Many countries are debating how digital information is used to detect and resolve crime. On the right-wing, there is a push to justify the accesses to ISP (Internet Service Provider) information, such as for the IP addresses of users downloading and distributing copyright material, while more liberal government see this as a Big Brother society.
In a countries such as Canada there is a move for information from ISPs to be handed over without a warrant. The Conservative government in Canada has thus pushed through Bill C-13 (Protecting Canadians from Online Crime Act) which aims to allow access to ISP records within a warrant, but the Bill has just been overruled by Canada’s top court as being unconstitutional, and seen as a snooping law. A major question must be in how creditable Internet records will actually be, as many homes are allocated a single IP address, which maps to all the users of the home network. The Bill is justified through the risks around Cyberbully and copyright breaches, but could obviously be abused, and used for a range of surveillance activities. A previous Bill (C-30) was rejected due to surveillance concerns, and many think that the recent cases of Cyberbullying in Canada are being used to justify C-13.
In Scotland, too, there has also been a great deal of discussion on ditching corroboration in cyber crime in Scotland. It looks like that this will not go ahead. One thing that should be remembered is that digital evidence is often fragile. To outline how fragile it is, the article outlines six key scenarios which show that it is often not possible to fully prove the digital information is fully creditable in criminal investigations. The six defence scenarios which can be easily quoted are:
- It wasn’t my computer.
- Someone accessed my machine and did it.
- Someone stole my user account details.
- The bot did it.
- My computer automatically went to it.
- I didn’t send the email.
The article does not outline the rights or wrongs of accessing without a warrant, but outlines the cases where the digital information cannot be seen as definitive sources of evidence.
Digital Information is really just a bunch of 1s and 0s. It is fragile, and often can be changed while it is stored, transmitted or even processed. Basically all the information what we see is converted from these 1s and 0s, and often provided in a way which can be easily compromised. I thus see the usage of digital evidence gathering provides investigators with new ways to quickly investigate, and also to provide corroboration to traditional evidence. I’d like to thus outline seven scenarios, which show how fragile digital information is.
Crime Scenario 1 (Defence: It wasn’t my computer). In this case Bob is at home, and his ISP has detected that he has been accessing illegal content. Bob is arrested, and says that it was someone else in his work. In this case, most home networks use NAT (Network Address Translation) which maps one or more private IP addresses (such as 192.168.0.1, 192.168.0.2, and so on) to a single public IP address. Thus all the data packets received by the ISP will have the same IP address, no matter the computer that generated the request. Thus it is not possible to lock-in on the physical address of the computer, as the physical address cannot be determined from the data packets. So just IP addresses alone cannot be taken as a single source of evidence.
In a company environment, again, the IP address alone cannot be taken as a creditable single source, as it can be spoofed. In this case, Alice waits for Bob to log-off, and then sets her computer to a static address which matches Bob’s computer, and then accesses the material, and Bob gets the blame. If we were to use the physical too as a trace, again, the physical address (normally known as the MAC address) is also easily spoofed.
Crime Scenario 2 (Defence: Someone accessed my machine and did it). In this case, Bob’s computer has illegal content on it, and he claims that he had no idea how it got there. In this case, most computers are networks, and once they join a network that can be connected to. Often guest shares or guest accounts can be used to create a connection. If not, there’s a whole lots of malware kits that Eve can use to gain remote access to the machine. In this case Eve sends a link to Bob to access a PDF document. He views it, and it actually setups up a remote access method for Eve, and she can do whatever she wants on his machine. If Bob hasn’t patched his machine, he has become vulnerable to this. So in defence he just says that he doesn’t trust Microsoft for their patches, and it was their fault. If the PDF one doesn’t work, she tries a Java exploit, if that doesn’t work, it’s a Flash compromise … and she keeps trying.
Crime Scenario 3 (Defence: Someone stole my user account details). Bob is arrested for trying to take money from someone else’s account and put it into an off-shore account. The bank says that he logged in, and transferred the money. With this, Eve has send Bob a trick email which asks him to login and check some details. He logs in, but it doesn’t work, but the next time it is fine. After this Eve has his login details, and can go ahead and login on his behalf. Bob has no idea that anything has went wrong, but the first site was a spoof-site, and captured his login details for his bank, and then redirected to the main site, for which the login worked. To make the spoof site look real, Eve has scrapped the images, text and style sheets from the bank site, so it all look real.
Crime Scenario 4 (Defence: The bot did it). In this case, Bob has been attacking a remote site, and is arrested. His defence is that it wasn’t him, but it was a bot on his machine. In most cases, this defence is not strong, but there is always a chance that a bot on the computer did generate the malicious activity. Just because no malware is found on a machine at the point of investigation, doesn’t mean that it wasn’t there at some time in the past.
Crime Scenario 5 (Defence: My computer automatically went to it). In this case, Bob has been detected by his ISP in accessing some criminal material. He is arrested, and says that he knew very little about it, and has basically accessed his bank but ended up viewing the criminal material. For this one, we have to look at details at domain name servers (DNSs), and to Internet gateways. Unfortunately, the Internet has been created with very little creditability in the information that is passed. So when Bob starts his computer, Eve has broadcasts the MAC address of her computer, and pretends to be his Internet gateway and also his DNS server. All Bob knows is that when he accesses his bank, he sees the wrong site. In fact, Eve has poisoned his domain name look-ups, and she resolves his domain requests to the wrong IP address, which is logged on the ISP.
