Labor’s Ed Husic has called for the government to rescind its contract with US tech giant Amazon Web Services to host and manage data from the COVIDSafe contact tracing app and hand the work to an accredited and security-credentialed Australian firm.
The four Australian secure cloud services providers that had been accredited to store and manage government data to Protected level by the Australian Signals Directorate had been “shabbily treated” by the government in the awarding of the COVIDSafe app National Data Store contract to AWS, Mr Husic told parliament.
Amazon Web Services was awarded the contract under a limited tender arrangement in which Australian secure cloud service providers were precluded from bidding.
Mr Husic said questions remained about whether foreign nationals could potentially access the data, despite the AWS and government commitments that the COVIDSafe data would be held in data centres onshore in Australia.
“Even today, in the Financial Review, the head of AWS in Australia [Adam Beavis] could not guarantee that foreign nationals would be prevented entirely from being able to access any of the data generated by the COVIDSafe app and the National Data Storage arrangements,” Mr Husic said.
“This could have been avoided if one of the Australian accredited cloud service providers had been given access to this contract,” he said.
“My firm firm is that the AWS data management contract should be taken off AWS and [given to an Australian company] that is on that Protected list that is Australian based in order to build stronger confidence in the way this app is being managed.”
He said many Australians still had privacy and security concerns about the contact tracing app. While five million Australians had downloaded COVIDSafe, there could be many more if these concerns were addressed.
“We should in a demonstration of good faith to the five million that did download the app, we should demonstrate that we take their privacy and their concerns seriously, and that the data is being managed by an Australian company on Australian soil.”
His call for the AWS contract to be terminated was not protectionist and was not an attempt to cut corners. The Australian companies had been certified by the Australian Signals Directorate as meeting stringent requirements for handling Protected-level government data, and using them would avoid the potential complications of foreign nationals based offshore managing the public cloud system and potentially having access to COVIDSafe data.
“You cannot have our Industry Minister [Karen Andrews] going out and saying in the middle of this pandemic when considering its impact on supply chains and … the need to rethink the way we do business in this country to support Australian industry.”
“You can’t have that happening in one instance and then have another minister go out and make a decision that is contrary [to the interests] of Australian industry when that industry is quite capable of doing the job,” Mr Husic said.
He said that Australians, and particularly Australian technology workers, would “expect that their government would back Australian firms where they are capable of doing the work, and who are capable of managing sensitive data and who are being ignored by this government.”
Speaking during the second reading debate on the Privacy Amendment (Public Health Contact Information) Bill, he said the irony was that the cloud services being offered in Australia to the Australian Government would not be acceptable to the US government for the management of sensitive citizen data.
“They would expect a higher standard of security and storage of data. This is my issue with the way that the cloud services providers in this country have been shabbily treated by a government that reckons it looks after Australian firms and doesn’t.”
Shadow Attorney-General Mark Dreyfus also used the debate to call for greater transparency in the way the government handled the AWS contract to store and manage COVIDSafe data.
“The Government should explain why it awarded the COVIDSafe data storage to Amazon Web Services instead of an Australian cloud service provider,” Mr Dreyfus told parliament.
“And it should provide assurances – concrete assurances – to the Australian people that the inexplicable decision to award this contract to Amazon does not mean that the data collected by the COVIDSafe app could or will be accessed by anyone outside Australia.”
Late in the day, federal Resources Minister Matt Canavan told Radio National that although AWS was an American company, the data would be stored in Australia by Australians.
He said Australia was one of the first western countries to produce a tracing app, and that Amazon Web Services had proved to be the company that was quickest and most agile in getting that work done.