Four years ago in these pages I wrote an article about the challenges of managing evidence from computer devices of all kinds. Now I get an invitation to do an update – and I have been surprised to realise how much has changed.
The earlier article had begun with the demographics of computer ownership and usage, the key reason why digital evidence now appears in a very wide range of civil and criminal cases, not necessarily as the central focus but as an essential element. Everywhere an individual goes, extensive digital footprints are being created; all can become evidence and, if not, may need to be disclosed. Digital evidence can show actions, intentions, indications of research, even the physical movements of individuals over time. The abundance of potential digital evidence presents opportunities for lawyers – the possibility of much detail about a sequence of events – but also a number of challenges: the material has to be located, formally and safely acquired, preserved, analysed, properly interpreted and then presented in palatable form to a court. Often several different strands have to be brought together and combined with more traditional sources of evidence.
Less than a decade ago “computer evidence” was more-or-less limited to printouts of the formal transaction records of a business plus the examination of computer hard disks to recover deleted files. Parallel with the recording of events on computers directly linked to individuals are records created by third parties such as ISPs, banks, other financial institutions and many large organisations.
Typical “simple” issues are whether important emails were sent and received, allegations about forged documents, inferences that can be drawn from the way in which a computer device has been used over a specific period of interest – and in particular social media activity, web searches and browsing.
Of course there are cases where digital evidence is at the heart – in civil matters, pirated intellectual property, stolen customer databases, purloined websites. In criminal matters there is the whole arena of cybercrime – global system attacks, malware, extortion, cyber frauds, and the distribution of indecent images. But digital evidence can be peripheral though important in many other criminal matters – my own list of instructions as expert includes murders, firearms offences, “cash for crash” insurance scams, harassments, narcotics trafficking, conspiracy to defraud, terrorism, money laundering, art fraud, VAT carousels – almost every type of crime barring the opportunistic purely physical “street” type.
Demographics and the Multiple Internet Identities Problem
As in 2012, demographics provide useful pointers. Levels of easy availability of Internet access have shown only a small increase, but as we approach 90% that is only to be expected. It is the way that people get online and how much time they spend which is interesting, as it indicates where potential evidence may be located. The following figures are from Office of National Statistics and Ofcom. Smartphones have overtaken laptops as the most popular device for getting online. Two thirds of people (66%) now own a smartphone, using it for nearly two hours every day to browse the internet, access social media, bank and shop online. In 2012 it was only 39%. 54% of UK households have at least one tablet; it was only 2% in 2011. In 2005 the average Internet user spent 10 hours per week online; it is now over 30 hours. The average number of SMS text messages sent is 120.
But another consequence of this is that most Internet users have multiple Internet identities, not only several email addresses and several registrations to social media (ONS says social networking is used by 61% of adults, and of those, 79% did so every day or almost every day) but also several different devices for accessing the Internet – an office PC, a home PC (multiple PC ownership is not unusual), a tablet, at least one smartphone. There are over 90 million active mobile phone contracts, for a population of just over 60 million (there are 33 million fixed landlines, residential and business). We don’t have reliable statistics for the numbers of social media postings and messages, or for the use of other Internet-based services for exchanging messages. Police say that in a typical home raid, not one on a cybercriminal or geek, the discovery of six relevant devices is quite common. Smartphones and tablets can also be used via a wide variety of public Wi-Fi hotspots – transport hubs, coffee shops and the like, raising problems of where and how their activity can be tracked.
The multiple Internet identity problem is increasingly grave for law enforcement and the security and intelligence agencies as they try to trace the activities of individuals of interest but only slightly less so for civil litigators. The number of devices and communication routes means that the amount of material that has to be examined has significantly multiplied. And all of these devices will need to be considered to meet disclosure obligations.
Difficulties of cell phone and tablet preservation
The increased use of cellphones and tablets creates additional problems for evidence preservation. With a conventional desktop or laptop PC, preservation consists of making an exact copy (a forensic image) of the hard disk – it will contain everything of any value including the possibility to recover deleted files. But smartphones and their close relative the tablet don’t have hard disks which can be removed; the data is held in various locations on the device, and not all of these are easily accessible because the manufacturers and mobile phone companies lock them down, partly to prevent damage but also to protect their financial interests. The specialist companies that provide forensic analysis software must provide constant updates as new apps or new versions of old apps appear.
There is a further trap. Many businesses have gone the Bring Your Own Device (BYOD) route which lets employees access corporate facilities on their own smartphones and laptops. The advantage to the business is that they can now have staff availability 24 hours a day. There are some security risks but also the potential for arguments about how far an employer can demand access to what might be regarded as “private” material.
