This is a case for the data protection commissioners: the German Federal Police uses a cloud offering from Amazon Web Services (AWS Cloud) to store data from body cameras (bodycams). According to the Federal Ministry of the Interior, this complies with German data protection standards. This can only be a bad joke.
Police data is stored in the Amazon Cloud
More and more police officers are being equipped with so-called bodycams; these cameras are intended to protect officers from assaults and document operations. The Federal Police stores the recordings in an Amazon Cloud. According to the Federal Ministry of the Interior, the cloud service from Amazon Web Services (AWS) complies with German data protection standards and stores the data in encrypted form on servers in Frankfurt/Main.
What the Ministry of the Interior is apparently not aware of is that Amazon is a US company and is therefore necessarily subject to the US Patriot Act.
What are Amazon Web Services (AWS)?
It is impossible to imagine our everyday lives without Amazon. In addition to apps, videos and of course the store, Amazon also offers cloud storage. Amazon Cloud Drive includes online services and applications for websites. This also includes Amazon EC2, which offers scalable computing capacity in the Amazon Web Services (AWS) Cloud. For private customers, Amazon offers “Amazon Drive.”
What is the US Patriot Act?
The US Patriot Act is an American federal law that was passed on October 26, 2001. It was a direct response to the terrorist attacks on September 11, 2001. The law is designed to help America stop terrorism and make it easier for federal authorities to investigate a terrorist threat. U.S. agencies and intelligence agencies have the ability to view data on all citizens through the U.S. Patriot Act. They can also listen in on telephone conversations without any problems.
Protection of sensitive data not possible with US Patriot Act
This means that Amazon must grant US authorities access to all customer data, regardless of where the servers for the stored data are located. As a result, U.S. security authorities and intelligence agencies could easily access German police data in the future.
Even if the data in Amazon’s cloud is stored in encrypted form, Amazon must keep a backdoor key ready so that it can grant U.S. authorities access to German police data.
Privacy Shield regulations between USA and EU equally questionable
It is not only the US Patriot Act that is extremely questionable; so is the Privacy Shield, which is supposed to regulate the data protection requirements for data transfers between the US and the EU. Since 2016, the Privacy Shield has officially allowed data to be transferred from EU countries to the US. The EU Commission is required to verify whether all conditions of the agreement as well as the GDPR are complied with by US authorities.
However, the Committee on Civil Liberties, Justice and Home Affairs of the EU Parliament criticizes the Privacy Shield with regard to its compatibility with European data protection standards and proposes that the EU Parliament amend or suspend the Shield.
No data protection for police data in the Amazon Cloud
The question is: why is the Federal Ministry of the Interior taking such a high-level security risk with all of our highly sensitive data? What will come next, opening it up to social bots?
Questionable certification of the BSI
The statement by the Federal Police Headquarters that Amazon, with AWS, is the only provider in Germany to offer a cloud certified by the Federal Office for Information Security (BSI) seems downright absurd. What is actually behind this certification is unclear.
The fact is that every US company is subject to US legislation, i.e. the US Patriot Act and the US Cloud Act. The latter is more or less a supplement to the Patriot Act and stipulates that US authorities also have access to data that US companies store abroad. This is intended to strengthen cooperation with US and foreign law enforcement agencies. We certainly don’t need to go into further detail here about how this is absolutely not in line with data protection.
TeamDrive as a secure alternative to the Amazon Cloud
Only a purely German company, such as TeamDrive, is subject exclusively to German laws. Our partners, such as T-Systems, are also chosen with care. Only local providers can guarantee that the data stored in the TeamDrive cloud does not fall into the hands of third parties. What’s more, TeamDrive does not possess any keys to the customer data and can therefore not grant access to authorities under any circumstances – neither American nor German authorities. It is precisely this absolute confidentiality that US companies are generally unable to guarantee.
It must be seen as either boundless naivety or malicious intent when the German police store data with US-controlled providers and – greetings from Absurdistan – even have this procedure “certified” by the BSI. The BSI should ensure complete transparency here as to how police data is encrypted and who can gain access to the keys. Moreover, even encrypted data is personal and can be deciphered in the worst case.