stickerside - stock.adobe.com

Microsoft admits no guarantee of sovereignty for UK policing data

Documents show Microsoft’s lawyers admitted to Scottish policing bodies that the company cannot guarantee sensitive law enforcement data will remain in the UK, despite long-standing public claims to the contrary

Microsoft has admitted to Scottish policing bodies that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure, despite its systems being deployed throughout the criminal justice sector. 

According to correspondence released by the Scottish Police Authority (SPA) under freedom of information (FOI) rules, Microsoft is unable to guarantee that data uploaded to a key Police Scotland IT system – the Digital Evidence Sharing Capability (DESC) – will remain in the UK as required by law.

While the correspondence has not been released in full, the disclosure reveals that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.

The correspondence also contains acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture. As a result, the issues identified with the Scottish Police will equally apply to all UK government users, many of whom face similar regulatory limitations on the offshoring of data.

The recipient of the FOI disclosures, Owen Sayers – an independent security consultant and enterprise architect with over 20 years’ experience in delivering national policing systems – concluded it is now clear that UK policing data has been travelling overseas and “the statements from Microsoft make clear that they 100% cannot comply with UK data protection law”.

“They’ve confirmed for the first time that a guarantee of sovereignty for data at rest (which is what they give) does not extend to data being processed (which is what everyone chose to assume) and does not cover support (which everyone ignored),” he said, referring to Microsoft’s acknowledgement that it runs a ‘follow the sun’ model, which in turn refers to how technical and IT support is provided without regard for location.

The sovereignty measures committed to by Microsoft do NOT extend to support of any services – this will always be likely to result in international transfers
Owen Sayers, independent security consultant and enterprise architect

“The sovereignty measures committed to by Microsoft do NOT extend to support of any services – this will always be likely to result in international transfers.”

Sayers added that from the point at which this newly received information enters the public domain, no UK policing body can justifiably claim that Microsoft is processing the data legally. “A line has been drawn beneath the period of ‘we didn’t know’ and anyone using this technology now is knowingly breaching UK law,” he said.

Nicky Stewart, a former ICT chief at the UK government’s Cabinet Office, said most people with knowledge of how hyperscale public cloud works have known about these data sovereignty issues for years.

“It’s clearly going to be a concern to any police force that’s using Microsoft, but it’s wider than that,” she said, adding that while Part 3 of the Data Protection Act (DPA) 2018 clearly stipulates that law enforcement data needs to be kept in the UK, other kinds of public sector data must also be kept sovereign under the new G-Cloud 14 framework, which has introduced a UK-only data hosting requirement.

Stewart further added that the FOI disclosure “creates a real opportunity to solve some of these problems, given how much of the UK’s most sensitive data is now sitting on these hyperscale systems”.

Computer Weekly contacted Microsoft about every aspect of the story and every claim made.

“Microsoft has strong data protection and data residency commitments for Azure, which hosts Axon’s Digital Evidence Sharing Capability,” said a Microsoft spokesperson. “We have not made any contractual commitments that change how Azure services already run. We have worked with Police Scotland to clarify how Azure operates to help them determine that they can use DESC on Azure in compliance with the obligations for law enforcement set out under Part 3 of the Data Protection Act 2018.”

Ongoing police cloud concerns

Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing over a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK police, arguing they are currently unable to comply with strict law enforcement-specific rules laid out in Part 3 of the DPA.

At the start of April 2023, Computer Weekly revealed the Scottish government’s DESC service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.

Specifically, the police watchdog said there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic rather than specific contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.

Computer Weekly also revealed that Microsoft, Axon and the Information Commissioner’s Office (ICO) were all aware of these issues before processing in the DESC began. The risks identified extend to every cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules.

Microsoft’s international data processing

The correspondence released under FOI reveals details of a meeting held between DESC partners and Microsoft’s legal team on 25 April 2023.

The risks identified extend to every cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules

According to the SPA’s data protection officer (DPO), Microsoft’s lawyers said they consider the General Data Protection Regulation (GDPR) – which does not cover law enforcement processing – to be the gold standard, but that it was up to the customer to determine whether that is suitable in terms of the data they are processing. This mirrors the position Microsoft laid out in communications to Sayers in April 2019 when he first approached it about the implications of Part 3.

