The contract handed to American tech giant Amazon to handle the cloud storage of data from the COVID-19 contact tracing app is a “disgrace” and more must be done to ensure Australia’s self-reliance in tech capabilities, crossbench senator Rex Patrick says.
It was revealed last week that the government had contracted Amazon Web Services (AWS) to store the data from its COVIDSafe app. The national database of contact information of users who have been diagnosed with COVID-19 will be held on the company’s cloud service in Australia.
A current government Biosecurity Act determination, and legislation that will be passed in the coming weeks, will make it illegal for this data to leave Australia.
The Labor-led Senate committee inquiring into the government’s response to the ongoing COVID-19 pandemic will investigate AWS’ role with the app’s data storage and look at other contracts involved with its development.
Senator Patrick has already put questions to the Attorney-General’s department, Digital Transformation Agency, Home Affairs and the Department of Health.
The AWS contract should have gone to one of the many Australian companies with the same capabilities and security clearance, keeping the data secure and supporting the local economy, according to.
“There was a capability in Australia to host the data servers in a secure manner, but it’s clear that Australian entities were not even invited to tender. Post COVID-19, we need to be very aware of the need to stimulate the economy and to address matters of self-reliance,” Centre Alliance’s Senator Rex Patrick told InnovationAus.
“In that sense I’m quite disturbed that this contract went to a US company. If we have these capabilities, if we have this expertise in Australia, we should support it rather than exporting Australian taxpayer dollars overseas.”
Awarding the closed tender to AWS would damage local tech companies’ ability to compete with their overseas rivals, he said.
“There’s a saying in government, ‘you won’t get fired for going to IBM’. While you have that attitude, you’ll never develop capability here in Australia,” Senator Patrick said.
“The downside to that selection has two limbs to it. First is that you are giving taxpayer money and effectively exporting that money whilst not providing support to the Australian entity,” he said.
“Subtly at the same time you actually make the overseas entity stronger and better able to compete against those Australian companies because they will profit from the contract and that profit will be redirected internally to the company’s research and development.”
“You’re boosting the capabilities of a foreign company that just makes it harder for Australian companies to compete in other contracts – government and commercial.”
Senator Patrick has written to the government calling for more emphasis on the economic benefit to Australia when undertaking procurement in light of the ongoing pandemic.
In the letter to Finance Minister Mathias Cormann, Senator Patrick said the weighting of “economic benefit to Australia” should be raised, all current tenders should to ensure they provide the most benefit to Australia, and that a national plan for enhancing Australia’s resilience should be developed.
The new requirements should also be extended to state and territory governments, the senator argued.
Senator Patrick is also concerned about the data security implications of bringing in an American company.
“By contracting it to a US-owned entity, it exposes the data to subpoena from the United States on account of the CLOUD Act. The bottom line is that by going to a US company they have created a risk that many people will consider in their decision-making as to downloading the application,” he said.
“That’s a shame because the application will provide a useful function from a health perspective and has the potential to save lives.”
Government ministers have repeatedly said that the US government will not be able to access the data held on AWS servers in Australia, and it is illegal for any of this information to be sent overseas.
“Australia has not passed legislation that would allow it to operate and share data under the US CLOUD Act. Keeping Australian data in Australia will be guaranteed through a determination under the Biosecurity Act and legislation,” a spokesperson for government services minister Stuart Robert told InnovationAus.
“The highly secure information storage system keys will be managed through Amazon Web Services’ Key Management System, a widely used security service that has been previously assessed by the ACSC. This is exactly the same way the Australian government already uses AWS for many other agencies.”
Senator Patrick has joined a growing number of crossbenchers and Labor MPs raising concerns over the AWS contact tracing app deal.
Earlier this week Labor MP Ed Husic said the government has “big questions” to answer over the contract and AWS’ potential use of a China-owned data centre in Sydney.
“These are the types of things that need to be cleared up. If you don’t have the trust in the way this app is managed, this will dent the ability of this app to be successful,” Mr Husic said on Tuesday.
Greens leader Adam Bandt has also been highly critical of the deal, especially the potential for the US government to demand access to the data held by AWS.
“Our unfair trade agreements with the US mean Australians’ personal data – who you’ve met, who you live with, who you’ve stayed with – could potentially be up for grabs by US law enforcement. This is a gross violation of privacy, and can’t be allowed to happen,” Mr Bandt tweeted.
The federal government has argued that the US government will not be able to request access to the contact tracing app data held in Australia, and it will be illegal for it to be sent offshore.