Using an Australian company to host the COVIDSafe data would have delayed the rollout of the app and added “additional risk and complexity”, the Digital Transformation Agency says, amid heightened scrutiny of the controversial data contract awarded to Amazon Web Services.
There have been questions around the contracting of the American tech giant and the potential for the US government to access the data under the CLOUD Act. The federal government has vigorously denied that this is possible and passed legislation this week stating that COVIDSafe data must be kept in Australia, and that transferring it offshore is a criminal offence.
But there remain widespread concerns that this is a possibility, with several Senators calling on the government to gain diplomatic assurance from the US government that this would not happen.
The Department of Home Affairs began the early work on the COVIDSafe app and developed a prototype of it in March. The department was the first to bring AWS on board, awarding it a $165,000 contract for the early work.
On 6 April, Home Affairs handed the project to the Digital Transformation Agency (DTA). On the same day, the DTA approached AWS for a quote to provide a range of services assisting in the development of the app and cloud storage. These services included hosting, development and operational support.
Two weeks later the deal was signed, with AWS landing $709,000 for the contract running until October.
The DTA decision was made by the agency’s chief digital officer Peter Alexander, chief financial officer David Donovan and head of digital infrastructure service Anthony Warnock.
In answers to questions on notice from the Senate committee investigating the government’s response to COVID-19, the DTA said it had little choice but to give the contract to AWS due to its work on the prototype with Home Affairs.
It said the limited tender was needed due to “genuine urgency and continuation of an existing agreement”, and that splitting up the hosting and development work would’ve “introduced additional risk and complexity to the COVIDSafe system”.
“To meet expectations for the development and release timeframes for the COVIDSafe application, the DTA conducted procurement activities to replicate the initial conceptual development of the application and ecosystem by the Commonwealth,” the DTA said.
“Changes in supplier arrangements would have introduced an unacceptable risk to the on-time delivery of the application and likely resulted in higher cost to the Australian government, as the work already done may not have been transferable to another supplier.”
Labor and a number of crossbench Senators have repeatedly questioned why one of the four local accredited cloud providers wasn’t even given the opportunity to participate in the tender process for the COVIDSafe work.
Because it was awarded to an American firm, there are now “legitimate concerns” that US law enforcement could access the data, shadow home affairs minister Kristina Keneally said in Parliament this week.
“This concern could have been avoided if the government had chosen to award the data storage contract to an Australian-based, owned and operated cloud service provider. In fact, at a time when the Australian economy needs as much stimulus as possible due to this unprecedented economic crisis, I’m perplexed as to why the government did not award the contract to an Australian company,” Senator Keneally said.
The AWS decision is “inexplicable” and “so far unexplained”, Greens Senator Nick McKim said.
“Despite saying we should stay together and we will get through this together, despite continually saying we need to secure Australian jobs and livelihoods, this contract was awarded to a company with a head office overseas,” Senator McKim said.
“Even though I acknowledge the government has done its best by legislating here in Australia, the simple fact remains that the head of AWS in the US is likely to be far more concerned about the operation of US law than the operation of Australian law.”
Labor is now calling on the government to secure diplomatic assurance from the US government that it will not request access to the COVIDSafe data, as part of its current negotiations for a CLOUD Act agreement.
“I urge the Minister for Home Affairs to pursue this option as it will provide further assurances to the Australian public and hopefully will result in more downloads of the app. If the government wants this app to be embraced by millions more Australians they would be taking these steps,” Senator Keneally said.
Labor MP Ed Husic has called for the AWS contract to be rescinded and awarded to one of the accredited local cloud providers, saying these companies have been “shabbily treated”.
“My firm view is that the AWS data management contract should be taken off AWS and [given to an Australian company] that is on the Protected list that is Australian based in order to build stronger confidence in the way this app is being managed,” Mr Husic said.
“We should in a demonstration of good faith to the five million that did download the app, we should demonstrate that we take their privacy and their concerns seriously, and that the data is being managed by an Australian company on Australian soil.”
It comes as the Nine newspapers publicly revealed a government agency assessment, completed by cyber consultancy Foresight, which warned late last year that AWS may send some of the data it holds overseas. The report stated that AWS relies on tools that might send some stored information throughout its 700-server network around the world.
The report did state that this likely related to metadata rather than the type of personal data generated by COVIDSafe, which will be stored locally.