1.  This is a submission in response to the Committee's Notice of 27 June 2007. PN 33 of Session 2006-07. It seeks to assist by providing some technical background on how telephone interception takes place and related issues of disclosure and admissibility.

  2.  It is hoped that this will enable the Committee to have more informed exchanges with witnesses from the relevant agencies and ministries, particularly in relation to methods of interception and practicalities of disclosure.

  3.  I gave evidence to the Committee's Inquiry into Terrorism Detention Powers both by written submission and in person on 14 February 2006. The Committee's Report is HC 901-1 and was published on 3 July 2006.

  4.  Qualifications. A updated CV appears as Appendix I. I am a Research Fellow at the London School of Economics specialising in information security and digital evidence and also a Visiting Research Fellow at the Open University. I have acted as an expert witness in many cases involving digital evidence since 1985—these have included Official Secrets, Terrorism, narcotics trafficking, paedophilia, fraud, large-scale software piracy, murder and global computer misuse. I am Joint Lead Assessor for Computer Examination in the scheme run by the Council for the Registration of Forensic Practitioners.[143] I have been an external examiner for the Master's course at the Centre of Forensic Computing at RMCS Shrivenham and have provided training to the Crown Prosecution Service and to police intelligence analysts as well as advice to the main high tech law enforcement training centre in Bedfordshire. I am the author of Directors' and Corporate Advisors' Guide to Digital Investigations and Evidence published by the Information Assurance Advisory Council.[144] I was Specialist Advisor to the Trade and Industry Select Committee before and during its scrutiny of the Electronic Communications Bill (HC 862/Session 1998-99)[145] which was the original locus of legislation on encryption—later transferred to the Regulation of Investigatory Powers Act, 2000. During my work for the Select Committee I visited the then interception facilities at the National Criminal Intelligence Service (NCIS).

  5.  I have been instructed by defence lawyers in a number of terrorism cases, including Crevice which was referred to but not specifically identified in police evidence during the Committee's Terrorism Detention Powers hearings, and Red Mercury. I currently have one instruction which includes allegations of terrorist-related activities. I have also been instructed in cases where interception material was acquired overseas and was therefore admitted. One important example was R v Austin, White, Winter and others, a narcotics importation case heard at Winchester Crown Court in 2005 and where intercept material apparently obtained in Columbia was adduced. In R v Pryce and Bevan, heard in 1997, there was extensive Internet-acquired interception material originating from the United Stats Air Force (USAF).

  6.  For the avoidance of doubt, this is a personal submission.

  7.  For convenience I am repeating, albeit in different form, some of the arguments from my earlier written submission.

  8.  Law of Interception. Interception of the content of telephone calls, emails, etc is admissible in common law but excluded by statute—currently s 17 RIPA 2000. Consensual interception is admissible and so is interception material lawfully acquired outside UK jurisdiction. The general effect is to allow interception warrants but to deny their existence for court proceedings—this applies to both prosecution and defence. The detail of how this is handled appears in the CPS Disclosure Manual[146] and I hope that the Committee will press the CPS and others hard to assess its effects—the Manual acknowledges many difficult areas of judgement.[147] The Committee should also review carefully the relevant Attorney General's Guidelines in relation to s 18 of RIPA.[148] s 12 of RIPA empowers the Secretary of State to order communication service providers to install facilities for interception subject to certain limitations.

  9.  Communications / traffic data—who called whom, when and for how long— is admissible under Part I Chapter II RIPA 2000. Such evidence is often produced in conspiracy trials to demonstrate a common purpose among a number of people. Commercially available software packages to identify patterns aid this exercise and produce persuasive graphics[149]. Data traffic also includes details of which cellphones were registered to which specific base stations thus bringing the geographic locations of individuals into evidence—this is called cellsite analysis.

  10.  There are frequent occasions when the production of evidence based on data traffic together with other evidence before the court makes it wholly obvious that interception has taken place, though neither prosecution nor defence are allowed to refer to it. In the recent Crevice trial, which lasted over a year, although extensive use was made of conversations acquired via audio bugs, including discussions about proposed bombing of the Ministry of Sound night-club and the Bluewater Shopping Centre, no reference was ever made to telephone intercepts. After the trial it was said that in excess of 100 intercept warrants had been used.[150]

  11.  The repeal of s17 RIPA 2000 would have the effect of allowing intercept material to be admitted; it would in no way compel it.

