Comment

Australia’s encryption law threatens NZ cloud data

With data from Government agencies and some of our biggest companies hosted on Amazon's Sydney cloud platform, Richard MacManus asks what are the implications for Kiwis of controversial new Australian legislation.

Earlier this month, the Australian government rushed through a controversial anti-encryption bill that could have ramifications for tech companies all over the world. The legislation, dubbed the Assistance and Access Act, makes it mandatory for any organisation whose website or data is hosted in Australia to give authorities access to their IT system if requested.

That could mean providing a backdoor to an encrypted system, or “assisting” authorities to implant malware or otherwise undermine the organisation’s security.

As I noted last week, Amazon’s local AWS cloud platform is based in Sydney and hosts data from many of New Zealand’s biggest organisations – including Xero, Orion Health and GeoNet. Even some of our Government agencies host data on AWS. So this law, which has no precedent elsewhere in the western world, must be a big concern for AWS.

I approached both AWS and Xero for comment. I didn’t hear back from the former, and the latter would only say that it’s “carefully assessing how it will impact Xero and its customers”.

I can understand the reticence of AWS and Xero to offer their opinions. The reality is, this law threatens the ongoing privacy and security of their customers. It even invites the question: should New Zealand organisations continue to host their data offshore?

It’s a particularly important question for our Government to consider. After all, we do not want our citizens’ data to be compromised due to over-zealous Australian politicians.

It’s an even more pertinent issue because our Government has gone all-in on cloud computing. It has a “Cloud First” policy, which means that Government agencies are “required to use public cloud services in preference to traditional IT systems”. It’s also left up to each agency, individually, to carry out their own risk assessments.

Interestingly though, it doesn’t seem to matter much whether the data is hosted in New Zealand or offshore. The policy only requires agencies to “store data classified as restricted or below in a cloud service, whether it is hosted onshore or offshore”.

When I spoke with AWS NZ boss Tim Dacombe-Bird for last week’s column, he told me that AWS does have some New Zealand government agencies as customers. He estimated that 90-95 percent of public sector data is classified such that it can be deployed in Sydney.

For the remaining 5-10% percent of data, he said, there may be a legal requirement for it to be housed in New Zealand and AWS cannot host the data in its Sydney region. In all instances, Dacombe-Bird recommends that customers work with their regulators to ensure compliance.

So if we take AWS figures as guidance, 90-95 percent of Government agency data is eligible to be hosted in offshore cloud facilities. That seems like an awfully high figure, especially when Aussie authorities can go snooping in that data any time they like now.

Catalyst Cloud co-founder Don Christie thinks our Government “has not been doing enough due diligence in this area”.

“There is a sense of cultural cringe about their drive to put New Zealand citizens’ data and processing on overseas platforms beyond the jurisdictional control of Kiwis,” Christie told me. “This will become a growing issue as we see the attempts of overreach by legislation – such as the Patriot Act in the US and the encryption access bill in Australia.”

Christie believes hosting Government data offshore “not only makes New Zealand susceptible to foreign interference, but weakens the trust and protections New Zealanders might have in these platforms”.

Overall, Christie sees the offshoring of our data as a key sovereignty issue for our country.

“Just as New Zealand would not outsource its electric power generation to foreign lands,” he said, “nor should it be outsourcing its compute power. Our economic future lies in our data – we should retain control.”

It’s a great point, especially when you inspect the nitty gritty of Australia’s new anti-encryption law – the full title is the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. My biggest takeaway: if there is sensitive New Zealand Government data being hosted in Australia, then it’s now completely outside of our control thanks to this law.

The sheer scope of the legislation is understated in the 145-page “explanatory memorandum” [pdf]. For example, the document describes “new powers to secure assistance from key companies in the communications supply chain both within and outside Australia” and states that the legislation enhances “agencies’ collection capabilities such as computer access”. This use of otherwise benign terms like “assistance” and “access” cloaks what the law actually decrees: that companies must give Australian authorities the keys to their IT systems, if demanded.

While our local AWS office has yet to comment on the legislation, other US big tech companies have. The Reform Government Surveillance coalition, which counts Apple, Google, Facebook and Microsoft among its members (but notably, not Amazon), said in a statement that “the new Australian law is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities”.

Smaller tech companies, such as the password manager app 1Password, are now questioning whether they want to do business with Australia or its citizens. In a blog post, 1Password’s Jeffrey Goldberg suggested the company may ultimately have to “consider Australian nationality in hiring decisions”.

From a New Zealand perspective, this Australian law makes one thing very clear: it’s time for us to seriously re-consider whether our data, and particularly Government agency data, should be housed offshore.

Our Government, along with the four other Five Eyes partners, is currently obsessed with limiting the influence of Chinese telco Huawei. But this new Australian law is much more dangerous to our country.

After all, we have no idea if the Chinese government actually exerts any control over Huawei. But we know for sure that the Australian government can now do what it likes with any cloud data hosted in Australia, thanks to the AA Act.

If we’re trying to keep Huawei out for security reasons, then by the same token we should stop our data going in to Australia. Let’s not overlook the overreaching of our Five Eyes partners.