[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
UK privacy case: Munden
interesting story I hadn't heard before. this guy
complained about a bad bank balance and went to jail for
it. touches issues such as security of bank software,
government oppression, crypto, judicial evidence legality, etc.
------- Forwarded Message
Date: Thu, 11 Jul 1996 04:38:27 -0700 (PDT)
From: Phil Agre <[email protected]>
To: [email protected]
Subject: John Munden freed
X-URL: http://communication.ucsd.edu/pagre/rre.html
[This case is so outrageous that it wouldn't even work as a "Dilbert" strip.
Fortunately the guy is now free, having had his life ruined for complaining
about the theft of his bank deposits.]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command. For information on RRE, including instructions
for (un)subscribing, send an empty message to [email protected]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Date: Wed, 10 Jul 1996 11:00:11 -0800
From: Jon Callas <[email protected]>
To: "The Eristocracy" <[email protected]>
Subject: Munden set free
[Editor's note: I sent out an article about the Munden case when it was
current -- in late '94. For those who don't remember, John Munden is a British
policeman who was jailed for complaining about his bank balance being wrong.
No, you didn't read that incorrectly. Read on for more details. I certainly
hope that the next chapter will be some sort of restitution paid to Munden. --
jdcc]
Date: Tue, 09 Jul 1996 12:13:28 +0100
From: Ross Anderson <[email protected]>
To: [email protected]
Subject: Important UK court case
+----------------------------------------------------+
Addressed to: [email protected]
+----------------------------------------------------+
At a trial in England yesterday, a judge decided that if a bank was
not prepared to let their computer systems be examined by a hostile
expert witness, then they could not even present bank statements
in evidence.
At least SET has been done right - I believe it is the first
significant banking protocol to have undergone an open design
review. I hope that there will be implementations that have also
undergone credible scrutiny.
I append a note of the case that I posted to our supporters.
Ross Anderson
*********************************************************************
John Munden is acquitted at last!
At twenty past two today, John Munden walked free from Bury Crown
Court. This resolved a serious miscarriage of justice, and ended an
ordeal for John and his family that has lasted almost four years.
In a judgment loaded with significance for the evidential value of
cryptography and secure systems generally, His Honour Justice John
Turner, sitting with two assessors, said that when a case turns on
computers or similar equipment then, as a matter of common justice,
the defence must have access to test and see whether there is anything
making the computers fallible. In the absence of such access, the
court would not allow any evidence emanating from computers.
As a result of this ruling, the prosecution was not in a position to
proceed, and John Munden was acquitted.
John was one of our local policemen, stationed at Bottisham in the
Cambridge fenland, with nineteen years' service and a number of
commendations. His ordeal started in September 1992 when he returned
from holiday in Greece and found his account at the Halifax empty. He
complained and was told that since the Halifax had comfidence in the
security of its computer system, he must be mistaken or lying. When
he persisted, the Halifax reported him to the police complaints
authority for attempted fraud; and in a trial whose verdict caused
great surprise, he was convicted at Mildenhall Magistrates' Court on
the 12th February 1994.
I told the story of this trial in a post to comp.risks (see number
15.54 or get ftp.cl.cam.ac.uk/users/rja14/post.munden1). It turned
out that almost none of the Halifax's `unresolved' transactions were
investigated; they had no security manager or formal quality assurance
programme; they had never heard of ITSEC; PIN encryption was done in
software on their mainframe rather than using the industry-standard
encryption hardware, and their technical manager persisted in claiming
(despite being challenged) that their system programmers were unable
to get at the keys. Having heard all this, I closed my own account at
the Halifax forthwith and moved my money somewhere I hope is safer.
But their worships saw fit to convict John.
An appeal was lodged, but just before it was due to be heard - in
December 1994 - the prosecution handed us a lengthy `expert' report by
the Halifax's accountants claiming that their systems were secure.
This was confused, even over basic cryptology, but it was a fat and
glossy book written by a `big six' firm with complete access to the
Halifax's systems - so it might have made an impression on the court.
We therefore applied for, and got, an adjournment and an order giving
me - as the defence expert witness - `access to the Halifax Building
Society's computer systems, records and operational procedures'.
We tried for nine months to enforce this but got nowhere. We
complained, and the judge ordered that all prosecution computer
evidence be barred from the appeal. The Crown Prosecution Service
nonetheless refused to throw in the towel, and they tried to present
output such as bank statements when the appeal was finally heard
today.
However, the judge would have none of it.
For the computer security community, the moral is clear: if you are
designing a system whose functions include providing evidence, it had
better be able to withstand hostile review.
Ross
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This message was sent by [email protected]. For a complete listing
of available commands, please send mail to '[email protected]'
with 'help' (no quotations) contained within the body of your message.
- - --- end forwarded text
- ------- End of Forwarded Message
------- End of Forwarded Message