  12.  Law in other Countries I draw to the Committee's attention a useful booklet produced by SS8, an equipment supplier, entitled The Ready Guide to Intercept Legislation which provides details of legislation in 24 countries.[151]

  13.  The arguments against allowing interception evidence to be admitted. The arguments against allowing interception evidence to be admitted are said to be[152]:

—  that knowledge of the technical means used would assist wrong-doers and make the task of law enforcement and intelligence more difficult;

—  that employees of law enforcement would be placed at significant risk;

—  that the process of disclosure would force law enforcement agencies to reveal more than was safe about their methods;

—  that the expense to the intercepting agency of storing the material would be considerable;

—  that compliance with disclosure requirements would involve the transcribing of large quantities of conversational material which in turn would be very costly;

—  that it would be difficult to prove who was talking to whom; and

—  that innocent third parties who had had contact with an accused might find their privacy compromised.

  14.  I submit that all of these are based on mis-conceptions either of technology or of the application of the criminal justice system.

  15.  Knowledge of the existence and reach of interception. The existence of interception facilities in the UK is not a secret; the power to carry out interceptions is enshrined in statute and each year the Interception Commissioner states the number of warrants in force.[153]

  16.  The Technology of Telephone Interception There is nothing complicated or secret in the principles of how interception of landline and cellular phones take place or how to capture Internet-related (IP—Internet Protocol) traffic. For conventional, voice-based telephony two elements are required: the voice component (by placing simple circuitry across the line or by capturing digitally) and the "traffic" component —who called whom, when and for how long—which is part of the regular record of the telecommunications company for revenue collection and quality of service purposes and already admissible.

  17.  There are two linked elements to the technology: the handover interface between the telecommunications or communications company; and the means to record what is handed over.

  18.  Information about the handover interfaces for the various types of telecommunications services is published on the website of the the European Telecommunications Standards Institute (ETSI)—http://portal.etsi.org/li/Summary.asp. The actual standards are also published at http://www.gliif.org/, the Global Lawful Intercept Forum. The US equivalents, designed to work under CALEA, Communications Assistance for Law Enforcement Act, are published by the Telecommunications Industry Association (TIA) and the Alliance for Telecommunications Industry Solutions (ATIS). The ATIS website sells the current specification documents: https://www.atis.org/docstore/. Details of the application to cable-based systems can be found at http://www.cablelabs.com/specifications/archives/PKT-SP-ESP-I03-040113.pdf.

  19.  The main feature is to guarantee and preserve the reliability of the intercepted material. The voice and the traffic components (referred to in the literature as the IRI, Intercept-Related Information) are designed to be forensically inextricably linked as a control against tampering and editing—the voice file and information about the call including the various terminating phone numbers, time and duration of call, are all held together as a single item when handed over to the Lawful Intercept authority, whoever that is.

  20.  Significant detail is published by vendors of law intercept equipment such as ss8—www.ss8.com. Appendix II consist of print-outs of web-pages from a range of vendors.

  21.  Turning now to the technology for recording telephone intercept, there is no reason why it should not be very similar to that used in call centres throughout the UK and the world—by financial institutions, government departments such as social services and the tax authorities, and mail order companies. The voice component is no longer stored on tape but as a digitised audio file on hard-disk. It is stored in a database searchable by time, date and any other fields that the user organisation deems helpful. Banks store, among other things, by account number and clerk/operator (I have seen such systems in the course of professional instructions). A lawful intercept system would, presumably store the audio files by reference to date, time, originating and receiving phone numbers, names of suspects, and warrant. Appendix III contains copies of web-pages from companies offering suitable generic products. It will be seen that some of these also claim to be able, to a limited extent, to use computers to monitor the content of call.

  22.  Once data is collected digitally, the cost of storage and back-up is minimal. One would imagine that there are powerful arguments within intelligence analysis for retention in case later events give greater significance to individuals initially thought of as relatively unimportant. Within financial services, voice data, along with everything else, is routinely held for at least seven years (Statute of Limitations requirements).

  23.  It would be very surprising if the UK government were using anything markedly different—current policy is to use and adapt Commercial Off the Shelf (COTS) products where-ever possible.

  24.  Lawful intercept also has to work for data as well as voice, including Internet-based material. Here again the websites of companies such as ss8 describe the equipment they offer and the specific types of data traffic including that for the world-wide web, email, eer-to-peer[154] networking, instant messaging, chat-room services and VOIP (voice over internet protocol which is a telephone-like service).

  25.  Sensitivity of Interception Methods. The above descriptions apply to the vast majority of intercepts, which are carried out with the full co-operation of the communications service providers. Different considerations may apply where the co-operation is not available and where technicians may, for example, eavesdrop of radio, satellite and microwave transmissions or break into a cable. But this must refer to a tiny minority of instances and those are presumably concentrated on overseas activities and for intelligence purposes. As we will see shortly, there would be no legal compulsion to disclose any of this.

