Body-worn video provider Axon still controls the encryption keys for a critical Police Scotland cloud project, despite ongoing warnings about data protection risks.
In January 2023, Police Scotland began a pilot for its Digital Evidence Sharing Capability (DESC), contracted to Axon and hosted on Microsoft’s public cloud. This kick-off happened even though the Scottish Police Authority (SPA) had raised significant data protection concerns. Their impact assessment noted issues with US data transfer laws and contractual terms with Microsoft that couldn’t meet law enforcement data protection standards.
While other police bodies involved in DESC assured users that data was secured through encryption during transfer, the SPA flagged that Axon holds the keys. This situation means Axon could decrypt and release data without Police Scotland’s consent if compelled by US authorities.
A freedom of information request revealed that as of November 2024, Axon continued to hold these keys, more than three months after DESC was fully launched. Police Scotland’s separate response confirmed this, disclosing two Transfer Risk Assessments (TRAs) required for lawful data transfers. Both TRAs included an assessment of personal information risk, and despite noting encryption protocols, Police Scotland indicated on key management that they did not control the encryption keys.
Mariano delli Santi from the Open Rights Group pointed out the problem: if an entity under US jurisdiction holds the encryption keys, it poses a significant risk. US authorities can demand access to that data. While encryption can offer some security, it fails to protect against government access if the keys are with a US-based provider.
In public statements, Police Scotland emphasized working closely with criminal justice partners to ensure data security measures were in place before DESC’s rollout. They noted the public’s interest in these controls and ongoing engagements with the Scottish Biometrics Commissioner and the Information Commissioner’s Office.
The SPA, in response to questions about preventing Axon from accessing data without consent, stressed that DESC has a comprehensive audit trail. They noted it’s common for vendors to manage encryption keys in cloud environments, weighing the risks of third-party control against potential internal mismanagement.
However, concerns about Axon’s possession of the encryption keys have been long-standing. In October 2023, Scottish biometrics commissioner Brian Plastow raised alarms about the risks posed by the US Cloud Act, which could allow the US government access to data stored by Axon. He admitted while efforts have been made to mitigate risks, they cannot be completely eliminated, acknowledging that if necessary, US authorities could access the data.
Despite this, the ICO maintains that hosting law enforcement data in cloud infrastructures can comply with legal standards if proper protections exist. They reiterated that DESC partners received guidance and needed to implement it, indicating that any non-compliance would prompt regulatory scrutiny.
Beyond Scotland, broader insights from the Dutch Ministry of Justice reinforced the risks associated with having encryption keys managed by a US provider. They flagged that compliance with US laws under the Cloud Act carries significant risks for personal data, regardless of where the data is processed.
Furthermore, a report earlier revealed Microsoft cannot guarantee that UK law enforcement data hosted on its platforms remains secure from overseas processing. Despite stating that these services will be confined to the UK, the TRAs admitted data could still be transferred during emergencies.
These details emerged amid calls for more transparency regarding the risks of relying on US companies for sensitive data storage and processing. Police Scotland, Axon, and the ICO did not provide comments addressing these concerns in detail.