Scottish police tech piloted despite major data protection issues
A cloud-based digital evidence-sharing system for police in Scotland is being piloted, despite major data protection concerns raised by watchdogs about how the use of Microsoft Azure could be putting people’s sensitive personal data at risk.
The Scottish government’s Digital Evidence Sharing Capability (DESC) service is aiming to digitally transform how the criminal justice system manages evidence by creating a unified system for prosecutors, court staff, police officers and defence lawyers to access and handle digital evidence safely and securely.
Body-worn video technology provider Axon has been contracted by the Scottish government to deliver the digital evidence system, which is being hosted in turn on Microsoft Azure.
However, in a data protection impact assessment (DPIA), and through email exchanges with the Information Commissioner’s Office (ICO) dating back to summer 2022, the Scottish Police Authority (SPA) – an oversight body set up to scrutinise policing in Scotland – identified that the system couldn’t fully comply with specific data protection requirements for UK law enforcement bodies.
Emails from both Axon and Microsoft’s legal teams, which have been shared with Computer Weekly, also reveal that the issues now being flagged by the SPA have been known and understood by the companies themselves for at least two years, during which time no action was taken to remedy the concerns raised.
Both companies were asked about the emails and what action they’ve since taken to resolve the issues raised. Axon said it works “closely with customers to ensure robust and effective safeguards are in place”, while Microsoft didn’t respond. Axon’s full response is detailed below.
As detailed by the SPA, the DESC system “will provide the capability to collect and securely share digital evidence between criminal justice partners”, and the types of digital evidence being stored and processed include “private and non-private house CCTV, body-worn video, evidential calls to police control rooms, police interviews, pictures and videos of victims, accused, crime scenes, documents and fingerprints.”
This, in turn, could leave witnesses and victims of crime, plus suspects and people being prosecuted, open to a number of risks, including the possibility of their data being transferred to a jurisdiction with demonstrably lower data protection standards. It could also negatively impact their data rights to rectification, erasure and not being subject to automated decision-making.
The level of data processing being carried out is not “novel”, the SPA added, but it is new for policing in Scotland and therefore presents “additional risks” that don’t exist in the current processes, requiring a DPIA to be completed.
The SPA specifically noted that “transfers to overseas cloud providers, Axon USA or sub-processors outside of the UK [such as Microsoft] wouldn’t be legal”, and that there were a number of other unresolved high risks to data subjects, such as US government access, Microsoft’s use of generic rather than specific contracts, and Axon’s inability to comply with contractual clauses around data sovereignty.
The DPIA was released via a freedom of information (FOI) request by Owen Sayers, an independent security consultant and enterprise architect with over 20 years’ experience in delivering national policing systems, alongside the SPA’s correspondence with the ICO. All of this material has been seen by Computer Weekly.
Sayers said the issues brought to light by the FOI have been well understood and known about for a number of years. “Thanks to the honesty of these Scottish FOI disclosures, painful though they may have been for the parties to make them, that secret is out and can hopefully be positively discussed and addressed.”
Under the terms of the Data Protection Act (DPA) 2018, policing bodies are obliged to conduct mandatory DPIAs before the start of any new personal data processing where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. This includes where the system is not yet live, but real personal data is still being used.
The release of the DPIA and ICO correspondence also brings into question the lawfulness of cloud deployments by policing and criminal justice bodies throughout England and Wales, as a range of other DPIAs seen by Computer Weekly don’t assess the risks outlined by the SPA around US cloud providers, despite being governed by the same data protection rules.
Computer Weekly contacted the ICO about the contents of the DPIAs and the use of US cloud providers by UK law enforcement – including whether the ICO has sought formal legal advice since offering an “initial view” to the SPA, and whether it was aware the DESC pilot had launched with two unmitigated high risks.
“Police Scotland and the Scottish Police Authority approached the ICO to gain advice on the Digital Evidence Sharing Capability service, including use of cloud hosting. Engagement is ongoing as we consider the issues and next steps,” said an ICO spokesperson.
