Global tech giant Amazon may not be able to protect Australian Government data held in its Australian servers — including data gathered by the COVID-19 tracing app released on Sunday — from US subpoenas, according to legal experts and crossbenchers.
- Data from the Government’s new COVIDSafe tracing app may be currently obtainable by US law enforcement via the CLOUD Act
- While COVIDSafe data will remain in Australia, it is held by US-based company Amazon, which can be legally compelled to provide that data to US law enforcement
- Amazon was awarded the contract for the COVIDSafe app data storage over several Australian-based cloud services
The COVIDSafe app is designed to help identify who a COVID-19 positive person has met while infected, speeding up the contact-tracing process.
The Government has defended its decision, revealed last week by the ABC, to award the app’s data-storage contract to Amazon cloud subsidiary Amazon Web Services (AWS), a US-incorporated business subject to the US CLOUD Act.
The CLOUD Act is a 2018 US law which requires American cloud services to produce, under subpoena, data held by them regardless of where in the world that data is stored.
The Australian Government initially told ABC News data held by Amazon would be protected from the CLOUD Act, but Australia’s peak legal body, the Law Council, disagreed, saying that under current arrangements the appeal avenues under the CLOUD Act “would not have application” in Australia.
The Government has also pointed to a Ministerial Determination issued on Saturday by Health Minister Greg Hunt, which it says will also protect the data. The Law Council and two crossbenchers said that was not certain.
The federal crossbenchers told ABC News they were concerned the Government had created an uncertain legal situation around the COVID-19 app.
“I think the application that has been proposed by the Government, and that is now available for download, is a useful application and it will help to save lives, however there are certainly still some grey areas in respect of privacy,” federal crossbench senator Rex Patrick said.
“There will be some people in the community who will rightly be a little bit anxious about downloading this application.”
The data created by the tracing app will be encrypted, stored on your phone, and not shared with anyone, unless you test positive to COVID-19.
If that happens, health officials may ask you — but cannot compel you — to upload 21 days of your data. If you do, it is at that point that your data will be sent to the Amazon cloud.
It is only then that the US Government could use the CLOUD Act to compel Amazon to hand over data.
ABC News reported concerns by industry insiders and bureaucrats that giving Amazon the contract could mean COVIDSafe data was obtainable by the US under CLOUD Act subpoena.
The insiders spoke to the ABC on condition of anonymity because they held contracts with the Government, or worked for the Government and were not cleared to speak publicly.
The Government rejected the concerns, saying its data held by AWS would be protected because of a provision in the CLOUD Act that allowed US companies to apply to refuse or modify US subpoenas seeking the data of foreign governments, if providing such information violated the law in that foreign country.
However, such appeals are only available if a country is designated under the US CLOUD Act as a “qualifying foreign government”.
A spokesman for the Prime Minister confirmed over the weekend that Australia was not yet designated a “qualifying” jurisdiction under US law but insisted the data would remain in Australia.
“Even without yet being defined as a ‘qualified foreign government’ under the CLOUD Act, Australia already ensures data from a range of government agencies, including our intelligence agency the Australian Signals Directorate, is kept in Australia,” he said.
More steps needed to become a qualifying foreign government
To be recognised as a “qualifying foreign government”, Australia and the US are required to sign a so-called “executive agreement” under the CLOUD Act, which must involve special legislation in Australia.
Negotiations for that agreement were first made public during a meeting between Home Affairs Minister Peter Dutton and US Attorney-General William Barr on October 7 last year.
“This is the way of the future between like-minded countries,” Mr Dutton announced in a statement that day.
Mr Barr said: “This agreement, if finalised and approved, will allow service providers in Australia and the United States to respond to lawful orders from the other country without fear of running afoul of restrictions on disclosure, and thus provide more access for both countries to providers holding electronic evidence that is crucial in today’s investigations and prosecutions.”
The October announcement noted the “bilateral agreement”, which would allow Australia to become a “qualifying foreign government” under the CLOUD Act, would be “underpinned by Australian legislation yet to be introduced” into Parliament.
ABC News can confirm the legislation to give effect to the agreement was only put before the House of Representatives in early March and, crucially, the bill — the Telecommunications Legislation Amendment (International Production Orders) Bill — has not been enacted.
That means Australia has no enforceable protection under the CLOUD Act until the bill is passed, which can occur at the earliest in the middle of next month, when Federal Parliament returns.
“It is the view of the Law Council of Australia that the review mechanisms in the US CLOUD Act would not have application to information held in Australia’s territorial jurisdiction, in the absence of Australia being recognised by the US as a ‘qualifying foreign government’ under that act,” the Law Council’s president, Pauline Wright, said.
When the ABC initially reported the concerns about the CLOUD Act, the Prime Minister’s office also said the Government’s position — that the data would be secure — was “being reinforced by a declaration under the Biosecurity Act”.
That declaration was made on April 25, the day after the ABC’s story was published.
The Law Council said the Biosecurity Act declaration may serve to protect the data.
“The fact that it would be an offence under the Biosecurity Act and a breach of our domestic laws is likely to be a relevant consideration to the enforceability of any US-issued warrant in relation to data held in Australia, and Australia’s compliance with any mutual legal assistance request by the US for such information,” Ms Wright said.
‘It is illegal, it will be illegal’
Government Services Minister Stuart Robert and Prime Minister Scott Morrison both used future tense when speaking publicly about Australian government law that would stop the transfer of the COVID-19 tracing app data out of Australia.
On Friday afternoon, Mr Morrison said: “It would — it is illegal — it will be illegal, for information to go out of that data store to any other person other than that for whom the whole thing is designed.”
On Saturday, a spokesman for Mr Morrison again used future tense when discussing the penalties of removing any COVID-19 data from Australia.
“The Australian Government will ensure it is a criminal offence to transfer data to any country other than Australia,” Mr Morrison’s spokesman said.
“These claims about US authorities are incorrect.
“We’re using the same approach we use to protect some of the highly sensitive data of the Australian Signals Directorate as we are for this app.”
When contacted for comment, an Amazon spokesman said questions about the CLOUD Act relevant to COVIDSafe data should be referred to the Australian Government.
In 2018, major US law firm Bryan Cave Leighton Paisner wrote an analysis of the CLOUD Act, in which they noted data protections of foreign governments such as Australia may not be enough to stop a lawful US government subpoena.
“Under the CLOUD Act, Microsoft will now be required to hand over to criminal prosecutors in New York emails held on Microsoft servers hosted in Ireland, regardless of the stringent EU data-protection requirements applicable in Ireland,” the firm wrote.
Senator Patrick told ABC News while the COVIDSafe app had a use, he was disappointed the contract went to US company Amazon.
“It’s nothing short of an absolute disgrace that this cloud contract was awarded to an overseas company,” he said.
“We have in effect just exported Australian dollars to the US, and at the same time, what we’ve done has caused some concerns in relation to the protection of the data that may be collected by the application.”
The Government has yet to explain why Australian cloud service providers — which have been security-vetted for precisely such a purpose — were excluded from the opportunity to apply for the contract.
Greens senator and digital rights spokesman Nick McKim said the CLOUD Act could apply to the COVIDSafe data.
“People who will be sitting in head office in Amazon in the US will not be covered by Australian law, they will be within jurisdiction of US law,” Senator McKim said.
“And the US role is abundantly clear … that US security agencies actually do have a claim on data that is held by a US company, no matter where that data is hosted in the world.”