Further details have emerged about the Home Office’s new £450m cloud contract with AWS, which came into force this month.
In response to written questions submitted by Liberal Democrat Lord Timothy Clement-Jones, a Home Office minister confirmed that some AWS staff may require vetting for specific work undertaken under the agreement and that policing services are hosted by AWS. These answers shed new light on the £450m agreement, which was criticised for appearing to exempt staff at the hyperscale cloud provider from undergoing any form of security checks.
Lord Clement-Jones asked three separate questions: whether AWS staff working under the contract required security vetting; if the contract complied with section 59(5) of the Data Protection Act 2018; and if the Home Office data being handled by AWS was theoretically open to inspection by foreign governments. To the first point, Lord Sharpe, under secretary in the Home Office, replied that AWS staff would be subject to security vetting if they undertook “specific work [that] requires such clearance.” This appears to contradict the wording in the original contract, which specifies in its technical standards section that there was “no supplier staff vetting requirement.” However, a government source also told Tech Monitor that, despite the wording in what they described as a “generic call-off contract,” AWS staff are still subject to vetting requirements when handling Home Office data (though it remains a mystery why the provision was inserted in the first place.)
The minister also stated that the data stored under the agreement is under the control of the Home Office and that AWS has no access to personal data under the controllership of policing or the ministry itself. Moreover, wrote Lord Sharpe, “due to the security controls in place, AWS has no knowledge of what is stored, nor is it provided with instructions on the nature of processing. By design, the contract does not contain details that would that are not necessary to be bound by a contract that provides the necessary protections to personal data.”
The minister added that data watchdog the Information Commissioner’s Office was aware of this arrangement. When Tech Monitor reached out to the ICO for comment, a spokesperson confirmed that the office does not have the power to provide any exemptions to section 59 of the Data Protection Act 2018, which states that the processing of data must be governed by a contract between the data controller and processor that specifies the “nature and purpose of the processing [and] the type of personal data and categories of data subjects involved.”
At rest and in transit
The implication by Lord Sharpe that security measures in place deny AWS knowledge of what it is storing or processing could mean that the Home Office is in breach of the DPA, argues Secon Solutions senior partner and cloud security expert Owen Sayers. “Under section 59.5 they must tell them what the data is,” says Sayers. “They must tell them what the categories of the data are and what obligations the processor must apply to that data. It’s a legal requirement. The ICO can’t give them relief from that.”
Sayers also believes that Lord Sharpe’s explanation about AWS being technically unable to inspect Home Office data stored in its facilities because it is encrypted “at rest and in transit” is likely inaccurate. That may be true if the department was only storing data on AWS’s cloud, but the data would need to be decrypted if it were to be processed (Tech Monitor has seen documentation that suggests such processing is taking place.) When that occurs, explains Sayers, “it will exist in cache files on an individual machine; it will exist in proxy servers; it will exist in other cached areas on the network. At any time, an AWS admin could take a snapshot of a machine and they would have the information that’s in there.”
It is for this reason, he adds, that vetting is in place for cloud facility staff handling sensitive law enforcement data. Additionally, says Sayers, both the controller and processor of the data in question should be seen to be adhering to vetting requirements to maintain public confidence in the entire process. So far, argues the cloud security expert, this inclination seems to be missing in the government’s responses to inquiries about the Home Office’s latest contract with AWS.
“I am certain that Lord Sharpe has not intended in any way to mislead in his answers,” he says. “I am certain that he has only been given the answers that he, himself, has been given. But these answers do not make sense. And they do not stand up to scrutiny.”
When asked to elaborate on Lord Sharpe’s responses, a Home Office spokesperson told Tech Monitor that “[c]ontractors are required to adhere to all applicable laws and data protection regulations as part of our expectations for legal compliance.” AWS has not replied to a request for comment at the time of writing.