Chancellor Jeremy Hunt has committed £230m to police forces so they can pilot or roll out productivity-boosting technologies, but open questions around the legality of how certain systems are already being used could undermine further investment.
In his Spring Budget speech, Hunt said police officers currently waste around eight hours a week on unnecessary admin tasks, and that the money will therefore go towards a range of “time and money-saving technology”.
This will include further investment in live facial recognition, automation and artificial intelligence (AI), and the use of drones as potential first responders. The funds will also be used to set up a new Centre for Police Productivity to support forces’ greater use of data and AI, as well as to help maximise their productivity.
Pre-briefings of the government’s technology plans to journalists revealed that automated redaction technologies would be a priority, so that personal information can be removed from documents or irrelevant faces can be blurred out from body-worn video footage.
Hunt also committed to providing a further £75m to the roll-out of Violence Reduction Units and hot spot policing tactics, the latter of which largely revolves around the use of data to target police resources and activities to areas where crime is most concentrated.
Computer Weekly contacted the Home Office for further details of the funding and what it will be spent on. A spokesperson said the Home Office is working with policing partners to allocate the funding, and that further information on specific fund allocations will be set out in due course
However, lingering concerns around the legality of how UK police are deploying cloud infrastructure and AI-powered facial recognition could undermine the effectiveness of the investment.
In the case of facial recognition, there have been repeated calls for new biometric-focused legislation from a wide range of actors due a lack of clear rules controlling its use; while the UK data regulator is yet to confirm how police use of US-based cloud infrastructure is legal, following multiple issues raised by data protection experts and other regulators around how these systems handle people’s data.
Migrating police systems over to public cloud infrastructure was highlighted as a key technological enabler by the Police Digital Service (PDS) and the National Police Technology Council (NPTC) in their joint National policing digital strategy 2020-2030, which set the goal to have 80% of police technology in these systems by the end of the decade.
Given this priority, as well as the computing power and storage required to effectively use AI, data protection experts told Computer Weekly that many of the new AI tools being deployed will be hosted on this US-based cloud infrastructure, opening them up to potential legal compliance challenges as well.
Computer Weekly asked the Home Office if it believed the investment in police tech could be undermined by the legal issues around their deployments, but received no response on this point.
Facial recognition
In March 2022, for example, following a 10-month investigation into the use of AI and algorithmic technologies by UK police – including facial recognition and various crime “prediction” tools – the Lords Justice and Home Affairs Committee (JHAC) found that forces are deploying a range of advanced tech without a thorough examination of their efficacy or outcomes.
It added that UK police are essentially “making it up as they go along”, and described the situation as “a new Wild West” characterised by a lack of strategy, accountability and transparency from the top down.
Following a short follow-up investigation, this time looking exclusively at the use of facial recognition, the JHAC found in January 2024 that UK police are expanding their use of LFR technology without proper scrutiny or accountability, despite lacking a clear legal basis for their deployments.
“Does the use of LFR have a basis in law? Is it actually legal? It is essential that the public trusts LFR and how it is used?” asked then JHAC chair Baroness Hamwee. “It is fundamental that the legal basis is clear. Current regulation is not sufficient. Oversight is inadequate.
“Technology is developing so fast that regulation must be future-proofed. Police forces may soon be able to link LFR cameras to trawl large populations, such as Greater London, and not just specific localities. We are an outlier as a democratic state in the speed at which we are applying this technology. We question why there is such disparity between the approach in England and Wales and other democratic states in the regulation of LFR.”
Commenting on the fresh police tech funding, the JHAC’s new chair, Lord Foster, said: “While we don’t yet know the full details of the proposals, we accept that new technologies may well provide valuable tools to help police forces.
“However, our inquiry into one such technology, live facial recognition, showed a lack of clear standards and regulation for its use. We expect the government to respond shortly. But, as police forces increasingly rely on technology, we will want assurance that there will be proper scrutiny and accountability of their use.”
Some critics have also questioned the lawfulness of facial recognition as a policing tool based on its questionable proportionality and necessity, arguing that the scanning of tens of thousands of faces every time the tech is deployed would likely not pass this legal test, particularly when other, less intrusive methods are already available to police.
New legal frameworks
Both Parliament and civil society have repeatedly called for new legal frameworks to govern law enforcement’s use of biometrics – including the UK’s former biometrics commissioner, Paul Wiles; an independent legal review by Matthew Ryder QC; the UK’s Equalities and Human Rights Commission; and the House of Commons Science and Technology Committee, which called for a moratorium on LFR as far back as July 2019.
