 24 July 2002. A session number would be allocated upon a user’s log-on at a particular terminal. If all the transactions took place within one continuous session and there were legitimate transactions admittedly carried out by the appellant during that session just before and just after the illegitimate transactions, the prosecution could argue with force that the illegitimate transactions must have been carried out from the same terminal; and this also provided strong support for the argument that they must have been carried out by the appellant.

49. Mr Winter submitted that Mr Roddy did not have the expertise to give such evidence that the activity reports all related to a single session. The fact that they had the same number did not mean that it was a single session. There was evidence from the admitted expert, Mr Danbury, that concurrent log-ons (so as to target and hijack a live session) were not possible; but that left open the possibility of non-concurrent log-ons to the system under the same session number. This was something that Mr Roddy had not investigated and did not have the technical qualifications to investigate or to answer questions about.

50. Among the various points made by Mr Winter were these:

i) The activity reports themselves do not show when log-ons and log-offs occurred. For example, they do not show the undoubted log-off by the appellant at about 17.20. This leaves open the possibility that he had previously logged off at about 17.00, just before the illegitimate activity.

ii) There was no evidence about the appellant’s log-on in the morning. Further, although Mr Roddy said that the computer timed out if the session was idle for a period, the evidence was not clear as to how long it needed before a timed log-off occurred. One would have expected a timed log-off when the appellant left the computer at lunchtime, but there was nothing to show whether there had been a log-off followed by a fresh log-on by the appellant after lunch. In short, there was simply no evidence about when or how the appellant’s CC000051 session was created.

iii) Mr Roddy gave evidence that, once a session ended, the next session would not be given the same number again: the number reverted to a pool of numbers available to be allocated by the computer to new sessions. He said in cross-examination that there was a 1 in 100,000 chance of it being reallocated to a different session on the same day. Yet there was evidence of three instances the previous day in which session numbers had been reallocated to other sessions after discontinuance of the session to which they were originally allocated. Mr Roddy was unable to say how this could have happened.

iv) There were other pointers to the illegitimate activity having been carried out by someone other than the appellant. The illegitimate activity involved a random attack on five companies beginning with the letter ‘A’, whereas the appellant would have known or could have discovered the primary delegate identification for all the companies and would not have needed to do things in this way. Moreover, on two occasions in the course of the illegitimate activity the user deployed a shortcut that was never used by the appellant in the course of his legitimate transactions. The vulnerability of the system to attack by members of staff was illustrated by the fraud perpetrated by Mr Kareer earlier the same year, involving as it did the use of other people’s terminals in their absence.5

1R. v Oakley (Trevor Alan) [1979] 6 WLUK 43, (1980) 70 Cr App R 7, [1979] RTR 417, [1979] Crim LR 657, [1979] CLY 458, where a police officer, with 15 years’ experience in the traffic division, attended and passed a course as an accident investigator, having attended over 400 fatal road traffic accidents; R. v Murphy (William Francis) [1980] 3 WLUK 64, (1980) 71 Cr App R 33, [1980] RTR 145, [1980] Crim LR 309, (1980) 124 SJ 189, [1980] CLY 2295, where a police officer offered an opinion as to the nature of a collision.

2[2008] EWCA Crim 3261, [2008] 9 WLUK 352.

3R. v Turner (Andrew Neil) [2020] EWCA Crim 1241, [2020] 9 WLUK 308. On similar facts, a differently composed Court of Appeal determined the position correctly in R. v Calland (Sean Thomas) [2017] EWCA Crim 2308, [2017] 12 WLUK 706. (For some inexplicable reason, Calland was not cited in Turner.) On cell site analysis, see Matthew Tart, Iain Brodie, Nicholas Gleed and James Matthews, ‘Historic cell site analysis – overview of principles and survey methodologies’ (2012) 8(3–4) Digital Investigation185; R. P. Coutts and H. Selby, ‘Problems with cell phone evidence tendered to “prove” the location of a person at a point in time’ (2016) 13 Digital Evidence and Electronic Signature Law Review 76; Reg Coutts and Hugh Selby, ‘“Mobile ping data” – metadata for tracking’ (2017) 14 Digital Evidence and Electronic Signature Law Review 22; Matthew Tart, Sue Pope, David Baldwin and Robert Bird, ‘Cell site analysis: roles and interpretation’ (2019) 59(5) Science & Justice 558; Matthew Tart, ‘Opinion evidence in cell site analysis’ (2020) 60(4) Science & Justice 363.

4[2006] EWCA Crim 2312, [2006] 10 WLUK 328.

5[2006] EWCA Crim 2312 at [48]–[50], original emphasis.

10.22 In reaching the decision to admit the evidence, the trial judge applied the tests in R v Bonython.1 Richards LJ agreed that it was not in dispute that the first test was satisfied, because the Hexagon system was a subject for expert testimony, and he went on to say, of the second question:

In our judgment he was also right to give an affirmative answer to the second question, holding that Mr Roddy had acquired sufficient knowledge of the subject to render his opinion of value in resolving the issues before the court concerning the operation of the Hexagon system. This was an assessment properly made after hearing Mr Roddy’s evidence on the voir dire. The extent of Mr Roddy’s experience of the Hexagon system, as summarised above, enabled him to give valuable assistance on the interpretation of the data taken from the central computer and set out in the activity reports. It was accepted that he was not an IT specialist in any wider sense and that his technical knowledge of the system was limited. But this did not preclude his being regarded as an expert to the extent indicated by the judge.2

1[1984] SASR 45.

