Global tech giant Amazon may not be able to protect Australian Government data held in its Australian servers including data gathered by the COVID-19 tracing app released on Sunday from US subpoenas, according to legal experts and crossbenchers.
The COVIDSafe app is designed to help identify who a COVID-19 positive person has met while infected, speeding up the contact-tracing process.
The Government has defended its decision, revealed last week by the ABC, to award the app's data-storage contract to Amazon cloud subsidiary Amazon Web Services (AWS), a US-incorporated business subject to the US CLOUD Act.
The CLOUD Act is a 2018 US law which requires American cloud services to produce, under subpoena, data held by them regardless of where in the world that data is stored.
The Australian Government initially told ABC News data held by Amazon would be protected from the CLOUD Act, but Australia's peak legal body, the Law Council, disagreed, saying that under current arrangements the appeal avenues under the CLOUD Act "would not have application" in Australia.
The Government has also pointed to a Ministerial Determination issued on Saturday by Health Minister Greg Hunt, which it says will also protect the data. The Law Council and two crossbenchers said that was not certain.
The federal crossbenchers told ABC News they were concerned the Government had created an uncertain legal situation around the COVID-19 app.
"I think the application that has been proposed by the Government, and that is now available for download, is a useful application and it will help to save lives, however there are certainly still some grey areas in respect of privacy," federal crossbench senator Rex Patrick said.
"There will be some people in the community who will rightly be a little bit anxious about downloading this application."
The data created by the tracing app will be encrypted, stored on your phone, and not shared with anyone, unless you test positive to COVID-19.
If that happens, health officials may ask but cannot compel you to upload 21 days of your data. If you do, it is at that point your data will be sent to the Amazon cloud.
The Government's contact-tracing app aims to help track down people who may have been exposed to COVID-19, but like any smartphone app, it raises privacy and security questions.
It is only then that the US Government could use the CLOUD Act to compel Amazon to hand over data.
ABC News reported concerns by industry insiders and bureaucrats that giving Amazon the contract could mean COVIDSafe data was obtainable by the US under CLOUD Act subpoena.
The insiders spoke to the ABC on condition of anonymity because they held contracts with the Government, or work for the Government and were not cleared to speak publicly.
The Government rejected the concerns, saying its data held by AWS would be protected because of a provision in the CLOUD Act that allowed US companies to apply to refuse or modify US subpoenas seeking the data of foreign governments, if providing such information violated the law in that foreign country.
However, such appeals are only available if a country is designated under the US CLOUD Act as a "qualifying foreign government".
A spokesman for the Prime Minister confirmed over the weekend that Australia was not yet designated a "qualifying" jurisdiction under US law but insisted the data would remain in Australia.
"Even without yet being defined as a 'qualified foreign government' under the CLOUD Act, Australia already ensures data from a range of government agencies, including our intelligence agency the Australian Signals Directorate, is kept in Australia," he said.
To be recognised as a "qualifying foreign government", Australia and the US are required to sign a so-called "executive agreement" under the CLOUD Act, which must involve special legislation in Australia.
Negotiations for that agreement were first made public during a meeting between Home Affairs Minister Peter Dutton and US Attorney-General William Barr on October 7 last year.
"This is the way of the future between like-minded countries," Mr Dutton announced in a statement that day.
Mr Barr said: "This agreement, if finalised and approved, will allow service providers in Australia and the United States to respond to lawful orders from the other country without fear of running afoul of restrictions on disclosure, and thus provide more access for both countries to providers holding electronic evidence that is crucial in today's investigations and prosecutions."
The October announcement noted the "bilateral agreement", which would allow Australia to become a "qualifying foreign government" under the CLOUD Act, would be "underpinned by Australian legislation yet to be introduced" into Parliament.
ABC News can confirm the legislation to give effect to the agreement was only put before the House of Representatives in early March and, crucially, the bill the Telecommunications Legislation Amendment (International Production Orders) Bill has not been enacted.
That means Australia has no enforceable protection under the CLOUD Act until the bill is passed, which can occur at the earliest in the middle of next month, when Federal Parliament returns.
If something pops up in your feeds or inboxes, please help us by uploading screenshots, photos, videos or links, and tell us how it got to you.