Falling Costs of Data Storage, Higher Internet Speeds
There is another multiplier which affects the amount of data that may be associated with an individual or organisation – and hence may need to be examined. The cost of data storage halves every 18 months or so. Typical domestic PCs now come with a 1000GB hard disk, an external 2000GB USB disk costs £60, a 32GB USB stick £8. Most mature PC owners will probably have several older machines as well. All may hold evidence or need to be disclosed. The data stores will be larger and go back further. The same maths applies to corporate data and the material held on such popular products as Microsoft Exchange Server.
Internet speeds have become faster; 50 Mbps is no longer unusual for domestic installations, 4G mobile is 15 Mbps. Higher speeds encourage more activity.
The effect of these multipliers is that technicians have to be able to scan ever larger quantities of data, but the speed of their ability to do so has not increased in line. Civil disclosure obligations can be addressed partly by agreements on “predictive coding” products which develop rules based on sample documents and then search the data stores for similar files. The parties agree to rely on the predictive coding product. But this is more difficult for criminal matters. Here there has been the development of “triage” products, which can automatically look for the most obvious types of evidence using specialised scripts. But they are best used as a way of pointing to devices which merit further detailed attention – from a human being.
Data from remote locations
Back in 2012, the practical problems of retrieving data from remote computers, once there was a legal basis, if access was public or by inter or ex parte order, were largely limited to getting reliable extracts from large databases and downloading entire websites.
Today that list has to include the ability to collect evidentially sound postings from a variety of social media sites and to handle “the cloud”. Social media postings may involve defamation, harassment and incitement.
For large organisations cloud-based services are an extension of age-old out-sourcing, the main differences being that facilities and capacity can be bought on an hour-by-hour as-wanted basis rather than having a fixed annual contract, and most cloud services are accessible wherever there is an Internet connection. In most civil cases access by opponents is a matter for the disclosure process.
But what has changed, particularly for individuals, is the near-ubiquitous availability of no- or low-cost consumer cloud services. Google, Microsoft, Apple and many larger ISPs offer reasonable levels of storage for nothing. Indeed the most recent versions of Word, PowerPoint and Excel point the user to Microsoft’s cloud when saving a file. The problem for litigators and investigators is to identify all the places where files may be stored, and then seek the passwords for access.
For the practitioner at the criminal bar there are further unwelcome problems. The first is the reduction in fees for publicly-funded work. More experienced digital forensics experts are, if they accept legal aid work at all, cherry-picking on the basis of technical interest rather than on defence need. Police and CPS demand competitive tenders which tend to drive those suppliers who apply to offering only the most basic and easy of assignments. Suppliers will shortly need to be certified under the Forensic Regulators’ scheme before they get work. The cost of certification is non-trivial and many are complaining that many of the boxes that need to be ticked apply more readily to DNA labs. The more skilled technicians and experts concentrate on civil work – or recognise how easily they can transfer to roles in the well-paid cyber security industry.
Streamlined Forensic Reporting[i], also being rolled out, holds the promise of shorter, simpler prosecution reports, with money saved if the defendant pleads early. But if he doesn’t, the detailed report will still have to be written and served. However, there is increased use of formal Meetings between Experts under CPR 19.6, which have the potential to save time and money; but training is needed for participants to understand the ground rules.
During 2016 it is expected that Parliament will discuss a new Investigatory Powers Bill. This will update many features and definitions within RIPA and also put on a statutory footing law enforcement and Agency powers to carry out “equipment interference”, hacking. “EI” has become more important now that interception is less productive as a result of the easy deployment of encryption – the police need to get inside computers to read the files. The protocols and Codes of Practice for law enforcement have yet to be written. There are also likely to be arguments about the extent to which government can compel companies to assist in decrypting files and data streams. Cell-site analysis is now very well-established but familiarity with how to handle IP address data is not.
I will conclude with much the same message as in my 2012 article. The potential quantities, complexity and constant novelty mean that counsel have to adapt their case management skills to anticipate the many unexpected problems that may arise in terms of the identification, acquisition, analysis, interpretation and presentation of digital evidence.
If I revisit this subject in another four years’ time I anticipate I might be talking about the Internet of Things, where very large numbers of domestic, office and industrial devices are all connected to, and controllable from, the Internet. Many examples are available now.
is Professor of Digital Evidence at Birmingham City University but earns most of his income in expert witness and consultancy work. He has just completed a role as Expert Advisor to the Lords and Commons Committee reviewing the Investigatory Powers Bill.
More details can be found at www.pmsommer.com.