Criminal IT: Unlocking the power of computer crime evidence

How to deal with strong encryption?
Written by Neil Barrett, Contributor

Though computer evidence now appears in many cases, UK law is not clear on how to handle all this data. Neil Barrett discusses the measures being considered - and the effect they'll have on computer crime prosecution.

There are many different ways to become a 'computer criminal'. And there are many different types of crimes for which computer evidence might become important to the prosecution or defence of a criminal charge.

The computer can be the victim, the tool or the witness to crimes of nearly every different kind. There have been murders in which mobile phone records have been admissible and relevant; and murders in which alibis have been established by purchase records, and in which motives have been established through fragments of deleted email.

There have been bullion robberies in which online map and route-finder information have been discovered; stalking and harassment cases in which the victim's computer has been plundered for information.

There have been rapes, assaults, car crimes and racial attacks; in all of these, computer records have proved vitally important to the police. And of course, this isn't counting the obvious computer crimes of hacking, fraud, copyright theft and internet paedophilia; the computer is clearly a vital source of evidence.

Police officers can no longer afford to treat the computer as a special case; crown prosecutors can no longer afford to be reluctant over presenting such evidence; and the courts themselves need to be well-prepared for the inevitable requirement to display computer material.

Naturally, each of these is considering the impact of increased computer evidence on their operation: the establishment and funding of appropriate laboratories; the selection, training and accrediting of suitable expert witnesses; and the introduction of technology into the courts. The judicial process is therefore well aware of, and apparently responding appropriately to, the requirements of computer evidence - but what of the law itself?

Given the ubiquity of computer technology, there are actually a surprisingly small number of areas in which computers are explicitly mentioned in the body of law. The Computer Misuse Act naturally discusses computers, specifically the question of unauthorised access or modification. The Data Protection Act discusses the processing, storage, display or transmission of personal data, with the assumption that computers and networks are involved. The Terrorism Act talks of interference to electronic systems; and other laws refer to computers in a slightly more tangential manner.

Perhaps the most important element, though, is the set of situations in which the question of computer-derived evidence is important - covered in laws such as the Police and Criminal Evidence Act (Pace) and the Regulation of Investigatory Powers Act (Ripa), both of which cover the situations in which information obtained can be presented as evidence to a court.

In general, information obtained fairly and lawfully can be used as evidence. In computer terms, for police criminal investigations, that fair and lawful requirement is described explicitly in guidebooks prepared under the direction of the Association of Chief Police Officers. In particular, the ACPO Good Practice Guide for computer-derived evidence details the correct handling, analysis and storage of such information so as to have the best possible chance that it will be considered admissible.

Unfortunately for law enforcement, all of these careful and practical measures, all of the consideration of presenting evidence effectively, all of the presentational technology and qualified expert witnesses - all of these elements become worthless if the computer criminal concerned has taken the obvious and simple step of encrypting their data with any one of the inexpensive (indeed, in some cases free) applications available. And at present, none of the laws takes into consideration the inevitable difficulty of this - though the original concept driving forward Ripa would have done.

Currently, there is no compulsion on a suspect to reveal the contents of an encrypted file. Pace allows officers to take away encrypted material but does not allow the officer to require the suspect to decrypt it - either directly or by revealing their pass-phrase. Of course, there are still some possible avenues of attack in this situation. Investigators can seek a warrant from the Home Secretary to allow them to plant bugs and keyboard sniffing tools so as to obtain the pass-phrase - though this is only really likely to be possible in the most serious of cases, such as terrorism or very high-value frauds. Alternatively, they can try to guess the pass-phrase, or they can try various deals and persuasive approaches to encourage the suspect to help them.

This contrasts dramatically with the situation in civil law, where a person served with a requirement to produce documents for the courts has to produce them in a form such that they are intelligible. Under civil law, therefore, the defendant cannot simply refuse to decrypt files; they have to reveal or use the pass-phrase, or face fines for contempt.

In fairness, up until now, encrypted evidence has not been a major stumbling block in prosecutions. Of course, there have been many cases in which encrypted evidence has been discovered - but most often, that encrypted information has also existed in a plain-text form elsewhere, or technical measures of various kinds have been possible. In only a handful of situations has a prosecution been wholly derailed by the presence of encrypted material. However, there is a groundswell of opinion amongst those involved in law enforcement that legal measures to respond to strong encryption are at least worth considering, even if they are found to not yet be appropriate.

The obvious question is: what kind of measures? There are some obvious possibilities. We could outlaw the use of strong encryption, making the existence of encrypted information itself sufficient evidence for a prosecution. This would be wholly unacceptable, unreasonable and inappropriate - and, worse, it wouldn't solve anything. Criminals do illegal things; why would they hesitate to use strong encryption simply because it was declared illegal? We can and should discount this possible response.

Second, we could allow the use of encryption but only those forms of encryption which are sufficiently weak or are implemented with backdoors so as to allow law enforcement to gain access. Again, this is unworkable; strong encryption is freely available and will be used. And from a security manager's perspective, why would anyone use a known vulnerable algorithm?

Third, we could allow strong encryption but require that pass-phrases (or the keys themselves) be lodged with some central, trusted escrow agent. This is an approach which has some enthusiastic advocates but the practical aspects of it would make it unworkable. Who is to be trusted to hold the keys? What mechanisms would be required to transmit the keys securely? How would the keys be protected? And, as above, why should we believe that the criminals will avail themselves of the mechanism?

So, fourth, our criminal law can take a leaf out of the civil law book and provide a legal requirement for the pass-phrase or keys to be requested under warrant. In this way, only those under investigation will be required to reduce their levels of security, rather than every user of encryption. Naturally, the criminal is likely to claim that they have forgotten their pass-phrase - just as they can in civil cases. But in those cases, evidence can be admitted as to whether this claim is reasonable and likely: when was the encryption suite last used? When were the protected files last opened? And if the balance of probability is that the defendant is lying, then they can be prosecuted for contempt.

There is much to be considered in that approach. For example, in the civil case the requirement to disclose is applied to the defendant rather than to a suspect - that is, the individual is already in court. However, it would seem to provide the best solution to the problem of protecting everyone else while allowing the police to be effective in their investigation of the criminal.

Over the next few months, these questions are to be debated by the Home Office. The results of this debate could change the face of UK computer crime policing for the next 20 years.
