Coronavirus: WA, Qld Covid check-in data accessible to foreign authorities
The WA and Queensland Covid check-in apps feature warnings that information may be disclosed to overseas governments.
Foreign government agencies have had the ability to access data collected via Western Australia’s and Queensland’s Covid check-in apps, according to the terms and conditions of the mandatory systems.
The decision by both states to use international tech giants Amazon and Microsoft to host the data appears to have opened the possibility for overseas law enforcement and other agencies to access the information, although it is unclear if any such access has been sought.
The legal frameworks underpinning the apps have been under scrutiny following revelations this week that WA Police had used the state’s SafeWA check-in app to assist with two serious criminal investigations, despite promises from the government that the compulsory app would only ever be used to assist in Covid contact tracing. The WA government on Tuesday introduced emergency legislation aimed at closing the loophole.
The terms and conditions of the WA and Queensland apps note that the storage of the check-in information is hosted by Amazon Web Services and Microsoft Azure Cloud Services respectively. They both feature near-identical warnings that the two software giants are “subject to both Australian and overseas laws that may require the disclosure of your information (in limited circumstances) to government authorities here and overseas”.
While the data in both apps is encrypted to help protect it from external attack, the WA app’s conditions note that both Amazon and GenVis – the Perth-based technology company that developed the SafeWA app – hold encryption keys.
According to the terms and conditions of Check In Qld, the encryption keys for the data collected through the app are with the Department of Communities, Housing and Digital Economy.
Neither the Service Victoria nor the Service NSW check-in app features warnings in its terms and conditions similar to those in the WA or Queensland apps, although the Victorian app notes that personal information may be handed over for law enforcement or to investigate unlawful activity, or to a commonwealth security agency.
The commonwealth’s own COVIDSafe app is protected by legislation that specifies that the data collected must “be stored in, and not disclosed outside of, Australia”.
It also specifies that the data can only be accessed by the police or Director of Public Prosecutions “to investigate and prosecute alleged breaches of the Privacy Act in relation to the handling of Covid app data”.
Julia Powles, an associate professor of law and technology at the University of WA, said the police access to the data and the provisions for access by overseas authorities were “staggering”.
“This absolutely guts public trust,” she said. “You go from a position where you say ‘well surely this does what it says on the tin’ to now where you don’t need to be a conspiracy theorist to say ‘well I don’t know now where this is going and who is getting access, and how can I get a good assurance that it hasn’t gone elsewhere’.”
The success of the apps, she said, relied on the public being confident they would not be used as a “Trojan horse” to track people’s whereabouts for other purposes.
“They say they’re now closing this loophole, but have there been other requests and does the government even know, especially on that overseas question?” she said.
A spokesman for Queensland’s Department of Communities, Housing and Digital Economy confirmed that data held by Microsoft could be provided to overseas authorities but said there had been no notifications of any such access.
“Microsoft are obliged to inform the state of any disclosure to any overseas authority,” she said.
A spokesman for Amazon Web Services said the company did not disclose customer information in response to government demands unless it was required to do so to comply with a legally valid and binding order.
“Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of AWS products or services, AWS notifies customers before disclosing content information,” he said.
The spokesman said the US CLOUD Act did not give law enforcement agencies unfettered access to cloud data, but enabled US agencies to seek evidence about US crimes. “It’s highly unlikely that SafeWA data could be relevant to a US crime,” he said.