In the wake of the Caffrey trial verdict in the UK I felt compelled to write an opinion piece on what this verdict and, in particular the style of defence, means for the information security community.
This verdict sets a potentially dangerous precedent with regard to hacking cases. In the future, any defendant charged with such an offence could attempt to compromise their own system, in order to employ a similar defence in the event of capture.
The accused in this case used what is known in legal parlance as an "affirmative defence". This is where the defendant introduces an alternative theory, or theories as to how and/or by whom the crime was committed. In many jurisdictions, a defendant offering an affirmative defence would then bear the burden of proof and the onus would be on them to prove their theory of the crime.
In the Caffrey trial, the theory on how the crime came to pass put forward by the defence was rather simple: an unknown individual or individuals broke into the defendant's computer, planted the evidence and launched the attacks, in order to frame the defendant for some unknown reason. Take away the technology aspect and this is an all-too-familiar defence claim in courts around the world. Had any substantive evidence been entered by the defence to support these allegations, I would not be writing this piece. However, the defence did little to support their assertions.
This case brings up a number of interesting issues, which I believe we should begin to debate. Does the United Kingdom, Europe, indeed the world have adequate legal processes to deal with the technology issues of today? In the UK, if an affirmative defence is to be employed, then should the burden of proof be reversed? At the very least, shouldn't the defendant be required to enter some substantive evidence supporting their claim?
The idea of specialist judge panels or juries is not an old one, but in the wake of this verdict and its potentially considerable consequences, I believe it is time to rekindle the idea. The jury system has served countries around the world well for hundreds of years. However, the introduction of technology-based crimes increases the complexity for those concerned. It is in the interest of justice that all parties fully understand the crime and the evidence. If a jury does not understand, or is confused by, the evidence, there is a greater likelihood they will give the defendant the benefit of the doubt and acquit them. One possible way of mitigating against this scenario would be to educate juries and prosecutors in the intricacies of information security so that such claims can be competently addressed. Perhaps an even better solution would be to ensure that, should a defendant choose to rely on this defence, the burden of proof would then be on that defendant.
One might rightly ask, whether the Police, the Crown Prosecution Service and the judges have adequate resources to prosecute and/or try such cases. Over the past few years I have worked with, acted as an advisor for, or sat on committees for, variously, the Scotland Yard Computer Crime Unit, the National High Tech Crime Unit, the FBI and the Interpol European Working Party on Technology Crime. All of these entities have made great strides during that time and are now world class in their own right. I have had the opportunity to work with both the Crown Prosecution Service and the US Department of Justice, and I am happy to say they too have made great advances in the prosecution of technology-based crimes. I believe an area, which remains in need of attention, is the education of judges and juries. That having been said, I was quite impressed with the judge in the Caffrey trail. He went to great lengths to understand the testimony and displayed an impressive level of technical knowledge.
In closing, I submit that the time has come to debate the need for specialist judging panels or juries that would allow for a more complete understanding of the evidence brought forth in technology-based trials. We should also examine whether it is appropriate to allow defendants to enter an affirmative defence in the absence of adequate supporting evidence.
Richard Starnes is Director of Incident Response EMEA, Managed Security Operations Centre, Cable and Wireless.