Will US authorities have access to data? Photo: MNB

AMAZON HOSTING

Australian authorities have awarded US retail and technology giant Amazon a storage contract for the new COVIDSafe tracing app, sending the data of millions of Australians overseas.

The federal government has defended its decision to allow the application’s data-storage capabilities to be turned over to Amazon subsidiary Amazon Web Services (AWS).

Digital Transformation Agency chief Randall Brugeaud told a Senate Inquiry into the government’s COVID-19 response that the hyperscale cloud provider was chosen due to “the extent of services offered, which extends beyond hosting”.

He said the contract, which will set the government back $710,000 between April and October, was for “a combination of hosting, development and operational services”.

Prime Minister Scott Morrison has pushed back against criticism of the decision to use AWS at media briefing, stressing that it will be illegal for information to be accessible to anyone other than the ‘state health professionals’ involved in contact tracing:

“The server is in Australia and it’s using Amazon Web Services, who work with Australia on many, many sensitive issues.”

However, critics of the decision say a failure by the government to anticipate and mitigate the hostile reaction from cyber security personnel and privacy advocates — wary of intrusive surveillance when awarding the contract — is another misstep in a series of problems plaguing the project.

Initial questions were raised over the fact the American cloud provider is using a data centre in Sydney which is fully owned by a Chinese company.

Furthermore, the technology giant may not be able to protect the data held in its Australian servers — including data gathered by the COVIDSafe tracing app — from instances where US subpoenas are ordered, according to legal experts and crossbenchers.

THE CLOUD ACT

The federal government has cited a Ministerial Determination issued on Saturday by Health Minister Greg Hunt, which says authorities will protect the data of Australians under the US CLOUD Act.

So, just what is the ‘CLOUD Act’? The CLOUD Act is a 2018 US law which requires American cloud services to produce, under subpoena, data held by them directly to United States authorities.

Traditionally, companies and individuals who have had their data handed over to US authorities via this law can go through an appeals process to retain their information.

However, Australia’s peak legal body, the Law Council, says that under current arrangements, the appeal avenues under the CLOUD Act “would not have application” in Australia.

The government rejected the concerns, saying its data held by AWS would be protected because of a provision in the CLOUD Act that allowed US companies to apply to refuse or modify US subpoenas seeking the data of foreign governments (if providing violated their domestic laws).

Upon closer examination, claims of security by Morrison and fellow Polyergus crew members falls flat, with legal experts revealing such appeals are only available if a country is designated under the US CLOUD Act as a “qualifying foreign government”.

A spokesman for the Prime Minister confirmed over the weekend that Australia was not yet designated a ‘qualifying’ jurisdiction under US law. Who would have guessed?

To be recognised as a “qualifying foreign government”, Australia and the US are required to sign a so-called ‘executive agreement’ under the CLOUD Act, which must involve special legislation developed and passed in Australian parliament.

Laws to give effect to the agreement were only put before the House of Representatives in early March and, crucially, the bill — the Telecommunications Legislation Amendment (International Production Orders) Bill — has not been enacted.

That means Australia has no enforceable protection under the CLOUD Act until the bill is passed, which may occur (at the earliest) in the middle of May, when federal parliament returns.

In 2018, major US law firm Bryan Cave Leighton Paisner wrote an analysis of the CLOUD Act, in which they noted data protections of foreign governments, such as Australia, may not be enough to stop a lawful US government subpoena.

The new developments add further concerns to a troubling saga of privacy and safeguard announcements relating to the introduction of the controversial COVIDSafe app.

COVIDSAFE SAGA

In the toolkit of strategies to ‘stop the spread’ and ‘flatten the curve’, Australia is now reaching towards smartphone apps. COVIDSafe is designed to locate and contact registered residents who have been in contact with ‘confirmed cases’ of COVID-19.

The government has assured citizens the COVIDSafe app does not require you to enable location tracking. This selling point is being used as a guise to mask the true intention of the system — to build social profiles on the behaviours of millions of Australians.

So far, the Australian government hasn’t provided a good answer as to why it believes an app will be effective at all and civil liberty experts are raising concerns with the creeping surveillance model.

Objections primarily stem from the fact that central authorities will receive a huge amount of information it’s not necessarily well-equipped to protect. New Amazon discoveries add to this.

In decentralised systems, only those who have been close contacts of those who have tested positive know, whereas in the centralised approach, the government can get an idea of who all those people are — even if the information is ‘restricted’ to health officials engaged in contact tracing.

More than 300 researchers across the world released a joint statement urging governments considering such apps to rely only on systems that are subject to public scrutiny and that are privacy-preserving by design. The COVIDSafe app is not one of these.

Furthermore, the draft Privacy Amendment (Public Health Contact Information) Bill 2020, or the “COVIDSafe bill”, released this week, is the first step towards parliamentary legislation providing privacy protections for users of the app.

Examination of the new draft legislation has found a significant lack of data protection, loopholes for safeguards against coercion and no source code analysis among key issues.

Clearly, with no legislative safeguards established — both for international data storage and application security itself — the COVIDSafe app presents a fundamental threat to all Australians.

What role will this application play moving forward in the COVID-19 saga? How will it be used?

Reports are already emerging that businesses are incorporating the COVIDSafe app as a requirement in new ‘COVIDSafe Work Practices’, now required to be developed as the country begins a three-step plan to re-open the economy. The Health Department have hinted at this possibility.

COVID-19 has opened the door for an unprecedented month of spying and monitoring of society, and current attempts to introduce the COVIDSafe system should be taken with a grain of salt.

The success of this push relies on the citizens of Australia downloading the app, and with a “target audience” roughly 18 million, the numbers a slowly creeping.

How long until Australia finally stops believing the stories peddled by known liars? Only time will tell.