How to solve the computer evidence problem

The Law Commission is in disgrace for its historic misrepresentations of IT experts when pushing a change to the law on the use of computer evidence through Parliament.

James Christie’s devastating analysis of how the Law Commission misrepresented the work of engineers and computer scientists (myself included) to overturn the basic statutory requirement that evidence from computers could only be admitted in court cases if it could be shown to be reliable creates an existential crisis for Alex Chalk, the Lord Chancellor.

The justice system he presides over is currently not fit for purpose. Secret lobbying by big companies and lazy departments in the 1990s led to the problem - it was “inconvenient” for organisations like the Post Office to have to prove that their computer evidence was reliable. The 1995-1999 Law Commission is in disgrace for its historic misrepresentations to push its change through Parliament.

But out of this crisis there is a solution which could be implemented within months. We have a new generation in the judiciary that heads up the Law Commission in 2023, which publishes all lobbying received and which is not afraid of working in association with the distinguished engineers that have been leading the research and development of security engineering in our research institutes and universities. We must harness this relationship of security technologists and lawyers.

How could this be done? We can learn from measures used by our American cousins who passed the Sarbanes-Oxley Act (SOX) which protects American investors and helped rebuild trust in the financial markets after Enron and other major accounting scandals. The SOX law regulates public companies, their auditors, and stockbrokers. SOX requires management and directors of public companies to certify the accuracy of financial reports filed with the Securities and Exchange Commission (SEC). It does this by requiring internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.

To rebuild trust in the UK judicial processes it would be possible for security technologists and lawyers to produce a modern version of my Seven Statement Test which I set out in my 1982 book “The Computer in Court”. This could enable the safe use of all computer and internet evidence in civil and criminal proceedings and give lawyers the tools they need to highlight latent errors in computer and internet evidence so that judges can direct juries on the correct weight to give to computer evidence in the courtroom.

Like SOX, we can implement equivalent procedures for computer evidence in the UK. In my 1982 book “The Computer in Court” I recommended that anyone wishing to rely on computer evidence in court proceedings needed to support it with a prescriptive affidavit or deposition in seven parts. The Seven Statements would provide a window on the reliability of the submitted computer evidence because it would give detailed information on all aspects of the computer evidence in a standard format that would enable lawyers and judges (and juries) to form reasonable conclusions on the reliability of the evidence being presented to the court. It would enable non-technical lawyers to raise questions and gain answers so that we could be sure that only reliable computer evidence was considered by the court.

It should be a regulatory requirement for a major company or a government department to comply with a modern Seven Statement test. Six of the Seven Statements regarding the reliability of the computer evidence could be pre-written and held as detailed draft internal audit reports in a standardised format as recommended by auditors and engineers. There would be an audit duty to maintain these drafts as being accurate and up-to-date as part of the normal bookkeeping requirements of all businesses and organisations. Consequently, only the Seventh of the Seven Statements, the detailed evidence which was being submitted and the associated report regarding its production, would need to be drafted and filed with each deposition of computer or internet evidence.

I also suggest that the change to bring in the Seven Statement Test could be implemented at no cost to the public purse by adopting a sensible risk management provision in respect of business insurance. This would be that if any company or organisation failed to have a comprehensive and up-to-date Seven Statement Test statement available for use in reliance upon its computer records, the automatic consequence of this would be that any Directors and Officers Liability insurance cover taken out by the company or by its directors and officers would be void. This rule would apply to private companies as well as public companies.

By this means the risk of criminal convictions arising from bad computer evidence would be moved from people, such as the defendants in the Post Office Horizon cases, to the directors and officers of the Post Office who could otherwise hide behind the corporate veil.

Alistair Kelman is a British barrister (retired) and technologist. For over twenty years he practiced at the Bar developing the law relating to microelectronics and computing as an intellectual property barrister and in the investigation and prosecution of computer crime. He co-wrote the 1981 BCS Report on "Admissibility and Reliability of Computer Evidence in Civil and Criminal Cases" for the Home Office which led to Section 69 of the Police and Criminal Evidence Act allowing all computer evidence to be admissible so long as it was reliable. He also wrote, with Richard Sizer the Chairman of the BCS Professional Standards Board, the book "The Computer in Court" which explained how bad computer evidence could lead to wrongful convictions and injustice if wrongfully allowed in trials. This 1982 book is today available for free download from his personal website.