Editorial: Volume 6
Digital evidence and electronic signatures may appear to be mundane, both to lawyers and lay people, but they affect everybody that has a bank account or uses a credit or debit card. The technology now used to deal with money cannot yet be considered ubiquitous across the globe, but the introduction of ATMs across many countries is now occurring at speed, especially in African states. The use of information technology by the banking sector has not prevented criminals from stealing money from banks and organizations that issue plastic cards for the purposes of obtaining cash and buying goods and services on credit. Indeed, criminals now have the capacity to steal far greater amounts of money than hitherto: they exchanged the horse for the motor car as a means of escaping from the scene of a robbery as soon as the technology permitted, and the more determined now manipulate customers through social engineering techniques and take advantage of possibly flawed implementations of the technology used by banks.
As the recent banking crisis has illustrated, many people in control of banks lost sight of what business they were in: risk. (Samuel Johnson, in the edition improved by Henry John Todd (John Walker, 1836), defined 'bank' as 'a repository where money is occasionally lodged; to lay up money in a bank' and a banker as 'one who receives money in trust'.) Banks deal with the risks inherent in the control of money, and in the increasingly complex world that humans have created, banks and how banks deal with the risks associated with the control and transfer of money affect everyone; indeed, governments generally take great care to oversee the mechanisms associated with the movement and stability of currency.
It is for this reason that customers of banks and governments ought to take as much interest in the systems used by banks to provide customers with a service (mainly through ATMs) as do criminals. In an attempt to reduce the ability of criminals to steal money from banks, the banks and card issuers have resorted to more technically complex methods (such as the adoption of EMV - that is, the inclusion of a chip on the card) of protecting the mechanisms (e.g. ATMs and Point of Sale terminals (PoS) that have become ubiquitous) used to dispense cash or permitting a customer to authorize transactions on their account. The problem with the increased complexity of the systems put in place by the banks, as the article by Dr Steven J. Murdoch illustrates, is that there is a corresponding increase in the risks associated with the flawed implementation of such systems.
In addition, the courts have not always dealt adequately with the delicate balance between the risks that should be borne by the banks and those risks the banks prefer to transfer to the customer. The decisions in the case of 29.06.2000, 2 Ob 133/99v of the Oberste Gerichtshof (Supreme Court of Austria) and Civil case No. 3K-3-390/2002 from the Lietuvos Aukščiausiasis Teismas (Supreme Court of Lithuania) represent a more realistic and accurate analysis of the position on legal liability than the judgment in the case of 5 October 2004, XI ZR 210/03 (published BGHZ 160, 308-321) by the Bundesgerichtshof (German Federal Court of Justice); each of these is translated into English and included in this edition of the Review.
In this respect, misunderstandings continue in relation to the technology and how the technology is analysed in legal terms. Consider, by way of example, the report 'Checking out chip and PIN: The Northampton trial report 2003' (Chip and PIN Programme Management Organisation, available at http://www.chipandpin.co.uk/reflib/northampton_trial_report.pdf). In this report, the authors provide a list of questions and answers, one of which is set out below (on page 21). (The editor acknowledges the very helpful comments and suggestions made by Nicholas Bohm in respect of the discussion that follows.)
'What is a PIN?'
'A PIN (Personal Identification Number) is your 4-digit number which proves you are who you say you are. You tap in your PIN to verify a payment.'
Note the word 'verify' in relation to a payment usually means 'check that it has been made'. In this example, it seems 'verify' actually means 'authorize.' (Note that PINs can be between 4 and 12 digits; 5 digits are used in South Africa and 6 in France).
This statement indicates a misunderstanding of what a PIN is and what it purports to do.
In the same way that a manuscript signature can be forged, PINs are forged every day, as some customers of banks are aware.
If the assertion noted above were correct, then the fact that a transaction was carried out using the correct PIN would automatically mean that it was the person to whom the card was issued who typed the PIN into a key pad. But a PIN can obviously be forged (that is, a thief can discover the correct PIN and then use it), so the forgery obviously does not prove that the person who typed in the correct PIN is the person to whom the card was issued. The issuers of plastic cards require customers to use a PIN in the full knowledge that when a PIN is forged, the issuer cannot tell the forged PIN from a PIN keyed into a machine by the actual customer. That the card issuers have chosen to use what appears to be a somewhat flimsy method of ascertaining their customers' agreement to a transaction with a machine is their problem, and not the customer's; at least, that is the legal position. But as any person who has had money removed from their account by a thief will be aware, making the card issuer understand that it was not the customer who withdrew the money can be far from easy.
A PIN on its own is not capable of proving the person is who they say they are - in fact, a PIN even with some other form of link with a name (such as a credit card) is not capable of proving who you say you are. Both PINs and cards can be stolen and used by criminals without any fault on the part of their proper user.
The function of a PIN is to verify a payment
Arguably, the PIN combines two functions. Before considering the two functions, consider the requirements of the card issuer. The card issuer needs to know two things: that the card presented is the card it issued, and that the person interacting with the ATM or PoS is the customer to whom that card was issued. If the bank or card issuer is satisfied on these two points, then the bank has satisfied itself that it is dealing either with the customer to whom the card was issued, or at least with another person who holds both the card and the PIN with the authority of the customer.
Thus the bank or card issuer needs sufficient evidence to satisfy itself that the card is legitimate, and the card is in the possession of the customer to whom it was issued (or a person authorized by the customer to use the card). For the card issuer to be satisfied of these two facts, a sequence of events takes place for ATM transactions. They are summarized below.
Interrogation of the card
The first aim of the card issuer is to have sufficient evidence from the computer systems to demonstrate that the card issued to the customer is the card the computer systems are interacting with, and not a forged card. The ATM terminal interrogates the card to determine which technology it should use for the transaction (magnetic stripe or chip).
Verification of the card holder
The ATM prompts the customer to enter the PIN. The issuing bank compares the PIN to its records, and a message is sent back to the ATM to indicate whether the verification was successful. It does not follow that this process succeeds in all completed ATM transactions.
Authentication of the card
First, it should be noted that it does not follow that this process succeeds in all completed ATM transactions. With an EMV card (also called Chip & PIN in the UK), the chip will normally be interrogated to enable the issuer to determine whether the card is the one issued to the customer. If the chip is not read or cannot be read, the ATM will probably read the magnetic stripe on the card to perform a magnetic stripe fallback authentication, where the ATM sends the contents of the magnetic stripe to the issuing bank, via the card scheme network. The issuing bank will then verify whether it contains the correct information. Provided the bank or card issuer received satisfactory responses from either the chip or the magnetic stripe, and the PIN is correct, the person at the machine is then free to undertake transactions on the account.
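The three steps above (interrogation, verification of the card holder, authentication of the card with magnetic stripe fallback) as a small model, added here as an illustration and not taken from the editorial or from any bank's system. All card data, PINs and record formats are constructed; the point to notice is that the issuer-side record contains the outcome of each step and nothing at all about who keyed in the PIN.

```python
# Added example: a toy model of the ATM authorisation sequence described in the
# editorial. Card numbers, stripe contents and PINs are constructed values.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    pan: str             # card number (constructed)
    chip_readable: bool  # can the ATM read the chip at all?
    chip_genuine: bool   # would the chip pass issuer authentication?
    stripe: str          # magnetic stripe contents (constructed)


@dataclass
class Issuer:
    stripes: dict        # pan -> stripe contents held on file
    pins: dict           # pan -> PIN held on file


def authorise(card: Card, pin_entered: str, issuer: Issuer) -> tuple[bool, list[str]]:
    """Return (decision, issuer-side record) for one ATM transaction attempt."""
    record = []
    # 1. Interrogation: the ATM decides which technology to use for the card.
    tech = "chip" if card.chip_readable else "magstripe"
    record.append(f"interrogate tech={tech}")
    # 2. Authentication of the card: chip if possible; otherwise the stripe
    #    contents go to the issuer, which compares them with its own records.
    if tech == "chip":
        card_ok = card.chip_genuine
    else:
        card_ok = issuer.stripes.get(card.pan) == card.stripe
    record.append(f"card_auth tech={tech} result={'ok' if card_ok else 'fail'}")
    # 3. Verification of the card holder: the issuer compares the PIN entered
    #    with the PIN on file. It learns only that the correct PIN was known.
    pin_ok = issuer.pins.get(card.pan) == pin_entered
    record.append(f"pin_verify result={'ok' if pin_ok else 'fail'}")
    decision = card_ok and pin_ok
    record.append(f"decision={'authorised' if decision else 'declined'}")
    return decision, record


# Constructed issuer records, a genuine card, and the same card with a chip
# the ATM cannot read (which triggers magnetic stripe fallback).
ISSUER = Issuer(stripes={"4000000000000001": "T2=4000000000000001=2512"},
                pins={"4000000000000001": "1234"})
GENUINE = Card("4000000000000001", True, True, "T2=4000000000000001=2512")
CHIP_UNREADABLE = Card("4000000000000001", False, True, "T2=4000000000000001=2512")

if __name__ == "__main__":
    for label, card, pin in [("chip read, correct PIN", GENUINE, "1234"),
                             ("chip unreadable, fallback", CHIP_UNREADABLE, "1234"),
                             ("chip read, wrong PIN", GENUINE, "9999")]:
        decision, record = authorise(card, pin, ISSUER)
        print(f"{label}: {'authorised' if decision else 'declined'} | " + "; ".join(record))
```

Whoever presents the card, the record produced for a correct PIN is the same; that is why the record alone cannot show that the customer, rather than someone who had learned the PIN, was at the machine.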
The functions of a PIN
Thus the functions of a PIN can now be analyzed. The first function of the PIN is to act as a means of authentication. In this respect, a PIN demonstrates that the person that keyed in the PIN knows the correct PIN.
The second function of a PIN is to act as a form of electronic signature. Once the computer systems of the bank or card issuer are satisfied that the card is legitimate and the PIN is the correct PIN of the card holder, then the person at the ATM or PoS can undertake any activity on the account that is permitted within the mandate and within the limitations of the technology.
It must be right to say that the PIN, even though it is offered to the machine before a transaction is effected, acts as a signature to verify the customer's authority to make a payment or other form of transaction. In this respect, the presentation of a card to an ATM, and the input of a PIN can be likened to a cheque that is written out by the account holder, signed, and then presented to the cashier at the bank. The customer completes the action necessary to request a payment in advance of the payment being made by the cashier, and then signs the cheque in the presence of the cashier - all before receiving acknowledgement that a transaction has been authorized. In this respect, the PIN is a form of electronic signature.
Arguably, the legal analysis is relatively straightforward. The more difficult issue is to force the bank or card issuer to adduce the digital evidence, and then for the lawyer to test it effectively by cross-examination.
Editorials copyright Stephen Mason, 2009
Digital data as hearsay
Steven W. Teppler rehearses the arguments for treating digital evidence as hearsay, and illustrates the failure of US courts to deal with digital data consistently
Evidential issues from pre-action discoveries: Odex Pte Ltd v Pacific Internet Ltd
Daniel Seng considers a recent case in Singapore in which the lawyers failed to obtain statements from appropriate witnesses
Judgment in the case of K.U. v Finland: the European Court of Human Rights requires access to communications data to identify the sender to enable effective criminal prosecution in serious violations of private life
Tuomas Pöysti examines an important decision by the European Court of Human Rights that must include the investigation of digital evidence
Businesses’ perception of electronic signatures: An Australian study
Dr. Aashish Srivastava provides a summary of his research into the perception of electronic signatures in Australia amongst the business community, including lawyers
Civil law liability for unauthorized withdrawals at ATMs in Germany
Assistant Professor DDr. Gerwin Haybäck analyses the present state of the law relating to liability for unauthorized withdrawals from ATMs in Germany
Bank card fraud in Spain
Ricardo M. Mata y Martín and Antonio Mª. Javato Martín discuss the legal obstacles and remedies in Spain relating to the effective prosecution of thieves that steal bank cards, and consider how the EU is dealing with the issue
Bread and Donkey for Breakfast: how IT law false friends can confound lawmakers: an Italian tale about digital signatures
Ugo Bechini considers a recent law in Italy that requires the transfer of a share in an Italian limited liability company to be effected by a digital signature, and a case where the judge has determined that the digital signature must be notarized to be effective
The essential elements of an effective electronic signature process
Greg Casamento and Patrick Hatfield set out some of the practical and legal considerations when dealing with electronic signatures in the United States of America
Reliability of Chip & PIN evidence in banking disputes
Steven J. Murdoch provides an outline of the ATM system that supports Chip & Pin in the UK, illustrating the complexities of the systems put in place by the banks and the weaknesses that customers may not be aware of
PINs, passwords and human memory
Wendy Moncur and Dr Grégory Leplâtre provide an introduction to some of the problems relating to memory and the ability of the human to recall passwords
Known knowns, known unknowns and unknown unknowns: anti-virus issues, malicious software and internet attacks for non-technical audiences
Daniel Bilar illustrates the ease by which third parties can obtain control of computers without the authority of the owner or user, with the concomitant need for lawyers to more fully understand the issues, failing which they might be considered negligent
Remote electronic discovery
Gib Sorebo takes a wide-ranging look at the changes that are taking place technically in respect of the ability of digital evidence specialists to obtain digital evidence without physically crossing national borders
Legal privilege and the high cost of electronic discovery in the United States: should we be thinking like lawyers?
Daniel R. Rizzolo provides an insight into the costs of litigation in the United States, identifies a significant bottleneck, and proposes an answer to the problem
International phishing gangs and operation Phish & Chip
Francesco Cajani provides an insight to the practical problems when dealing with cross-border crime
Interception of communications: Skype, Google, Yahoo! and Microsoft tools and electronic data retention on foreign servers: A legal perspective from a prosecutor conducting an investigation
Francesco Cajani illustrates the problems associated with dealing with evidence across borders and offers the perspective of an Italian prosecutor
Digital evidence and e-signature in the Russian Federation: a change in trend?
Alex Dolzhich considers the approach of the Arbitrazh Courts and the Arbitrazh Procedural Codes in relation to digital evidence
More on suppression and the internet in New Zealand
Ursula Cheer brings the reader up-to-date to her article on the decision of the judge in New Zealand Police v KOrs
Whether a photograph taken for Google’s Street View can be used as evidence in a criminal process: a case note
Nadezhda Purtova and Arnold Roosendaal consider the implications for data protection and the admissibility of evidence where a photograph retained by Google presented evidence of a criminal act
Digital evidence – do not confuse digital archiving with backups
Philippe Bazin indicates the difference between back-ups of data and the archiving of digital data in the light of a recent French decision
Digital evidence in the new Swiss Federal Code of Civil Procedure
Christoph Gasser gives an outline of the new Swiss Code of Civil Procedure for the admissibility of digital evidence and the electronic filing of submissions to the courts
Registered e-Mail and e-Invoicing in Turkey
Dr. Leyla Keser Berber sets out the developments in Turkey in relation to registered e-mail and e-invoicing, and how they may affect contractual relations
The Indonesian law on electronic information and transactions
Hamud M. Balfas provides a summary of the new law regulating electronic signatures and electronic commerce in Indonesia
A brief outline of the position in Uruguay in relation to cyber crime legislation
Luis Aguerre and Diego Baldomir provide a brief outline of the present difficulties faced by the authorities in Uruguay in relation to prosecuting cyber crimes
Line based hash analysis of source code infringement
Svein Yngvar Willassen provides an insight into the complexities of investigating lines of code for the purposes of establishing the theft of intellectual property rights and proposes a new method of investigation
On the complexity of collaborative cyber crime investigations
Peter M. Bednar, Vasilios Katos and Cheryl Hennell consider the various issues relating to investigating cyber crimes, and suggest a methodology that might prove to be helpful in dealing with such complex criminal investigations
An investigator’s approach to digital evidence
Paul Lund’s article considers the practical issues, with examples, that a digital evidence specialist faces when dealing with complex allegations of fraud using digital evidence
OGH judgment of 29.06.2000, 2 Ob 133/99v - Liability for misuse of ATM cards, commentary by Dr. Clemens Thiele
Liability; bank cards; ATM; misuse; electronic signature (PIN)
Request for dissolution; Bankruptcy Court; signature; sufficiency of electronic signature with name typed on document
Request for dissolution; Bankruptcy Court; requirement for manuscript signature; sufficiency of electronic signature with name typed on document
England & Wales
Job v Halifax PLC (not reported) Case number 7BQ00307, commentary by Alistair Kelman
ATM; electronic signature (PIN); proof for civil proceedings
Appeal No. 07-17622 Court of Cassation - second civil chamber of 4 December 2008
Original document; copy of original; digital copy; evidence of logo on scanned letter regarding proof of receipt
Appeal reference n° : 07-12545 (Not published in the Judgments Bulletin), Court of Cassation, 1st Civil Chamber of 25 June 2008
Digital evidence; bank transfers written in identical terms; commencement of proof in writing
5 October 2004, XI ZR 210/03, published BGHZ 160, 308-321 with a commentary by Dr Martin Eßer, and a further commentary by Dr. Thomas Kritter
Ž.Š. v Lietuvos taupomasis bankas, Civil case No. 3K-3-390/2002, Supreme Court of Lithuania, translated by Sergejs Trofimovs
LJN: AY6903, Services Court Judge Amsterdam, 345291 / KG 06-1112 AB, commentary by Arnold Roosendaal
Sygn. akt I KZP 39/08, Polish Supreme Court, 26 March 2009, commentary by Dr Arkadiusz Lach
Zhang Hua v Shanghai Danwei Information Consultation Co. Ltd, Shanghai People’s Court of Jing’an District, case note by Dr Minyan Wang
Authentication; e-mail; civil proceedings
U 1959.40/1H, case note by Professor Jon Bing and Jan Hvarre
Secured indemnity bond; manuscript signature by a ball-point pen; validity
19 February 2009, IV R 97/06 by Dr. Martin Eßer
Statement of claim; submitted with a digital signature (qualified electronic signature); certificate; monetary limit; validity of signature
2 BvC 3/07, 2 BvC 4/07, Federal Constitutional Court of Germany, case note by Dr. Zoi Opitz-Talidou
Unconstitutional use of electronic voting machines
Case No. А40-43946/08-93-94, Arbitrazh Court of Moscow
Digital evidence; status of scanned copies as written evidence; contractual agreement for e-mail correspondence
Case No. А40-19739/08-10-141, Arbitrazh Court of Moscow
Digital evidence; construction of contract; e-mails instead of signed transfer and acceptance on paper
Notes by Alex Dolzhich
Public Prosecutor v Neo Khoon Sing SGDC 225, by Bryan Tan
Digital evidence; the standard of proof for circumstantial evidence; it should lead one to 'the irresistible inference and conclusion' that the offence was committed by the accused
Up-106/05-27, by Dr Liljana Selinšek
Seizure of mobile telephone; admissibility of data stored on an SIM card; constitutional right to privacy of communication
Bonnier Audio AB, Earbooks AB, Norstedts Förlagsgrupp AB, Piratförlaget AB and Storyside AB v Perfect Communication Sweden AB (the Ephone case) by Mathilda Andersson
Action for infringement of IPR; right of claimant to request IP address; probable cause
George L. Paul, general editor, Foundations of Digital Evidence, (American Bar Association, 2008)
David J. Howell, general editor, Electronic Disclosure in International Arbitration, (JurisNet, LLC, 2008)
Assistant Professor DDr. Gerwin Haybäck, Risikohaftung bei missbräuchlichen Bankomatbehebungen Ein österreichisch-deutscher Rechtsvergleich, (Neuer Wissenschaftlicher Verlag, 2008)