Accessibility comes with security risks

A new data sharing system is to be introduced in Scotland for managing digital evidence in criminal investigations.

The Scottish government is inviting tenders for what it's calling a Digital Evidence Sharing Capability (DESC).

The idea is that users such as police officers, prosecutors, court staff, and defense agents will be able to access evidence digitally, rather than having to send evidence such as CCTV footage, video interviews, and forensic images in physical form.

“Reducing delays is just one of the benefits of this project, which will make evidence sharing more cost effective and provide the groundwork for further modernization of the criminal process,” says justice secretary Humza Yousaf.

The £20 million (about $25 million) contract, running over five years, covers the delivery and support of a software solution that would be integrated with other systems, such as case management, through open standard APIs.

It would manage everything from the collection of evidence from local authorities, businesses, and the public onward, allowing both police and prosecution to use the uploaded multimedia with ease. Data-sharing with other parties such as defense agents and the court system brings additional benefits.

Sharing means more risk

Three years ago, a report from HM Crown Prosecution Service Inspectorate and HM Inspectorate of Constabulary warned that the Crown Prosecution Service (CPS) was frequently misplacing discs containing sensitive evidence and information.

This included CCTV, recordings of 999 calls, suspect interviews, and testimony from victims and witnesses.

In one case, the CPS was fined £200,000 (approximately $246,200) after laptops containing videos of police interviews were stolen.

The new DESC system is expected to help in cases like these.

“The expectation is that data will be held in secure and independently assured cloud facilities with the necessary certifications for the storage and access of evidential material,” a government spokesperson tells The Daily Swig.

“The Scottish government and its criminal justice partners also required that the physical storage and processing location of all assets remains in the UK at all times.”

The eventual supplier of the new system will also be required to have Cyber Essentials Plus accreditation, while the solution will be assessed against National Cyber Security Centre (NCSC) Cloud Security Principles and will be subject to regular testing.

However, says Tyler Moffitt, a security analyst with Carbonite subsidiary Webroot, there are still significant risks associated with the storage of so much personal information.

“Shared databases mean more access, which equates to more exposure and more risk that everyone’s data could be exposed or compromised. It becomes a numbers game,” he tells The Daily Swig.

“With this new DESC, there are more machines and accounts with access to the data, making more opportunities for cybercriminals to find a vulnerability – even if monitored and audited.

“No government, or company for that matter, is infallible when it comes to security,” he added.

The call for proposals closes on October 25, 2019.
