Police Scotland did not consult ICO about high-risk cloud system

Police Scotland chose not to consult the data regulator before deploying its cloud-based digital evidence-sharing system, despite identifying a number of “high risks” with the data processing, freedom of information (FOI) disclosures have revealed.

The disclosures also show that although the Information Commissioner’s Office (ICO) had previously been informed of the risks and acknowledged them, it was asking for clarification on their seriousness and why a formal consultation was not sought nearly three months after the system’s pilot deployment with live personal data.

At the start of April 2023, Computer Weekly revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.

Specifically, the police watchdog said there were several other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic rather than specific contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.  

However, correspondence disclosed under FOI rules between Police Scotland and the ICO now reveals the force believed it was not necessary to formally consult with the regulator about DESC because there were “mitigations” in place and there was “ongoing and detailed engagement” with the regulator.

The correspondence also reveals that Police Scotland believed US government access via the Cloud Act would be “unlikely” because the data it holds in Microsoft does not fit the criteria of that legislation. However, Police Scotland added: “There is no known case law to date to illustrate this position.”

The correspondence also reveals that despite being in full view of the high risks through previous meetings with other DESC partners, the ICO was following up with Police Scotland for clarification on the risks and why there was no formal consultation initiated by the force in April 2023 – nearly three months after the system had already been deployed.

We have worked closely with criminal justice partners to ensure all required data security, protection controls and governance are in place and legally compliant ahead of any national roll-out of the Digital Evidence Sharing Capability system
Police Scotland spokesperson

Computer Weekly contacted Police Scotland about every aspect of the story and every claim made by data protection experts.

“We have worked closely with criminal justice partners to ensure all required data security, protection controls and governance are in place and legally compliant ahead of any national roll-out of the Digital Evidence Sharing Capability system,” said a spokesperson. “We recognise the public interest in DESC data security controls and continue to engage with the Scottish Biometrics Commissioner and the Information Commissioner’s Office as required.”

Computer Weekly also contacted the ICO about why it only sought clarification three months after DESC’s roll-out, especially given it had already been made aware of the high risks through other avenues, but received no response on this point.

“This is a complex issue with several factors to consider, so we have taken the necessary time to review and provide our stakeholders with relevant guidance. We consider that law enforcement agencies may use cloud services that process data outside the UK where appropriate protections are in place,” said an ICO spokesperson.

Ongoing police cloud concerns

Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing the data of over a million people unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK police, arguing they are currently unable to comply with strict law enforcement-specific rules laid out in Part 3 of the Data Protection Act (DPA) 2018.

Computer Weekly then revealed in April 2023 that the Scottish government’s DESC service was being piloted by Police Scotland despite the clear data protection concerns; and that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every cloud system used for law enforcement purposes in the UK, as they are governed by the same data protection rules.

In January 2024, in response to questions from Computer Weekly about whether it also uses US-based hyperscale public cloud services for its own law enforcement processing functions, the ICO sent over a bundle of Data Protection Impact Assessments (DPIAs) – 495 pages of them – detailing a number of systems in use by the ICO.

According to these documents, the ICO is explicit that it uses a range of services that sit on Microsoft Azure cloud infrastructure for law enforcement processing purposes. However, it declined to provide any comment on its legal basis or conducting such processing, and the extent to which its own use of these cloud services has prevented it from reaching a formal position on whether the use of these services conflicts with UK data protection rules.

Other recent FOI disclosures revealed that following Police Scotland’s pilot DESC deployment in January 2023, Microsoft admitted to the Scottish Police Authority (SPA) that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

Specifically, it showed that data hosted in Microsoft infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.

The documents also contain acknowledgments from Microsoft that international data transfers are inherent to its public cloud architecture.

While long-awaited official advice was sent to Police Scotland by the ICO in April 2024 – which details the data protection due diligence required and how it believes police cloud deployment can be made legally compliant – the regulator was clear that its guidance “does not constitute approval for the roll-out or assurance of compliance under data protection law”.

Police Scotland’s mitigations

In line with issues identified by the SPA, Police Scotland’s DPIA for DESC – which was completed and signed off on 19 January 2023, just days before the roll-out on 24 January – showed that two unmitigated high risks remained.