“It is important to maintain high standards of data protection compliance when processing law enforcement data, in order to ensure public trust and confidence and safeguard against harm. The purpose of a DPIA is to identify risks, and then to look to mitigate them: that latter step can’t be skipped.”
Computer Weekly also asked the ICO about the prevalence of US cloud providers throughout the UK criminal justice sector, and whether their use is compatible with UK data protection rules. The ICO said it had referred Computer Weekly’s questions to the FOI team for further responses.
Unresolved, high-risk issues
According to the SPA’s DPIA, “there are concerns that the processing could breach the tight controls that apply to international transfers as outlined in s73 of the DPA [Data Protection Act 2018]. These concerns relate to the provider, a wholly owned US company and its sub-processor, Microsoft Azure”, both of which it added are subject to invasive legislation that allows the US government to access their data.
Specifically, this includes section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows the US attorney general and director of intelligence services to jointly authorise the targeted surveillance of people outside the US, as long as they aren’t a US citizen; and the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US companies in the cloud.
While the DPIA noted the risk of US government access via the Cloud Act was “unlikely… the fallout would be cataclysmic”.
Alex Lawrence-Archer, a solicitor at data protection specialist law firm AWO, told Computer Weekly: “There seems to be a tension between what the Data Protection Act 2018 requires and that US legislation.”
He added that even if everything was processed from within the UK without routine data transfers to Microsoft for support purposes, the US government “would still be able to compel UK law enforcement personal data from Microsoft… all of this data, no matter where it’s stored or processed can be accessed by Microsoft US, which is within reach of the US government. And to the extent that it’s accessed, even the police won’t necessarily know that has happened.”
The DPIA noted a number of other “high-risk” issues with Microsoft’s terms and conditions that further bring into question its suitability to process UK policing data.
This includes the fact that Microsoft’s standard data processing addendum is drafted primarily to apply to processing related to the General Data Protection Regulation (GDPR) rather than Part 3 processing (the specific law enforcement requirements); that the contract between Axon and Microsoft doesn’t contain the “granular level of detail” required to meet either GDPR or Part 3; and that Microsoft’s use of generic terms and conditions means the DPA’s section 59 requirement for a specific contract detailing the nature of the processing can’t be met.
It added that while the Microsoft addendum states data is held in the UK, it also states that data may be transferred to or processed in the US, or any other country in which Microsoft or its processors operate, opening up the risk of it processing UK policing data outside of the UK “without any visibility or control over this processing for the controllers”.
For Axon, there’s also a high risk of it transferring UK policing data to the US without the knowledge or consent of the data controllers.
“The terms of the contract were clear in respect of data sovereignty, however, during due diligence it became clear that Axon may not have been fully conversant/understanding of this term as services within the solution processed data in the USA,” it said.
All of these issues were marked as “high risk” in the DPIA. In the following section on measures that could mitigate these risks, the SPA noted that it was either still awaiting assurances from Microsoft, or that there was no mitigation possible.
“In early June 2022, the Scottish Police Authority requested, via Microsoft reseller Phoenix, that Microsoft confirm in writing that MS Azure operates in compliance with Part 3 of the Data Protection Act 2018, and specifically is compliant with the s73 [international transfer] requirements,” it said. “The response was that ‘Microsoft would consult their CELA [corporate, external, and legal affairs] and respond, however, it may take some time’. This response doesn’t give the controllers the level of confidence they may have hoped for.”
The SPA’s correspondence with the ICO also reveals that the regulator largely agreed with its assessments of the risks. Regarding international transfer requirements, for example, it noted that technical support provided from the US by either Axon or Microsoft would constitute an international data transfer, as would a US government request for data made via the Cloud Act.
“These transfers would be unlikely to meet the conditions for a compliant transfer,” it said. “To avoid a potential infringement of data protection law, we strongly recommend ensuring that personal data remains in the UK by seeking out UK-based tech support.”
Commenting on the use of US cloud providers by UK law enforcement generally, Lawrence-Archer said the legal position around tech support from a third country is clear, in that each instance of access counts as a transfer.
