Features

net.wars: Who killed Operation Ore?

Yes, there are disgusting pornographic images on the computer hard disk. But I didn't put them there. And I have no idea at all how they might have got there."

American readers probably won't have followed the case of Detective Constable Brian Stevens, which collapsed a couple of weeks ago with the prosecution blaming the computer experts for making "substantial errors" in analyzing the evidence.

Briefly, the story began with a couple of schoolgirls in Soham, Cambridgeshire who disappeared and were later found murdered. Stevens was the police liaison officer in the case, and became close to one of the families; he even read a poem at the girl's funeral service. Some time later, Stevens' name was one of those uncovered in the huge international Operation Ore, an investigation into child pornography on the Internet: his credit card information was on a list of some 7,000 British subscribers passed to the National Crime Squad by US authorities. Stevens was suspended and investigated, and the case came to trial in August with competing computer experts. Those who remember the early days of anti-virus software will be interested to hear that the ever-colourful Jim Bates was the expert for the defence; some ten to 12 years ago Bates wrote one of the first products to make an exact copy of a hard drive.

The collapse of the case has raised doubts about whether other Operation Ore cases can be successfully prosecuted. Less famously, a colleague of Stevens was successfully prosecuted and jailed for six months. Stevens himself is presumably still subject to disciplinary proceedings, and it's easy to imagine that after a space of time he will quietly be dropped from the police force.

The cases raises real questions: do we still, after years of experience, not know how to handle computer evidence? Or is there something really strange going on in that police department? Are we still back in 1991, the days of the Hacker Crackdown when the police were so ignorant of how computers worked that Barlow, Gilmore, and Kapor had to found the EFF in order to protest the confusion of printed books of rules for role-playing games with hacker manuals?

Peter Sommer, a visiting fellow at the LSE and also, under the name Hugo Cornwall, author of The Hacker's Handbook, says no. "It's total rubbish that we can't manage the chain of custody," he says. Sommer has acted as an expert witness in many cases involving computer evidence, and when it's working his home page on the LSE has links to articles (both technical and aimed at the general public) he's written on the subject, particularly as it pertains to Internet paedophilia cases. One important point he makes the lay version, however, is that because the field of computer evidence is so new, techniques and procedures for handling it have not been properly tested by peer-reviewed publication. In the Stevens case, the prosecution seems to have been unable to prove that the laptop belonging to Stevens, on which a small number of illegal images were found, was solely used by Stevens.

Sommer also says, "One of the big problems about the whole Operation Ore thing is that the data on the site is all from 1999, when it was closed down. So what we have, really, with all these names and credit card data, is useful intelligence that in 1999 someone using that credit card accessed the site who may possibly be associated with a UK citizen."

This is the kind of information that might go into a risk rating, particularly for those in sensitive professions. "What we tended to find," he adds, "is that after the first range of publicity and arrests some of the people tried to get rid of the material.

Quite a lot had but then reacquired material from other sources. So they were prosecuted not on the basis of using the site in Texas in 1999 but on the basis of the material on their systems now. It was an easy prosecution to go for. But the problem continues to be: supposing you do a raid and there's nothing there? No hard disk, no CD-ROMs, just this information going back to 1999. Is there a criminal offence? Probably not."

Sommer also says that a lot of the kinds of problems we saw back in the bad, old Hacker Crackdown days are largely gone. Police do, in general, understand the problem of unsolicited material, such as spam email containing illegal images. There is, after all, an obvious difference between an email directory filled with constantly arriving material of all types and a directory with a large stack of images assembled over a long period of time and carefully sorted into named categories. A good computer expert ought to be able to tell the difference.

My own view is less rosy than Sommer's; but then I have less contact with the police than he does, and I am more likely to hear about the abuses than the carefully handled successes. I completely believe that the police have developed the technical skills to ensure the chain of custody and analyse computer data. But proving who used the computer and how the data got there is going to be a difficulty for a long time to come. Very, very few computers live in a hermetically sealed environment where no one else has access to them.

In the case of Stevens, says Sommer, "The more I hear about it, the less I feel I know."