"It is the view of the Law Council of Australia that the review mechanisms in the US CLOUD Act would not have application to information held in Australia's territorial jurisdiction, in the absence of Australia being recognised by the US as a 'qualifying foreign government' under that act," the Law Council's president, Pauline Wright, said.
When the ABC initially reported the concerns about the CLOUD Act, the Prime Minister's office also said the Government's position that the data would be secure was "being reinforced by a declaration under the Biosecurity Act".
That declaration was made on April 25, the day after the ABC's story was published.
The Law Council said the Biosecurity Act declaration may serve to protect the data.
"The fact that it would be an offence under the Biosecurity Act and a breach of our domestic laws is likely to be a relevant consideration to the enforceability of any US-issued warrant in relation to data held in Australia, and Australia's compliance with any mutual legal assistance request by the US for such information," Ms Wright said.
Government Services Minister Stuart Robert and Prime Minister Scott Morrison both used future tense when speaking publicly about Australian government law that would stop the transfer of the COVID-19 tracing app data out of Australia.
On Friday afternoon, Mr Morrison said: "It would it is illegal it will be illegal, for information to go out of that data store to any other person other than that for whom the whole thing is designed."
On Saturday, a spokesman for Mr Morrison again used future tense when discussing the penalties of removing any COVID-19 data from Australia.
"The Australian Government will ensure it is a criminal offence to transfer data to any country other than Australia," Mr Morrison's spokesman said.
"These claims about US authorities are incorrect.
"We're using the same approach we use to protect some of the highly sensitive data of the Australian Signals Directorate as we are for this app."
When contacted for comment, an Amazon spokesman said questions about the CLOUD Act relevant to COVIDSafe data should be referred to the Australian Government.
In 2018, major US law firm Bryan Cave Leighton Paisner wrote an analysis of the CLOUD Act, in which they noted data protections of foreign governments such as Australia may not be enough to stop a lawful US government subpoena.
"Under the CLOUD Act, Microsoft will now be required to hand over to criminal prosecutors in New York emails held on Microsoft servers hosted in Ireland, regardless of the stringent EU data-protection requirements applicable in Ireland," the firm wrote.
No system is 100 per cent secure, but the Signal app can be used to protect your identity by using end-to-end encryption. Please read the terms and conditions of the app to work out if it is the best method of communication for you.
Senator Patrick told ABC News while the COVIDSafe app had a use, he was disappointed the contract went to US company Amazon.
"It's nothing short of an absolute disgrace that this cloud contract was awarded to an overseas company," he said.
"We have in effect just exported Australian dollars to the US, and at the same time, what we've done has caused some concerns in relation to the protection of the data that may be collected by the application."
The Government has yet to explain why Australian cloud service providers which have been security-vetted for precisely such a purpose were excluded from the opportunity to apply for the contract.
Greens senator and digital rights spokesman Nick McKim said the CLOUD Act could apply to the COVIDSafe data.
"People who will be sitting in head office in Amazon in the US will not be covered by Australian law, they will be within jurisdiction of US law," Senator McKim said.
"And the US role is abundantly clear that US security agencies actually do have a claim on data that is held by a US company, no matter where that data is hosted in the world."