“I am sure it’s right that not every time such access takes place from the USA will personal data falling within the scope of Part 3 be involved, but it’s probably fair to assume that at least for some of those transfers… there’s, at a minimum, a very real risk of international transfers taking place in a way that’s not really within the control of the controller,” he said. “It’s difficult to see how such international transfers could be lawful.”
Other policing bodies involved in the DESC system as joint controllers were also FOI’d for the DPIAs they’d carried out, including the Crown Office and Procurator Fiscal Service (COPFS) and the Police Service of Scotland (PSoS).
The Scottish government itself was also FOI’d as the contracting body responsible for funding the system, but is not acting as a data controller and therefore is not legally obliged to complete a DPIA.
Responding to an FOI, the Scottish government provided an extract of the contract between Axon and Scottish ministers, but as highlighted in the SPA DPIA, the contract is built around GDPR requirements, and at this time makes no specific mention of the Part 3 rules or the fact that law enforcement data is being processed.
While the excerpt does mention the need for data to remain in the UK in two of the clauses, there is no indication that Axon and Microsoft are able to achieve this, given the concerns raised by the SPA.
Further, the Scottish government disclosed that it has no idea what sub-processors are involved in the contract, or what countries data might actually be transferred to, calling into question what diligence it applied during the process.
Under section 59 of the DPA, controllers (the Scottish criminal justice bodies) themselves must also have a direct written contract with the processors (Axon, in this case), but there is no indication this is the case. Although “data processing agreements” have been created, Sayers said the example provided falls far short of being an actual contract meeting the section 59 terms.
Computer Weekly contacted the Scottish government about DESC to ask why its basic due diligence didn’t identify the US-based sub-processors and which countries data would be stored or processed in, as well as its thoughts on whether Axon and Microsoft are technically capable of keeping data in the UK, given the concerns clearly identified by the SPA.
“The Scottish government takes the privacy of citizens’ data very seriously and is collaborating with DESC partners to deliver a ground-breaking service which complies with statutory requirements and reduces risks related to storing and transporting physical evidence. This process includes engagement with the Information Commissioner’s Office and ensures that robust protections are in place to support the six-month pilot,” said a Scottish government spokesperson.
“All digital evidence in the DESC system, currently limited to a number of more minor cases in one court jurisdiction, is held securely and only accessible to authorised personnel such as police officers, prosecutors and defence agents. Access to this information is fully audited and monitored, and processes are in place to ensure any data risks are quickly identified, assessed and mitigated.”
Looking at the COPFS DPIA, it asserts – contrary to the SPA DPIA – that all data remains within Microsoft’s UK police-assured secure facility (PASF) datacentres, and that although there is a small risk of data being transferred to a third country, “this has been mitigated”. What that mitigation is remains unclear.
However, it does acknowledge that “evidence contained in DESC falls under the jurisdiction of the US Cloud Act, which in principle, could provide a legal gateway for evidence (content data) to be provided to the US authorities without the knowledge of the data controllers or contracting authority. If this were to happen, this would have an adverse impact on a data subject’s rights”.
While the COPFS DPIA acknowledged that Axon and Microsoft are also subject to UK data protection laws, it again cited UK GDPR and not the law enforcement-specific Part 3.
“On the basis of analysis of the legal advice received (which is consistent with the advice received by other DESC partners and which formed the basis of the DESC partners’ collective decision-making on this issue), the legal frameworks in place, the supplier data processor and UK GDPR legal and contractual responsibilities… the US Cloud Act and GDPR risks relating to Axon and Microsoft US-owned company status are mitigated or can be managed appropriately,” it said.
However, the sections outlining all the risks and any mitigations were entirely redacted, making it impossible to assess the level of risk COPFS believes it’s carrying. The reason given for withholding this information was: “A purpose of the ongoing pilot is to identify and respond to any concerns which are identified. Premature disclosure of this information would prejudice our ability to do this effectively. I have therefore taken the view that it is not in the public interest to disclose this information.”
On international transfers, it added that while Axon’s statements to COPFS and its agreements with them “don’t fully mitigate the sovereignty risk”, it does provide “vital controls to reduce risks and the likelihood of this issue occurring”. As part of the mitigations, COPFS referred to standard contractual clauses (SCCs), which Sayers said have no relevance to Part 3 processing.
