The Cloud '6 Tests for Policing' - updated & very (VERY) simplified
I recently posted about a change to the transparency of FOI requests that I make relating to Data Protection Act 2018 Part 3 compliance by Law Enforcement Competent Authorities (the Police, Courts, Ministry of Justice, Prisons, some Home Office services, etc. etc.). You can read that article here.
Before I leap into publishing those however - and because of a few conversations I have had with folks over the past fortnight, who appear to have no understanding of the legal basis of Public Hyperscale (Global) Cloud platforms for processing this type of data - I want to revisit an article I wrote nearly 3 whole years ago.
June 2020 was post Brexit vote, but pre-actual Brexit and as such reflected a much simpler legal landscape. It even pre-dated the Schrems II judgement (which happened a month later) that threw European & UK GDPR based Data Protection into a tail-spin re transfers to the United States. It's therefore long overdue a re-publish (HERE), and an update - which is the purpose of this short article.
In the first round of testing I looked at six pretty obvious things (hence 'The 6 Tests') that related to the whole posture and confirmation of a cloud service as being suitable for Police (or wider CJS) use.
I could of course do this full set of tests again, and if I did so then the Cloud services I look at in this article would sadly fare equally poorly - but it takes a lot of time...
It's also very likely that no-one in a position selecting these services would pay a blind bit of notice (just like last time). Plus they say that repeating the same thing over & over again and expecting a different result is a quick path to insanity, so let's not do that.
For this review I've instead trimmed the analysis right back to basics - in fact of the SIX Tests I ran in June 2020, I'm only posing ONE question this time around:
Do the services clearly comply with the obligations applied to any processor under the UK's Data Protection Act 2018 Part 3?
This question is simple to ask, but actually quite complex to answer - there are 13 obvious and defined elements in the Act that need to be tested to give a fair assessment of a Service Provider's level of legal compliance (or gaps in it).
Some Caveats & Necessary Housekeeping
Before I simply publish the results (and I'll do that in a really simple graphical output below), there are a few things to explain about the methodology, sources and what inferences you may - and should not - draw from these results:
Final point - I can do this for ANY Cloud Service (and I'm going to start doing it for the multitude of processors who provide services to UK Policing & Justice on these platforms at some point soon in any event - it's a necessary step, by way of explanation, as part of the FOIs I'll be releasing).
If anyone wants a service reviewed, send me the Terms of Service and any Data Protection Terms applicable to it.
If you want this done privately to assess YOUR service - just DM me, I do these quite often and of course any assessment and report that I do in response to a DM request won't be published afterwards.
I also won't go and do an immediate separate assessment just so I can write about your service: my transparency disclosure terms (which are based on standard industry vulnerability disclosure practices) will apply at the very minimum, so you can get a risk or exposure assessment with confidence that you aren't going to be my next topic of publication ;)
The Results
This time around I'm examining 4 of the key Cloud Providers, whereas last time out I only looked at AWS & Microsoft Azure. This reflects the growth in Public Cloud adoption for the justice space in the UK since 2020.
Arguably I could have added others and over time I probably will. In each case here however I've analysed their publicly available commodity hyperscale platforms - the ones that anyone can buy, not any bespoke or special on-prem deployments like Azure Stack, etc. Those have their own compliance challenges to consider for analysis & some may or may not be able to comply with UK laws.
The four under test today are:
- Microsoft Azure
- AWS
- Google Cloud Platform
- Oracle Cloud
It's worth noting that all of these providers are subject to the US S.702 and CLOUD Act provisions - so regardless of where your data is, they could be forced to disclose it on demand to the US Government. The ICO confirmed this for Azure when they gave advice on the DESC programme, but it applies to all four Cloud providers equally.
It's also worth noting that NONE of these providers even recognise that the UK's DPA 2018 Part 3 (or the EU's Law Enforcement Directive 2016/680) is an applicable Data Protection Law for their service in their Terms - so given that, the results aren't going to be very surprising...
Microsoft Azure
Microsoft used to make it pretty easy to review their Terms of Service but over the past couple of years they've made their documents much harder to get hold of, navigate and frankly to make much sense of.
Overall Microsoft score about average for the four Cloud Providers (which is to say that like all the rest they really don't comply with UK law for DPA Part 3 at all), but it's important to also recognise that they caveat their services, the extent of their liabilities and its use quite heavily.
This is also not unusual - most of the Cloud providers make clear that their services are not suitable for certain types of processing and Microsoft and Google in particular clearly express that their services must not be used for 'High Value' data - which is tricky because Policing & CJS personal data is quite often in that category...
Of additional specific note are clauses that give Microsoft "a worldwide and royalty-free intellectual property license to use Your Content " - that's something that also appears in various forms across a number of the providers and it ought to give pause for thought for any user, Law Enforcement or otherwise.
RESULT: Microsoft (still) don't meet the core legal requirements to be able to comply with the UK's Data Protection Act 2018 Part 3 (as amended post Brexit).