In an exclusive interview with Computer Weekly, the outgoing biometrics and surveillance camera commissioner for England and Wales, Fraser Sampson, also highlighted a number of issues with how UK police had approached deploying its facial recognition capabilities, and warned that the future oversight of police tech is at risk as a result of the government’s proposed data reforms.
In October 2019, the ICO also published an opinion that said while new legislation was not necessary, there is a need for more clarity around how it applies to LFR, which should come in the form of a statutory and binding code of practice.
“Such a code should provide greater clarity about proportionality considerations, given the privacy intrusion that arises as a result of the use of LFR, for example, facial matching at scale,” it said.
“Without this, we are likely to continue to see inconsistency across police forces and other law enforcement organisations in terms of necessity and proportionality determinations relating to the processing of personal data. Such inconsistency, when left unchecked, will undermine public confidence in its use and lead to the law becoming less clear and predictable in the public’s mind.”
Responding to concerns raised about LFR, a Home Office spokesperson said: “Facial recognition, including live facial recognition, is a powerful tool that has a sound legal basis, confirmed by the courts. It has already helped the police to catch a large number of serious criminals, including for murder and sexual offences.
“The police can only use facial recognition for a policing purpose, where necessary, proportionate and fair, in line with data protection, equality and human rights laws.”
The JHAC has previously said it expects the government to respond to its findings on facial recognition on 26 March 2024.
Hyperscale public cloud infrastructure
Aside from facial recognition, there are also ongoing data protection concerns about the use of US-based hyperscale public cloud systems by UK police forces, and whether such systems can comply with the UK’s stringent law enforcement-specific data protection rules that place strict requirements on when and how data can be transferred overseas.
The issues with the cloud infrastructure therefore largely stem from the potential for US government access via the Cloud Act, subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; the use of generic rather than specific contracts that take into account the police-specific data protection rules; and the risk of overseas transfer of sensitive law enforcement data to a jurisdiction where there are demonstrably lower data protection standards.
Since Computer Weekly revealed in December 2020 that dozens of UK police were processing over a million’s people data unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK police, arguing they are currently unable to comply with strict law enforcement-specific rules laid out in Part Three of the Data Protection Act (DPA) 2018.
At the start of April 2023, Computer Weekly then revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal” because of the above issues.
Computer Weekly also revealed that suppliers Microsoft and Axon, as well as the ICO, were all aware of these issues before processing in DESC began. The risks identified extend to every cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules.
Responding to subsequent concerns raised by Scottish biometric commissioner (SBC) Brian Plastow, information commissioner John Edwards initially told him in December 2023 his office was likely to green-light these police cloud deployments because of an information-sharing agreement with the US government, which he suggested would take precedent over domestic UK laws.
The regulator backed down from this position after a letter detailing their meeting was published online by Plastow, and later clarified to Computer Weekly that UK police can legally use cloud services that send sensitive law enforcement data overseas with “appropriate protections” in place. However, it declined to specify what these protections are.
In the wake of the Budget announcement, Plastow confirmed to Computer Weekly that he has still not received a copy of the ICO’s legal advice on DESC’s compatibility with UK data protection law.
“This links to the broader point about not investing in technologies until it has been established that they are legal,” he said.
While funding for Police Scotland is largely a devolved matter for the Scottish Parliament, meaning the £230m announced only applies to police tech in England and Wales, Plastow added that he shares the concerns of the JHAC, and “endorse their call for proper independent oversight and scrutiny over the ethical and effectiveness considerations relative to biometric enabled surveillance technologies used in policing throughout the UK”.
Computer Weekly contacted the ICO about when it will be publishing its legal advice on police use of cloud.
An ICO spokesperson said: “The ICO considers that, under the Data Protection Act 2018, law enforcement agencies may use cloud services that process data outside the UK where appropriate protections are in place.
“We are actively considering the DESC proposals and are working with the relevant partners in that regard,” they said. “We continue to provide advice to police and law enforcement agencies on using new technologies in a way that complies with data protection law. We will be providing guidance in due course on the general use of cloud services, and we will consider further support that law enforcement agencies may require.”
Since Computer Weekly first reported on data protection issues with police cloud in December 2020, the use of US cloud providers has expanded throughout the criminal justice sector.
This includes the integration of the Ident1 fingerprint database with Amazon Web Services (AWS) under the Police Digital Services (PDS) Xchange cloud platform; and HM Courts and Tribunals’ cloud video platform, which is partly hosted on Azure and processes biometric information in the form of…