  26.  Impact on Interception Staff. If one thinks about what is involved in accepting a lawful intercept from a co-operating communications service provider, this has to be one of the least dangerous activities carried out by an agency. The operator stays in his office and uses a keyboard, a telephone, a screen, and a loudspeaker. The installer of a voice probe, the product of which is admissible, must covertly visit hostile territory; the agent handler, physical surveillance operator and under-cover personnel must all go out into the "field".

  27.  Disclosure Regime. The applicable law is Criminal Procedures and Investigations Act, 1996 (as amended, particularly by the Criminal Justice Act 2003[155]). Practical detail appears conveniently in the CPS Disclosure Manual.

  28.  The principles are that any material gathered in the course of an investigation but which is not specifically adduced in evidence must be recorded and retained; it must be revealed to the case prosecutor who applies a "disclosure test", which means "providing the defence with copies of, or access to, any material which might reasonably be considered capable of undermining the case for the prosecution against the accused, or of assisting the case for the accused, and which has not previously been disclosed." At the "revelation" stage, a police officer can mark material as "sensitive unused"; the test for this being that disclosure would give rise to "a real risk of serious prejudice to an important public interest"; reasons must be given.[156] In due course this may give rise to applications for Public Interest Immunity certificate. Throughout there is a continuing duty to disclose.[157]

  29.  But there is also an obligation on the Defence to provide a defence case statement, once initial prosecution disclosure has taken place. The CPS Disclosure Manual provides convenient details of what is required of defence case statement at Chapter 15. Failure to provide such a statement, which has to occur within specified time limits, can result adverse inferences being drawn at trial.[158] These can include differences between what is set out in a defence case statement and what is relied on in trial.

  30.  The detail of how this is currently handled in relation to intercept material appears in the CPS Disclosure Manual in Chapter 27 and in relation to unused forensic science material (which may be relevant to specific methodologies of interception) at Chapter 23.

  31.  The position of experts instructed by the defence also needs to be considered. In general terms: a defence expert, whether giving evidence of the results of a technical investigation or (if allowed by the judge) of opinion, has an over-riding duty to the court.[159] Advice given prior to evidence is legally privileged. Investigations carried out by the defence expert have in broad terms to comply with the defence case statement. The fact that a defence expert has been instructed must be disclosed even if the evidence is later not relied on[160]. Specific disclosure would only follow a detailed and consistent defence case statement. A defence expert receives information relating to a case solely for that purpose and cannot refer to it elsewhere unless it is also mentioned in open court; breach can result in contempt of court proceedings. The prosecution has the ability in pre-trial hearings to question the quality and bona fides of a defence expert and there are opportunities to seek undertakings and court orders in respect of defence experts. In my experience this is already done in terms of sensitive computer hard-disk evidence and where the expert may need to visit covert law enforcement and other premises.

  32.  How disclosure of intercept material would work in practice. Whereas a few years ago voice intercept material was recorded to reel-based tape recorders current methods record to digital audio file saved to hard-disk, each audio file being linked to a database.[161] This should significantly ease the practical problems of disclosure. The defence would receive CDs or DVDs containing the audio files plus the accompanying data (which number called which, when and for how long for conventional telephone intercepts, for example). Only material to be used in evidence would be initially transcribed by the prosecution; otherwise the defence would listen to the audio and, should they wish to adduce additional material, they would transcribe it. If there were disputes about what was being said, most can be resolved pre-trial between counsel and experts. Under current Criminal Procedure Rules a trial judge can order experts to have meetings to reduce the scope of a dispute.[162] This approach is what currently happens in relation to evidence from computer hard-disks where the whole of the hard-disk is disclosed in electronic form and only very small portions ever printed out. It is also what has been done in the case of audio probe evidence (which is currently admissible).