AWS
AWS still make it fairly easy to review their Terms of Service. They tend to include some of the same clauses as Microsoft, but they do score a little differently (but only a little) due to their use of a UK Region. In practice this doesn't prevent them from offshoring data, or supporting it from outside of the UK (which is effectively the same thing), but the commitments they DO give are marginally better than the other three.
RESULT: AWS (still) don't meet the core legal requirements to be able to comply with the UK's Data Protection Act 2018 Part 3 (as amended post Brexit).
Google Cloud Platform
Google have by far the easiest terms to find, read and assess.
They're also pretty open & honest (as are Oracle) that they'll freely send your data globally (including any personal data you upload) if you use their services.
They score marginally less well than the others, but TBH it is only marginally less, and the end result isn't really any different.
RESULT: Google Cloud Platform doesn't meet the core legal requirements to be able to comply with the UK's Data Protection Act 2018 Part 3 (as amended post Brexit).
Oracle Cloud
Oracle are growing their footprint rapidly in the Police & Justice space in the UK so they come on to our analysis radar for the first time in this review.
They certainly aren't any worse than the other providers in this space - but being newcomers one might have hoped they'd do better in some areas.
Oracle are however still sufficiently new, and have such a long track record of seeking, achieving and maintaining HMG compliance for their tooling and software that they might conceivably seek to modify their services to comply.
To do so however they'd need to drop the clauses that allow them to send your data to any of the 80 global countries referred to in their Terms of Service, and more than likely need to change their deployment model (if it currently works on the basis of being able to send data anywhere for support or processing) so this will be no small ask.
RESULT: Oracle Cloud doesn't meet the core legal requirements to be able to comply with the UK's Data Protection Act 2018 Part 3 (as amended post Brexit).
Summary
You might be quite disappointed (and even a bit morose) at these findings, but no-one should feasibly claim to be surprised - they mirror almost exactly the more detailed analysis findings of June 2020, and in the interim the ICO has done absolutely nothing to promote Cloud Provider compliance with the UK DPA 2018 Part 3.
(In fact for the ICO it's almost as if their "Cloud Clock" stopped ticking the day that GDPR & the DPA Part 3 came into effect - their 'cloud guidance' still refers to DPA 1998 legislation...)
There are also providers available in the UK's shrunken domestic Cloud marketplace that can give you a service that both fully meets the legal obligations as well as the wider 6 tests relating to datacentre security, personnel vetting, etc.
If you want a service to be hosted legally then I know one right now that ticks all the boxes and a couple more who could do so fairly readily if there was demand for them to do so and they put in some effort.
(NB: they might already meet the requirements - I haven't reviewed all of their Terms of Service because they aren't published).
For the above Hyperscale Cloud services I have analysed however, there should be no remaining doubt in anyone's mind that at present - based on their published terms of service, their current service configurations and their corporate structures - they definitely do not meet the requirements of UK law.
Any Law Enforcement processing conducted on them is at best a risky exercise - both for the Controller organisation using the service, and for the service provider who acts as the Processor. This is not always the Cloud Provider of course - in the DESC case I linked to above the Processor is Axon and it's them who would face the burden of compensation (or, currently very unlikely, any ICO action).
It's also a risk to the rights and interests of data subjects - many of whom will be rightly concerned or worried about their data being offshored. Some might have suffered more than just discomfort and stress, but all of them could (with a little know-how) quite easily take action against the Controller and/or Processor for compensation - it's a lot easier to do for Part 3 than it is for UK GDPR.
Using the commonly employed Press euphemism, it is 'unlawful' to use these services for any Law Enforcement processing of personal data; however, being more accurate and a lot more candid, it's in contravention of the law to do so, or if you prefer simple language - it's 'illegal'.
That's not however stopping their use, or indeed their officially driven promulgation, as we'll see in the FOI requests I'll start publishing in a couple of days. TBH the sheer scope, scale and nature of the law breaking is without precedent in my experience (and I've spent the thick end of 30 years working in Criminal Justice). It might even be too big to fix by normal means - but fixed it must be.
This update and simplified assessment is important to put out as a scene-setter before we go into those FOIs in more detail, because we're going to see a lot of common themes, 'standard errors' and claims of unachievable compliance (often because they cite entirely the wrong legislation) repeated over and over again. Watch this space.
Professor of Security and Counter Terrorism
1 year: Thanks Owen - great piece and fascinating report. Interesting they all 'conform' with ICO Co-operation!
We help NGOs & Companies measure their impact | Ask me how!
1 year: Hi Owen. What's the outcome you're looking for with all these posts? What would good look like for you? Is it public sector spending millions unpicking their move to cloud and all the benefits it has brought, or to change the regulation so cloud services can be used? I'm very intrigued.
IT Security and Compliance Professional
1 year: Thank you Owen, it was certainly good to catch up again with the basics.