English bank security case rebuffed

Rohit Khare (khare@w3.org)
Tue, 9 Jul 1996 09:22:34 -0400 (EDT)

Sometimes, justice DOES get served. On the other hand, this case was won
due to prosecutorial ineptitude rather than setting a proper precedent of
banking ineptitude.


Date: Tue, 9 Jul 1996 09:03:05 -0400 (EDT)
From: "Donald E. Eastlake 3rd" <dee@cybercash.com>
To: dee-interest@cybercash.com
Subject: FWD: Important UK court case

Date: Tue, 09 Jul 1996 12:13:28 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

At a trial in England yesterday, a judge decided that if a bank was
not prepared to let their computer systems be examined by a hostile
expert witness, then they could not even present bank statements
in evidence.

At least SET has been done right - I believe it is the first
significant banking protocol to have undergone an open design
review. I hope that there will be implementations that have also
undergone credible scrutiny.

I append a note of the case that I posted to our supporters.

Ross Anderson


John Munden is acquitted at last!

At twenty past two today, John Munden walked free from Bury Crown
Court. This resolved a serious miscarriage of justice, and ended an
ordeal for John and his family that has lasted almost four years.

In a judgment loaded with significance for the evidential value of
cryptography and secure systems generally, His Honour Justice John
Turner, sitting with two assessors, said that when a case turns on
computers or similar equipment then, as a matter of common justice,
the defence must have access to test and see whether there is anything
making the computers fallible. In the absence of such access, the
court would not allow any evidence emanating from computers.

As a result of this ruling, the prosecution was not in a position to
proceed, and John Munden was acquitted.

John was one of our local policemen, stationed at Bottisham in the
Cambridge fenland, with nineteen years' service and a number of
commendations. His ordeal started in September 1992 when he returned
from holiday in Greece and found his account at the Halifax empty. He
complained and was told that since the Halifax had confidence in the
security of its computer system, he must be mistaken or lying. When
he persisted, the Halifax reported him to the police complaints
authority for attempted fraud; and in a trial whose verdict caused
great surprise, he was convicted at Mildenhall Magistrates' Court on
the 12th February 1994.

I told the story of this trial in a post to comp.risks (see number
15.54 or get ftp.cl.cam.ac.uk/users/rja14/post.munden1). It turned
out that almost none of the Halifax's `unresolved' transactions were
investigated; they had no security manager or formal quality assurance
programme; they had never heard of ITSEC; PIN encryption was done in
software on their mainframe rather than using the industry-standard
encryption hardware, and their technical manager persisted in claiming
(despite being challenged) that their system programmers were unable
to get at the keys. Having heard all this, I closed my own account at
the Halifax forthwith and moved my money somewhere I hope is safer.

But their worships saw fit to convict John.

An appeal was lodged, but just before it was due to be heard - in
December 1994 - the prosecution handed us a lengthy `expert' report by
the Halifax's accountants claiming that their systems were secure.
This was confused, even over basic cryptology, but it was a fat and
glossy book written by a `big six' firm with complete access to the
Halifax's systems - so it might have made an impression on the court.
We therefore applied for, and got, an adjournment and an order giving
me - as the defence expert witness - `access to the Halifax Building
Society's computer systems, records and operational procedures'.

We tried for nine months to enforce this but got nowhere. We
complained, and the judge ordered that all prosecution computer
evidence be barred from the appeal. The Crown Prosecution Service
nonetheless refused to throw in the towel, and they tried to present
output such as bank statements when the appeal was finally heard.

However, the judge would have none of it.

For the computer security community, the moral is clear: if you are
designing a system whose functions include providing evidence, it had
better be able to withstand hostile review.