Policeman's acquittal challenges computer "security through
obscurity"
John Munden, the Cambridgeshire policeman prosecuted for fraud
when he complained about money missing from his account,
had his name cleared last week. The case may force banks and
building societies, at least, to change the way they organise
computer and network security. Either they will have to switch
to systems which can withstand open public challenge -- or they
may have to accept that they cannot prove or disprove electronic
transactions which leave no signature on paper.
On 3 October 1992, his birthday, John Munden returned from holiday
in Greece, to find £460 missing from his account at the Halifax
Building Society in Newmarket. He complained to the branch manager
-- who, he told the Guardian, "gave me the sort of interview I
would give a suspect". On 26 February 1993 he was arrested at his
police station, and charged with fraud. In February 1994 a
magistrates' court found against him. The Halifax argued,
in essence, that its computers didn't make mistakes or
allow internal or external fraud, so the money must have
been withdrawn by John or his family.
On appeal, Bury St Edmunds Crown Court ordered the
Halifax to give his defence team access to its computer
security procedures, to check how infallible they really were.
The Halifax commissioned a study from consultants
KPMG, but did not satisfy the court that it had met the
order -- so John Munden's name was finally cleared after
two-and-a-half years.
The case does not set a formal legal precedent -- but lawyers
acting for other people complaining to banks and building
societies about so-called "phantom withdrawals" can draw
courts' attention to it.
John Munden is offering "advice or, you could say, emotional
support" to others in a similar position. "I'd say, be totally
sure of your facts, and don't give in, but be prepared to pay
a terrible price, because I've paid it both financially, physically
and mentally." He still doesn't have a bank account, and he
wants his £460 back with interest.
Ross Anderson is a leading researcher into computer security at
Cambridge University, and acted as John Munden's expert witness.
He sees much wider implications from the case: "A fundamental of
justice is that people are allowed to examine in open court the
evidence against them. So long as that stands, the Crown Prosecution
Service may have great difficulty in relying on electronic records
of any cash or security transfer."
He draws attention to the new CREST share transaction system: the
Bank of England has refused offers by him and other security
experts to try to break it to see how good its measures to prevent
fraud are. He says that this raises "a serious question over whether
evidence from CREST is usable in a criminal trial."
Brian Gladman has just left NATO after 22 years working in
military computer security. He believes that "the essence
of any good design is independent review... Going from the
public evidence, there is plenty of evidence that the banks' claims
are not justified... I hope that as a result of the Munden
case there will be many more challenges to them."
The case attracted international attention through specialist
internet mailing lists. John Michael Williams, a Maryland-based
consultant who advises the US National Security Agency, told the
Guardian: "Whatever the other facts of the case, I would challenge
the Building Society's claims of impenetrable, infallible
security, not subject to disclosure or independent review.
I sincerely hope this reversal helps make those arguments
untenable in future criminal proceedings, in any country."
The Halifax stresses that it was the Crown Prosecution Service,
not the Building Society, which pursued the prosecution. John
Munden believes that the Halifax initiated the case. The Halifax
says that it offered John Munden's team the same access it gave to
KPMG, and refused "blanket access" because it would breach
its duty of confidentiality to customers. Brian Gladman
agrees that "There's a valid argument that you can't reveal
all the intimate details of a security system in open court," but,
he continues, "that doesn't mean that you can't bring in an independent
group of experts. I think that this would be in the banks'
interest."