2R. v Stubbs (Paul Matthew) [2006] EWCA Crim 2312 at [55]. For how courts consider the qualifications of experts, see Sean E. Goodison, Robert C. Davis and Brian A. Jackson, Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence (RAND Corporation 2013), 13, and Peter Sommer, ‘Certification, registration, assessment of digital forensic experts: the UK experience’ (2011) 2(1) Digital Investigation 98.

10.23 The members of the jury were informed of the limitations in the evidence that Mr Roddy was able to give, and it was a matter for them to determine whether they should accept and place weight on his evidence. It was submitted that Mr Roddy’s evidence went to admissibility because he was an employee of HSBC and represented the victim of the fraud, and therefore he was not an independent witness. The court rejected this submission. Expertise and independence are separate issues, and it was pointed out that although he made a concession to his lack of objectivity, no attention was given to any feature of his evidence that would support a case of conscious bias or lack of objectivity. Richard LJ indicated:

In any event it was a matter for the jury to determine whether there was any conscious or unconscious bias or lack of objectivity that might render his evidence unreliable. This was, as the judge said, a matter going to weight rather than admissibility. The circumstances did not warrant a refusal by the judge to admit the relevant parts of Mr Roddy’s evidence at all.1

1[2006] EWCA Crim 2312 at [59]. In England and Wales, both the Civil Procedure Rules 2020, part 35 and the Criminal Procedure Rules 2020, part 19 make provision for a single joint expert in certain circumstances. Therefore, there is an onus on the parties to agree expert evidence where they can. For an analysis of the potential problems with this, see Peter Sommer, ‘Meetings between experts: a route to simpler, fairer trials?’ (2009) 5(3–4), Digital Investigation 146.

10.24 The technical evidence offered by Mr Roddy was not the only evidence of relevance that was led by the prosecution. There was supporting evidence for the prosecution case, for instance: the appellant left the building sometime after 17.00 and returned at 17.27. He claimed he returned to collect his umbrella and that it had been raining, yet the evidence from a CCTV located outside an office a few minutes away from the entrance revealed it was bright and sunny at the material time. The appellant also failed to produce relevant paperwork authorizing the change in passwords, lied during his internal interviews and the evidence he gave to the police when questioned was also inconsistent.

10.25 In addition to the evidence of Mr Roddy, the prosecution also called a Mr Alan Danbury, a computer expert who had been responsible for introducing the system into the UK in the early 1990s, and the manager of the support team until he retired in 2004. During the trial within a trial, the judge also heard evidence from a witness for the defence, a Mr Michael Turner. Mr Turner was not able to provide a report because of a lack of information for a variety of reasons, as set out by Richards LJ:

the appellant’s workstation had not been retained or imaged; there was no computer running the 2002 version of the Hexagon system which could be analysed; he had been provided with no information as to how the HSBC computers operated or produced the audit logs relied on by Mr Roddy; and he did not have the underlying data from which he could safely reach any conclusion.1

1[2006] EWCA Crim 2312 at [44].

10.26 These comments highlight the problems faced by the defence in attempting to elicit cooperation with the victim when legitimate questions need to be investigated to enable the cross-examination of prosecution witnesses to undermine the evidence they give. This is a particular problem when challenging a bank, because the defence has a legitimate interest in challenging the ability of a particular system to withstand an attack or an attempt at subversion. Conversely, the bank cannot, when confronted with evidence that fraud may have taken place, suspend the operation of the system or disrupt it in such a way as to cause it to stop working, no matter how short a time it would take. If a bank were required to pay more attention to the gathering of forensic evidence at a sufficient standard to satisfy criminal proceedings, then they, together with other organizations that may suffer similar attempts, will either be obliged to train employees, or call in suitably qualified experts to conduct an investigation at the time the suspicion is raised. Apart from the added cost and the marginal utility of taking such steps, the victim must decide at the time suspicion is raised whether the integrity of the system will be at issue, which in turn requires the victim to have hindsight of the future challenges.

10.27 In this case, a balance had to be struck between adducing evidence of the system and how it operated within the knowledge of the person responsible for it at the bank, and whether it was necessary to require a more in-depth analysis from a person expert in the relevant system. The dividing line between the need for an expert in the operation of the computer system to give evidence, and the evidence of someone who is familiar with the day-to-day operation of the system is a fine one, and it will depend on the nature of the case as to whether one expert is to be preferred over another.1 In many cases, as this particular prosecution illustrates, the expert evidence, both internal and external, will not be conclusive. The members of the jury can be appraised of the conflicting technical evidence, and will then be required to consider the technical evidence against the other evidence in reaching their decision. In this instance, it can be argued that the technical evidence, which was not conclusive, was supported by the inconsistencies in the appellant’s behaviour.

1In RTA v McNaughton [2006] NSWSC 115, a witness was not permitted or sufficiently expert to give evidence of the position a vehicle was in at the material time.

10.28 Arguably, there is a distinction between the competence, knowledge and qualifications of a witness tendered to give evidence of the trustworthiness of evidence in digital data. If the defence challenges the accuracy of the evidence, it will be necessary to call a witness with relevant competence, knowledge and suitable qualifications to give evidence. The decision in the case of R v Shephard must be right, but not because of the rationale offered by the members of the House of Lords. The defence did not challenge the truth of claims made by the witness, only the qualifications of the witness to testify. From the law reports, it appeared that the witness had sufficient knowledge to offer the evidence he did. Had the defence challenged the system that the till roll was connected to, and questioned whether the entire system was trustworthy, including what, if any, errors had been found in operating it across a number of shops connected to a central server, then the witness would not have been competent or qualified to give evidence.

Annotate

Next Chapter
Appendix 1
PreviousNext
All rights reserved
Powered by Manifold Scholarship. Learn more at
Opens in new tab or windowmanifoldapp.org