01 July 2024

Gee, Now There is a Surprise

Microsoft, the cloud service for Scottish Law enforcement, admitted to the the Scottish Police Authority (SPA) that it would not keep their data in Scotland.

Given that both Microsoft and the SPA have publicly promised, "Data Sovereignty," this is a bit of a kick in the teeth:

Microsoft has admitted to Scottish policing bodies that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure, despite its systems being deployed throughout the criminal justice sector.

According to correspondence released by the Scottish Police Authority (SPA) under freedom of information (FOI) rules, Microsoft is unable to guarantee that data uploaded to a key Police Scotland IT system – the Digital Evidence Sharing Capability (DESC) – will remain in the UK as required by law.

While the correspondence has not been released in full, the disclosure reveals that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.

The correspondence also contains acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture. As a result, the issues identified with the Scottish Police will equally apply to all UK government users, many of whom face similar regulatory limitations on the offshoring of data.

The short version of this is, "You cannot rely on Microsoft for your security."

The slightly longer version of this is, "If you rely on Microsoft for your security, you are a f%$#ing moron."


Post a Comment