Canberra has confidence in AWS' ability to securely store COVID-19 tracing app data

Contract handed to Amazon Web Services under whole-of-government cloud services agreement.
Written by Asha Barbaschow, Contributor

Amazon Web Services (AWS) has been handed the data storage contract for Australia's soon-to-be launched COVID-19 contact tracing app.

With AWS headquartered in the United States, concerns over the security of the data have been raised, with fears it could be accessed by US law enforcement.

A spokesperson for Minister for Government Services Stuart Robert told ZDNet the minister has "the utmost confidence in how the information is being managed".

"Uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only," the spokesperson said.

According to the minister, keeping Australian data within the country would be guaranteed through a determination through the Biosecurity Act and legislation.

Under law, it is a criminal offence to transfer data to any country other than Australia, with a penalty of imprisonment for five years and/or 300 penalty units -- AU$63,000 -- being applicable to any breaches of the direction.

On storing the decryption keys in the same location as the data, Robert's spokesperson told ZDNet the storage system keys would be managed through AWS' Key Management System (KMS), which has previously been assessed by the Australia Cyber Security Centre.

"AWS is vigilant about our customers' privacy and security," AWS told ZDNet. "Our customers retain ownership and control of their content stored in AWS. AWS provides tools customers can use to encrypt their data at rest or in motion, or customers can choose from a number of supported third-party security solutions.

"Content that has been encrypted is rendered useless without the applicable decryption keys."

Robert's office added that this is exactly the same way the Australian government already uses AWS for many other agencies, including the Australian Signals Directorate, and "ensures Australian data stays in Australia".

The contract forms part of the whole-of-government agreement AWS signed with the Digital Transformation Agency in June.

The deal allows all federal, state, and territory agencies and departments, as well as public universities and government-controlled corporations, to access AWS cloud services.

The arrangement comes by way of a "simplified procurement model", which has been touted as allowing agencies to save costs from the day they sign up due to the economies of scale.

See also: Morrison says using COVID-19 tracing app a matter of 'national service'  

Robert and Prime Minister Scott Morrison have been pushing the message that the government has been carefully working through the security concerns and technical assurances of the app before it goes live.

"Now, that app, the information, that is collected from that app, goes into a national data store that is fully encrypted and the Commonwealth government has no access whatsoever to the information into that data store," Morrison said, addressing media on Thursday.

"None. Zero. Zip. Nothing."

He reiterated that the information could only be unlocked by health officers at the state and territory level and in direct communication with the person who may find themselves at risk of contracting coronavirus.

"It's got one job. Just one job. We're not having it do other jobs. It will never do other jobs. It's for a time-limited period. It has the specific job of helping public health officials help you," he said.

"We've been listening carefully to the debate that has followed since I first indicated that we were going down this path, and we've been responding to that and we've been ensuring that the protections are built in, so this just does focus on this one job. We have no interest in it doing any other job. There is no geolocation. There is no tracking of people's movements. None of that is true."

The app, which is "coming soon", will be a rework of Singapore's TraceTogether.

TraceTogether app taps Bluetooth signals to detect other participating mobile devices in close proximity to allow them to identify those who have been in close contact when needed. 

The app is able to estimate the distance between TraceTogether smartphones as well as the duration of such interactions.

It identifies participating TraceTogether users who are within two metres of each other for more than 30 minutes. The data then is captured, encrypted, and stored locally on the user's phone for 21 days, which spans the incubation period of the virus.

Singapore has only had a 20% buy-in, but Morrison said Australia would need to at least double that for the initiative to work.

Former Shadow Minister for the Digital Economy and Human Services Ed Husic said in order to reach a successful buy-in, more assurances around privacy need to be given.

"If the government can't get its own members to use it, what faith would the broader public have in using this tracing app," he said.

"It needs to ensure the data that is generated through the app is only used for the purpose that everyone's been told it's being used for and that is to help prevent the spread of coronavirus in Australia and that we can track where people have been infected so that we can better deal with those outbreaks."

At the time of writing, the World Health Organization reported that there have been over 2.5 million confirmed cases, with nearly 176,000 fatalities as a result of the virus. Australia has reported 6,667 cases and 76 deaths.

More than 474,000 tests have been conducted across Australia.


Editorial standards