These risks were that sub-processors of Axon are not subject to the terms and conditions, and that the suppliers are subject to the US Cloud Act.

Reaching out to the force for clarification after its pilot deployment, the ICO said: “We note that in the DPIA there seems to be two high risks that have not been reduced but have been ‘accepted’ and we wanted to seek clarity on these.

“In our meeting of 19 January 2023, it was our understanding there were no unmitigatable high risks outstanding and therefore the processing could go ahead, and the DPIA wouldn’t be submitted to us under Section 65 DPA 2018 but rather it would be provided to us informally.”

Highlighting the two risks, the ICO added: “As you will know if you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to formally consult with us under Section 65 DPA 2018. You cannot go ahead with the processing until you have done so.”

Responding to the ICO’s request for clarification on the high data protection risks present with DESC in April 2023, Police Scotland’s data protection officer (DPO) noted that “to comply with Part 3, PSoS is clear that law enforcement data (content data) must be stored and processed in the UK at all times.”

The DPO then went on to outline the DESC contract mandates for UK-based data storage and processing, which Axon confirmed in writing: “In delivering this requirement, Axon has partnered with Microsoft to deliver the cloud infrastructure and storage of the DESC solution. Microsoft’s datacentres are located in the UK and are assured to national policing standards set by the Home Office.”

They added that Police Scotland had undertaken due diligence in respect to sections 59, 64 and 69 of Part 3 of the DPA, and that Axon had provided the force with the relevant information.

This includes details of its contract with Microsoft, which states that data will only be processed in the two Police Assured Secure Facilities (PASF)-accredited datacentres in the UK; the relevant sub-processor agreements; and assurances that all sub-processors engaged are subject to the terms and conditions of the contract.

However, in later correspondence between the SPA and Police Scotland, from December 2023, the force’s chief technology officer outlined to the police watchdog’s DPO which of its services “may store and process data outside of the specified geo”, including Azure Cloud Services; Azure Data Explorer (ADX); Language Understanding; Azure Machine Learning; Azure Databricks; Azure Serial Console; preview, beta and other pre-release services.

In their clarification email to the ICO, the Police Scotland DPO acknowledged that one of Axon’s sub-processors – Twilio SMS – was used three times throughout the pilot despite the mitigations in place, which included the notification system that alerted the force to its use.

“Mitigations considered for pilot were that Microsoft processes data only in the two PASF-assured datacentres in the UK and data in transit is encrypted.  Further diligence is now being undertaken with regards the specific sub-processor engagement to be in line with the full terms and conditions as per the contract,” they said.

“PSoS recognises the risks described but considers the use of a global cloud provider is the only real and practical solution. This is informed by current understanding around the risk and likelihood of our data being exposed in such ways and the need to operate a modern and secure environment for the collection and management of law enforcement content across disparate partners.”

Linking Police Scotland’s approach to Microsoft’s recently disclosed admission that it cannot guarantee UK data sovereignty, independent security consultant Owen Sayers said while the company should have acted proactively to address the issues with customers when it was flagged to them in early 2019, “the problem is actually down to police forces and other law enforcement bodies who have tried to put legally and operationally special processing requirements on a commodity hyperscaler cloud platform without properly understanding or caring about its limitations”.

Regarding Police Scotland’s claims that Microsoft processed data in the UK, Sayers said: “We knew this to be a false position, and now we have evidence that it has always been a false position. At the point of Police Scotland discovering this to be the case, they should have stopped processing in DESC – otherwise they would be in breach of the act – and offshoring data.”

Computer Weekly contacted Police Scotland for clarification on when exactly it became aware that Microsoft could not guarantee UK data sovereignty, as well as what actions it took upon this discovery. It did not respond on these points.  

Commenting on the last-minute completion of the DPIA by Police Scotland – just five days before the pilot deployment – Nicky Stewart, a former head of IT at the UK Cabinet Office, said: “It’s not time at all. That’s the kind of thing that should’ve been done months in advance if you’re in a complex deployment like that.”