- PAM as a Service: Its All a Matter of Trust - Security Boulevard - June 2nd, 2020
- How To Best Adapt Your Business When The World Is Moving Online - Forbes - June 2nd, 2020
- Cloud computing via satellite to drive 52 Exabytes of traffic by 2029: NSR - SatelliteProME.com - June 2nd, 2020
- Multinational Insurance Company Completes Upgrade of Majesco Policy for P&C from On-Premise to Majesco CloudInsurer to Bolster Growth Strategy -... - June 2nd, 2020
- COVID-19 Impact on Healthcare Cloud Computing Market Marked US$ 13 Bn in forecast Years 2025 - 3rd Watch News - June 2nd, 2020
- Cloud computing, future trends to be followed in the industry - Optocrypto - June 2nd, 2020
- You couldn't do this already? AWS adds size and bandwidth growth to FSx for Windows File Server - Blocks and Files - June 2nd, 2020
- Upstream Security Partners With Amazon Web Services to Enhance Automotive Cybersecurity - PRNewswire - June 2nd, 2020
- Improvements on the verify domain error in Office 365 - TechGenix - June 2nd, 2020
- Digital transformation held back by lack of skilled people - ComputerWeekly.com - June 2nd, 2020
- NTT Com internal cloud server hacked, information on 621 customers stolen - DatacenterDynamics - June 2nd, 2020
- Where is the edge in edge computing? And who gets to decide? - ZDNet - June 2nd, 2020
- Cloud-native architectures will define the vRAN future - 5Gradar - June 2nd, 2020
- Developers recall career 'aha' moments that have shaped their Docker experience - SiliconANGLE News - June 2nd, 2020
- HSBC platform uses AI to analyse trading data thousands of times faster - ComputerWeekly.com - June 2nd, 2020
- CloudBolt Releases Version 9.3 of Its Award-Winning Cloud Management Platform - Container Journal - May 31st, 2020
- Kaminario offers cut-price virtual SAN in the cloud - ComputerWeekly.com - May 31st, 2020
- 4 types of mobile security models and how they work - TechTarget - May 31st, 2020
- Increased cybersecurity for the transportation industry - Commercial Carrier Journal - May 31st, 2020
- Cloud-Based Firewalls Are Key to Protecting Employees While Working Remotely - Security Boulevard - May 31st, 2020
- Cloud storage 101: File, block and object storage in the cloud - ComputerWeekly.com - May 31st, 2020
- Cloud Transition During the COVID-19 Exposing the Enterprise Vulnerabilities - EnterpriseTalk - May 31st, 2020
- The Role of Artificial Intelligence in Ethical Hacking | EC-Council Official Blog - EC-Council Blog - May 31st, 2020
- Shelves are well-stocked with cloud-native tools, but simplicity remains a moving target - SiliconANGLE - May 31st, 2020
- Uncover and overcome cloud threat hunting obstacles - TechTarget - May 26th, 2020
- This extraordinary motherboard is being used by server CPU scavengers - TechRadar India - May 26th, 2020
- VMware reduces hardware footprint of its shiny new K8s-on-vSphere toys - The Register - May 26th, 2020
- How Zoom plans to better secure meetings with end-to-end encryption - TechRepublic - May 26th, 2020
- VMware, Dell level up their combined on-prem cloud with much more computing grunt - The Register - May 26th, 2020
- Accelerator Card Market Will Witness Substantial Growth in the Upcoming years by 2027 - WaterCloud News - May 26th, 2020
- Uber India deploys Canon information management solution- Therefore for operational workflow - CRN.in - May 26th, 2020
- Potential Impact of COVID-19 on Research Report prospects the Server Backup Software Market - Cole of Duty - May 26th, 2020
- Do You Know Where Your Servers Come From? Heres Why Securing The Supply Chain Matters - Forbes - May 26th, 2020
- Live analytics without vendor lock-in? It's more likely than you think, says Redis Labs - The Register - May 26th, 2020
- Latest Forecast on Government Cloud Market Emerging Industries, Growth, Remarkable Developments and Key Players| Global Future Prospects 2025 - 3rd... - May 26th, 2020
- Cloud Accounting Software Market Research Report Comprising Development Trends 2020, Key Manufacturers and Competitive Landscape to 2025 - Cole of... - May 26th, 2020
- Gartner: How and why cloud providers need to support their customers through Covid-19 - Cloud Tech - May 22nd, 2020
- The Connection Between Cloud Service Providers and Cyber Resilience - Security Intelligence - May 22nd, 2020
- Google And Dell Pave The Way For File Data In The Cloud - The Next Platform - May 22nd, 2020
- Veeam teams up with Kasten for containerised app backup Blocks and Files - Blocks and Files - May 22nd, 2020
- Hybrid cloud: The key to surviving and thriving during the pandemic - WTOP - May 22nd, 2020
