The Scottish biometrics commissioner has written to Police Scotland outlining his ongoing concerns over the cloud-based digital evidence sharing system used by the force, which uses hyperscale public cloud infrastructure to store and process sensitive biometric data despite major data protection concerns.
At the start of April 2023, Computer Weekly revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted despite the police watchdog raising concerns about how the use of Azure “would not be legal”.
According to a Data Protection Impact Assessment (DPIA) by the Scottish Police Authority (SPA) – which notes the system will be processing genetic and biometric information – the system presents several risks to data subjects’ rights.
This includes the potential for US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
In the wake of Computer Weekly’s coverage, Scottish biometrics commissioner Brian Plastow served Police Scotland (the lead data controller for the system) with a formal information notice on 22 April 2023, requiring the force to demonstrate that its use of the system is compliant with Part Three of the Data Protection Act 2018 (DPA 18), which contains the UK’s law enforcement-specific data protection rules.
Plastow specifically asked whether biometric data transfers have taken place, what types have been transferred, in what volumes, and which country the data is being hosted in.
Responding to the commissioner’s formal notice, Police Scotland confirmed in July 2023 that is had “uploaded significant volumes of images to DESC during this pilot”. It further assured the commissioner that “data is encrypted by the DESC solution prior to being hosted on a Microsoft Azure UK datacentre”.
Plastow writes back to Police Scotland
Writing to Police Scotland in a letter dated 5 October, Plastow noted while the force’s response was helpful, it “did not ameliorate my specific concerns” around the uploading of sensitive biometric data to DESC.
“A primary concern is that by Scottish government opting for a ‘US headquartered’ solution provider (rather than a UK or EU cloud provider, or a non-cloud solution) to host sensitive biometric data (and other law enforcement data), and by sanctioning the holding of the data encryption keys for that data by Axon (rather than by Police Scotland), then such data is fully exposed to the provisions of The Clarifying Lawful Overseas Use of Data Act 2018 (US Cloud Act), and the related US and UK data access agreement,” he wrote.
“Such UK/US arrangements inevitably involve different legal requirements regarding data security, data privacy, and breach notification. You will also be aware that the reach of the US Cloud Act extends anywhere in the world, and so the fact that DESC servers hosting Police Scotland data may be physically located in the UK is irrelevant.”
He added the uploading of biometric data to DESC could potentially breach Principle 10 of Scotland’s statutory Biometric Code of Practice, which specifically revolves around the need to protect biometric information from unauthorised access and disclosure, and comes with an obligation to “promote the highest quality of privacy enhancing technology.”
Plastow also confirmed in the letter that he has sent a Code of Practice questionnaire for Police Scotland to complete by the end of November 2023, which in part seeks information on the use of cloud-based systems provided US headquartered to store and process biometric data, as well as confirmation on how the security and sovereignty of that data is being protected.
He further reiterated that his office will be conducting a “separate but related assurance review” on Police Scotland’s handling of biometric data in winter 2023 to see whether it complies with the code.
While the commissioner had already set out his intention to conduct a general assurance review in December 2021 prior to issues with the system being raised, he added in the letter that he will be specifically seeking additional information about the uploading of biometrics to DESC as part of that process.
“If the loading of biometric data in the current pilot is continued, extended, or expanded, I would anticipate reaching a determination on whether the uploading of biometric data to DESC by Police Scotland complies with the Code of Practice early in the New Year,” he said. “Any determination that it does not, would require me to submit a report to the Scottish Parliament about the failure to do so, and potentially further action as detailed in…the Scottish Biometrics Commissioner Act 2020.”
Security and sovereignty
Breaking down his concerns further, Plastow outlined how the offshoring of Scottish biometric data to US cloud providers and data processors means that it cannot be fully administered from Scotland.
“If US federal authorities were to issue a warrant or subpoena together with a non-disclosure instruction to Axon and/or Microsoft for the surrender of Scottish biometric data under the provisions of the US Cloud Act, then Police Scotland would presumably not even know that their data (the sensitive data of a person or persons) had been accessed and indeed acquired by a foreign state,” he wrote, adding that no third-party should be able to access biometric data belonging to Police Scotland without its knowledge, agreement, or explicit consent.
“This is a necessary safeguard to prevent biometric data belonging to Police Scotland being surrendered by a third-party contractor in response to the legal requirements and non-disclosure instructions of a foreign jurisdiction.”
On data security, Plastow added he is concerned about the security of highly sensitive biometric data being stored on public cloud infrastructure “in circumstances where Police Scotland does not retain full control (or in this case any control) of the data encryption keys within DESC” which are held by Axon according to the SPA DPIA.
“This extremely sensitive biometric data may include images of victims of crime, for example the injuries of a victim of rape or sexual assault, as well as images of persons who may have been charged but not yet convicted of any crime or offence,” he wrote, outlining and linking to a number of examples of data breaches where Microsoft-controlled digital infrastructure was compromised.
