Body-worn video provider Axon is still in possession of the encryption keys for a major Police Scotland cloud IT project, despite repeated warnings from policing bodies and regulators about the data protection risks.
In January 2023, Police Scotland launched a pilot of its Digital Evidence Sharing Capability (DESC) – contracted to Axon and hosted on Microsoft’s hyperscale public cloud infrastructure – despite major unresolved data protection issues identified by its oversight body, the Scottish Police Authority (SPA).
The police watchdog’s data protection impact assessment (DPIA) – also finalised in January 2023 – specifically highlighted concerns around data transfers to the US (including through invasive US government legislation), and contractual issues around Microsoft’s terms and conditions that meant it was unable to comply with law enforcement-specific data protection rules.
While DPIAs from other policing bodies involved in DESC claimed the data was protected while being transferred due to the use of at-rest and in-transit encryption, the SPA DPIA clearly identified that the encryption keys were held by Axon, meaning “they would be able to decrypt and provide the data, possibly without our knowledge or consent, where compelled by US authorities to do so”.
In a follow-up freedom of information (FOI) request sent by Computer Weekly to the SPA, the watchdog confirmed that, at the time of its response on 12 November 2024, Axon was still in possession of the encryption keys, over three months after the system was rolled out nationally at the start of August 2024.
Axon’s ongoing possession of the encryption keys was confirmed in a separate FOI response from Police Scotland, which also disclosed copies of two Transfer Risk Assessments (TRAs) that the Information Commissioner’s Office (ICO) said are required to carry out restricted law enforcement transfers under Part Three.
Both of the TRAs – one for the transfer of “content” data and one for the transfer of “non-content” data – contain sections on the “personal information risk level” associated with transfers, which data controllers (i.e. Police Scotland) must complete as part of their due diligence.
While the TRAs note that data is encrypted both in transit and at rest, one of the columns in the table provided requires the controller to mark “yes” or “no” as to whether, “Before transfer information is encrypted, pseudonymised or similar, and importer does not have the key”. In both instances, Police Scotland marked these columns with a “no”.
Open Rights Group
According to Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), while it is possible that technical measures like encryption could provide some level of security for law enforcement data in cloud environments, this is not the case when an IT service provider holds the encryption keys.
“If the key is handled by an entity which is under US jurisdiction, then US authorities can force this entity to disclose the encryption key to them,” he said.
“Encryption is useful only and as far as third parties, such as a foreign government, cannot get the decryption key, and encryption key management has become a key consideration for the security of international data transfers since the Schrems II judgement in 2020.”
While encryption key management is not a new issue, he added, “I’m not really seeing a lot of indication that our government is actually dealing with the problem.”
Computer Weekly contacted Police Scotland, the SPA and Axon about the ongoing possession of the DESC encryption keys.
“We have worked closely with criminal justice partners to ensure all required data security, protection controls and governance are in place and legally compliant ahead of the national roll-out of the Digital Evidence Sharing Capability system,” said a Police Scotland spokesperson.
“We recognise the public interest in DESC data security controls and continue to engage with the Scottish Biometrics Commissioner and the Information Commissioner’s Office as required.”
On what measures are in place to stop Axon decrypting data without the knowledge or consent of the data controllers, an SPA spokesperson said that while the watchdog cannot speak for other DESC partners as each is a data controller in their own right, “There is a full audit trail on DESC that will be subject to scrutiny by the partners,” and that it is “not unusual” for vendors to manage the encryption keys.
“Many organisations using services in the cloud will rely on either their vendor or the cloud provider to manage encryption, given the specialist nature of this role,” they said. “There is a risk where any third party manages an organisation’s encryption keys, however, the management of keys is a specialist area and the risk of ‘getting it wrong in-house’ may be deemed to be a greater risk.”
Axon did not respond by time of publication. There is no suggestion or evidence that Axon has used, or allowed to be used, the encryption keys without Police Scotland being aware.
Ongoing concerns
The issues associated with Axon’s possession of the DESC encryption keys have been known for some time, and have been reiterated by other police regulators since the SPA completed its DPIA.
In October 2023, for example, Scottish biometrics commissioner Brian Plastow noted in a letter to Police Scotland that Axon being in possession of the encryption keys would expose the data to the US Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud.
“A primary concern is that by Scottish government opting for a ‘US-headquartered’ solution provider (rather than a UK or EU cloud provider, or a non-cloud solution) to host sensitive biometric data (and other law enforcement data), and by sanctioning the holding of the data encryption keys for that data by Axon (rather than by Police Scotland), then such data is fully exposed to the provisions of The Clarifying Lawful Overseas Use of Data Act 2018 (US Cloud Act), and the related US and UK data access agreement,” he wrote.
In an appearance before the Scottish Parliament’s Criminal Justice Committee on 13 November 2024, Plastow explained to MPs that while there have been attempts by Police Scotland and the SPA to mitigate the data sovereignty and security risks in DESC, these risks cannot be completely eliminated.
