The federal government’s already difficult job of winning sufficient public trust to convince Australians to download a forthcoming COVID-19 tracing app has hit another pothole, after multinational cloud provider Amazon Web Services was handed a deal to host the app’s data.
Reports by respected ABC and former Fairfax investigative journalists Linton Besser and Dylan Welch say the deal was awarded to AWS by limited, invitation-only tender despite concerns raised by the Digital Transformation Agency, which has refuted the claims.
The report from the national broadcaster comes as the government prepares a marketing blitz to persuade Australians to download the app in the hope it will help health authorities more quickly trace and isolate potential infections before they proliferate.
The revelation that an overseas company has secured the contract to house the app’s data is certain to raise questions as to whether the federal government is capable of securing sufficient public buy-in to make the app work at scale and is better off handing the sell to the states.
In contrast to federal distrust, most states have already mounted largely successful public information campaigns to keep people from gathering and moving around. The states are also the end recipients of the data from the app and run the tracing the app augments.
The government’s failure to anticipate and mitigate the hostile reaction to awarding the contract to a global player, from cyber security experts, privacy advocates and other groups wary of intrusive surveillance and potential expansion of the app by authorities, is another misstep in a series of problems plaguing the project.
However, information security sources have suggested to iTnews that one reason for the use of a limited invitation tender was low interest and reticence from local sovereign cloud providers who privately viewed the contract as potentially toxic.
Government Services minister Stuart Robert, who is best known to the public for defending Robodebt and then erroneously suggesting his department’s myGov outage that caused massive queues at Centrelink was a distributed-denial-of-service attack, has defended the procurement.
“The Minister has the utmost confidence in how the information is being managed,” a spokesman for Robert said.
“Uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only.”
The spokesman denied data would be accessible by foreign governments.
“Australia has not passed legislation that would allow it to operate and share data under the US CLOUD Act,” Robert’s spokesman said.
However, legislation is currently before the Parliament to facilitate data sharing between US and Australian law enforcement agencies under the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.
Robert’s office also said that keeping Australian data in Australia would be guaranteed through “a determination through the Biosecurity Act and legislation.”
“It will be a criminal offence to transfer data to any country other than Australia. A penalty of imprisonment for five years and/or 300 penalty units ($63,000) could apply to breaches of the direction.”
Prime Minister Scott Morrison also defended the decision to use AWS at a media briefing on Friday afternoon, stressing that it will be illegal for information to be accessible to anyone other than the state health professionals involved in contact tracing.
“The server is in Australia and it’s using AWS, who work with Australia on many, many sensitive issues,” he said.
The app is expected to be released next week.