Microsoft Refuses To Divulge Data Flows To Police Scotland (computerweekly.com)

Police Scotland and the Scottish Police Authority (SPA) are pressing ahead with a Microsoft Office 365 rollout despite Microsoft refusing to disclose where sensitive law enforcement data will be processed. Freedom of Information documents reveal that Microsoft cannot guarantee data sovereignty, may process data in "hostile" jurisdictions, retains encryption key control, and blocks vetting of overseas staff -- all leaving the force unable to comply with strict Part 3 data protection rules. Slashdot reader Mirnotoriety shares an excerpt from a Computer Weekly article: "MS is unable to specify what data originating from SPA will be processed outside the UK for support functions," said the SPA in a detailed data protection impact assessment (DPIA) created for its use of O365. "To try and mitigate this risk, SPA asked to see ... [the transfer risk assessments] for the countries used by MS where there is no [data] adequacy. MS declined to provide the assessments." The SPA DPIA also confirms that, on top of refusing to provide key information, Microsoft itself has told the police watchdog it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure.

"Microsoft states in their own risk factors that O365 is not designed for processing the data that will be ingested by SPA," said the DPIA, adding that while the system can be configured in ways that would allow the processing of "high-value" policing data, "that bar is high." It further added that while Microsoft previously agreed to make a number of changes to the data processing addendum (DPAdd) being used for Police Scotland's Azure-based Digital Evidence Sharing Capability (DESC) -- the nature of which is still unclear -- Microsoft has advised that "O365 operates in a completely different manner and there is currently no way to guarantee data sovereignty." It further noted that while a similar "ancillary document, like that provided ... via the DESC project" could afford "some level of assurance" for international transfers generally, it would still fall short of Part 3 requirements to set out exactly which types of data are processed and how.

Comments:
  • by hyades1 ( 1149581 ) on Thursday August 28, 2025 @06:18PM (#65622782)

    When you commit to the so-called "Cloud", you aren't just voluntarily dropping your pants and bending over a barrel, you're also consenting to a gang bang.

  • Microsoft has a few sovereign clouds but UK is not one of them.

    • Microsoft has a few sovereign clouds but UK is not one of them.

      If Microsoft has them, they aren't sovereign.

    • It is Scotland and the article said "'hostile' jurisdictions"... you realise that means England, right?

    • It's all a bit weird. I worked in the government here in Australia, and our laws are really clear. Ain't no data allowed to leave the shores. This was drilled into us. No cloud accounts with weird (usually American) foreign cloud services, none of that. Australian data held by the govt must be kept under Australian jurisdiction. The only govt departments likely to be exempt (or just not giving a shit) would be spook agencies (5 eyes is a racket to let your govt spy on you by just getting a friendly nation o

      • Good luck with that. All an admin has to do is look at the data from another country - not even move the file - then the data has gone international. These sorts of rules just don't work on the internet.

        • These sorts of rules just don't work on the internet.

          Which is a good reason for keeping them within the SPA's intra-net, firmly walled off from access to, and from, the inter-net. Which is precisely what, AIUI, SPA have asked M$ to do. If that is beyond M$'s technical (or political) capabilities - then they just need to admit it, and remove their tender for the contract.

          Which would probably mean SPA having to dump M$ from providing office services. [SHRUG]. Their problem for bidding on a tender they were n

      • I'd presume any UK jurisdiction is fine (Scotland's legal status in the UK would be akin to an American state).

        It's not. Scotland has an entirely separate legal system, as guaranteed under the Act of Union (1707 - somewhat before the Rebels rebelled). Which is why we have our own courts system, separate lawyer training from first year university (you go back at least 2 years if you cross border mid-course to or from a non-Scottish university), separate chains of promotion and command for Sheriffs, Advocates,

  • by Anonymous Cward ( 10374574 ) on Thursday August 28, 2025 @06:28PM (#65622812)

    Police forces should run their own infrastructure, preferably using products where the source code is available, and deliberately keep everything away from the general internet except for a web browser and an email client, each inside a cheeky little isolated remoteapp. None of this is particularly difficult to achieve. If the data is sensitive enough that officers can only process it inside a station, it is sensitive enough that it should not be processed online at all. If it can be processed outside of a station, then things called VPNs exist, and systems can always be centralised using national policing resources at that point.
    • Police forces should run their own infrastructure, preferably using products where the source code is available, and deliberately keep everything away from the general internet except for a web browser and an email client, each inside a cheeky little isolated remoteapp.

      Ditto for ALL levels of government, and from one-horse towns to the largest of cities. It's time to stop the tail from wagging the dog, and it's time for everyone at any level of government to stop bending their constituents over for Big Data.

      • by cusco ( 717999 )

        Where are you going to come up with that many competent IT staffers? Much less the money to pay them.

        • The British government has some excellent IT people. It's a meme really that Civil Service staff are only there for the jobs for life because they couldn't make it in the private sector. The GDS team in particular have successfully automated a huge variety of government interactions with tens of millions of people and for example are widely regarded as having some of the best UX design and accessibility experts anywhere. Building on that to support other government activity, including internal functions not

    • by cusco ( 717999 )

      The problem is that requires competent IT staff, which is anathema to most police forces because if they do their job correctly then police screw-ups, malfeasance, corruption and incompetence get exposed. It also costs money which they would prefer to spend on their own salaries, weapons, vehicles and other macho posturing equipment.

      • Are you talking about US police? Scotland is not in America.
        • by cusco ( 717999 )

          Fair enough, I've never spent enough time there to know how the police are there.

      • to spend on their own salaries, weapons,

        The reloading and servicing charges for a side-arm baton - whatever they replaced the skull-cracker truncheon with - are negligible. For other weapons, they always struggle to get enough officers to volunteer for firearms training, because almost nobody joins our police with the intention of becoming a psychopathic gun-wielder. And most of those go from the recruitment interview to the "dangerous, watch!" folder without getting to the "second interview" folder.

        Toto, y

    • All software used by all government agencies should be open source. Taxpayers paid for that shit. The people own it.

  • "Microsoft refusing to disclose where sensitive law enforcement data will be processed."

    Given Microsoft is all in on using AI then can you really trust them not to have an AI 'help' by processing sensitive law enforcement data? This could all end badly for some innocent person.

  • ... about Police Scotland getting my data than MS getting it, seeing how Police Scotland goes after you for just complaining about violent thugs instead of being one.
  • by TerryMathews ( 57165 ) on Thursday August 28, 2025 @06:49PM (#65622860)

    I love to hate on Microsoft as much as anyone, but why is this written as "Microsoft is refusing..."? Microsoft is selling a product that isn't designed for the needs of SPD. Why on God's green Earth the SPD is proceeding with the purchase knowing full well it's a non-compliant product is beyond me, but it's certainly not Microsoft's fault assuming they deliver what they're advertising.

    If the law compels me to buy an electric car, and I go buy a gas one anyway, it's not the car dealer's fault for not converting it for me.

    • by Anonymous Coward

      Why on God's green Earth the SPD is proceeding with the purchase knowing full well it's a non-compliant product is beyond me

      It's not complicated: corruption, quid pro quo, is why this very chronic problem continues.

    • by cusco ( 717999 )

      They should have gone with AWS, which could have easily accommodated all their requests within their existing infrastructure, just like they do for several other governments. It's one of the reasons why they have the IRS, CIA, and NSA contracts.

      • AWS doesn't have a cloud document suite. They could use Google Cloud though.

        • Why hasn't someone developed "Police Works" by now?

          An office suite with a WP, DB, Spreadsheet and slide presentation program, all integrated and such, meeting law enforcement needs?

          You wouldn't even have to do it from scratch. Just fork an existing open source project and go from there.

          • Hundreds of companies exist that are doing exactly this. I worked for a company trying to get into this market almost 2 decades ago and I doubt it has changed much. This is one of the most fragmented market niches there is. The sales cycle is extremely long -- measured in years because police departments do their budgets at most once a year and then whatever governmental entity they are associated with gets to tell them "no". Which is why the software too many police departments use is home grown written b
          • I have a vague memory that this is not the first time this has been suggested. Not even the first decade it has been mentioned in (bearing in mind, we're half-way through the decade, regardless of whether you start on the "0" or the "1"). Quite plausibly, not the first millennium it has been mentioned in. (When did StarDivision open source StarOffice? About 1997, wasn't it? Certainly the Open University were distributing it by 1999, though I'd seen it on Xenix (?) before then at a client.)

        • by cusco ( 717999 )

          I've never seen that as a valid issue, there are a shitload of old office suites like AMI or First Choice that would be perfectly adequate for this usage and their small footprint (those both installed off three or four floppies) means they could easily be hosted on a cloud server. For that matter I'm sure there are other small open source projects that could be used, if something free wasn't absolutely anathema to most government bureaucrats.

  • by belmolis ( 702863 ) on Thursday August 28, 2025 @07:21PM (#65622936)

    There is absolutely no reason why a word processor, spreadsheet, database, image editor, or other such program needs to send data off-site. Why on earth do people buy a product that insists on doing this when there are perfectly adequate alternatives?
    • by gweihir ( 88907 ) on Thursday August 28, 2025 @09:08PM (#65623152)

      Because their tiny brains cannot grasp that there is office software other than Microsoft.

      • I was about to suggest LibreOffice, but then I realized you're right. People so stupid they can't use other software that does the same damned job without grabbing your data and putting it behind a paywall can't be helped.

    • Data retention, sharing, and security.

    • Having all of your data onsite tends to work out badly if that site suffers a catastrophe of one kind or another.

      • Have you... heard of backups at all?

        If the kind of site that would host this kind of system internally at an organisation like a police service has been catastrophically damaged then you probably have bigger problems than the time it takes to restore a backup.

        • Have you... heard of backups at all?

          Yes. And they are most useful when not on site.

          Even more useful when made in real-time.

          Hmm.....off site and in real time. I wonder how that can be achieved. Oh, I know!!!!!

          • Of course you want off-site backups. And everyone has been doing that for decades so I don't see the problem with that.

            Streaming replication of databases and the like is pretty much ubiquitous as well.

            What exactly did you think all those big cloud services were doing for their managed database offerings?

            • I think you may be responding to the wrong person.

              A poster stated there isn't any reason for a WP and the like to "send data off-site". I made the case that yes there is, off-site backups, which you seem to simultaneously agree with and take issue with.

    • There is absolutely no reason why a word processor, spreadsheet, database, image editor, or other such program needs to send data off-site. Why on earth do people buy a product that insists on doing this when there are perfectly adequate alternatives?

      1) Because few organisations have the funding/willpower/know-how to maintain the infrastructure needed to keep the data on-site in a way that meets business continuity requirements.

      2) Even fewer organisations have the funding/willpower/know-how to provide 24/7 on-site support for that infrastructure when something goes catastrophically wrong and you need an expert to look at the infrastructure to figure out how to fix.

      That second point specifically seems to be related to what MSFT is being squirrely abo

  • It seems like it gets harder and harder just to avoid getting files stored in OneDrive.
  • I trust everyone realises to whom this phrase refers...yup England, of course.

  • So it sounds like they tried to verify they wouldn't be breaking the law by using Office 365, discovered that they would be, and so decided that the law doesn't really apply to them because it would be inconvenient if it did. Sounds like typical police behaviour.
    • Actually, reading the article it seems Police Scotland are the less-bad guys here, most police forces didn't even bother with asking the question in the first place.
      • Under UK data protection laws all police forces and other government bodies have to ask.
        • But of the many that should, the Scottish Police, and the judicial system are one of the few that have to deal directly with written law guaranteeing a separate and distinct system on each side of the border - as per the Act of Union, 1707.

          Even this non-Scot (though resident in Scotland, of choice, for 42 years now) knows that.

          And every lawyer I've ever known (in Scotland, of course) knows it too, since they were warned from Year 1 of training that they'd go back at least 2 years if they chose to transfer

  • Ignore everything Microsoft says about DKE.

    DKE is right for every organization and is right for all their data, it's the only way to use Azure that makes sense. Dumb data storage.
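The comment above recommends DKE (Double Key Encryption) as the way to use Azure as "dumb data storage", and the summary notes that Microsoft retains encryption key control under the standard O365 arrangement. The following is an added illustration of the split-key idea behind that recommendation; it is not code from this thread, from Microsoft, or from the DKE product, and it does not reproduce DKE's real key-exchange or wire format. A fresh content key encrypts each document; that key is then wrapped first under a key the customer keeps on-premises and then under a key the provider holds, so the provider can peel only its own layer and a storage-side or legal-process request against the provider alone yields ciphertext. The cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC), the function names, the record layout and the sample document are all assumptions chosen so the demo runs on the Python standard library alone; it is a teaching model, not a production AEAD.

```python
"""Toy model of double-key (split-key) document protection.

Constructed illustration, not Microsoft DKE.  Two independent keys are
needed to reach the content key: one the customer holds on-premises and
one the cloud provider holds.  Either party alone gets only ciphertext.
"""
import hashlib
import hmac
import secrets

BLOCK = 32  # bytes per keystream block (SHA-256 output size)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    for i in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC, fresh nonce)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on mismatch."""
    if len(blob) < 16 + 32:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def protect_document(plaintext: bytes, customer_key: bytes, cloud_key: bytes) -> dict:
    """Encrypt under a fresh content key (CEK), then wrap the CEK twice.

    Inner layer: customer key, which never leaves the customer's key service.
    Outer layer: cloud key, held by the provider.  The order means the
    provider can strip only its own layer and still never sees the CEK.
    """
    cek = secrets.token_bytes(32)
    return {
        "ciphertext": encrypt(cek, plaintext),
        "wrapped_cek": encrypt(cloud_key, encrypt(customer_key, cek)),
    }


def unprotect_document(record: dict, customer_key: bytes, cloud_key: bytes) -> bytes:
    """Both keys are required: unwrap the cloud layer, then the customer layer."""
    cek = decrypt(customer_key, decrypt(cloud_key, record["wrapped_cek"]))
    return decrypt(cek, record["ciphertext"])


def provider_can_read(record: dict, cloud_key: bytes) -> bool:
    """Model a party holding only the cloud key (the provider, or a request served on it).

    It can remove its own wrapping layer, but what remains is the CEK still
    encrypted under the customer key.  Treating that blob as if it were the
    CEK fails authentication, so the document plaintext is not recoverable.
    """
    inner = decrypt(cloud_key, record["wrapped_cek"])  # succeeds: this is its own layer
    try:
        decrypt(inner, record["ciphertext"])           # inner blob is not the CEK
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    customer_key = secrets.token_bytes(32)  # constructed: would live in an on-prem HSM
    cloud_key = secrets.token_bytes(32)     # constructed: would live in the provider's KMS
    doc = b"Constructed sample: case file text, not real policing data."
    rec = protect_document(doc, customer_key, cloud_key)
    print("round trip with both keys:", unprotect_document(rec, customer_key, cloud_key) == doc)
    print("provider alone can read:", provider_can_read(rec, cloud_key))
```

The property worth checking is the last one: with the provider's key only, `provider_can_read` returns False, and any attempt to decrypt with a wrong customer key or a modified ciphertext raises rather than returning garbage. Note what the model does not solve: the customer still has to operate and protect its own key service, the provider still sees metadata (sizes, timestamps, who accessed what), and the DPIA's Part 3 questions about where support staff process data are not answered by encryption alone.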
