Trends in digital evidence handling

May 2004 Information Security

A white paper has recently been published regarding the evidential value of e-mail. The events that led up to the publication arose from the case of R v Rowe and Bhatt (Canterbury Crown Court, UK, Feb 2003) in which it was alleged that a number of e-mails and other computer documents relied upon by the prosecution had in fact been forged.

The defence team was able to set up a simulated Internet connection and - in real time - forge e-mails that appeared identical to those produced by the prosecution. Large quantities of other computer material were also shown to have been produced up to two years after the dates on which they were claimed to have been created.

There was concern at the readiness with which the prosecution had accepted the e-mail evidence, even though it existed only on paper. There was also concern that the police investigation had not thought it appropriate to make any attempt to recover the electronic audit trail that would have been highly relevant and could easily have affected the outcome of the case. The white paper was an attempt to highlight these crucial issues relating to the production of e-mail in court and to raise the awareness of all parties in dealing with the issues of e-mail veracity.

The guidelines by which all police forces acquire, handle and present digital evidence were issued originally by the Association of Chief Police Officers (ACPO). In the absence of any statutory rules, these have become the de facto 'bible' of forensic examiners. Sadly, the original incarnation dealt almost exclusively with the acquisition of hard drives and made no mention of e-mail and other network-based digital evidence. At the conclusion of the white paper, the suggestion was made that perhaps it was time for ACPO to consider this area of evidence and include some new guidelines relating specifically to the need to capture the audit trail of e-mails.

Since the publication of the white paper, ACPO have published an updated set of guidelines, in association with the National High Tech Crime Unit (NHTCU). The document is a much more detailed affair than the previous version and is an attempt to bring the guidelines up to date in the rapidly changing world of IT.

For police eyes only

Unfortunately there are a number of current issues in the world of computer forensic evidence that do not appear to have been addressed.

The original ACPO guidelines were for police eyes only. The new version makes the concession that other bodies - such as defence experts - also have a crucial role and that the guidelines should apply to both sides of the legal process. They do nothing to clarify the fact, however, and in total they present a confusing and contradictory picture. Not only does the document contain several internal inconsistencies, it seems to fly in the face of the recently enacted Sexual Offences (Protected Material) Act 1998.

This position is perhaps best described by example: In the section entitled 'Control of Paedophile Images' under the paragraph 'defence access' the document states:

"In no circumstances is access to take place of any such material except at law enforcement premises."

And later:

"There is no defence to the making of such an image and therefore no further copy is made specifically for the use by the defence should they make such a request, the only exception is by order of the trial judge..."

In practice there are major logistical and cost implications involved in the examination of such material at police premises by defence experts. The computer forensic industry abounds with tales of police officers taking this advice to the nth degree, issuing statements such as "You cannot have access to the material", or "If you remove the hard drive I will arrest you."

The police are rightly concerned with the fact that there is no statutory defence to possession, and there is no national standard for accreditation of defence examiners to whom the police can pass such material with a clear conscience, hence some tend to err rather too heavily on the side of caution.

It is now a fundamental requirement enshrined by European Jurisprudence that each side of a contested case should have equal access to materials which could assist their argument. It seems questionable that the provisions mentioned within this article are in breach of those central principles.

The strictures are laid down in Article 6 of the European Convention on Human Rights (ECHR) and in particular Article 6(3) d which states that everyone charged with a criminal offence will have certain minimum rights, one of which is to "examine or have examined witnesses against him and to obtain the attendance of witnesses on his behalf under the same conditions as witnesses against him."

Article 6 is a fundamental right within the convention and subsequent case law has developed the mantra that a defendant in criminal proceedings must have a "reasonable opportunity of presenting his case to the court under conditions which do not place him at a substantial disadvantage vis-à-vis his opponent" (See Kaufman vs Belgium 50DR98 at 115).

A further paragraph of the ACPO/NHTCU guide states:

"The defence will not always need access to a forensic computer image."

There can be few occasions when this would be the case in practice. Much useful digital evidence is often information found in 'unused material', and given the vast quantities of data that computer hard drives hold, it is even more important that they are examined in full. Quite often in these cases, the presence of the material is not in dispute, but often the actual identity of the user or the knowledge of its presence will be. These facts can normally only be determined by a full examination of all the digital evidence as well as the more traditional brand.

At this point, the document then goes on to discuss meetings between defence and prosecution to decide whether a copy is needed, despite the previous dire warnings regarding the fact that there is no defence to the act and that it can only ever be ordered by the trial judge. There will surely be few situations in which such a copy would not be so ordered, if in the defence expert's opinion he/she respectfully informs the judge that it is necessary in order to provide the best and fairest defence.

In summary then, this will be the norm rather than the exception, and would imply an increased workload for the judiciary as the issuing of a copying order in all cases would appear to be the only way to ensure a fair defence. This is an unsatisfactory state of affairs and leaves all parties in an unnecessarily confrontational situation.

Enter the Sexual Offences (Protected Material) Act 1997. This appears to address the problem of disclosure in such cases and provides a statutory obligation to the prosecution to disclose such material to the defendant's legal representative. Its main provisions are similar to those of the Criminal Procedure and Investigation Act (1996) but it has a specific remit to deal with sensitive sexual material.

While the defendant himself is prohibited from gaining access to the material, his legal representative is permitted to do so provided that a number of conditions exist. The conditions relate to the secure storage, handling and subsequent disclosure of such material and allow the legal representative to pass the material to other parties in relation to the proceedings. This would allow a bona fide forensic examiner to then provide a full analysis and expert opinion for the defence from the familiar surroundings of his own laboratory and with all of his or her resources and reference materials ready to hand.

Would the law insist that a pathologist were only allowed to examine a body at a police station?

When considering the use of experts on behalf of the prosecution, the document suggests a number of considerations, many of which are subjective and impossible to measure in practical terms: "How skilful is the person at this particular job?" One of the considerations is that of the security of the premises at which the expert will examine the material, again suggesting that the making of copies would be necessary, as most police officers would not want their original evidence to be out of their possession. Are we to assume that the judge must order those copies too, or is it only the defence who are procedurally hamstrung?

Many private forensic examiners have a police background, but a large number do not. While they may well be experienced in court procedures, they may not always be aware that all their actions will be subject to the Human Rights Act 1998 since they will be acting as agents of a public authority. While the new ACPO/NHTCU guidelines require the police to make their experts aware of a number of issues, they are singularly silent on the Human Rights obligations.

It should be well understood that there is no escape from the net of the ECHR. Whenever one acts for a public authority - and that includes the police - one's behaviour must be European compliant. Failure to observe this necessary requirement will almost inevitably result in an abuse of process application and all the uncertainties that it may bring. It follows that 'external consulting witnesses' should, as best practice, be made aware of their absolute obligations.

Summary

It appears that the relentless pace of development has yet again outstripped those charged with dealing with IT in our legal system. We still have no clear guidelines on access to sensitive material and this will lead to an unnecessary extra burden on the courts. We still have no firm direction on the requirements for 'best evidence' in matters relating to e-mail and the Internet, leading to the possible exclusion of valid material (by either side) unless its provenance is demonstrable. It seems that ACPO and the NHTCU may need to review their latest guidelines in conjunction with private industry and the legal profession to ensure smooth and proper handling of IT evidence.