She added: “It smacks of, ‘We’re so deep in this, we haven’t got the time or the money to back out, effectively we’re locked in, therefore, we’re just going to go with it’. It begs the question of how much this to and froing between the ICO and the information assurance people is costing the taxpayer.”

The Cloud Act issue

In their clarification email to the ICO, Police Scotland’s DPO further added: “Any use of the US Cloud Act to access data requires the supplier to decrypt the data, and the supplier confirmed that such a request would be legally challenged by the vendor and the client informed of the request.”

In outlining the specific provisions of the Cloud Act, the DPO noted that any US government attempt to access Police Scotland’s data via an order to Microsoft “would seem unlikely” because it relates to investigations and prosecutions taking place in a different jurisdiction, and would be unlikely to include data on US persons.

“Under the US Cloud Act issue, DESC data could, in theory, be obtained via US orders by warrant, subpoena or court order. Although technically possible, it would seem unlikely that US authorities would compel Axon or Microsoft to disclose data (constituting an international transfer Under Part 3 DPA 18) held within the DESC solution,” they said.

“This is unlikely to fit well within the scope of the Cloud Act or Bilateral Agreement and PSoS do not think that it is the intention of the legislation. The Cloud Act is also more specific about what persons it covers. The Act and Bilateral Agreements between two nation states are intended only to be used to target citizens or residents of the country seeking the order. It is therefore unlikely that it extends that it could not compel the release of data held about DESC partners’ staff and end users, who are unlikely to fit the criteria of a US person or resident.”

However, the DPO also noted: “There is no known case law to date to illustrate this position.”

While Police Scotland’s watchdog, the SPA, agreed in its own DPIA that the risk of US government access via the Cloud Act was “unlikely”, it added that “the fallout would be cataclysmic” if it did occur.

It also noted that the encryption keys are held by Axon, meaning “they would be able to decrypt and provide the data, potentially without our knowledge or consent, where compelled by US authorities to do so” – something the DPO does not mention in their clarification.

The FOI disclosures further reveal that Scottish biometrics commissioner Brian Plastow – who has called on the ICO to formally investigate UK police hyperscale public cloud deployments after seeing its cloud advice for policing – also took a very different view of the risks associated with the Cloud Act and unauthorised data access.

In emails from Plastow to two ICO employees – written in August 2023, ahead of an open letter he published in October sharing his concerns with the system – the biometrics commissioner said: “I am certain in my own mind that DESC does not comply with the [biometric] Code of Practice in Scotland because the data is not protected from unauthorised access. Any arguments to the contrary are undermined by the fact that data could be accessed (under US law) without the knowledge or consent of Police Scotland.”

In a follow-up from September 2023, which warned the ICO employees of the open letter about to be published, Plastow added: “I think that it is almost inevitable that (regardless of any ICO view on compatibility with UK data protection law) they [Police Scotland] run the risk of being found in breach of Principle 10 of the Scottish Code of Practice when we look at this formally over the winter.”

He further outlined his two primary concerns: “A major concern (in terms of the code) is that a third-party contractor (Axon or Microsoft) could surrender Police Scotland data to a foreign jurisdiction without either the knowledge or consent of Police Scotland (regardless of whether that surrender may be lawful under the terms of any US and UK agreement under the US Cloud Act).

“The second major concern is that Microsoft Cloud platforms (including Azure) have quite a poor track record of data leaks and hacks emanating from hostile states like Russia and China. As recently as July [2023], this has resulted in sensitive data (including US government data) being successfully hacked from the cloud.”

In the final follow-up disclosed between Plastow and ICO employees, from October 2023, the commissioner once again highlighted that Police Scotland does not hold its own decryption keys.

“The argument that Police Scotland (and Scottish Government) seem to be rehearsing is that the risks to data sovereignty (and security) through activation of the provisions of the US Cloud Act are low,” he said. “Therefore, they plan to simply tolerate the risk that biometric data (and other sensitive law enforcement data) could be accessed and acquired by a foreign state without their knowledge or consent.”

