- Amazon Web Services was awarded the government’s invitation-only contract
- The US-registered company was chosen over several vetted Australian companies
- Data held by US companies can be accessed by US law enforcement
- Encryption keys will be stored in the cloud, going against cybersecurity best practice

Amazon has won the contract to provide data storage for the Federal Government’s new COVID-tracker app, raising concerns from government insiders and tech analysts that data stored offshore could ultimately be used by US law enforcement agencies.
Under U.S. legislation, law enforcement agencies are able to access any data held by US-registered companies for the purpose of investigations, sparking concerns from those in the know.
The ABC is reporting that “bureaucrats inside the Government’s Digital Transformation Agency voiced concerns about the awarding of the contract to an overseas provider when several wholly Australian-owned cloud storage services have been security vetted for precisely such high-level contracts.”
According to that report, the ABC confirmed that the government tender was an exclusive, invitation-only contract offered by the Department of Home Affairs. Scott Morrison earlier this week stated that the Department of Home Affairs would not be accessing any data collected by the COVID tracing app.
With Amazon winning the tender, data on its servers could be accessed by US agencies under a 2018 law enforcement act, regardless of where the data originated or is stored, because Amazon is a US-registered company. Under the CLOUD Act, if the FBI wanted to access data on an Australian citizen, it could legally access data collected from the government’s upcoming COVID-tracing app for its investigations.
Whether or not this information could be passed on to Australian law enforcement for their investigations remains a looming technicality that no government figure has addressed.
It also directly contradicts a statement issued earlier this week by the Attorney-General, Christian Porter, who said that he would not allow that data to be accessed by Australian law enforcement. “The government has already made the decision not to make any information collected by the app available for other purposes, including law enforcement investigations,” he said.
A spokesperson for the Department of Home Affairs said “the department’s role in the development of a contact tracing capability has been one of support to enable access to the capacity of staff with relevant technical and delivery skills to progress this work on behalf of the Department of Health and the Digital Transformation Agency.”
Minister for Government Services Stuart Robert, who heads the Digital Transformation Agency, says he has complete confidence in how the data will be collected, indexed and managed. “Uploaded contact information will be stored in Australia in highly secure servers and protected by additional laws to restrict access to health professionals only,” he said in a statement.
When pressed on why the Home Affairs department led an invitation-only tender process, and chose a US-registered company over Australian companies that had been vetted for high levels of data protection, Robert deflected, stating “we cannot comment on a procurement process led by another department.”
Perhaps more significantly, the Government has announced that decryption keys will be stored in the cloud. This has drawn criticism from analysts and technology experts, who consider the practice a basic flaw in maintaining an air gap for extremely important tools like decryption keys.
A spokesman for Minister Robert said “database keys will be managed through Amazon Web Services’ Key Management System (KMS), a widely used security service that has been previously accessed by the ACSC,” in reference to the Australian Cyber Security Centre, part of the Australian Signals Directorate.
Michelle Price, chief executive at AustCyber, said that she was disappointed an Australian company was not awarded the invitation-only tender. “I don’t know why they weren’t alerted to it,” she said. “It’s a bit unfortunate that local providers who have worked hard and attained accreditation to provide security in the cloud to government were not able to be a part of this,” she added.
In reference to storing decryption keys in the cloud, where they could potentially be accessed by an authorised third party, Price said “the other thing we can do as best practice is to ensure, because the data is appropriately going to be encrypted, the encryption keys are held separately to the database.”
“It’s my understanding that off the back of us and others asking the question about whether the keys will be stored in the same cloud, and pointed out that best standard is to hold them separately, that’s being actively worked on.”
“It’s my recommendation that those keys be held in a sovereign cloud,” Price concluded.