CPS fined £325,000 after losing victim interview videos

[Energize]

The Crown Prosecution Service (CPS) has been fined £325,000 by the ICO after they lost unencrypted DVDs containing recordings of police interviews.

The DVDs contained recordings of interviews with 15 victims of child sex abuse, to be used at the trial.

This is the second penalty imposed on the CPS following the loss of sensitive video recordings.

The DVDs contained the most intimate sensitive details of the victims, as well as the sensitive personal data of the perpetrator, and some identifying information about other parties.

The DVDs were sent by tracked delivery between two CPS offices, with the recipient office being in a shared building. The delivery was made outside office hours, and the DVDs – which were not in tamper-proof packaging – were left in the reception.

Although the building’s entry doors were locked, anyone with access to the building could access this reception area.

The DVDs were sent in November 2016, but it was not discovered that they were lost until December. The CPS notified the victims in March 2017, and reported the loss to the ICO the following month.

It is not known what has happened to the DVDs.

The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe, and did not take into account the substantial distress that would be caused if the videos were lost.

It also found that, despite being fined £200,000 following a separate breach in November 2015 – in which victim and witness video evidence was also lost – the CPS had not ensured that appropriate care was being taken to avoid similar breaches re-occurring.

https://ico.org.uk/about-the-ico/ne...325-000-after-losing-victim-interview-videos/

The utter stupidity of using such an insecure way of delivering sensitive data is outstanding, why on earth was such sensitive data not sent over a VPN connection instead of being delivered in a physical format vulnerable to interception and loss?!

Who even uses DVD's in 2018?

 

[Energize]

The DVD's aren't encrypted as they would be the original productions and as such they would require the original disc from the Police Station which would then be copied for disclosure to the defence. It's not possible to send these in an encrypted format as it can, for example, introduce the possibility of arguments regarding tampering of digital evidence by the defence. The original discs/tapes are always required to be kept on file as they may be required at various points leading up to and during any trial.

From a computer science perspective that just makes no sense, there is no way to verify that it's the original recording so an unencrypted copy could just as easily be tampered with. Secondly, the original productions can be created already encrypted, so there is no need to alter the original recording.

 

[Energize]

Encryption just leads to more issues when trying to play it in court/use as evidence, having to have special decryption is just an extra hassle or someone forgetting the decryption key.

That's why absolutely no one uses "special decryption" or gives someone a password to remember. Open standards and industry solutions are in place which automate the encryption and decryption process.

The discs are bagged and signed on completion of the interview and accompanied with documentation certifying them as the originals. This is accepted by all parties as sufficient to declare such discs as the originals. I couldn't comment on the encryption side of things at the point of creation for a number of reasons however there are numerous agencies involved.

That is far less trustworthy than encryption however because encryption mathematically allows the authenticity and integrity to be verified, documents are comparably trivial to fabricate.

 

[Energize]

Every single police service and criminal justice agency in the UK.

Yes, that was a rhetorical question. I was making a point that they shouldn't be where possible. Physical media is suspectible to loss, tampering, theft and data corruption. Interviews should be encrypted at the point of recording so they are never in plain text, and automatically stored in a system that is protected from all the above. Home users have such systems in place for their family photos ffs.

 

[Energize]

DVD's have a certain quality in that they are easy to replicate when needed (although it does take time), they are easy to play back with no specialist systems needed, and are likely to be accessible in 10-20 years time if needed for an appeal or review (they can also be quite easily secured by the simple fact you need physical access to them).

Actually one of the publicised problems with DVDs is in fact called "DVD rot" whereby the disk degrades and becomes unreadable after a few years.

 

[Energize]

It's so normal for supposedly secure systems to be compromised and the data exposed that it doesn't even make the news unless it involves at least tens of millions of people and probably not even then. It's such a common occurence that it's not news. At least with physical media the data exposure is always very limited.

It would be very expensive to impose a single system on every police force, the CPS and every other aspect of the legal system. Far more than £325,000.

Are digitally altered recordings admissible in court? If not, you'd have to get that changed too.

When implemented properly the risk of breaches is much less than with physical media. If the data had been encrypted the loss would not have had the effect it did.

Of course it would be more expensive, that is the price of doing things properly as opposed to bodging it with unencrypted dvds. What sort of attitude is that, "well it's cheaper for us to pay the fines so we'll do that instead of securing sensitive data".

A dvd is a digitally altered recording already, it undergoes MPEG2 compression which results in an unpredictable amount of data loss, encryption doesn't alter the underlying recording anymore. Since encrypted files are used as evidence in court cases I don't see why there should be an issue.