Tuesday, 18 December 2012

Why electrical network frequency analysis might be unsafe to trust in court

    Tl;dr: Electrical network frequency analysis involves analysing the frequency of recorded mains hum to verify the time a recording was made, and that it has not been edited. This piece expresses concern that it could be fooled using readily available computer equipment, and makes a suggestion as to how that might be prevented.

    Electrical network frequency analysis has been in the news recently. It offers a solution to the problem facing courts when dealing with audio recordings; that of establishing the time a recording was made and that it has not been edited or tampered with.
    It works by analysis of any mains hum present on a recording. The mains electricity system uses AC, or alternating current, which is to say that its current changes direction many times a second. AC power cables thus are surrounded by an oscillating magnetic field which induces a tiny AC voltage in any electronic equipment that comes within its range. If the electronic equipment is a tape recorder then that tiny AC voltage will be copied onto any recordings it makes, resulting in a constant detectable background hum.
    In the UK our AC power grid operates at a frequency of 50Hz, which is to say that its current changes direction 50 times a second. All our power lines are connected to the same grid, so when there are minute variations in the frequency of the grid power in response for example to instantaneous surges in demand, those variations will be identical everywhere in the country. Thus if you were to store the frequency of the grid power as it varies over a period of time you could identify when a recording was made within that time by comparing the variations in frequency of any mains hum it contained with your stored values for mains frequency.
    It is a very effective technique, because the mains hum provides a readily reproducible timestamp. An infallible weapon in the fight against crime, you might say.

    Unfortunately I have my doubts.

    As an electronic engineer by training, when I read the BBC piece linked above, I thought immediately of Fourier transforms. A Fourier transform, for those fortunate enough never to have had to learn them, is a mathematical method for taking a piece of data in the time domain and looking at it in the frequency domain. If this sounds confusing, consider a musical stave. As you move from right to left along it you are moving in the time domain, the notes it contains are each played as you pass them. If however you shift your viewpoint through 90 degrees and look at the stave end-on, you are now looking at it in the frequency domain and you are seeing each note as it is played represented in its position on the paper by its pitch. If you encounter a chord, you will see several notes at the same time each at a different pitch.
    Now if you were to imagine the same trick applied to a complex recording such as human speech you would need to abandon the musical stave and instead imagine a much wider frequency range. And instead of single frequencies generated by musical notes you would see a multitude of different frequencies at different intensities which make up the astonishing variation of the human voice.
    Once you have transferred a recording into the frequency domain like this, you can examine individual frequencies such as any 50Hz mains hum. The forensic teams will use this technique to measure any variations in the hum, it's an extremely useful piece of mathematics.
    However, as well as examining individual frequencies you can also manipulate them. You can remove them entirely if you want to, or put new ones in. Then you can recombine all the frequencies from your Fourier transform back together into the time domain to create a new, altered copy of your recording.
    And it is this ability that is at the root of my doubts about electrical network frequency analysis, that since it is possible to remove the mains hum timestamp from a recording in this way and replace it with an entirely different one it seems to me that relying on this technique to verify when a recording was made and that it has not been altered is inherently unsafe.
    While researching this piece I had a good long chat with a friend whose career took him in to the world of DSP. From the course of our discussion came an idea as to how the job of detecting manipulation of a hum signature might be achieved.
    As it has been described, the forensic analysis can only look at the frequency of the 50Hz hum. They record it at their lab and compare it with the recording under examination. Yet the local mains supply where the recording is being made will contain so much more information than simply the hum frequency, it will contain a much wider bandwidth of noise that is unique to the mains environment in that particular location. That noise will be generated by the mains equipment electrically close to the recorder; everything from electric motors through fluorescent lights to poorly-shielded electronics. In addition it will contain phase changes, small movements of the waveform in the time domain, caused by any of those pieces of equipment that do not have purely resistive loads, and those phase changes could be readily linked to the noise from the devices that generate them. This information would be much more difficult to remove from a recording than just the 50Hz hum, so could provide a means to tie a genuine hum signature to a recording.
    Unfortunately though the only component of this that will be recorded will be the strongest lower frequency component of this noise, the 50Hz hum itself. This is because whatever is recorded has to be induced in the recorder by the magnetic field of the mains installation, hardly a coupling conducive to the transfer of higher frequencies.
    But what if instead of relying on induction the recorder mixed in a suitably attenuated copy of the complete  mains noise spectrum with the input from its microphone? In that case all the information about nearby mains-connected devices and their effect on the phase of the 50Hz hum it might contain would be preserved, making it extremely difficult to insert another hum signature whose phase changes do not match the changes in electrical noise also present on the recording. It is not beyond the bounds of possibility to imagine that "official" recorders in police stations and the like could be modified to record this noise.
    Of course, I may be an electronic engineer, but I spend my days working for a dictionary. The frequency analysis I do for a living these days involves language and word frequencies rather than audio, and any digital signal processing I have a go at is strictly in the hobby domain. I know the removal and reinsertion of a 50Hz hum signature in the way I have described is nothing special and could be performed by someone proficient with DSP software on a rather modest computer far less powerful than most modern cellphones, but I have no knowledge of any specialist techniques that might be used to detect it in a finished recording. My concern is that I am seeing a forensic technique acquire a scientific halo of being somehow a piece of evidence that is beyond reproach, and this prospect worries me when I can see such a flaw. This is not from a desire to damage justice but to strengthen it, for it is not unknown for evidence to be found to have been fabricated.
    So if there is nothing to be concerned about and manipulation of hum signatures in the way I have described could be easily spotted, fine. That's what I want to hear. Don't just say it though, prove it. But if instead this technique turns out to be a valid attack on network frequency analysis, then let it be brought into the public arena so that methods of detecting it can be devised.