Data Privacy Concerns: Norfolk Police's Recent Data Leak
04-09-2023 | By Robin Mitchell
Recently, Norfolk and Suffolk police admitted that victim data had been accessed after a freedom of information request was filed, potentially exposing well over a thousand individuals, thus demonstrating the incompetence of local governments and agencies when dealing with tech. What exactly happened, what challenges does this demonstrate with governments and technical capabilities, and does this demonstrate how paper and pen are arguably a better solution in a modern world?
Norfolk and Suffolk police data breach
It was only a few weeks ago that a major data leak in North Ireland exposed the identities of numerous police officers and victims, placing lives at serious risk from fanatics, and now, Norfolk and Suffolk police forces have just admitted that after a freedom of information (FOI) request was filed, a substantial amount of private data was leaked. In the leak, it is expected that around 1,230 people have had their data exposed, of which includes victims of crimes.
In response to the leak, the respective police forces will be issuing notices to those affected, but whether this also includes additional help in serious cases is yet to be seen. The leak also includes names of those who have been affected by numerous crimes, including domestic incidences, sexual offences, assaults, thefts, and hate crimes.
While it is not entirely clear what exactly caused the leak, the Police mentioned that during a FOI request, a technical issue resulted in raw data belonging to the two constabularies being attached to the request. The Police also mentioned how, in the request, those opening files would not have seen the data, suggesting that the data itself was embedded in the file data (meaning that it could only be accessed by raw binary analysis).
According to an official press release by the Suffolk Constabulary, the data breach was identified in responses to Freedom of Information (FOI) requests for crime statistics between April 2021 and March 2022. The data, which was unintentionally included in the files, was not immediately visible to anyone opening them. This data pertained to crime reports and included personal identifiable information of victims, witnesses, and suspects. The range of offences covered domestic incidents, sexual offences, assaults, thefts, and hate crimes. The constabularies have initiated the process of notifying the 1,230 affected individuals. They have also set up a dedicated team to address queries related to this incident.
Thus, it is possible that the cause of the leak was a result of faulty software that either hit a buffer overflow (hence returning data in files that shouldn’t have been accessed) or that during the data compilation, files were accessed unexpectedly. It is also possible that software designed to redact personal data didn’t function correctly; hence, during a FOI request, it is possible to get a list of all crimes minus those involved.
Regardless, this leaking of data from the Police is a perfect example of the dangers of authorities having access to large quantities of personal data that is easily accessible across computer systems.
What challenges does this demonstrate with governments and technical competencies?
This data leak is not the first time a government agency or body has struggled with technology, and it is unlikely to get any better. A prime example of this is the recent attempt by the NHS to modernise its entire IT infrastructure. Despite having spent more than £10 billion (yes, billion) on the project, it was found to not be effective and thus was scrapped in its entirety. Another example is the post office, which was faced with numerous accounting errors caused by faulty software from Fujitsu (while the post office is technically a privately owned company, it operates like a government agency in its monopoly and that it used to be publicly owned).
In fact, even trying to implement engineering projects such as High-Speed Rail 2 has proven to be too difficult for the government. But why is this the case?
The Underlying Issues with Government-Run Projects
Fundamentally, the reason why anything government-run either fails or struggles to perform well comes down to a lack of responsibility and consequences. In commercial businesses, if an idea fails to take off and costs too much money, the idea is either scrapped or the company goes under. In the case of governments, they know that they will always have money, thus eliminating the feeling of desperation in projects.
When it comes to responsibility, a company that suffers from data breaches or hacks is held responsible by local authorities and government agencies such as the Information Commissioners Office (ICO). If the company is found to be at fault, large fines and imprisonment can be issued, giving companies a strong incentive to use the best software and deploy strong security practices. By contrast, a police force that is found to be in breach of data laws is highly unlikely to be punished, with the exception of a few slapped wrists.
To make matters worse, as government departments effectively self-regulate, there is little incentive for self-punishment, making it easy to get away with blatant violations. And so this lack of care results in a lazy workforce that does really care about the data it holds or the technologies it uses.
“We would like to apologise that this incident occurred, and we sincerely regret any concern that it may have caused the people of Norfolk and Suffolk. I would like to reassure the public that procedures for handling FOI requests made to Norfolk and Suffolk constabularies are subject to continuous review to ensure that all data under the constabularies’ control is properly protected.” - T/Assistant Chief Constable of Suffolk Police, Eamonn Bridger
How does this demonstrate the power of paper and pen?
In a world where technology dominates everyday life, it is extremely tempting to eliminate paper-based systems, especially when considering how convenient such systems are. However, when it comes to data privacy, there is a serious advantage to paper over technology: it cannot be hacked.
If instead of relying on internet-connected computing systems, police data held on paper would be completely immune to both external hacks and internal accidental leaks. For example, in the processing of an FOI request, it is pretty hard for an assistant to pull out an entire draw of crimes and provide those files to the individual making the request without wondering why there are so many files. At the same time, it is equally difficult to walk into a police data centre, take photos of thousands of files, and then walk out completely unnoticed.
But, in the modern world, using paper is far too inconvenient, and the ability to digitise such files allows for advanced tools that can massively benefit crime fighting (such as cross-referencing). In fact, it is the digitisation of data that helps police forces across the world to find criminals as well as identify victims.
So, the real question isn’t whether paper should replace digital files but why automated software tools are being used to gather files and share them without being fully scanned and why such systems have internet access in the first place?