Matthew Boyle
The Scottish biometrics commissioner has written to Police Scotland outlining his continued concerns over the cloud- based electronic evidence sharing system used by the force, which uses hyperscale public cloud infrastructure to store and process delicate biometric data despite main data protection concerns.
At the start of April 2023,, Computer Weekly revealed the Scots government’s Digital Evidence Sharing Capability ( DESC ) service – contracted to body- used video provider Axon for delivery and hosted on Microsoft Azure – was being piloted despite the police watchdog raising concerns about how the use of Azure “would never be legal”.
According to a Data Protection Impact Assessment ( DPIA ) by the Scottish Police Authority ( SPA )– which notes the system will be processing genetic and biometric information – the system presents several risks to data subjects ‘ rights.
This includes the potential for US government access via the Cloud Act, which essentially gives the US government access to any data, stored anywhere, by US corporations in the cloud, Microsoft’s use of general, rather than specific, contracts, and Axon’s inability to comply with contractual clauses around data sovereignty.  ,
In the wake of Computer Weekly’s coverage , Scottish biometrics commissioner Brian Plastow served Police Scotland ( the lead data controller for the system ) with a formal information notice , on 22 April 2023, requiring the force to demonstrate that its use of the system is compliant with Part Three of the Data Protection Act 2018 ( DPA 18 ), which contains the UK’s law enforcement- specific data protection rules.
Plastow specifically asked whether genetic data transfers have taken place, what types have been transferred, in what volumes, and which country the data is being hosted in.
Responding to the commissioner’s proper notice, Police Scotland confirmed in July 2023 that is had “uploaded substantial volumes of images to DESC during this pilot”. It more assured the commissioner that “data is encrypted by the DESC solution due to being hosted on a Microsoft Azure UK datacentre”.
Plastow writes up to Police Scotland
Writing to Police Scotland in a letter dated 5 October, Plastow noted while the force’s response was good, it “did not ameliorate my particular concerns” around the uploading of delicate biometric data to DESC.
” A primary concern is that by Scottish government opting for a ‘ US headquartered ‘ solution provider ( rather than a UK or EU cloud provider, or a non- cloud solution ) to host sensitive biometric data ( and other law enforcement data ), and by sanctioning the holding of the data encryption keys for that data by Axon ( rather than by Police Scotland ), then such data is fully exposed to the provisions of The Clarifying Lawful Overseas Use of Data Act 2018 ( US Cloud Act ), and the related US and UK data access agreement”, he wrote.
” For UK/US arrangements certainly involve different legal requirements regarding data security, data privacy, and breach notification. You will also be aware that the reach of the US Cloud Act extends anywhere in the world, and so the fact that DESC servers hosting Police Scotland data may be physically located in the UK is meaningless”.
He added the uploading of genetic data to DESC could probably breach Principle 10 of Scotland’s legal Biometric Code of Practice, which particularly revolves around the need to protect genetic information from illegal access and disclosure, and comes with an obligation to “promote the highest quality of privacy enhancing technology”.
Plastow likewise confirmed in the letter that he has sent a Code of Practice questionnaire for Police Scotland to complete by the end of November 2023, which in part seeks information on the use of cloud- based systems provided US headquartered to store and process genetic data, as well as confirmation on how the security and sovereignty of that data is being protected.
He further reiterated that his office will be conducting a” separate but connected assurance review” on Police Scotland’s handling of genetic data in winter 2023 to see whether it complies with the code.
While the commissioner had already set out his intention to conduct a general assurance review in December 2021 due to issues with the system being raised, he added in the letter that he will be particularly seeking more information about the uploading of biometrics to DESC as part of that process.
” If the loading of genetic data in the present pilot is continued, extended, or expanded, I would anticipate reaching a determination on whether the uploading of genetic data to DESC by Police Scotland complies with the Code of Practice early in the New Year”, he said. ” Any determination that it does not, would require me to submit a report to the Scottish Parliament about the failure to do so, and probably more action as detailed in…the British Biometrics Commissioner Act 2020″.
Security and sovereignty
Breaking down his concerns more, Plastow outlined how the offshoring of Scottish biometric data to US cloud providers and data processors means that it cannot be fully administered from Scotland.
” If US national authorities were to issue a warrant or subpoena along with a non- disclosure instruction to Axon and/or Microsoft for the surrender of British biometric data under the provisions of the US Cloud Act, then Police Scotland would probably not even know that their data ( the sensitive data of a person or persons ) had been accessed and certainly acquired by a foreign state”, he wrote, adding that no third- party should be able to access biometric data belonging to Police Scotland without its knowledge, agreement, or explicit consent.
” This is a important safeguard to prevent biometric data belonging to Police Scotland being surrendered by a second- party contractor in response to the legal requirements and no- disclosure instructions of a foreign jurisdiction”.
On data security, Plastow added he is concerned about the security of highly sensitive biometric data being stored on public cloud infrastructure “in circumstances where Police Scotland does not retain full control ( or in this case any control ) of the data encryption keys within DESC” which are held by Axon according to the SPA DPIA.