“On the question of data sovereignty, the Scottish Police Authority and Police Scotland have done everything within their power, including having clauses inserted into contracts and so on, to mitigate those risks as far as possible, but it is an inescapable fact that the Federal Bureau of Investigation could access that data if it wanted to,” he said. “Should that concern us? Probably not.
“The second question is, for me, more important. It is about the issue of security, and I included specific examples in the letter that I wrote … to show that, even at government level, as we have seen in the United States in recent years, a number of agencies have been hacked and significant data has been stolen. We are where we are with that.”
Plastow added that the ICO has claimed since his letter that it is lawful to host law enforcement data in hyperscale infrastructure with appropriate protections in place. “I am in a more comfortable position now than I was when I wrote the letter, but my substantive point is that we cannot eliminate all risks,” he said.
Despite Plastow’s warnings, he is unable to take any action as data protection regulation and compliance is the sole responsibility of the ICO.
However, a separate clarification FOI sent to the ICO revealed the regulator became aware that Axon was in possession of the encryption keys as early as 26 August 2022, well over a year before Plastow wrote to Police Scotland outlining his concerns and months before the DESC pilot went live with real personal data on 24 January 2024.
While the ICO later issued advice to DESC partners on how to make the cloud processing legal – released under FOI – it did not mention anything about the need for organisations to control their own encryption keys, or the fact that encryption is not considered to be a relevant or effective safeguard under Part Three (as it does not allow for “supplementary measures” that would enable data to be sent to jurisdictions with demonstrably lower data protection standards, such as the US).
Computer Weekly contacted the ICO about Axon’s ongoing possession of the encryption keys, including why it took no action despite being aware of the issue since August 2022, and whether it considers encryption an “appropriate safeguard” under Part Three.
A spokesperson said the ICO had nothing further to add, and reiterated a response given to Computer Weekly in July 2024: “We have carefully considered whether competent authorities may use cloud-based platforms in compliance with data protection law. Our view is that they may where appropriate protections are in place.
“We have ensured that DESC partners have been provided with guidance on this and have been asked to implement this. Should we have any concerns that DESC has not been implemented in a compliant way, as you would expect, this would be considered and actioned in line with our regulatory action policy.”
Other regulators’ views
A DPIA on the use of various Microsoft services commissioned by the Dutch Ministry of Justice said that although the company has mitigated a number of the risks identified by its assessment, the fact that the data can be ordered through the Cloud Act means “there is a high risk for the processing of sensitive and special categories of data … as long as the organisation cannot control its own encryption keys”.
“Even if the likelihood of occurrence is extremely low, the impact on data subjects in case of disclosure of their sensitive and special categories of personal data to US law enforcement or security services can be extremely high,” it said. “This is due to the lack of notification and the lack of an effective means of redress for EU citizens. This risk even occurs when these data are exclusively processed and stored in the EU.”
While an executive order was signed by president Biden in October 2022 that committed the US to providing European citizens with redress when their data is collected by US signals intelligence agencies, the CEPS think tank has identified a number of gaps that call into question whether the redress provided is actually meaningful.
The European Data Protection Board (EDPB) came to a similar conclusion about the role of encryption in June 2021, debunking the idea that cryptography is an effective safeguard when the data is either decrypted for processing in the cloud, or the keys are otherwise held by a technology service provider.
For example, the EDPB noted that when cloud service providers require access to “data in the clear” for processing (i.e. unencrypted, which is every time they need to process text data, because there are currently no technologies that enable this kind of information to be processed without it being in the clear), “transport encryption and data-at-rest encryption, even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys”.
Computer Weekly asked the ICO whether it agrees with the EDPB interpretation, but received no response on this point.
TRA details
In June 2024, Computer Weekly reported that Microsoft had previously admitted to Scottish policing bodies that it was unable to guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.
The disclosure specifically revealed that data hosted in Microsoft’s hyperscale infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company may have the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.
However, the regular nature of the transfers in Microsoft infrastructure is not mentioned in either of the TRA documents, which instead claim that “the services will routinely be provided wholly in the UK and will not be subject to international transfer”.
The documents add that data may be transferred “for business continuity, in the event of a catastrophic failure or attack requiring immediate action to move data to prevent failure or access by a threat actor, the data may be temporarily transferred to another storage location outwith the UK”.
However, they also note that, in the event of such a “catastrophic incident”, it could affect “hundreds of thousands of individuals depending on the date/time”.
Computer Weekly contacted Police Scotland for comment on the contents of the TRA – including why the risks associated with the lack of sovereignty are not mentioned; what assurances it has received from Microsoft to mitigate these risks; and how it is ensuring that Axon does not decrypt the data without its knowledge or consent – but received no response on these points.
Computer Weekly also contacted the ICO about whether it believes the TRA documents have been completed to a satisfactory standard, but likewise did not receive a response on this point.