“There was also a tacit admission that data can go outside the UK. They advised that this is the very nature of cloud computing and that their support is on a ‘follow the sun model’,” the SPA told the ICO in an email update about the meeting, meaning that technical support is provided from locations around the globe.

“They also stated that there were a lot of other public bodies processing Part 3 data on Azure with no issues. Our IT rep at the meeting advised that we consider they are wrong and we are right. Indeed, a number of police forces have now made contact with the DESC project given the issues we have uncovered in a product many of them are using for body-worn video.”

Microsoft was also told by the DPO that police forces in England and Wales could not ignore the watchdog’s due diligence given media coverage and a formal information notice served by the Scottish Biometrics Commissioner in relation to the system: “We advised that we were trying to resolve the matter for all organisations subject to Part 3.”

In later correspondence between the SPA and Police Scotland from December 2023, the force’s chief technology officer outlined to the police watchdog’s DPO which of its services “may store and process data outside of the specified geo”, including Azure Cloud Services; Azure Data Explorer; Language Understanding; Azure Machine Learning; Azure Databricks; Azure Serial Console; preview, beta and other pre-release services.

The released correspondence indicated that the specific unredacted services listed are not in use by Police Scotland at this time, but several of these are known to be used by forces in England and Wales.

Computer Weekly contacted Microsoft about how it is preventing data from being stored and processed outside the geo for these Azure elements, but received no response.

Data transfer concerns

In follow-ups with Axon from January 2024, the SPA DPO pushed the company to confirm that DESC does not use any of these functions where data sovereignty cannot be guaranteed, or that no Part 3 law enforcement data would be present in any of those elements.

While the response to this was not disclosed, an update from the DPO to the ICO informed the regulator that, by mid-January 2024, Microsoft had agreed to make a number of changes to the Data Processing Addendum (DPAdd) being used for the DESC, after the company agreed that it “does not include UK GDPR and Part 3 requirements”.

Computer Weekly asked both Microsoft and Police Scotland what changes have been made to ensure the DESC’s compliance with Part 3, but received no specific response to this point from either organisation.

In a separate FOI response to Sayers in May 2024, the SPA again confirmed that “Microsoft have advised that they cannot guarantee data sovereignty for M365” and that, in relation to Azure, the company “cannot accept specific consent [to transfer data internationally] on a case-by-case basis as this would be impossible to operationalise”.

However, it clarified that given the data transfer concerns, Microsoft had agreed to make an additional commitment to both storing and processing the data within the selected region: “This expands the product terms ‘storage at rest’ commitment to store customer data at rest to include location of both storage and processing.”

Despite any changes made, there are ongoing issues around the extent to which Scottish policing bodies will have oversight and control of data being transferred overseas, as required by Part 3 of the DPA.

“The real sticking point we now have is that they say they would not make international transfers without our consent,” said the SPA DPO. “But by signing to agree to the DPAdd they take that as consent. We have expressed our position that this is not compliant with S59, S73 or S77 [of Part 3].”

Under Part 3, there can be no general approval for such transfers, as the processor must not send data offshore unless they are specifically told to so on a case-by-case basis. Each transfer must also be reported directly to the ICO.

These comments were made in an email from the DPO to the ICO in mid-December 2023, but the disclosure itself does not make it clear if the technical changes being implemented by Microsoft will include measures to ensure case-by-case permissions for international transfers.

Even if these changes were made, however, Microsoft’s commitment to not access customer data without permission is further complicated by the terms of service, which make that promise strictly conditional by giving the company the ability to access data without permission if they either have to fulfil a legal burden, such as responding to government requests for data, or to maintain the service.

On the point that policing bodies would have to give consent to Microsoft for every international transfer, Sayers noted this is an explicit Part 3 requirement, being “a case-by-case permission requirement”.

He added that given Microsoft’s disclosures to the SPA, “it must now be obvious that M365 and Azure Cloud services do not meet the two key requirements” to be a legal processor or sub-processor of law enforcement data under the DPA 18.

“These are: one, to conduct all processing and support activities 100% from inside the UK; and two, to only make an international transfer if they are specifically instructed to make the particular transfer by the controller,” he said.