Commenting on Police Scotland’s breakdown of the Cloud Act provisions, Stewart said the DPO was likely downplaying the risk, at least unknowingly, because they do not account for the past behaviour of US intelligence services like the National Security Agency (NSA), which was revealed by Edward Snowden to be collecting data on millions of non-Americans via an extensive international dragnet; or the potential for the US government to slip into full-blown authoritarianism via a regime change.

“Some deranged president sitting in his prison cell chucking out executive orders to sequester data isn’t beyond the bounds of possibility,” she said, adding that increasing geopolitical instability around the world could also lead to a change in attitudes within the US government, which could make accessing the data seem more permissible.

“You hear arguments around that, depending on who you’re talking to in government, saying, ‘Oh, they’re our allies so it doesn’t matter’.”

Stewart further added that even if the Cloud Act does only apply to US citizens, “look at what the NSA did”.

Computer Weekly contacted Police Scotland about all of these claims but received no specific response.

No need for consultation

In the email’s concluding paragraph, the DPO said no formal consultation was sought with the ICO because “suitable mitigations as outlined were in place and the DPIA was being updated as regularly as possible through consultation with partners, legal practitioners, data protection and security representatives, and regular consultation with ICO for guidance and advice”.

They added that because mitigations were either in place or planned, as well as the “ongoing and detailed engagement” with the ICO, “it was not viewed that a more formal consultation was not required prior to pilot”.

I am not surprised that the ICO has done nothing about this – they’re bending over backwards not to take action against DESC because that would require them to also take action against other forces, and indeed against themselves for breaching the act in the same manner
Owen Sayers, independent security consultant

Given Microsoft’s admission that it cannot guarantee the sovereignty of policing data, even in UK-based datacentres, Sayers said the measures put in place do not mitigate the risks to the rights and interests of the data subjects and that, in any event, not all of the mitigations were put in place prior to the processing of live personal data.

“The fact they were in communication with the ICO, which included a specific direction from the ICO to PSoS that they must not go live with high risks without referral, is a reason why they SHOULD have referred, not why they didn’t,” he said.

“I am, however, not surprised that the ICO has done nothing about this – they’re bending over backwards not to take action against DESC because that would require them to also take action against other forces, and indeed against themselves for breaching the act in the same manner.”

The ICO told Computer Weekly in April 2023 that it had “never given formal regulatory approval for the use of these systems in a law enforcement context” and confirmed in January 2024 that it was also using Microsoft’s hyperscale public cloud architecture for law enforcement processing purposes.

While the newly released correspondence suggests the regulator did not know about the high risks prior to DESC’s deployment, emails from the ICO to DESC partners in December 2023 show these risks were already known to the regulator by that point, as it made clear that these would contravene Sections 59, 64 and 66 of Part 3 of the DPA if they were not resolved. 

Earlier Police Scotland exchanges with the ICO released in a previous round of FOI disclosures show the force and regulator had meetings in December 2022 and January 2023 in which DESC and its risks were discussed.

Separate correspondence with the SPA – also disclosed under FOI – revealed the regulator largely agreed with the watchdog’s assessments of the risks, noting that technical support from the US, or US government access via the Cloud Act, would constitute an international data transfer.

“These transfers would be unlikely to meet the conditions for a compliant transfer,” it said. “To avoid a potential infringement of data protection law, we strongly recommend ensuring that personal data remains in the UK by seeking out UK-based tech support.”

However, an ICO email from 20 January 2023 summarised the meetings, noting that the DESC pilot would begin on 24 January and would involve live personal data; that “there will be no international transfers involved in the provision of technical services”; and that Police Scotland is “assured as the controller” that it is meeting all of the law enforcement data protection obligations.

Computer Weekly contacted the ICO for clarification of when exactly it became aware of the high risks, given that it had acknowledged them in December 2023 before reaching out to Police Scotland for further information in April. Computer Weekly also asked what due diligence the regulator had done itself, or whether it was relying solely on assurances from Police Scotland, as well as if its own use of Azure for law enforcement processing had an impact on its decision-making.

The ICO did not answer any questions about the specifics of this story, citing the “pre-election period of sensitivity”. It has instead forwarded the questions to its information access team as an FOI request.