COPFS also disclosed a sub-processor list, which explicitly states that certain parts of the service will be provided from US companies, including Axon’s parent company Axon Enterprise, as well as Twilio, Mixpanel and Qualcomm.
In response to the FOI, COPFS confirmed it also doesn’t hold information on the contract with Axon.
The PSoS FOI disclosures highlight similar inconsistencies, and are arguably more significant given PSoS is acting as the lead data controller. Its correspondence with the ICO, for example, shows the PSoS had meetings with the ICO in December 2022 and January 2023 in which DESC was discussed.
An ICO email from 20 January 2023 summarised the meetings, noting that the DESC pilot would begin on 24 January and would involve live personal data; that “there will be international transfers involved in the provision of technical services”; and that PSoS is “assured as the controller” that it’s meeting all of the law enforcement data protection obligations.
However, it noted: “If you have a remaining residual high risk in your DPIA that cannot be mitigated, prior consultation with the ICO is required under section 65 DPA 2018. You cannot go ahead with the processing until you have consulted us.”
Looking at the DPIA disclosed by PSoS under FOI, which was completed and signed off on 19 January, two unmitigated high risks remained, including that sub-processors of Axon are not subject to the terms and conditions, and that the suppliers are subject to the US Cloud Act. These risks were identified by the ICO in the December meetings, where it made clear that these would contravene Sections 59, 64 and 66 of Part 3 if they weren’t resolved.
While the risks are marked as high, the DPIA shows they’ve been accepted by the senior information risk owner (SIRO). However, according to Sayers, these risks can’t be accepted by the SIRO because they relate to the rights and interests of data subjects, and are not security-related risks.
“On the face of it, then, PSoS have proceeded to pilot without disclosing two high risks, which they’ve accepted but can’t mitigate,” he said. “They’ve done so immediately after a meeting and email exchange with ICO, where the ICO were quite clear – you cannot proceed with high risks, and must formally refer them to us for our consideration first.”
PSoS and COPFS responses
Responding to specific questions about their DPIAs and the DESC service, a PSoS spokesperson said: “Police Scotland takes data management and security very seriously and is working alongside criminal justice partners to ensure robust, effective and secure processes are in place to support the introduction of DESC.
“All digital evidence on the DESC system is held securely and only accessible to authorised personnel, such as police officers, COPFS and defence agents. Access to this information is fully audited and monitored, and processes are in place to ensure any data risks are quickly identified, assessed and mitigated.”
It didn’t respond to direct questions about the unmitigated high risks accepted by the organisation, whether it has been approached by the suppliers about known compliance issues, and if it had formally consulted the ICO.
In a similar response to Computer Weekly’s questions – which included further queries about how it has accounted for the discrepancy between its claims that all data remains within the UK and the disclosed sub-processor list, which explicitly states that certain parts of the service will be provided from US companies – a COPFS spokesperson said the organisation “takes seriously its responsibility to handle sensitive information carefully” and has robust processes in place to keep data secure.
“We continue to collaborate with partners to deliver a secure and robust pilot scheme for the digital sharing of evidence, working to ensure data is processed securely, appropriately and in compliance with relevant statutory obligations,” they said. “The pilot scheme is innovative in approach, and is one part of a sector-wide transformation which will improve the experience of those involved in criminal cases.”
According to Sayers, however, “it is not clear how COPFS can claim or reasonably believe that they have met all statutory requirements based on their own DPIA”. He further noted that while COPFS is claiming to have met all of its statutory obligations, the PSoS response has not made such claims.
The issues highlighted by this spate of FOI disclosures have been ongoing for a number of years.
Sayers noted that FOI responses from policing bodies are usually heavily redacted and will only be released after a series of internal reviews or ICO appeals. “Regardless of the content, the participants in this round of FOI requests do deserve full marks for their transparency, even if that’s exposed issues they might not have wanted to presently publish,” he said.
The SPA’s correspondence with the ICO also refutes earlier claims made by other policing bodies – including from England and Wales – that the regulator had been consulted on, and subsequently signed off, the use of US cloud providers throughout the UK criminal justice sector.