“Microsoft have confirmed that they do not and cannot commit to requirement one for their M365 services, or indeed for most of the services they operate and support in Azure. They have also said that they cannot ‘operationalise’ individual requests as required of them under section 59(7) of the act, thus failing to meet requirement two.

“There can be no clearer evidence than Microsoft’s own clarifications that they cannot meet the legal requirements for a processor or sub-processor of law enforcement data.”

Stewart said: “If it’s not possible to understand the simple question, ‘do you know where your data is all the time?’, then you probably shouldn’t be putting your data in that platform.”

Computer Weekly contacted Microsoft about all of these claims but received no specific response.

‘No one else had asked’

Although the specific details of the changes and commitments made by Microsoft are likely included in passages of redacted text from the emails, the DPO noted that the changes will only be made for the SPA, Police Scotland and Axon: “I muted the point that it should be in the DPAdd for all customers, but they responded that no one else had asked them.”

The minimum we ought to see is an immediate moratorium against expansion of the use of Microsoft Cloud for law enforcement processing whilst appropriate realignment and progressive reduction of the services can be undertaken
Owen Sayers, independent security consultant and enterprise architect

The DPO added that without the changes being made for all users, it will be harder to do business with third parties using Azure without having to ask them to approach the ICO about their terms being changed.

“So…good news for the DESC project. Our lawyers are just going to circle back this week and make sure this resolves all our concerns or whether we should buy the advanced data residency offering as well,” the DPO said, adding while the results are a “mixed bag”, getting Microsoft to agree to some changes is, “in my view, a huge win and opens the door for closer working in the future”.

In its response to Computer Weekly’s questions about the FOI disclosures, however, Microsoft noted it already has “strong data protection and data residency commitments for Azure” and has “not made any contractual commitments that change how Azure services already run”.

It is therefore currently unclear from Microsoft and Police Scotland’s responses what specific changes have been made to ensure DESC compliance.

Commenting on Microsoft’s refusal to make changes for other UK policing bodies, Sayers said while the company might make their services legally compliant, it has known about the issues since at least the first quarter of 2019 and is yet to make any positive changes.

“I do not actually believe they could feasibly make their core cloud services compliant with DPA 2018 Part 3, and a move away from Microsoft-based cloud is probably the only option,” he said, adding that individuals and departments responsible for law enforcement data now face a Hobson’s choice: “Do they continue to knowingly and openly break UK law by continuing to use these services, placing the rights and interest of citizens at risk, and potentially bringing their evidence and case management systems into disrepute, or shall they stop doing so?

“The argument will be made that it is impractical to simply crash stop Microsoft use with immediate effect, and I broadly agree that’s the position we’re in. The minimum we ought to see is an immediate moratorium against expansion of the use of Microsoft Cloud for law enforcement processing whilst appropriate realignment and progressive reduction of the services can be undertaken.”

In April 2023, Computer Weekly reported on the contents of emails between Sayers and Microsoft, in which the company’s legal team noted: “We do not plan to distribute any proactive communications to our customers regarding the proposed changes to Part 3 of the DPA, but expect that those customers with questions or concerns will contact us directly with their queries.” 

Stewart called Microsoft’s reluctance to implement technical changes for other UK policing customers a “missed opportunity” as making the cloud infrastructure “bulletproof for UK sensitive data” means it could be getting even more business than it already is.

She added this is partly down to a lack of competition in hyperscale cloud markets, which means Microsoft is not incentivised to make changes or innovate because public sector procurement teams will buy its products regardless: “Why should Microsoft innovate? How do you incentivise something as powerful as Microsoft to do the right thing?”

Every aspect of the story was put to Microsoft, but the company declined to comment on any of the specific points raised.

Despite Microsoft’s admissions, the FOI disclosures also contain advice from the ICO to Police Scotland on the measures it believes can ensure the DESC’s compliance with UK data protection law, which will be covered in an upcoming Computer Weekly story.

The admissions also represent an issue for the whole of government, given the data sovereignty clauses in the latest G-Cloud framework, which will also be covered in an upcoming Computer Weekly story.

Read more about police technology

Read more on Big data analytics