Microsoft Admits No Guarantee of Sovereignty For UK Policing Data (computerweekly.com)
An anonymous reader shared this report from Computer Weekly:
Microsoft has admitted to Scottish policing bodies that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure, despite its systems being deployed throughout the criminal justice sector.
According to correspondence released by the Scottish Police Authority (SPA) under freedom of information (FOI) rules, Microsoft is unable to guarantee that data uploaded to a key Police Scotland IT system — the Digital Evidence Sharing Capability (DESC) — will remain in the UK as required by law. While the correspondence has not been released in full, the disclosure reveals that data hosted in Microsoft's hyperscale public cloud infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because "no one else had asked".
The correspondence also contains acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture. As a result, the issues identified with the Scottish Police will equally apply to all UK government users, many of whom face similar regulatory limitations on the offshoring of data. The recipient of the FOI disclosures, Owen Sayers — an independent security consultant and enterprise architect with over 20 years' experience in delivering national policing systems — concluded it is now clear that UK policing data has been travelling overseas and "the statements from Microsoft make clear that they 100% cannot comply with UK data protection law".
Hmmm (Score:4, Funny)
Re: (Score:2, Troll)
Can be tough shit the other way around too, if they figure how this sort of data sharing is against the law.
At which point Dave the sales guy goes to prison, as does his boss, and his boss and anyone else whose signature is on this document that leads to criminal liability. In the real world, this will of course be settled out of court, but in principle this is how this should go.
Re: Hmmm (Score:2)
Highly doubt Microsoft would even be liable. As they say, nobody asked when they signed the contract. Microsoft, Amazon and co will sell you just about anything, it is the customers responsibility to comply with and get eg HIPAA BAA agreements or ISO certification or whatever other regulatory framework you need. The secondary problem is whether they can provide the same resources on the island, there is a limited infrastructure in place, it is very likely that a single outage or serious event would affect a
Re: (Score:3)
Depends. Contract law does not supersede criminal law, and a lot of privacy issues in criminal justice system are under criminal law.
And as for the rest, that would indeed be "That's tough Dave, but you signed the contract and we obviously require you not to murder anyone or violate anyone's privacy or break any other laws in performing your contractual duties".
Re: (Score:1)
Re: (Score:2)
You can make those claims in court, certainly. That is why I said above that case will likely be settled.
But if some gung-ho prosecutor got selected for this and didn't actually get "the talk" from his superiors that this should be settled because a lot of civil servants will join Dave and his boss in prison... All bets are off. You could nail the seller, his boss, whoever designed the implementation and whoever did the final implementation at the very least. Probably more. In addition to many civil servant
Re: (Score:1)
Re: (Score:2)
Yes, that's what I said. You can make those claims as a defence in your criminal trial. In fact I specifically reference the fact that this would be a criminal rather than civil litigation above.
Re: (Score:1)
The contracts you sign make sure that the customer will use the system as appropriate for your jurisdiction. You can buy it, whether or not you can use it is up to the customer.
Basically all Microsoft has to say is "we didn't sell it to them for use with private data, the data on the system is the customer's responsibility". This is no different than an employee using Dropbox or Backblaze or Salesforce because they don't like whatever their company is buying for them. That doesn't make the company liable fo
Re: (Score:2)
>The contracts you sign make sure that the customer will use the system as appropriate for your jurisdiction.
And in this case, they signed it in UK, so they're bound by UK laws. That's in fact how contracting system works. You make a contract not in a void, but under jurisdiction of a specific sovereign. In this case, King of United Kingdom and His Majesty's legal system. This is why contracts typically specify what sovereign jurisdiction they're made under.
The rest is a continued misunderstanding on you
Re: (Score:1)
Yes, they are bound by UK laws, nobody says they aren't.
But Microsoft isn't contracted to provide a specific solution for their police force, they are contracted to provide solutions for computing systems and that is what they provided. This is no difference than renting out a car, if you are subsequently using the car as a taxi or ambulance, being a taxi and ambulance may have certain regulations on them that the renting company can't and doesn't need to fulfill. Here too, they bought a cloud system and su
Re: (Score:2)
How many more times do you want us to do this circle, where you say "yes I understand they can't break sovereign's laws" and then you explain how they can in fact break UK laws because "contracts magically let them break sovereign laws"?
Re: (Score:1)
I don't believe the king has yet decided that they are to be punished for this lapse on the side of the government. That is definitely possible in the UK; it isn't, however, when common law is followed.
There is no sovereign law that says "all data whatsoever shall remain within the UK" because that would make a whole lot of things including international trade impossible. Here the law is "the owner of the data shall make sure certain government data remains in the UK", they (the customer) subsequently shipped
Re: (Score:2)
Right, so you don't even understand the difference between "sovereign" and "representative of the sovereign" in a constitutional monarchy.
I don't think we can find common ground here. The lack of knowledge of basics on how legal system functions on your side is just too vast to bridge in a reasonable amount of time.
Re: (Score:1)
It's a monarchy, the sovereign is the sovereign, not a representative, they may claim as such, but legally speaking the monarch is still a sovereign, the only question is whether the army would still go along with that. You're an idiot that doesn't understand the way common law and contract law works.
Re: (Score:2)
Understood. I don't think we can continue the discussion if you refuse to recognise the role of bureaucracy and how it interacts with sovereignty, much less understand that UK is not an absolute monarchy.
Re: (Score:2)
It appears to me that any criminal liability would lie with the police agency that signed the contract that did not specify the requirement to meet the law.
There is an automatic assumption that any contract will be legal in the jurisdiction that it is signed and applies to. And if it isn't it doesn't matter what is on the paper and what questions were asked, it is up to the business supplying the goods and services to ensure that their product is compliant otherwise they're breaking the law by supplying it as is in its unlawful state.
Re: (Score:3)
I find it difficult to believe that "contract law" requires the vendor to review every law on the books in every jurisdiction in which they operate. If they told the cops they were providing storage and the cops didn't say, "This has to stay in-country" then I can't see how they can be held liable for the police legal office's incompetence.
Re: Hmmm (Score:4, Insightful)
That is the same as saying that a vendor has no need to follow the laws in the country they are doing business in unless the contract says so.
I don't think that is how things work, but all companies would love it if it were true.
Re: (Score:2)
That is the same as saying that a vendor has no need to follow the laws in the country they are doing business in unless the contract says so.
By this logic are you saying that companies who sell or manufacture cars should be liable if people use those cars to break the speed limit or commit crimes? Where I live the fastest speed limit that exists is 65 miles per hour. Are you suggesting that Ford, Chevy, Nissan, Toyota, etc. shouldn't be able to sell cars that can exceed the speed limit in Oregon without special contracting? I realize it's not a perfect analogy, but think it's a reasonable comparison. Ultimately the purchaser of a good, service,
Re: (Score:2)
By this logic are you saying that companies who sell or manufacture cars should be liable if people use those cars to break the speed limit or commit crimes?
I'm afraid you are conflating two different things which makes the above a non sequitur. A company isn't normally liable for how a consumer uses the product but they are liable if the product they are selling is breaking the law by the very nature of how it functions when used. If we use your car analogy, they sold a car that doesn't for example conform to the emission standards or safety standards and when the buyer discovered that they couldn't use the car legally the seller just shrugged their shoulders
Re: (Score:2)
A car capable of driving faster than the speed limit can be driven at legal speeds, similarly cloud services can be used to store data that isn't location embargoed.
I don't know enough about the specific UK data residency requirements at play here to be authoritative, but unless absolutely no data of any kind can be processed outside of the UK, there would be a non-zero number of legal use cases that Microsoft could use to defend its liability. For example, if truly zero data could be processed outside the
Re: (Score:2)
This claim makes sense if you believe that contract law supersedes criminal law, i.e. that you can contractually stipulate that criminal law will not apply in some cases.
"Your honor, this needs to be dropped as a criminal case because while I killed this child with my power tools as a result of my gross negligence, but since it stipulates in contract that I am doing this work at this house with power tools, I'm allowed to kill that child". Not even if contract specifically stipulated that he's allowed to kil
Re: Hmmm (Score:4, Interesting)
No, I'm saying that Microsoft was selling **storage**, they're not in control of what the police decided to store there. For that matter, if it's configured right they probably have no idea what's stored in that container.
So to use your example, Ace Hardware sells you a power tool, and your incompetence using it kills the kid. I don't think that Ace Hardware should be held accountable.
Re: (Score:2)
Cool. "I've sold storage that I actively manage according to the contract. You can't prosecute me for accepting a corpse with several bullet wounds from a client, even though I actively did look at the corpse before accepting it into the storage!"
Nope, still doesn't work.
Re: (Score:2)
actively did look at
So you don't know how cloud storage works? This is not your server where you're the admin and can see everything on it or your iCloud account where Apple has god-like access. MS doesn't know what is being stored, they give the customer a container, or more likely a group of containers, and unless the customer specifically gives them permission they have no access to the data in it. All they see is a big blob of encrypted bits to which they do not have the key. If they need to move it from one site to an
Re: (Score:2)
>So you don't know how cloud storage works? This is not your server where you're the admin and can see everything on it or your iCloud account where Apple has god-like access.
Projection of ignorance on your part. Content is scanned as a matter of routine for potential material violation even by simple cloud providers (iCloud is more than a simple cloud storage and does a lot more scanning than them because of it), specifically because of the criminal liability issues.
You can find relevant scanning clause
Re: Hmmm (Score:2)
So you don't know.
Content scanning only happens at consumer cloud services, commercial and government customers would never tolerate that, and for MS and AWS that's their bread and butter.
Re: (Score:2)
>government customers would never tolerate that
Because of criminal liability, yes. And in this case, the point is that providers fucked up, and are now in trouble with the government.
You got it.
Re: (Score:2)
So you think that all the confidential/medical/national security data should be reviewed before being saved at the cloud provider? That's a rather, umm, unique perspective.
Re: (Score:2)
So you've moved goal posts with every single post. The process has been "I call you on a clear cut error, you dodge and change the goal posts." We're now down to you splitting hairs over "screen" vs "review".
The answer hasn't changed by the way. Nor has the fact that government is in fact having the problem mentioned. No matter how much you dodge around.
Re: (Score:3, Informative)
Ignorance of the law is no excuse, yes they must ensure they are complying with local law.
Re: (Score:2)
If the customer configures a storage unit correctly, be it MS, AWS or Google, then the cloud service has no way of knowing what is stored there. (At AWS that's the default, I assume it's the same with the others.) All the cloud provider sees is a big blob of encrypted bits of a certain size, generally they can't even tell if all the space in the blob is in use. Now how the frack do you expect them to maintain confidential data in-country IF THEY DON'T EVEN KNOW WHAT'S STORED THERE?
What the cops failed to
Re: (Score:2)
"I find it difficult to believe that "contract law" requires the vendor to review every law on the books in every jurisdiction in which they operate"
Your problems in believing the truth are your own problem. "Ignorance of the law is no excuse."
Re: (Score:2)
GDPR, police here would be the data controller, and hence responsible for who they gave data to. They should have checked where the data was going to be stored. They should have asked Microsoft for a shiny tick box which read, "keep data in GDPR compatible jurisdictions only" (of which there are several around the world). And if they didn't know they should have done this, the data protection authorities will just say, "you should have known". Any org above a certain size must have a data protection officer
Re: (Score:1)
UK, so GDPR doesn't apply.
*facepalm* (Score:1)
"keep data in GDPR compatible jurisdictions only"
Luckyo:
UK, so GDPR doesn't apply.
Reality:
After leaving the European Union the United Kingdom enacted its "UK GDPR", identical to the GDPR. [wikipedia.org]
Everyone:
*facepalm*
Re: (Score:2)
They're probably storing the data in the big cluster of datacenters outside Dublin, the same as pretty much every other cloud player in Europe.
Re: (Score:2)
Right. That's the border they're referring to. To my knowledge (admittedly outdated) MS and AWS don't have any major DCs in England/Scotland/North Ireland.
Re: (Score:2)
Re: (Score:1)
Ever hear the term "ignorance of the law is no excuse"? It certainly applies in this case. If you market a product in a country, you must do so in a legal way in that country, and not break the law. Break the law, there are consequences.
Re: Hmmm (Score:2)
Re: (Score:3)
Can be tough shit the other way around too, if they figure how this sort of data sharing is against the law.
At which point Dave the sales guy goes to prison, as does his boss, and his boss and anyone else whose signature is on this document that leads to criminal liability. In the real world, this will of course be settled out of court, but in principle this is how this should go.
If I buy the wrong kind of electrical conduit for a new circuit and my house burns down, it's not Home Depot's fault or the fault of the manufacturer, it's my fault for not following code and ensuring the product was fit for purpose. I didn't follow the law so it's on me. It is on whoever was in charge of procurement on the UK government side to either ensure the MS cloud solution was compliant with all relevant regulations, or to put language in the contract with MS to ensure that the necessary customi
Re: (Score:1)
If the electric conduit that is sold is patently not fit for purpose but is made as fit for purpose and sold as fit for purpose, and it kills someone, who will be on trial?
Re: Hmmm (Score:1)
Re: (Score:2)
I'm actually talking about the principle, and if you read my posts in this thread, you'll not only see me doing that, but you'll even find me pointing out that this will probably not work that way in practice because Dave the sales guy would have to share a cell with civil servants from the other side of the deal.
Re: (Score:2)
"If I buy the wrong kind of electrical conduit for a new circuit and my house burns down, it's not Home Depot's fault or the fault of the manufacturer, it's my fault for not following code and ensuring the product was fit for purpose."
Not a good analogy. If Home Depot sells you a kind of electrical conduit *that's so unsafe that it's illegal to sell it*, it's sure as hell the fault of Home Depot and/or the manufacturer (but still possibly yours as well).
Re: (Score:2)
That's not what I said at all. I said if I bought something without looking if the specs meet code for my purpose. It could be perfectly fine for 4 THHN conductors, but if I shove 3 ROMEX cables in there, it's a problem, and it's not the seller nor the manufacturer's fault.
Re: (Score:3)
Sure, Dave said it's in the Terms of Service.... but don't worry, that probably won't happen.
It's in the name (Score:5, Insightful)
"hyperscale public cloud infrastructure"
It is huge. It is spread everywhere (for redundancy). It is the same infrastructure shared with everyone else -all over the world.
Data of importance should be stored on your own infrastructure. Somewhere you can (physically) reach. Maintained by people you can (physically and legally) reach. Control and responsibility commensurate with the importance of the data.
Re: (Score:2)
Re: It's in the name (Score:1)
Re: (Score:2)
Data security (and thus sovereignty) is not absolute: there is no such thing as "secure" or "insecure", but only levels of grey within. To *guarantee* a
Re: (Score:2)
Data of importance should be stored on your own infrastructure. Somewhere you can (physically) reach. Maintained by people you can (physically and legally) reach. Control and responsibility commensurate with the importance of the data.
Ummmm, how the hell will other organizations gain access to your data then? There are numerous quasi-governmental organizations that regularly comb through all data uploaded to any "cloud". The question isn't whether or not someone is aggregating all of the data, the question is: Who has access to it?
That is the trillion dollar question.
I need some help (Score:3)
Re: (Score:2)
Not as such. It can be done...but it is not straightforward.
Think of it using the old hard disk analogy. You can specify what disc drive you store a file on (C, D, E, etc.). But if one is actually a RAID, there are multiple physical discs with the data spread across them: you can't specify to only use certain ones and not others.
Amazon offers regionally separate clouds. Microsoft offers the US Govt a secure cloud that is physically completely separate from its public cloud service. UK seems to have jus
Re: (Score:2)
Not only is this possible, they will often offer as a feature the ability to place different instances in different locations for business continuity, i.e. keep them separated so that if one data center goes down the instances in another data center can keep going.
No Microsoft subsidiary can guarantee sovereignty (Score:4, Insightful)
Only nationally owned companies with nationally owned infrastructure are within a nation's sovereignty. All Microsoft and Microsoft subsidiary servers are de facto under the sovereign control of the United States.
Re: No Microsoft subsidiary can guarantee soverei (Score:2)
Re: (Score:2)
Like in Ireland ... it didn't help.
At best the Cloud Act might not compel access to Europeans' data if the American judges are feeling generous. FISA will compel access to all.
Re: No Microsoft subsidiary can guarantee soverei (Score:1)
Re: (Score:2)
EU as a whole is addicted to globalism and the kind of people who get into the commission are addicted to sucking US dick (they like that the US spies on their citizens and then passes on some of the data).
Cloud Act is somewhat justifiable since it at least needs a public court order which takes into account company obligations under foreign law ... but FISA can only be ignored. When FISA says jump, Microsoft jumps.
Cloud (Score:2)
Re: (Score:2)
It's okay for encrypted backups.
Re: (Score:2)
Assuming you didn't pick the passphrase "mybackups12345".
Who Cares? (Score:3)
Nothing of significance will come of this:
UK: By law, our data must remain in the UK.
Microsoft: We can't do that.
UK: No problem. We'll change our laws, or just exempt you from them.
Re: Who Cares? (Score:1)
Re: (Score:2)
"That is not Microsoft's fault. "
It depends if Microsoft claimed to be able to do it when negotiating the contract.
Because they chose not to pay for these guarantees (Score:2)
Re: (Score:2)
I wonder what the UK regulatory bodies/courts have to say about Microsoft's actions.
Microsoft is obliged to abide by the laws of the countries where it does business, full stop.
Re: (Score:2)
My shitty little startup could do this (Score:3)
But Microsoft can't?
And oh, "no one asked us to"? It's the fucking law.
There are just no words in the English language to fully describe how disrespectful, arrogant and apathetic you have to be to work like this.
Re: (Score:2)
Microsoft can, and do, if you pay for the correct product that provides this service.
Maybe nations need their own cloud providers... (Score:2)
Sometimes I wonder if nations need their own cloud providers. One that might be contracted out, but the actual data centers are not going to have data auto-exfiltrate to other places or even hostile nations because cloud provider "A" decided to offload to some dudes in Lower Elbonia rather than beef up capacity.
This way, because it is run by the government, it won't be perfect, but it will at least have a set of standards that need to be followed to ensure data security and availability, like how backups a
Re: (Score:2)
Sometimes I wonder if nations need their own cloud providers. One that might be contracted out, but the actual data centers are not going to have data auto-exfiltrate to other places or even hostile nations because cloud provider "A" decided to offload to some dudes in Lower Elbonia rather than beef up capacity.
This way, because it is run by the government, it won't be perfect, but it will at least have a set of standards that need to be followed to ensure data security and availability, like how backups and replicas are kept.
Bonus points for multiple tiers, where some data may just need availability in one geographic area. Some data needs to be replicated multiple places. Some data needs to be put on tape and taken by Shaver's deros deep into underground caves. The more valuable or secure, the more money it should cost.
This way, a town police force can have an assurance that data stored on a cloud provider is going to be well protected.
There is an absolute shitload of companies that can guarantee data sovereignty by ensuring that physical storage is physically located in a UK datacentre and access is only permitted to UK staff located in the UK... I'm one of them (recently had a request to see if I could work from Australia for a few weeks visiting my family denied for this reason).
It's just that Microsoft's model of doing it on the cheap (i.e. sending whatever they can to cheaper countries) doesn't... Then they lied (even by omission, i
Told you so (Score:2)
In the Cloud = On Someone Else's Computer
Why in hell is this so difficult to understand?
Inconsistent statements from Microsoft (Score:2)
The summary says:
"Microsoft is unable to guarantee that data uploaded to a key Police Scotland IT system — the Digital Evidence Sharing Capability (DESC) — will remain in the UK as required by law"
but also says:
"the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because"
The first says it's not possible, the second says not only is it possible but it is going to do so for DESC
Re: (Score:2)
One statement talks about current tense, the other about the future.
Re: (Score:2)
"is unable" is present tense.
"has the ability" is present tense, and contradicts "is unable".
Re: (Score:2)
The first statement obviously means that the current situation means they are unable to make the guarantee
The second statement says things need to be changed.
Australian Experience (Score:2)
This... (Score:2)
is why we don't use cloud anything at all where I work.
On prem only.
In my last job we did use Azure, but again due to data protection and GDPR rules we ensured the data and the VMs were only in the UK-specific datacentres.
I knew in the back of my mind that MS didn't actually handle data in a safe way. It looks like they do on the surface, but under the carpet you see the ugly truth that they have no guarantees.
On prem only. I say this to so many sales calls, the sound of shock or even uncomfortableness, lik
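The post above describes pinning data and VMs to the UK datacentres; the thread earlier also notes that cloud providers let you place instances in different locations, and that geo-redundant replication sends copies elsewhere. The script below is an added example (it is not from the thread, from Microsoft, or from any policing body) of the kind of residency audit a defender would run over a resource inventory export to check that pinning actually held. It assumes an inventory shaped like the constructed INVENTORY list, uses Azure-style region names, and carries only a partial paired-region table that must be checked against the provider's current documentation before use.

```python
"""Audit a cloud resource inventory for data-residency violations.

Added example, not code from the thread or from any provider. Assumptions:
  * the inventory is a list of dicts with "name", "type", "location" and,
    for storage accounts, a replication "sku" (constructed below);
  * region names follow Azure naming (uksouth, ukwest, ...);
  * PAIRED_REGION is a partial excerpt; verify it against provider docs.
"""
from dataclasses import dataclass

# Regions the data is legally allowed to live in (assumption: UK only).
ALLOWED_REGIONS = {"uksouth", "ukwest"}

# Partial paired-region table (assumption: verify against provider docs).
# Geo-redundant storage replicates asynchronously to the paired region.
PAIRED_REGION = {
    "uksouth": "ukwest",
    "ukwest": "uksouth",
    "northeurope": "westeurope",
    "westeurope": "northeurope",
}

# Storage SKUs whose data leaves the primary region by design.
GEO_REPLICATED_SKUS = {"Standard_GRS", "Standard_RAGRS",
                       "Standard_GZRS", "Standard_RAGZRS"}


@dataclass(frozen=True)
class Finding:
    resource: str
    reason: str


def audit(inventory, allowed=ALLOWED_REGIONS):
    """Return a list of Findings for resources whose data may leave `allowed`."""
    findings = []
    for res in inventory:
        name = res["name"]
        loc = res["location"].lower()

        # "global" resources (DNS, traffic managers, ...) have no single
        # residence, so they can never satisfy a regional requirement.
        if loc == "global":
            findings.append(Finding(name, "global resource: no fixed residence"))
            continue

        if loc not in allowed:
            findings.append(Finding(name, f"deployed in {loc}"))

        # Even a correctly placed storage account leaks data to its pair
        # when a geo-redundant SKU is selected; check where that pair is.
        sku = res.get("sku", "")
        if sku in GEO_REPLICATED_SKUS:
            pair = PAIRED_REGION.get(loc)
            if pair is None:
                findings.append(Finding(name, f"{sku} replicates to unknown pair of {loc}"))
            elif pair not in allowed:
                findings.append(Finding(name, f"{sku} replicates to {pair}"))
    return findings


def violating_resources(inventory, allowed=ALLOWED_REGIONS):
    """Names of resources with at least one finding, in a stable order."""
    seen = []
    for f in audit(inventory, allowed):
        if f.resource not in seen:
            seen.append(f.resource)
    return seen


# Constructed sample inventory (names and values are made up).
INVENTORY = [
    {"name": "descevidence01", "type": "storageAccount",
     "location": "uksouth", "sku": "Standard_GRS"},       # pair is ukwest: fine
    {"name": "desc-app-01", "type": "virtualMachine",
     "location": "ukwest"},                                # fine
    {"name": "desccold", "type": "storageAccount",
     "location": "ukwest", "sku": "Standard_RAGRS"},      # pair is uksouth: fine
    {"name": "descbackup", "type": "storageAccount",
     "location": "northeurope", "sku": "Standard_LRS"},   # outside the UK
    {"name": "desc-dns", "type": "dnsZone",
     "location": "global"},                                # no fixed residence
    {"name": "descarchive", "type": "storageAccount",
     "location": "australiaeast", "sku": "Standard_GRS"}, # outside + unknown pair
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"{finding.resource}: {finding.reason}")
```

Run against a real export the inventory would come from the provider's resource listing; the useful property of the check is that it catches the second-order leak (a correctly placed account with a geo-redundant SKU) that a simple "location == uksouth" filter misses.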