We are currently experiencing network problems with the desktop version of Police Oracle. We hope to have these resolved as soon as possible.

Detective's casebook: handling cloud data as evidence

Former Radio 1 DJ Mark Page was sentenced to 18 years’ imprisonment for child sex offences after an investigation which “pushed boundaries” during early conversations around the Cloud.

An investigation into a Middlesbrough FC match day announcer contributed to early conversations around cloud capabilities and has subsequently been awarded a Home Office Internet Intelligence Award.

Mark Page was convicted of arranging the commission of child sex offences and sentenced to 12 years’ imprisonment – later increased to 18 years following an appeal.

The case had come through to Cleveland from the National Centre for Missing and Exploited Children in January 2020 – the name of the suspect was immediately familiar due to Mark Page’s association with the football club.

Detective Sergeant Kevin Carter told Police Oracle: “It wasn't until the verification came through with some bits and pieces we did intelligence wise that it really dawned on us the significance of [the case] and what is possible - how it could be of national interest.

“We headed out relatively straight away because of the immediacy around it - if Mark was a regular traveller to the Philippines, without access to his diary we didn't know if he was due to jump in a plane.”

A POLIT team of around five or six went to his house where they found his computer switched on and logged in to his Google account. It was at a time where, although the Cloud had become a topic of national conversation, police were not routinely seizing cloud data.

DS Carter explained: “Lots of people were obviously aware of it because it had been going on for some time, but British legislation hasn't even still now really fully caught up. There's lots of different interpretations of how best to handle [cloud data] – what powers are best and most appropriate to use.

“That was all still very much in its infancy back in January 2020. But we were lucky - it really was just a case of having the right people in the right place at the right time.”

In addition to being the SIO for the case, DS Carter was also the force digital investigations coordinator. It meant he had been involved in national conversations around cloud data and the options open to law enforcement.

He also had a digital investigation and victim identification officer with him – DC Steve Rookes.

“We looked at it straight away with the point of view of - there is no precedent for this. What bases do we need to cover?” DS Carter continued.

“There's several strands to it- first of all, where's the data saved? Traditionally, police would have gone in there and would have turned the computer off and put it into digital forensics examination.

“Had we done that, this case wouldn't have been as successful as it has been, because the data that we ended up relying in court was on Google servers in California not on his local computer.

“It was very much a recognition that whilst that machine was turned on, and it was logged into that account, that that data was accessible to us and could be downloaded.

“Once that computer is turned off, and that door closes, it can't be reopened.”

It comes back to an interpretation of Section 19 of PACE – that what is accessible from the property is considered on the property.

If the computer had been switched off, moved, and reopened – investigators would have had to go through a complicated legal process (Mutual Legal Assistance Treaty) between the UK and the US – whereby a case would need to be presented to the CPS who in turn would need to write to representatives in the US so they could take that to court.

“It's very laborious, and it can take over a year, which obviously when you've got kids in the Philippines being ferried around to hotels for people like Mark Page, you don't have the luxury of time,” DS Carter said.

Now, particularly with paedophile online investigations, it has become common use to triage suspects’ devices at the scene to establish whether there is cloud based data. At the time – it was still common practice to turn devices off and pass them to Digital Forensics Units.

Once you factor in delays for that process to take place – the suspect could be using that time to move/delete/change data and it can no longer be relied on as evidence.

DS Carter emphasises the team on the day were not “cavalier” in their approach. As DMIs – they knew the ACPO principles [Association of Chief Police Officers] – including that you should not touch or take any action that could change data, and that if it there is an urgent need to do so, you can as long as you are competent.

They also put a call in to the Covert Authorities Bureau at the scene.

“So that's what we did, we instigated a Google account archive from his machine in his house while we were there - it was from the archive that we just got 10 years or more worth of emails.”

It was the second key part of this case – exactly how much data is held about a person in the cloud.

