Foreign cloud companies such as Amazon and Microsoft would be restricted from handling certain government data sets as part of a new government plan following concerns over the security of COVIDSafe data.
Government Services Minister Stuart Robert told the National Press Club the Coalition was mulling a “sovereign cloud” capability for certain kinds of sensitive data, such as from the COVIDSafe contact tracing app or the census.
He also criticised tech giants Google and Apple for blocking governments that didn’t adopt their decentralised model from accessing their contact tracing framework, saying they should “recognise sovereign nations making sovereign decisions”.
US-based tech firm AWS was handed a $709,000 contract to provide cloud storage of the data from the COVIDSafe app, with users that have been diagnosed with COVID-19 uploading a record of their close contacts to a central database, run on an AWS server hosted in Australia.
This led to significant concerns over the security of this sensitive data, and whether the US government would be able to compel the American company to hand over Australian data.
There are also concerns around the new CLOUD Act, which would allow the US government to request data held by American firms in any other country.
The Australian government is currently negotiating a CLOUD Act agreement with the US, with the powerful national security parliamentary committee expected to table a report on the legislation in August.
Despite the federal government denying there was any risk in contracting AWS for the COVIDSafe data, it is now scoping the possibility of adopting sovereign cloud service capability to ensure any sensitive data is hosted by an Australian company, in Australia.
“When developing the COVIDSafe app, Australians were loud and clear that they expect government to respect their privacy and have their data stored, secured and protected here, in Australia,” Mr Robert said in the speech.
“Going forward, we need to acknowledge community expectations and be transparent about how we manage the information that Australians are concerned about sharing with us,” he said.
“Accordingly, I can announce we are examining the sovereignty requirements that should apply to certain data sets held by government, in addition to the existing Protected Security Policy Framework.”
Under the plan, the government would declare certain data sets as “sovereign”, meaning they could only be hosted in Australia by an accredited Australian data centre across Australian networks and only accessed by the Australian government and service providers.
This would effectively block the likes of AWS and Microsoft from winning government contracts to host certain government data. There are already several accredited Australian cloud storage companies.
“We need to ensure that Australians can trust that government will appropriately manage the information that they provide to us – whether it is for a tracing app or for the Census,” Mr Robert said.
Centre Alliance Senator Rex Patrick, who labelled the AWS COVIDSafe deal a “disgrace”, said he supported the new proposal.
“I am supportive of this proposal, particularly in light of the controversy created in relation to the COVIDSafe app. Australia needs a sovereign cloud capability. Any sovereign cloud must be hosted within Australia and developed by majority owned Australian entities,” Senator Patrick told InnovationAus.
It is important that the government narrow the scope of what kind of data is considered sovereign, Australian Strategic Policy Institute International Cyber Policy Centre director Fergus Hanson said.
“The challenge for the government in coming up with this is making sure they narrow the scope rather than going too broad and losing the financial benefits that come from true cloud capability where you have the scale and cost efficiencies that cloud has,” Mr Hanson told InnovationAus.
“Data localisation tends to drive up costs rather than the other way around. It makes sense for some kinds of data, but they have to try to make sure it isn’t taken to extremes,” he said.
“They also need to be making sure the market remains open and competitive, rather than an oligopoly or narrowing it down too lightly and scoping it too tightly so you don’t have a competitive marketplace anymore.”
The move towards tech and data sovereignty has a broader global context, with a number of countries recently emphasising the importance of this.
The European Union, led by Germany and France, recently outlined plans to build a firewall around GDPR-data, with the use of sovereign cloud storage over mostly US-based commercial providers, such as Amazon and Microsoft.
This shift could lead to the balkanisation of the internet, Deakin University senior lecturer Dr Monique Mann said.
“There’s a broader international context here, and we’ve seen this recently with Europe – they’re pushing the idea of technology sovereignty and being in control of it, having its own geopolitical and geo-economic control of data,” Dr Mann told InnovationAus.
“States recognise that they’re vulnerable and are trying to assert control over digital infrastructure and data through data locations and storage, and that’s why we have these moves to data sovereignty,” she said.
“The risk here though is it will lead to balkanisation of the internet, or the splinternet. The splintering off of components of data, and that has implications for trade too.”
The move towards cloud sovereignty would also ensure Australian law enforcement is able to access data with a warrant going forward, Mr Hanson said.
“If you think about where the data might be stored and if there’s a legitimate warranted request for that data, this is making sure you can access that data as legitimate law enforcement in the country. That’s another dimension to this problem,” he said.
At the National Press Club, Mr Robert was also highly critical of Google and Apple’s move to only allow governments that adopt their strict privacy-based approach to contact tracing to access their improved Bluetooth technology.
Australia’s COVIDSafe app is based on a centralised model that is incompatible with Google and Apple’s Exposure Notification Framework.
“There are real sovereignty issues with allowing Google and Apple to dictate terms in allowing us to do contact tracing. I don’t agree with Google and Apple that they should have stronger Bluetooth signal if you use their system, but if you use the existing technology in the system you have a slightly weaker system,” Mr Robert said.
“I think Google and Apple are wrong on that approach and they should recognise sovereign nations making sovereign decisions,” he said.
“There’s an opportunity here for the big tech companies to lockstep with countries and assist them with their sovereign approach to doing tracing. They are saying that digital tracing unto itself is enough, but the global experience shows us quite simply that it is not enough.”