The Government defends choosing Amazon to store contact tracing app data

The Federal Government has defended choosing Amazon to store data uploaded from its contact tracing app.

Chris Griffith

2 min read

5:00PMApril 24, 2020.

Updated 5:57PMApril 24, 2020

Government Services Minister Stuart Robert. Picture: AAP

The Federal Government has defended choosing US cloud provider Amazon Web Services to store data uploaded from its contact tracing app.

Amazon Web Services or AWS will store both data and highly secure information storage keys used to reveal the identity of those who come into contact with people testing positive with coronavirus.

Phones will store the encrypted identities of other phones when a person is no more than 1.5 metres away from another person for at least 15 minutes.

From information provided to date, there are two occasions when data is uploaded to the cloud. One is when the user installs and registers the app in which case their name, mobile number, age and postcode are recorded. The other instance is when a person tests positive to the virus and their contact information is uploaded.

Government Services Minister Stuart Robert says all other data remains on phones and it will not be uploaded to the cloud. Further, data will be deleted when it is three weeks’ old.

The government has confirmed that Amazon Web Services (AWS) will store the data, which has prompted some concern about the preservation of data sovereignty and whether Australian contact information could be stored in the US and accessed under US law.

A spokesman for Mr Robert said the uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only, and it will not be stored in the US.

“Australia has not passed legislation that would allow it to operate and share data under the US CLOUD Act,” the spokesman said.

“Keeping Australian data in Australia will also be guaranteed through a determination through the Biosecurity Act and legislation.

“It will be a criminal offence to transfer data to any country other than Australia. A penalty of imprisonment for five years and/or 300 penalty units ($63,000) could apply to breaches of the direction.”

The spokesperson said the keys used to decrypt data and mobile numbers will be managed through Amazon Web Services’ Key Management System which he said was a widely used security service that has been previously assessed by the Australian Cyber Security Centre.

“This is exactly the same way the Australian Government already uses AWS for many other agencies, including the work of our intelligence agencies, including ASD, and ensures Australian data stays in Australia.”

The spokesperson said Australia had not passed legislation that would allow it to operate and share data under the US CLOUD Act.

“The Minister has the utmost confidence in how the information is being managed.”

It is understood that if the government requested data from AWS under the US CLOUD Act, AWS would be able to reject that request under US law because compliance with the request would constitute a criminal offence under Australian law.

The government argues that data collected by the app is the digital equivalent of the type of information that contact tracers collect through face-to-face interviews with those testing positive.