“From his emails, you could piece together much of his life - you've got his hotel bookings, his flight bookings, his seat reservations, his itinerary, all of his communications," DS Carter said. 

“Then you've got every photograph he's taken across every device he's had in the last decade (and he’s a man who takes a lot of selfies). Every selfie puts him in a geographical location, then you've got the metadata behind the photograph - the exact date and time it was taken, potentially got longitude and latitude.

“You start putting that together with the emails, and you're starting to get a real good timeline about where he was when and what he was doing there.”

Added to this was his Alexa voice history – which Google harvests as well. A folder of voice recordings contained many that were relevant to the case – and were impactful for a jury to hear.

This included one asking how to send money anonymously to the Philippines, and another asking the age of sexual consent in the Philippines.

The latter could then be overlaid with a message he sends to one of the facilitators in the Philippines saying something along the lines of ‘Can do 12 in the Philippines babe.’

For DS Carter: “With him as a radio personality with such a recognisable voice - there was just no grey area. It was crystal clear what he was asking - he could stand in the dock and try and explain it any way he wanted. But it was very, very powerful for the jury.”

Investigators worked closely with International Liaison Officer Richard Bradley from the NCA who was based in the Philippines. He was able to liaise with local law enforcement, who using social media accounts provided by Cleveland, were able to locate the three child victims and refer them into social care. He was also able to help the investigation by making inquiries with hotels about bookings. 

In court, investigators had been anticipating some rebuttals around their approach with the cloud because it had not been tested yet.

“You're taught in policing, aren't you that if they can't attack the evidence they attack the process," DS Carter said. 

“We were expecting it, but as it transpired it never came up.

“I can only surmise - but I think it comes back to the fact we’d been mindful to check our interpretation with the covert standards manager – to follow the principles and video record the steps that we took.”

What the defence team did plan on however was producing a jury bundle with pages and pages relating to notifications of suspicious activity on Mark Page’s account. Pages which had been designed to suggest that he was being hacked or targeted.

DS Carter and DC Rookes spent the weekend before the trial cross-referencing every individual event.

“For example if a login said there's been a login in Hong Kong on June 1 - we would go back into the data and find out where Mark was on June 1. And if there was anything whatsoever, if there was an email about a flight, if there was a selfie that’s been taken we would use that. If it said this suspicious login was from a Samsung phone, we would find a selfie from that period of time from a Samsung Galaxy S3 phone.

“Every single suspicious login that they proposed to tell the jury was evidence of hacking, we were able to attribute Mark Page to every single device and every single location.”

The defence team had also tried to use emails from Page’s ex-partner that demonstrated hostility in a bid to suggest she had reason to set him up.

Investigators once again used cloud data of previous correspondence to disprove it.

Page was convicted on four counts of arranging the commission of a child sex offence between 2016 and 2019.

DS Carter told Police Oracle that since this case both the Cloud and Digital Forensics Units’ understanding of it has come a long way.

Meanwhile, this case has since been recognised at the Home Office International Digital Investigation Awards – as one that contributed to the early national conversation around cloud capability.

Head of Major, Serious and Organised Crime, Detective Superintendent Anne-Marie Salwey, said: “The knowledge and expertise of Kev Carter, [OIC] Jo Pain, Steve Rookes and [Digital Forensic Investigator] Paul Ripley has resulted in an international award being brought home to Teesside and most importantly, it has prevented further children from being exploited by Page.”

For DS Carter: “Taking a child out of exploitation is obviously always going to be up there as one of the most powerful things you can do in policing.

“If we had not been willing to push those boundaries to try something new, this case wouldn't have led to what it did. 

“It speaks as well to just understanding what type of data companies hold, and knowing that what value that can bring to an investigation.”

Leave a Comment
View Comments 1
In Other News
Detective Casebook: Modern Slavery and Justice & Care
Detective's Casebook: Learning points from the David Fuller case
Detective's Casebook: computer misuse legislation is 'underused' More News