Axon still in possession of Police Scotland encryption keys


Body-worn video provider Axon is still in possession of the encryption keys for a major Police Scotland cloud IT project, despite repeated warnings from policing bodies and regulators about the data protection risks.

In January 2023, Police Scotland launched a pilot of its Digital Evidence Sharing Capability (DESC) – contracted to Axon and hosted on Microsoft’s hyperscale public cloud infrastructure – despite major unresolved data protection issues identified by its oversight body, the Scottish Police Authority (SPA).

The police watchdog’s data protection impact assessment (DPIA) – also finalised in January 2023 – specifically highlighted concerns around data transfers to the US (including through invasive US government legislation), and contractual issues around Microsoft’s terms and conditions that meant it was unable to comply with law enforcement-specific data protection rules.

While DPIAs from other policing bodies involved in DESC claimed the data was protected while being transferred due to the use of at-rest and in-transit encryption, the SPA DPIA clearly identified that the encryption keys were held by Axon, meaning “they would be able to decrypt and provide the data, potentially without our knowledge or consent, where compelled by US authorities to do so”.

In a follow-up freedom of information (FOI) request sent by Computer Weekly to the SPA, the watchdog confirmed that, at the time of its response on 12 November 2024, Axon was still in possession of the encryption keys, over three months after the system was rolled out nationally at the start of August 2024.

Axon’s ongoing possession of the encryption keys was confirmed in a separate FOI response from Police Scotland, which also disclosed copies of two Transfer Risk Assessments (TRAs) that the Information Commissioner’s Office (ICO) said are required to carry out restricted law enforcement transfers under Part Three.

Both of the TRAs – one for the transfer of “content” data and one for the transfer of “non-content” data – contain sections on the “personal information risk level” associated with transfers, which data controllers (i.e. Police Scotland) must complete as part of their due diligence. While the TRAs note that data is encrypted both in transit and at rest, one of the columns in the table provided requires the controller to mark “yes” or “no” against the statement “Before transfer information is encrypted, pseudonymised or similar, and importer does not have the key”. In both instances, Police Scotland marked this column with a “no”.

Open Rights Group

According to Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), while it is feasible that technical measures like encryption could provide some level of security for law enforcement data in cloud environments, this certainly is not the case when an IT service provider holds the encryption keys.

“If the key is handled by an entity which is under US jurisdiction, then US authorities can force this entity to disclose the encryption key to them,” he said. “Encryption is useful only and as far as third parties, such as a foreign government, cannot obtain the decryption key, and encryption key management has become a key consideration for the security of international data transfers since the Schrems II judgement in 2020.” While encryption key management is not a novel issue, he added, “I’m not really seeing a lot of indication that our government is actually dealing with the problem.”

Computer Weekly contacted Police Scotland, the SPA and Axon about the ongoing possession of the DESC encryption keys.

“We have worked closely with criminal justice partners to ensure all required data security, protection controls and governance are in place and legally compliant ahead of the national roll-out of the Digital Evidence Sharing Capability system,” said a Police Scotland spokesperson. “We recognise the public interest in DESC data security controls and continue to engage with the Scottish Biometrics Commissioner and the Information Commissioner’s Office as required.”

On what measures are in place to stop Axon decrypting data without the knowledge or consent of the data controllers, an SPA spokesperson said that while the watchdog cannot speak for other DESC partners as each is a data controller in their own right, “There is a full audit trail on DESC that will be subject to scrutiny by the partners,” and that it is “not unusual” for vendors to manage the encryption keys.

“Many organisations using services in the cloud will rely on either their vendor or the cloud provider to manage encryption, given the specialist nature of this role,” they said. “There is a risk where any third party manages an organisation’s encryption keys, however, the management of keys is a specialist area and the risk of ‘getting it wrong in-house’ may be deemed to be a greater risk.”

Axon did not respond by the time of publication.

Ongoing concerns

The issues associated with Axon’s possession of the DESC encryption keys have been known for some time, and have been reiterated by other police regulators since the SPA completed its DPIA.

In October 2023, for example, Scottish biometrics commissioner Brian Plastow noted in a letter to Police Scotland that Axon being in possession of the encryption keys would expose the data to the US Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud.

“A primary concern is that by Scottish government opting for a ‘US-headquartered’ solution provider (rather than a UK or EU cloud provider, or a non-cloud solution) to host sensitive biometric data (and other law enforcement data), and by sanctioning the holding of the data encryption keys for that data by Axon (rather than by Police Scotland), then such data is fully exposed to the provisions of The Clarifying Lawful Overseas Use of Data Act 2018 (US Cloud Act), and the related US and UK data access agreement,” he wrote.

In an appearance before the Scottish Parliament’s Criminal Justice Committee on 13 November 2024, Plastow explained to MPs that while there have been attempts by Police Scotland and the SPA to mitigate the data sovereignty and security risks in DESC, these risks cannot be completely eliminated.

“On the question of data sovereignty, the Scottish Police Authority and Police Scotland have done everything within their power, including having clauses inserted into contracts and so on, to mitigate those risks as far as possible, but it is an inescapable truth that the Federal Bureau of Investigation could access that data if it wanted to,” he said. “Should that concern us? Probably not.

“The second question is, for me, more important. It is about the issue of security, and I included specific examples in the letter that I wrote … to show that, even at government level, as we have seen in the United States in recent years, a number of agencies have been hacked and important data has been stolen. We are where we are with that.”

Plastow added that the ICO has claimed since his letter that it is lawful to host law enforcement data in hyperscale infrastructure with appropriate protections in place. “I am in a more comfortable position now than I was when I wrote the letter, but my substantive point is that we cannot eliminate all risks,” he said.

Despite Plastow’s warnings, he is unable to take any action as data protection regulation and compliance is the sole responsibility of the ICO.

However, a separate clarification FOI sent to the ICO revealed the regulator became aware that Axon was in possession of the encryption keys as early as 26 August 2022, well over a year before Plastow wrote to Police Scotland outlining his concerns and months before the DESC pilot went live with real personal data on 24 January 2024.

While the ICO later issued advice to DESC partners on how to make the cloud processing legal – released under FOI – it did not mention anything about the need for organisations to control their own encryption keys, or the fact that encryption is not considered to be a relevant or effective safeguard under Part Three (which does not allow for “supplementary measures” that would enable data to be sent to jurisdictions with demonstrably lower data protection standards, such as the US).

Computer Weekly contacted the ICO about Axon’s ongoing possession of the encryption keys, including why it took no action despite being aware of the issue since August 2022, and whether it considers encryption an “appropriate safeguard” under Part Three.

A spokesperson said the ICO had nothing further to add, and reiterated a response given to Computer Weekly in July 2024: “We have carefully considered whether competent authorities may use cloud-based platforms in compliance with data protection law. Our view is that they may where appropriate protections are in place.

“We have ensured that DESC partners have been provided with guidance on this and have been asked to implement this. Should we have any concerns that DESC has not been implemented in a compliant way, as you would expect, this would be considered and actioned in line with our regulatory action policy.”

Other regulators’ views

A DPIA on the use of various Microsoft services commissioned by the Dutch Ministry of Justice said that although the company has mitigated a number of the risks identified by its assessment, the fact that the data can be ordered through the Cloud Act means “there is a high risk for the processing of sensitive and special categories of data … as long as the organisation cannot control its own encryption keys”.

“Even if the likelihood of occurrence is extremely low, the impact on data subjects in case of disclosure of their sensitive and special categories of personal data to US law enforcement or security services can be extremely high,” it said. “This is due to the lack of notification and the lack of an effective means of redress for EU citizens. This risk even occurs when these data are exclusively processed and stored in the EU.”

While an executive order was signed by President Biden in October 2022 that committed the US to providing European citizens with redress when their data is collected by US signals intelligence agencies, the CEPS think tank has identified a number of gaps that call into question whether the redress provided is actually meaningful.

The European Data Protection Board (EDPB) came to a similar conclusion about the role of encryption in June 2021, debunking the idea that cryptography is an effective safeguard when the data is either decrypted for processing in the cloud, or the keys are otherwise held by a technology service provider.

For example, the EDPB noted that when cloud service providers require access to “data in the clear” for processing (i.e. unencrypted data, which is the case whenever they process text, since no current technology allows such information to be processed while it remains encrypted), “transport encryption and data-at-rest encryption, even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys”.
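The distinction the EDPB and the SPA draw comes down to who holds the key that unlocks the stored data. The following is an added example in Go, written for this article and not code from Computer Weekly, the EDPB, Axon, Microsoft or any DESC document; the envelope layout, the StoredObject type and the ProviderCanRead helper are assumptions made for illustration. Each record is encrypted under its own data key (DEK), the DEK is wrapped under a key-encryption key (KEK), and the hosting provider keeps the ciphertext and the wrapped DEK. The example then checks what the provider can recover in two configurations: when the provider has also been given the KEK, and when only the data controller holds it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what the hosting provider keeps for one record.
// Hypothetical layout for illustration only, not the DESC storage format.
type StoredObject struct {
	Ciphertext []byte // AES-256-GCM over the plaintext, nonce prepended
	WrappedDEK []byte // AES-256-GCM over the data key under the KEK, nonce prepended
}

// NewKey returns 32 random bytes, usable as either a KEK or a DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or tampered input yields an error, never garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt applies envelope encryption: a fresh DEK per object, wrapped under the KEK.
// Whoever holds the KEK can unwrap every DEK and therefore read every object.
func Encrypt(kek, plaintext []byte) (StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK: unwrap the DEK, then open the ciphertext.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	return open(dek, obj.Ciphertext)
}

// ProviderCanRead models the importer's position: it always holds the stored
// object, and holds a KEK only if key management was delegated to it (nil otherwise).
func ProviderCanRead(obj StoredObject, providerKEK []byte) bool {
	if providerKEK == nil {
		return false // at-rest encryption alone: the ciphertext is opaque to the provider
	}
	_, err := Decrypt(providerKEK, obj)
	return err == nil
}

func main() {
	kek, _ := NewKey()
	obj, _ := Encrypt(kek, []byte("constructed sample evidence record")) // constructed input
	fmt.Println("provider holds the KEK, provider can read:", ProviderCanRead(obj, kek))
	fmt.Println("controller holds the KEK, provider can read:", ProviderCanRead(obj, nil))
}
```

In both configurations the data is encrypted in transit and at rest, which is exactly the assurance the other DPIAs relied on; the difference the TRA column asks about is whether the importer can complete the Decrypt step on its own. A production deployment would keep the KEK in a hardware security module or a key management service under the controller's sole control rather than in process memory as here, and the same test applies: if the provider can call Decrypt without the controller's involvement, a compelled disclosure yields plaintext.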

Computer Weekly asked the ICO whether it agrees with the EDPB interpretation, but received no response on this point.

TRA details

In June 2024, Computer Weekly reported that Microsoft had previously admitted to Scottish policing bodies that it was unable to guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

The disclosure specifically revealed that data hosted in Microsoft’s hyperscale infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company may have the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.

However, the routine nature of the transfers in Microsoft infrastructure is not mentioned in either of the TRA documents, which instead claim that “the services will routinely be provided wholly in the UK and will not be subject to international transfer”.

It added that data may be transferred “for business continuity, in the event of a catastrophic failure or attack requiring immediate action to move data to prevent loss or access by a threat actor, the data may be temporarily transferred to another storage location outwith the UK”.

However, it also noted that, in the event of such a “catastrophic incident”, it could affect “hundreds of thousands of individuals depending on the date/time”.

Computer Weekly contacted Police Scotland for comment on the contents of the TRA – including why the risks associated with the lack of sovereignty are not mentioned; what assurances it has received from Microsoft to mitigate these risks; and how it is ensuring that Axon does not decrypt the data without its knowledge or consent – but received no response on these points.

Computer Weekly also contacted the ICO about whether it believes the TRA documents have been completed to a satisfactory standard, but similarly did not receive a response on this point.