“These examples demonstrate that there are major risks to be considered when storing ‘any’ sensitive data on the public cloud infrastructure…More broadly, you will also be aware of recent cyber attacks on UK policing involving cloud and non-cloud infrastructure where third-party contractor security vulnerabilities have damaged the reputation of policing.”
Plastow concluded the section on data security by noting such cases “provide empirical evidence that ‘outsourcing’ data, and especially law enforcement data such as sensitive biometric data, to external contractors is an exceptionally risky endeavour”.
Responding to the letter, a Police Scotland spokesperson said: “We acknowledge the content of the letter from the biometrics commissioner and will respond to his concerns in due course.
“Police Scotland continues to work closely with the Scottish government and our criminal justice partners to ensure robust, effective and secure processes are in place to support further development of the system.
“We also continue to engage with the biometrics commissioner, the Information Commissioner’s Office and relevant partners as we progress Digital Evidence Sharing Capability to support the transformation of the criminal justice system for Scotland.”
Plastow added his concerns are not limited to the DESC system and also extend to other cloud-based law enforcement systems and databases across the UK.
As an example, he specifically noted that the Police Digital Service (PDS) and Home Office Biometrics (HOB) have introduced the PDS Xchange platform powered by “US headquartered” Amazon Web Services (AWS), which has been integrated with the UK law enforcement fingerprints database IDENT1 since April 2022.
He said while “it is for the ICO to give advice on such matters relating to compliance with UK data protection law, however as there are more than 831,000 Scottish fingerprint forms within IDENT1, and Scottish access to the entire system, such UK decisions to ‘offshore’ biometric data in a ‘US headquartered’ cloud solution also has potential devolution consequences for Scotland”.
According to Owen Sayers – an independent security consultant and enterprise architect with more than 20 years’ experience in delivering national policing systems – there are a significant number of Home Office systems used by Police Scotland or that otherwise ingest its data, much of which will include biometrics: “As a result, Plastow’s concerns will probably extend beyond the Xchange system as he looks at the wider landscape.”
He added: “This, of course, makes the recent announcement by the policing minister for England and Wales about opening passport and driving licence databases up for police facial recognition use even more interesting and complex; the Scottish laws and biometrics Code of Practice will need to be taken into account and it’s not immediately clear how data might be differentiated between English and Welsh use and Scottish use, even if Westminster pass legislation to allow this re-use of images, which is contentious enough as it is.”
Computer Weekly contacted the Home Office about whether it consulted the relevant Scottish authorises about placing its citizens data in legally questionable hyperscale pubic cloud infrastructure, but received no reply by time of publication.
Plastow also noted that his counterpart for England and Wales, Fraser Sampson, has shared similar concerns about the lawfulness of using such cloud infrastructure for the processing of law enforcement data.
In April 2023, for example, Sampson warned that policing and justice bodies must be able to demonstrate “immediately and unequivocally” that their cloud deployments are lawful.
“Cloud is a brilliantly fluffy euphemism that doesn’t actually tell you anything about the system,” he said. “What you want to know is, ‘What country is my data being stored in and what does that mean?’. It’s really basic. And what are the risks of that then being accessed either maliciously or judicially?”
Sampson added that policing and justice bodies must also be conscious of the risks that relying so heavily on certain suppliers and systems can create: “We’re creating more and more dependencies for operational policing and law enforcement on these systems, and where you create a dependency, you create risk.”
Throughout the letter, Plastow also alluded to the fact that the Information Commissioner’s Office (ICO) is yet to take a formal view on the legality of hyperscale public cloud infrastructure for the storing and processing of law enforcement data generally.
The ICO has previously confirmed to Computer Weekly that it has never given formal regulatory approval for use of such systems by UK law enforcement bodies, despite being in full view of the issues due to its ongoing conversations with the data controllers involved.
In the SPA’s correspondence with the ICO released under the Freedom of Information (FOI) Act, for example, the regulator largely agreed with its assessments of the risks. Regarding international transfer requirements, for example, it noted that technical support provided from the US by either Axon or Microsoft would constitute an international data transfer, as would a US government request for data made via the Cloud Act.
“These transfers would be unlikely to meet the conditions for a compliant transfer,” said the ICO. “To avoid a potential infringement of data protection law, we strongly recommend ensuring that personal data remains in the UK by seeking out UK-based tech support.”
It added: “If you have a remaining residual high risk in your DPIA that cannot be mitigated, prior consultation with the ICO is required under section 65 DPA 2018. You cannot go ahead with the processing until you have consulted us.”
Computer Weekly contacted the ICO to ask if it was able to provide a timeline on when it will come to a formal decision on the legality of using these cloud systems for law enforcement data storage and processing, but received no response by time of publication.