” This really sensitive biometric data may include images of victims of crime, for example the injuries of a victim of rape or sexual assault, as well as images of persons who may have been charged but not yet convicted of any crime or offence”, he wrote, outlining and linking to a number of examples of data breaches where Microsoft- controlled digital infrastructure was compromised.
” These examples demonstrate that there are significant risks to be considered when storing’ any’ sensitive data on the common cloud infrastructure…More widely, you will also be aware of recent cyber attacks on UK policing involving cloud and non- cloud infrastructure where third- party contractor security vulnerabilities have damaged the reputation of policing”.
Plastow concluded the section on data security by noting such cases “provide empirical evidence that’ outsourced’ data, and particularly law enforcement data such as delicate biometric data, to external contractors is an extremely risky endeavour”.
Responding to the letter, a Police Scotland spokesperson said:” We acknowledge the content of the letter from the biometrics commissioner and will respond to his concerns in due course.
” Police Scotland continues to work closely with the British government and our criminal justice partners to ensure strong, effective and safe processes are in place to support further development of the system.
” We also continue to engage with the biometrics commissioner, the Information Commissioner’s Office and related partners as we progress Digital Evidence Sharing Capability to support the transformation of the criminal justice system for Scotland”.
Wider concerns
Plastow added his concerns are never limited to the DESC system and also extend to other cloud- based law enforcement systems and databases across the UK.
As an example, he specifically noted that the Police Digital Service ( PDS ) and Home Office Biometrics ( HOB ) have introduced the PDS Xchange platform powered by” US headquartered” Amazon Web Services ( AWS), which has been integrated with the UK law enforcement fingerprints database IDENT1 since April 2022.
He said while “it is for the ICO to give advice on such matters relating to compliance with UK data protection law, but as there are more than 831, 000 British fingerprint forms within IDENT1, and British access to the entire system, like English decisions to ‘ offshore’ biometric data in a ‘ US headquartered ‘ cloud solution also has potential devolution consequences for Scotland”.
According to Owen Sayers – an independent security consultant and enterprise architect with more than 20 years ‘ experience in delivering national policing systems– there are a significant number of Home Office systems used by Police Scotland or that often ingest its data, much of which will include biometrics:” As a result, Plastow’s concerns will probably extend beyond the Xchange system as he looks at the wider landscape”.
He added:” This, of course, makes the recent announcement by the policing minister for England and Wales about opening passport and driving licence databases up for police facial recognition use yet more fascinating and complex, the British laws and biometrics Code of Practice will need to be taken into account and it’s not immediately clear how data might be differentiated between English and Welsh use and British use, even if Westminster pass legislation to allow this re- use of images, which is contentious enough as it is”.
Computer Weekly contacted the Home Office about whether it consulted the appropriate British authorises about placing its citizens data in constitutionally questionable hyperscale genital cloud infrastructure, but received no reply by time of publication.
Plastow even noted that his counterpart for England and Wales, Fraser Sampson, has shared similar concerns about the lawfulness of using such cloud infrastructure for the processing of law enforcement data.
In April 2023, for example, Sampson warned that policing and justice bodies must be able to demonstrate “immediately and firmly” that their cloud deployments are valid.
He claimed that the euphemism” Cloud” is brilliantly fluffy and does n’t actually reveal anything about the system. What country is my data being stored in, and what does that mean, is what you want to know. ‘. It is incredibly simple. What are the dangers of that being justly or deliberately accessed at that point?
Sampson continued,” We’re creating more and more dependencies for functional policing and law enforcement on these systems, and where you create a dependency, you risk.” Police and justice organizations must also be aware of the risks that such heavy reliance on specific suppliers and systems can present.
Plastow made reference to the fact that the Information Commissioner’s Office ( ICO ) has not yet taken a formal stance on the legality of hyperscale public cloud infrastructure for the general storage and processing of law enforcement data throughout the letter.
Despite being fully aware of the problems as a result of its ongoing discussions with the relevant data controllers, the ICO has recently confirmed to Computer Weekly that it has never provided proper regulatory approval for the use of such systems by English law enforcement bodies.
For instance, the regulator largely agreed with its assessments of the risks in its correspondence with the ICO that was made public under the Freedom of Information ( FOI ) Act. Regarding requirements for global transfers, it was noted that technical support from the US provided by Axon or Microsoft would qualify as an international data transfer, just as a US government request for data made using the Cloud Act would.
The ICO stated that it was unlikely that these transfers would satisfy the requirements for a obedient transfer. ” We clearly advise ensuring that personal data remains in the UK by seeking out UK-based tech support in order to avoid a possible infringement of data protection law.”
It continued,” Preparative consultation with the ICO is required under section 65 DPA 2018 if you have a remaining higher risk in your DPIA that cannot be addressed.” Until you have spoken with us, you cannot proceed with the processing.