Crime Scenario 6 (Defence: I didn’t send the email). In this case we have Bob who is send abusive emails to Alice, and she forwards them onto the Police saying that he is abusing her. Bob is then arrested saying that he knew nothing about it. In this case, the email system we have setup has no credibility, and anyone can send an email saying that they are anyone they want to be. Thus Eve uses her own SMTP server, within a private network, and send the email. In fact the email contents just contain headers of:
To: Alice@test.com From: Bob@test.com
and there is no way of actually telling it was from Bob. So? Email really can’t be used as a fully creditable source of evidence. If can be used to timeline, but you cannot ever confirm that the send is actually who it says in the “From:” field.
There’s very little of what is generated on a computer or network is actually 100% creditable. Basically if someone wants to change things on the Internet, or on computers, they can do so. I appreciate that many of the crimes which are investigated related to cybercrime have threat levels, but that does not justify reducing the threshold for the evidence level. To pin-point someone from an IP address (or even a MAC address), when they are using a shared home network, it not really any form of creditable evidence, and can only be used to provide one piece of the picture around a crime.
Text from the article
POLICE have called for the abolition of a key plank of Scots law in order to help secure convictions for online crimes such as child pornography and grooming.
Officers say the need to corroborate key facts to bring a case to court is limiting their ability to tackle cyber crimes, which include paedophilia, harassment and online fraud.
But online experts have warned that digital trails of evidence can be unreliable on their own and need to be corroborated by others forms of evidence to prevent miscarriages of justice.
Police Scotland officers struggle to find corroborating evidence when acting on allegations of online crime brought by members of the public.
Assistant Chief Constable Malcolm Graham said: “It’s an emerging crime type where the likelihood of getting corroboration for essential facts diminishes.
“A lot of cases that come through the courts are where police have proactively monitored people, where we think there’s a risk that children might be abused.
“But in cases where people come and report to us that they have been the victim of cyber crime, there can be issues in terms of attributed communications hardware.
“We believe the law should develop to keep in touch with technology. This would be an example where current legislation has not developed and evolved in recognition of the range of criminal operations.”
Police Scotland supports the Scottish Government’s plans to abolish the requirement to have corroboration in order to bring a case to court.
The legislation, which is being debated in the Scottish Parliament, is based on recommendations by Lord Carloway, the Lord Justice Clerk, which are opposed by other Scottish judges and leading lawyers.
Professor Bill Buchanan, director of Edinburgh Napier University’s centre for distributed computing, networks, and security, which trains police in tackling cyber crime, also warned against abolishing the need for corroboration.
“On the internet it’s very difficult to take one source of evidence as a definitive source as things can be changed and people can have different identities,” he said.
“We should always get some physical and some traditional corroboration, along with the digital footprint.
“Logs can be tampered with, you have an IP address, but people can spoof them.”
A UK expert on online crime said that more funding, rather than a change in the law, was needed.
David Cook, a cyber crime and data security solicitor, said: “Our prosecutors find it notoriously difficult to adequately evidence crimes that occur online and the vast majority go not only without prosecution but even without a proper investigation.
“However an effective investigation can and should still take place. That those who police us choose to not provide adequate resources to such matters, instead suggesting the erosion of a civil liberty that is centuries old, is a lamentable position.
“I fear that such a change would inevitably cause an increase in the number of miscarriages of justice,” he added.
Police Scotland estimates that 3,000 more victims will be granted access to justice by abolishing the need for corroboration,” he added.
In a separate study, the Crown Office looked at 458 rape allegations which did not reach court because of insufficient evidence. They were re-examined as if corroboration was not required and prosecutors estimated 82 per cent could have proceeded to trial, and 60 per cent had a reasonable prospect of conviction.
Police Scotland has not yet produced similar research on what impact removing the requirement would have on cyber crime.
Alison McInnes MSP, Scottish Liberal Democrat justice spokeswoman, said: “This is a new argument which has certainly not been reflected in the wide range of evidence given to the justice committee. If Police Scotland believe that corroboration has impeded cases such as these then I am surprised that they have not reflected that in their oral evidence to the committee.
Abolition call: Cadder ruling
The proposed abolition of corroboration – the requirement to have two independent pieces of evidence to bring a case to court – stems from a Supreme Court judgment in 2010.
The UK’s highest criminal court found in favour of Peter Cadder by ruling that it was a human rights breach for police to interview suspects without giving them access to a solicitor. This has led to more suspects refusing to speak in interviews.
This is particularly problematic for police in cases of alleged rape. Previously an accused may have admitted having sex but claimed it was consensual, which would have allowed police to corroborate a key element of the charge.
In light of the Cadder ruling, the Scottish Government asked Lord Carloway, now Scotland’s most senior judge, to review Scots law. Carloway made a raft of recommendations, including abolishing the need for corroboration. The proposal is in a criminal justice bill now in front of the Scottish Parliament.