Australian government justifies decision to go with AWS for COVIDSafe

The Digital Transformation Agency also outlined the technical specifications given to Amazon Web Services to build it an app.
Written by Asha Barbaschow, Contributor

The Digital Transformation Agency (DTA) has provided further detail on the federal government's COVIDSafe coronavirus trace tracking application, including around the procurement of the solution from Amazon Web Services (AWS).

In response to questions on notice from a COVID-19 hearing held earlier this month, the DTA confirmed the contract, awarded to AWS under a standing arrangement between the cloud giant and the Commonwealth, cost a total of AU$709,059.37.

With AWS headquartered in the United States, concerns over the security of the COVIDSafe data were previously raised, with fears it could be accessed by US law enforcement.

A spokesperson for Minister for Government Services Stuart Robert told ZDNet at the time that the minister had "the utmost confidence in how the information is being managed".

"Uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only," the spokesperson said.

Lucie Krahulcova from the International Civil Liberties and Technology Coalition told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Wednesday, however, that Australia could not guarantee that data won't be shared by Amazon with US entities.

"Amazon is still an entity, it's a US-based entity, and when we get into a place where governments put provisions like this into legislation, there's simply no way unless there's a very expensive diplomatic undertaking and extreme carve-outs are sought, there's just no way to guarantee that," she said.

The DTA was asked if there was any legislation, policy, or practice in the United States that would prevent or mitigate any effort by US agencies to access COVIDSafe data.

The DTA said the Attorney-General's Department was better placed to answer such questions but said that AWS has no access to the national COVIDSafe data store.

Asked why it chose to go with AWS, excluding Australian entities from the procurement process, DTA CEO Randall Brugeaud said during the hearing that the services procured from AWS were much more extensive than the range of services provided by pure hosting providers.

The DTA expanded on this in response to questions on notice, saying the procurement of AWS provided the DTA with a combination of hosting, development, and operational support services for the COVIDSafe application and the National Data Store.

"Changes in supplier arrangements would have introduced an unacceptable risk to the on-time delivery of the application and likely resulted in higher cost to the Australian government, as the work already done may not have been transferrable to another supplier," the DTA said.

"Splitting work packages (hosting, development, operational support, etc.) would have introduced additional risk and complexity to the COVIDSafe system."

The statement of work required AWS to deliver four items: AWS Platform Design and Build; AWS Mobile Web App Build; AWS Admin App Build; and AWS Project Control.

It was specified that the National COVIDSafe data storage system must use protected certified cloud services and that the data held in the National COVIDSafe data storage system must be located in Australia.

Requirements also stipulated to re-use, where relevant, the source code provided by the Singapore government from its TraceTogether contact tracing app.

A long list of functional requirements was also created, including the ability for users to register to use the app by providing minimal personal information, specifically, a name, age-range, postcode, and phone number, as well as the ability of public health officials to view information in the health administration portal about close contacts for individuals who test positive with COVID-19.

Technically speaking, it was requested that the app be able to achieve targeted registration volumes of 3 million per hour and 5,000 per second, and achieve 9 million registration API requests per hour and 2,500 per second as a minimum.

The app, the government specified, should be able to achieve encounter upload volumes of 5,700 per hour and 1.58 per second, and achieve 34,200 API requests per hour and 9.5 per second. It should also be able to achieve temporary ID both volume and API requests of 18 million per hour, and 5,000 per second.

The app response time was required to be less than 0.5 milliseconds at the 95th percentile.

The privacy requirements for the app were in line with the legislation that entered Parliament last week -- such that it be consent-based, data encrypted, and no location information was to be scraped.

"The requirements listed above were tested with a 100 per cent successful pass rate prior to release," the DTA said.

Speaking with media last week on a virtual panel session, AWS Australia and New Zealand Country Director for Public Sector Iain Rouse said security was the cloud giant's number one priority.

"As far as the question around legislation duty, I think we have to go back to our position as an organisation which we really believe in," Rouse said.

"We've stated many times that security is our top priority and in relation to any legislation, our position around security stays the same and that is simply that we're committed to providing all customers, including government agencies who trust us with the most sensitive content, with the most extensive set of security features and services and we make sure that customers can maintain complete control of their data."


The DTA said functional and performance testing was conducted for the Apple iOS and Google Android versions of the COVIDSafe App prior to release.

It said 179 functional tests were conducted, including Bluetooth encounters between various device types, in various states, including the phone being locked and unlocked, and the application open and not open.

"All tests satisfied the baseline design requirements," the DTA said. "Performance tests were also conducted against the technical requirements."

The DTA said in these tests, the system "met and sustained the requirements and remained stable through the testing process".

"The successful testing results underpinned the Digital Transformation Agency's decision recommendation to release the COVIDSafe App into production," it explained. "Consistent with an agile development methodology, the DTA will continue to make iterative enhancements to the App."

The COVIDSafe App is supported on Android devices with Android OS version 6.0 Marshmallow or later and for Apple devices, it is supported on iPhone 5s and above, running Apple iOS version 10.0 or later.

"Earlier operating systems are not supported because they do not meet the minimum encryption and cybersecurity requirements," the DTA wrote.

According to the DTA, 98.7% of Australian Apple device users have the required iOS version and 92.9% of Android users have the required Android OS version.

As of Friday, the COVIDSafe app has had one update since it was released. The update included: A design update, including branding and what the DTA described as a clearer and simpler upload user flow in the event of a positive coronavirus diagnosis; the resolving of minor registration issues associated with the name field; notification message updates and fixes to resolve occasional looping to registration screen on iOS; as well as crash fixes for Android.

In response to a question on flaws that have been identified within the app, the DTA said it identified additional Bluetooth performance and security concerns and that enhancements had been found to improve the performance of the app.

"The DTA is in the process of developing additional Bluetooth performance and security enhancements," it added. "The DTA is also working with Apple and Google to understand the improvements they are making to Bluetooth and will consider incorporating their changes if they provide improved Bluetooth performance."

Additionally, the DTA said it monitors developments more broadly in other countries to assess whether other approaches to Bluetooth performance could be leveraged to further improve the performance of Australia's app.

The DTA said it would make iterative enhancements to the app to improve the user experience and performance.

As of Friday, Prime Minister Scott Morrison said more than 5.7 million Australians have downloaded the COVIDSafe app.

At the time of writing, the World Health Organization reported that there have been over 4.5 million confirmed cases, with over 307,000 fatalities as a result of the virus. Australia has reported just over 7,000 cases and 99 deaths.

There have been over 1 million COVID-19 tests undertaken in Australia and the country has seen social distancing restrictions lift in direct response to the positive response nationwide in efforts to contain the spread of COVID-19.


Editorial standards