Sensitive video evidence compiled by New Zealand police has been shuffled around between US tech companies without them knowing, a newly released document reveals.
Reports about the risks and costs around the government's big push for public agencies to use 'cloud' computing have revealed police had more than 20 systems handled by private companies under cloud computing contracts.
In their latest cloud deal with US firm Appian - designed to handle the daily data generated by their 10,000 officers - police have insisted on greater controls and three layers of checks.
But the risks around police - or any other customer - not knowing exactly what a tech company was doing with their data had "already eventuated", said an internal report released under the OIA.
This occurred within the evidence.com system run by US taser-maker Axon, where police keep footage of taser use and family violence interviews in servers in Australia.
"Evidence.com moved police video evidence from one hosting provider to another [from Amazon to Microsoft], which risked the evidence being inadmissible in court," said the report.
While the report is dated 2020, it remains the most substantive recent report police have on cloud computing risks, according to their OIA response.
Police told RNZ that the evidence mistake was due to an internal administrative oversight.
"Police assessed that the risk to police data security and protection had not changed.
"To the best of our knowledge there have not been any problems because of this move," a spokesperson said in a statement.
They had assessed, certified and approved evidence.com against government standards for the cloud, they added.
Details of another cloud burst revealed
The 2020 report also reveals a significant detail about another widely reported cloud botch-up, when tech firm SAP let unauthorised people see firearms owners' details in the police database in 2019.
"When the SAP firearms breach occurred it took up to 10 hours before all citizen access to the service was disabled," it said.
Police only found out about it when a dealer alerted them to the breach.
The risk was that "cloud services by their nature provide their customers with very little visibility of what occurs behind the scenes".
The upside was customers such as the police did not have to bother with the technical running of a growing data system, and it could be more secure than running their own.
The report outlined six cloud computing risks, including the lack of visibility; a tech firm's staff not being able to be vetted as much as police staff; leaks due to cloud services hosting multiple customers; and getting locked in to one vendor, "making it extremely difficult or expensive to move to another product later".
The government last year ordered all Crown agencies to choose 'cloud first' in virtually all cases, instead of storing public data themselves. The 'cloud' in this case consists of thousands of computer servers in warehouses, mostly in Australia.
More than 100 public agencies are now reliant on data security and processing primarily by Microsoft (in its Azure system), or Amazon Web Services (AWS).
Microsoft has been undergoing a roasting for months in the US over security breaches, in hacks blamed on Russia's foreign intelligence service.
The cost of a cloud
Being locked in to one vendor runs the risk of rising costs - and this has caught out the Environmental Protection Authority.
The EPA has been in deficit since 2017, and "the situation has worsened as we, along with all of government, have transitioned from historic, one-off, capital-based, information technology infrastructure to cloud-based solutions, requiring ongoing software-as-a-service expenditure", it warned its new Minister recently.
Its annual cloud costs had risen from $2.1m in 2018 to $3.38m, the EPA told RNZ.
The cloud costs for police are not clear, but the force now has 20 systems in the cloud.
Since first signing with evidence.com/Axon in 2017, police have added in their firearms information system, vehicle number-plate identification system that can track cars, and the 'Family Safety System', among a range of contracts with a wide variety of tech firms.
The OIA documents showed police have been learning as they go, adding in tighter conditions around sensitive data.
For their 21st cloud deal - handling daily data from officers on the job - the standard protections were not good enough.
Tender winner Virginia-based firm Appian had to promise special measures, in order to cut down the risks from insider-tampering, and from jurisdictional risk - the US has laws that allow it to seize data held by US firms - from "high" to a "medium" level.
"New Zealand Police will be provided with an additional third approval layer," Appian told police, in risk mitigation papers in October.
It would also minimise how much data about officers' daily jobs was kept, and for how long - it "will be transient data that does not remain stored beyond the use required".
All servicing would be out of Australia - not from the US or elsewhere - though the trade-off was less support, with the possibility of one technician, instead of 10, on hand.
The overall risks of relying on big US firms to handle police data in Australia was assessed as "a small risk" around sovereignty and control, and a "very low risk" of data being nabbed lawfully, such as by the US government, or unlawfully through espionage, the 2020 risks report said.
The threat was worse from 'orphan' servers - it was "common" for systems to end up with "a large number of orphan development and test servers" that sat around untended, if people were not careful, it said.
Microsoft has said the Russian attack on it was https://www.reuters.com/technology/cybersecurity/microsoft-says-cyber-threat-actor-has-been-able-access-internal-systems-2024-03-08/ through an inactive cloud test account.
"But it did not say how they had gotten from there into the emails of senior executives ... keeping open the possibility that [the Russian intelligence service] has discovered a new major flaw in Microsoft's Azure cloud system," the Washington Post reported earlier this month.
Analysts have expressed alarm because the attack on Microsoft had gone on for months, and because the firm had way more US government contracts than anyone.
The police's 2020 risk report gave special mention to Microsoft's AzureAD - a directory service - recommending changes so that sensitive information about staff was "not inadvertently leaked from it to other providers and services".
It said police needed an "exit strategy" for "critical cloud services due to the decreased short-and-long-term control we may have over those supply chains".
Appian scores highly on an industry security ranking site. Its billionaire founder, who is a world boardgame champion, calls the firm a "reshuffler of data".
Axon has been approached for comment.