Civil liberty groups dismiss guarantee on US not accessing COVIDSafe data

During a hearing on Australia's pending International Production Orders Bill, representatives from the International Civil Liberties and Technology Coalition said the government cannot guarantee that Amazon will not share data with United States entities.

Representatives from a coalition of technology experts and civil liberties groups have told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that the Australian government cannot guarantee United States authorities will not have access to data held by the COVIDSafe coronavirus contact tracing app.

Amazon Web Services (AWS) was handed the data storage contract for Australia's COVID-19 contact tracing app in April. With AWS headquartered in the United States, concerns over the security of the data were raised, with fears it could be accessed by US law enforcement.

A spokesperson for Minister for Government Services Stuart Robert told ZDNet at the time that the minister had "the utmost confidence in how the information is being managed".

"Uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only," the spokesperson said.

According to the minister, keeping Australian data within the country would be guaranteed by a determination under the Biosecurity Act and by legislation.

Under law, it is a criminal offence to transfer data to any country other than Australia, with a penalty of imprisonment for five years and/or 300 penalty units -- AU$63,000 -- being applicable to any breaches of the direction.

The COVIDSafe legislation entered Parliament on Tuesday.

"One of the things the government has sought to do is ensure individuals that their data won't be shared by Amazon with US entities and that data won't leave … it's not something that Australia can guarantee," Lucie Krahulcova from the International Civil Liberties and Technology Coalition said on Wednesday.

"Amazon is still an entity, it's a US-based entity, and when we get into a place where governments put provisions like this into legislation, there's simply no way unless there's a very expensive diplomatic undertaking and extreme carve-outs are sought, there's just no way to guarantee that."

Krahulcova was appearing before the PJCIS to discuss Australia's pending Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), which is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.

The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).

"Our concern, I guess, is about how the framework that's set up in the future and which countries have that direction over others and I would urge this committee to consider the sort of implications that creates for international regimes more broadly," Krahulcova said.

Appearing alongside Krahulcova was Sharon Bradford Franklin, who is also a US attorney. Both used COVIDSafe as an example to discuss the notion of a sovereign state using an international agreement only for its own benefit and attempting to introduce civil penalties into the agreement to achieve this.  

While implementation of the CLOUD Act would lift the blocking provision under the Stored Communications Act (SCA) and authorise US service providers to disclose data to foreign governments pursuant to an executive agreement, Franklin said the CLOUD Act does not serve as a basis for extraterritorial jurisdiction over foreign providers that Australia is asserting through the Bill.

The IPO Bill is intended to apply extraterritorially and would attempt to require the production of user data from service providers pursuant to international agreements, including executive agreements under the CLOUD Act. The coalition argues that the Bill treats the mere existence of a CLOUD Act agreement as the basis for jurisdiction.

The Bill would seek to subject service providers to civil penalties if they fail to comply.

Franklin said these provisions contravene the text and the spirit of the CLOUD Act.

"Something like interfering with slavery and enforcing human rights, I could see that as being a noble reason to interfere and exert that power, but here we have seen huge infringements and I'm not convinced with the challenges that exist within the Australian system that have been really amplified by TOLA, I'm not convinced that Australia should be seeking to assert such power," Krahulcova added.

Previously making a submission to the PJCIS, the group took issue with the Bill's omission of a requirement to tell subjects of data requests that they were under surveillance and also noted that Australia's Administrative Appeals Tribunal (AAT) falls short of the mark for judicial review, yet law enforcement under the Bill would be able to skirt judges and head to the AAT for approval.

The group includes Google, Reporters Without Borders, Electronic Frontier Foundation, Internet Society, and individuals such as Stanford cybersecurity expert Riana Pfefferkorn.