  33.  If we now consider the impact in terms of the objections usually raised in relation to the abolition of s 17 RIPA:

—  costs of routine disclosure would not be high—transcription of everything is not required; the material is held and used in digital format and data storage and copying costs are very low; much higher costs are routinely incurred in relation to computer hard-disk evidence;

—  under normal circumstances the defence could test for tampering by reference to the records created by the lawful intercept hand-over equipment, the separate routine records of traffic date produced by communications service providers (which are currently admissible and regularly produced) and the length of time of each audio file. All ought to match. In addition they could instruct a specialist audio expert to look for anomalies in the digital audio file;

—  in order to obtain further detailed knowledge of specific technologies, the defence would need to refer to them in a defence case statement and be prepared to justify such reference later if nothing adverse to the prosecution were found; the penalty for a defence fishing expedition would be that adverse inferences might be drawn against the defendant;

—  it is difficult to envisage a successful defence disclosure request which might refer to such potentially sensitive information as the overall capacity to intercept or the extent to which automated monitoring of intercept material is possible (for example by listening for keywords or looking for indications of voice-stress) as these would usually not be relevant to any specific case. It should also be borne in mind that what a terrorist planner surely really wants to know is are those circumstances in which the authorities find it most difficult to intercept, the principle that it is possible and occurs is already well-known;

—  it would still be open to the prosecution to raise PII issues against the usual tests as with other types of sensitive evidence such as covert human intelligence sources;

—  the normal use of intercept evidence would be to show planning, intent, or "bad character"[163]. The usual stances of the defence will include: that the prosecution have misidentified the speakers; that the selected passages are being misinterpreted as to significance and meaning; that by also referring to other conversations in the unused material, a different light is shed on the motivations of an accused. But all these are within the normal scope of court activity and in any event applies to audio probe and computer hard-disk[164] material which are currently admissible; and

—  the rights of third parties who had innocent connections with an accused and who conversations with them might have been intercepted will be preserved in the same way as innocent people who have email contact with suspects and whose emails are found on hard-disk. The innocent conversations will only be seen/heard by lawyers and experts and will not be used in open court. Abuse of such data would be a contempt of court.

  34.  The Technology of Data Interception. So far we have been largely concerned with interception of telephones—landline and cellular. Because the "voice" and "traffic data" elements are so obviously separate it is easy to understand how to handle the distinction made in RIPA[165] between content and communications data. But interception in the data world of the Internet means, in the instance, capturing all the data packets associated with an Internet identity and then attempting to filter them according to whether they appear to be "traffic data" (for example the "header" in terms of email) or "content" (the message itself). There is little clarity, for example, with how one would make the distinction in web-based email such as Hotmail and the facilities offered by large Internet Service Providers (ISPs) such a BT Internet. The problem becomes even greater as conventional telephony is replaced by Voice over Internet Protocol (VoIP) telephony and the use of Instant Messaging grows.

  35.  It is obviously beyond the scope of your current enquiry to investigate in detail such matters: there are significant cost and regulatory implications to ISPs but my immediate point is that increasingly there will be disputes about interpretation of RIPA—and these disputes will inevitably require disclosure of material which may later be declared inadmissible for being "content", an impossible situation.

12 July 2007

144   http://www.iaac.org.uk/Portals/0/Evidence%20of%20Cyber-Crime%20v08.pdf Back

145   http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/862/86202.htm;http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/648/64802.htm;http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/187/18707.htm Back

146   http://www.cps.gov.uk/legal/section20/chapter_a.html£148 Back

147   http://www.cps.gov.uk/legal/section20/chapter_e.html Back

148   http://www.cps.gov.uk/legal/section20/chapter_a_annex_i.html Back

149   For example, Analyst's Notebook by I2 Back

150   http://www.telegraph.co.uk/opinion/main.jhtml?xml=/opinion/2007/06/11/do1102.xml Back

151   Available from http://www.ss8.com/ready-guide.php Back

152   I have partly based this on the Report of the Interceptions Commissioner for 2005-06, paragraph 46. http://www.official-documents.gov.uk/document/hc0607/hc03/0315/0315.pdf and a 1995 Home Office document produced prior to RIPA and which is no longer on the Home Office website. Back

153   http://www.official-documents.gov.uk/document/hc0607/hc03/0315/0315.pdf Back

154   As used in file-sharing services Back

155   Part 5 Back

156   CPS Disclosure Manual Chapter 8 Back

157   s 7A CPIA Back

158   s 11 CPIA 1996, s 39 CJA 2003. Back

159   Criminal Procedure Rules, Part 33.http://www.justice.gov.uk/criminal/procrules_fin/contents/rules/part_33.htm Back

160   s 35 Criminal Justice Act 2003, amending s 6, CPIA, 1996 Back

161   See para 21 above Back

162   Part 33.5 http://www.justice.gov.uk/criminal/procrules_fin/contents/rules/part_33.htm Back

163   Possible, subject to certain judicial safeguards, under ss 98 ff Criminal Justice Act 2003. Back

164   A frequent issue with personal computers used by several people is "whose fingers on the keyboard at the relevant time?" Back

165   Specifically ss 20 and 21(4)(a) Back