Government insiders and technology industry players have raised alarms about the Federal Government’s new COVID-19 tracing app, after a contract for its data storage went offshore to US retail and technology giant Amazon.
Key points:
- The Federal Government says the app will help trace the coronavirus spread in Australia
- Concerns are raised that Australians’ data will be hosted by US tech giant Amazon
- Data held by US-registered companies can be accessed by US law enforcement
Bureaucrats inside the Government’s Digital Transformation Agency voiced concerns about the awarding of the contract to an overseas provider when several wholly Australian-owned cloud storage services had been security vetted for precisely such high-level contracts.
The ABC has also confirmed the tender was a limited, invitation-only opportunity initially run by the Department of Home Affairs, which is principally responsible for border protection and national security.
Issuing the contract to Amazon may also mean the Australian data is obtainable by US law enforcement under a 2018 law that allows them to obtain information held by US-registered data companies no matter where in the world that information is held.
However, today the Prime Minister and a spokesman for Government Services Minister Stuart Robert rejected suggestions the US law would apply to the tracing app data.
Amazon, incorporated in Seattle, is one of the world’s largest companies.
Last year it reported earnings of more than $270 billion.
Home Affairs declined to answer specific questions about the tender process.
A spokesman for the department said: “The department’s role in the development of a contact tracing capability has been one of support to enable access to the capacity of staff with relevant technical and delivery skills to progress this work on behalf of the Department of Health and the Digital Transformation Agency.”
Responsibility for the tracing app has since been moved to the Digital Transformation Agency, which comes within the portfolio of Government Services Minister Stuart Robert.
A spokesman for Mr Robert said the Minister had confidence in the management of the tracing app data, which he said was a “contact” app and still in development.
Asked for Mr Robert’s view of the decision of Home Affairs to run a limited, invitation-only tender, his spokesman said: “We cannot comment on a procurement process led by another department.”
ABC News can also reveal the Government has plans to store the decryption keys for the data in the same cloud as the data itself — a practice frowned upon within the industry for such a sensitive cache of public information.
Mr Robert’s spokesman said the practice was acceptable.
“Database keys will be managed through Amazon Web Services’ Key Management System (KMS), a widely used security service that has been previously assessed by the ACSC,” the spokesman said.
ACSC refers to the Australian Cyber Security Centre, part of the Australian Signals Directorate, the country’s electronic spy agency which is responsible for government cyber security.
How the tracing app works
The app is designed to help identify with whom a COVID-19 positive person has met while infected, speeding up the contact tracing process.
Relying on Bluetooth technology, the app will identify other phones using the app that have been within a 1.5 metre range for at least 15 minutes.
The app logs and encrypts that contact on the phone. Later, if a person using the app tests positive to COVID-19, they would be asked to download their encrypted contact log and send it to the Government, which will store it in the Amazon cloud.
State and territory health authorities will then be able to access the cloud, decrypt the data and contact those who were in close proximity to the COVID-positive person.
The tracing app has been sold by Prime Minister Scott Morrison as an important part of easing restrictions in Australia, but it has also been met with concerns regarding how information will be used and stored.
The revelation that this information is to be held by Amazon’s cloud service — Amazon Web Services (AWS), the world’s largest cloud service, which operates under US law — may spark further concern.
AWS is subject to a raft of invasive US national security legislation, including the CLOUD Act, a 2018 law compelling US-based technology companies to provide data to federal law enforcement under warrant, regardless of whether the data is held in the US or overseas.
However, a spokesman for Mr Robert said the US CLOUD Act did not apply to Australian data.
“Keeping Australian data in Australia will be guaranteed through a determination through the Biosecurity Act and legislation,” he said.
“It will be a criminal offence to transfer data to any country other than Australia. A penalty of imprisonment for five years and/or 300 penalty units ($63,000) could apply to breaches of the direction.
“This is exactly the same way the Australian Government already uses AWS for many other agencies, including the work of our intelligence agencies, including ASD, and ensures Australian data stays in Australia.”
The Prime Minister said in a press conference today that only health workers undertaking contact tracing would legally be able to access the personal information in the app.
“The server is in Australia and it’s using AWS, who work with Australia on many, many sensitive issues,” he said.
“It’s a nationally encrypted data store.
“It is illegal — it will be illegal for information to go out of that data store to any other person other than that for whom the whole thing is designed.”
Australian providers overlooked
Among those raising concerns about the Amazon deal is cyber security not-for-profit, AustCyber.
AustCyber’s chief executive, Michelle Price, said the exclusion of Australian-owned providers for the service was disappointing.
“I don’t know why they were not alerted to it,” Ms Price said.
Among the local providers who were overlooked for the contract are AUCloud, Macquarie Telecom, Sliced Tech and Vault.
The Government has previously security vetted two giant US corporations to provide secure cloud storage — Microsoft and Amazon.
Since September 2013, the Commonwealth Government has published contracts with AWS worth more than $116 million.
The departments of health, defence and agriculture have all issued cloud storage contracts to AWS, as has the Australian Signals Directorate.
In June last year the Digital Transformation Agency published details of a $55 million contract with AWS for a “whole of government agreement” which runs until April 2022.
Ms Price said she and others had also advised the Government that its current plan — to store the encryption keys in the same cloud as the data itself — posed an unnecessary security risk.
“The other thing we can do as best practice is to ensure, because the data is appropriately going to be encrypted, the encryption keys are held separately to the database,” she said.
She hoped the Government would change tack.
“It’s my understanding that off the back of us and others asking the question about whether the keys will be stored in the same cloud, and pointed it out that best standard is to hold them separately, that’s being actively worked on,” she said.
“And it’s my recommendation those keys be held in a sovereign cloud.”
Asked whether she would still use the app even if the keys are not separated, Ms Price said: “In this instance, yes I would because it’s about saving lives and getting Australians back in the classroom and back to work.
“In a different context I would think twice about it.”