“We’re not aware of any approval or assurance in terms of processing in the cloud,” it said, in reference to being told by the SPA data protection officer that the roll-out of cloud services to police across the UK had been agreed upon by the National Police Chiefs’ Council (NPCC) and the ICO.
Similar claims were made to Computer Weekly regarding ICO sign-off on the roll-out of Microsoft 365, which the ICO refuted at the time in December 2020. Many of the previously disclosed FOIs also don’t assess the risks highlighted in the DPIAs completed by Scottish policing bodies. For example, there is no mention of the US Cloud Act, or the fact that Microsoft only offers generic contracts.
On top of policing bodies’ claims to have received regulatory sign-off, the suppliers themselves have also been aware of the issues around servicing UK policing customers for a number of years.
In November 2019, after initially discussing the concerns at a conference in Scotland, Sayers provided Axon with a detailed breakdown of the Part 3 data protection issues associated with their services, particularly Microsoft’s use of generic terms and conditions, which Axon employees noted they’d “do a proper review” of.
The same issues were also highlighted by Sayers to Microsoft in February 2019, which were then reviewed by Microsoft’s legal team. Responding to Sayers in April 2019, the legal team noted: “Microsoft is ready to work with customers in connection with their compliance with the updated law [referring to the Data Protection Act 2018, which went into effect the previous May].
“However, as you mention, our customers have a range of deployment landscapes and service scenarios with us and we trust that, as in the past, they’ve each carried out a detailed review of their own circumstances. Consequently, we don’t plan to distribute any proactive communications to our customers regarding the proposed changes to Part 3 of the DPA, but expect that those customers with questions or concerns will contact us directly with their queries.”
It added that if customers of Microsoft have questions or concerns, “we would be happy to work with them to address these on a case-by-case basis through the usual process, so please instruct them to contact their Microsoft account executive or contact”.
Computer Weekly contacted both Axon and Microsoft about the emails and what actions the organisations have taken with their law enforcement customers to remedy the issues raised.
“Axon has established and continues to enhance data protection measures to support all of our customers, including our contract with the Scottish government. Axon’s information security and privacy information management systems are independently certified to best practices, including ISO 27001 and 27701,” said an Axon spokesperson.
“Given the dynamic regulatory and security environment along with our commitment to protect the data and services our products provide, we work closely with customers to ensure robust and effective safeguards are in place.
“We’re committed to continuing to develop and enhance Axon’s products to ensure customers can meet data protection and privacy expectations from their communities and regulatory environment when using Axon products.”
Microsoft didn’t respond.
Sayers said, however, that ultimate responsibility lies with the policing and criminal justice bodies.
“While there is no doubt that both Microsoft and Axon have known about these issues for some time, and have arguably done nothing to resolve them, the duty to analyse and surface the problems for them to be addressed, or the services to be confirmed as unsuitable for police use, has always sat with the law enforcement community,” he said.
Owen Sayers, independent security consultant and enterprise architect
“The problem at its root is that while others knew or suspected these issues existed, they haven’t applied the diligence or effort that all of the Scottish DESC controllers, but especially the SPA, have.”
Sayers said the solution for UK policing has already been covered by ICO guidance and the emails described with Axon and Microsoft, which is to move the data processing to a platform that is 100% UK-based and which meets all of the Part 3 requirements.
“The scale of police data pools is huge, and their systems are complex,” said Sayers. “But until recently, each force has had two or more of their own datacentres that, if combined with commercial police-assured sites in the UK, could be used to create a Federated UK Justice Cloud relatively quickly.
“The means and the skills to do it certainly exist – all that’s needed is the will to do so. While it might take a few years to transition all this data from these legally difficult-to-use public clouds to new UK-based and legal solutions, during which time risks for compensation or legal challenges may continue to exist, the end result – a UK sovereign capability employing thousands of skilled staff and controlling UK citizen data inside the UK – has to hold some attractiveness.”
Computer Weekly asked the ICO whether it would investigate the use of US cloud providers by UK law enforcement bodies, but received no response by time of publication.