- Global Bare Metal Cloud Market : Industry Analysis and Forecast... - Azizsalon News - May 22nd, 2020
- Exabeam sees more than half of new and add-on recurring revenue from cloud offering - Help Net Security - May 22nd, 2020
- OnShip Brings its Parcel & Freight Shipping Transportation Management Platform to the Cloud with Cameyo - Supply and Demand Chain Executive - May 22nd, 2020
- 'What is Dropbox?': How to use the cloud-based file-storage service for collaboration - Business Insider - Business Insider - May 22nd, 2020
- Couchbase Announces $105 Million Equity Investment Led by GPI Capital to Fuel Its Next Phase of Growth and Cloud Innovation - GlobeNewswire - May 22nd, 2020
- The Register calls for aid, and Microsoft's Rohan Kumar will answer... our questions about SQL Edge and Azure Synapse - The Register - May 22nd, 2020
- What are the different types of cloud load balancing? - TechTarget - May 22nd, 2020
- How data centers will become automated and self-reliant - TechHQ - May 22nd, 2020
- Masayoshi Son says AWS and Microsoft will buy more chipsets from the SoftBank Vision Fund-backed Arm, and not - Business Insider India - May 22nd, 2020
- Chinese IPOs hang in the balance as Senate and Nasdaq change rules - Data Economy - May 22nd, 2020
- Portworx upbeat on container storage revenues Blocks and Files - Blocks and Files - May 22nd, 2020
- New study Global Managed Servers Market 2019 | Growth Opportunities, Investment Feasibility, Market Share And Forecast 2025 - Cole of Duty - May 22nd, 2020
- New Study Finds that IT Pros Are Worried About Corporate Data Security - Database Trends and Applications - May 19th, 2020
- Get your head in the cloud: why cloud is crucial for sustainable business - New Zealand News Centre - Microsoft - May 19th, 2020
- The Global Public Cloud Services Market is expected to grow by $ 221.84 billion during 2020-2024 progressing at a CAGR of 19% during the forecast... - May 19th, 2020
- Traditional or Cloud Antivirus Solutions Which is Best? - PC Tech Magazine - May 19th, 2020
- Moving beyond Covid-19: what does the future of work look like? - ETCIO.com - May 19th, 2020
- AWS unleashes custom Arm processor the Graviton2 in new EC2 M6g instance type - The Register - May 14th, 2020
- Pandemic Shows The Value Of The Public Cloud - The Next Platform - May 14th, 2020
- Jigsaw24 Expands Via24 Cloud Services With Deployment of EditShares EFSv - Broadcasting & Cable - May 14th, 2020
- The age of the ethical cloud is green and for everyone Intelligent CIO Europe - Intelligent CIO Africa - May 14th, 2020
- The Future of Artificial Intelligence: Edge Intelligence - Analytics Insight - May 14th, 2020
- How cloud is accelerating the growth of digital payments - TechHQ - May 14th, 2020
- Live Webinar Preview: Commands & Custom Scripting for Remote Application Installs - Security Boulevard - May 14th, 2020
- Private Cloud Server Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Swarm Theory: Lessons from nature in the advancement of robotics - Techerati - May 14th, 2020
- What are the Differences Between IaaS, PaaS, and SaaS? - stopthefud - May 14th, 2020
- Zoom Settles with NY AG over Privacy and Security Concerns - Security Magazine - May 14th, 2020
- Codestone helps shipping agent to cloud-based infrastructure - Codestone - May 14th, 2020
- Server sales went through the roof in the first three months of 2020. Enjoy it while it lasts, Dell, HPE, and pals - The Register - May 14th, 2020
- Global Cloud Infrastructure Testing Market Research Report 2020 By Size, Share, Trends and Analysis up to 2025. - Cole of Duty - May 14th, 2020
- Digital Harmonic to Bring its Powerful AI-Driven Image and Video Enhancing Solution to the Federal Market - Business Wire - May 14th, 2020
- Sorry if this seems latency obvious, but... you can always scale out your storage with end-to-end NVMe - The Register - May 14th, 2020
- The role of the data centre in the future of Data Management - Data Economy - May 14th, 2020
- We'd love to come up with a Harbor container ship pun but we're too corona-frazzled. Version 2.0 is out - The Register - May 14th, 2020
- Edge Intelligence: The Next Wave of AI - EE Times India - May 14th, 2020
- Patch by Friday or compromised by Monday: Salt exploit exposes Infrastructure-as-Code tools threat - SC Magazine UK - May 6th, 2020
- Serverless Exists In The Cloud and Both Need Servers - Computer Business Review - May 6th, 2020
- Analysis on Impact of COVID-19- Rugged Servers Market 2020-2024 | Increased Adoption of Cloud Applications to Boost Growth | Technavio - Business Wire - May 6th, 2020