The government has defended its decision to store data from the planned contact tracing app with Amazon Web Services, committing to pass new laws mandating that the information be kept in Australia.
ABC News revealed on Friday that the Home Affairs department had contracted US-based Amazon Web Services to provide cloud storage for the “national storage” of the contact information of Australians diagnosed with COVID-19 using the official tracing app.
The database would be managed through US tech giant Amazon Web Services’ Key Management System, a spokesperson for Government Services Minister Stuart Robert confirmed, but all of the data will be kept in Australia.
The contracting of Amazon to provide the storage services has been labelled “problematic” by some privacy and cybersecurity experts, with the ABC story raising the possibility of the private information being accessed by US authorities under the CLOUD Act.
This has since been refuted by the government.
The Coalition is set to introduce legislation making it a criminal offence for the contact tracing data to be sent offshore.
“Uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only. Australia has not passed legislation that would allow it to operate and share data under the US CLOUD Act,” the spokesperson for Mr Robert told InnovationAus.
“Keeping Australian data in Australia will be guaranteed through a determination through the Biosecurity Act and legislation. The Minister has the utmost confidence in how the information is being managed.”
Under the laws, it will be a criminal offence to transfer any of the contact information to any country outside of Australia, with a penalty of five years’ imprisonment and a fine of up to $63,000.
The use of AWS’ Key Management System to store the highly sensitive information is “highly secure” and common practice in government, the spokesperson said.
“This is exactly the same way the Australian government already uses AWS for many other agencies, including the work of our intelligence agencies, including ASD, and ensures Australian data stays in Australia,” they said.
This new law would also give Amazon an out if it did receive a request under the US CLOUD Act, as complying with the request would require the tech giant to break the law in Australia. The government has also pointed out that it is yet to pass the legislation paving the way for Australia to sign an agreement with the US under the CLOUD Act, but this would not prevent the US government from using these powers on an American company.
The government is also planning to store the decryption keys for the data in the same cloud as the data on who someone with COVID-19 had been in contact with.
AustCyber chief Michelle Price, who has been involved with reviewing the app, said she advised the government against this practice.
“The other thing we can do as best practice is to ensure, because the data is appropriately going to be encrypted, the encryption keys are held separately to the database,” Ms Price told ABC News.
“It’s my understanding that off the back of us and others asking the question about whether the keys will be stored in the same cloud, and pointed it out that best standard is to hold them separately, that’s being actively worked on. And it’s my recommendation those keys be held in a sovereign cloud.”
The use of AWS to host the national store of data from the contact tracing app has raised concerns among privacy, cybersecurity and civil liberties experts.
There are several Australian-based cloud providers with the necessary level of ASD Protected-level security accreditation that could have been used instead, including Vault, Sliced Tech and Macquarie.
The contract to provide the servers for the contact tracing app should have gone to a local provider, Digital Rights Watch chair Lizzie O’Shea said.
“There are Australian providers that could meet the requirements. An Australian-based hosting company should have been the preferred choice, and frankly the government should be supporting local business wherever possible in these challenging times,” Ms O’Shea said.
Deakin University senior lecturer Dr Monique Mann said the use of Amazon is “problematic” and “raises a whole range of privacy concerns”.
“The fact they’re sending data offshore is really concerning, particularly given there are local providers that could store the data that have already been vetted. There is the opportunity to ensure information is stored locally,” Dr Mann told InnovationAus.
“Sending it offshore is one thing but the fact they’re centralising it in a database is really concerning. Why can’t they come up with a solution where this is stored locally on a device?”
The government has said that it will be illegal for any of the contact tracing app data to be sent offshore.
Cryptography expert Vanessa Teague agreed, saying the centralised model to be used by the Australian government is unnecessary and brings with it several privacy concerns. This also leads to the issue where the decryption keys are stored on the same AWS encrypted cloud server as the actual data.
“It’s important to understand that this is inherent to this style of protocol. There’s no simple fix, because the server needs to be constantly encrypting people’s IDs and then decrypting them again when someone tests positive,” Dr Teague told InnovationAus.
“This problem can really only be solved by fundamentally changing the protocol to one in which one giant server isn’t doing everyone’s encryption and decryption. Nobody should have this level of control and surveillance over Australians.
“It still wouldn’t be okay even if it was an Australian company. We should be using a different protocol that doesn’t give one company immediate visibility of everyone’s ‘encrypted’ IDs.”