House debates

Tuesday, 12 May 2020

Bills

Privacy Amendment (Public Health Contact Information) Bill 2020; Second Reading

5:57 pm

Photo of Ed HusicEd Husic (Chifley, Australian Labor Party) Share this | Hansard source

I sometimes feel that, in the discussion around these elements of the nation's response to COVID-19, if at any point we do raise matters that are contrary or critical, then in some way we are considered treasonous or not supportive of the national effort in responding to this pandemic. Nothing could be further from the truth. The reality is that, where there is a call for national unity, we do want to be able to act in a way that delivers it. I note that, a number of times, people within the opposition have used the term 'constructive', and we have been constructive, by and large. But being constructive does not require us to be mute. It does require us to look, in a very objective way, at some of the things that are being proposed. And, where we believe recommendations or changes should be made, they should be put forward. There have been elements, where I am aware that both the shadow minister for health and the shadow attorney-general have put forward ideas with respect to elements of the privacy amendment bill. These changes are being made to this legislation. And, within the context of the COVIDSafe app, a number of times we have made the point that we support the app. Apparently this is the threshold requirement for any discussion around this matter—that, in some way, if we are critical of the app, we're not supportive of it.

We do want this app. We do recognise that the app has a role to play, as has been expressed by a number of speakers in this debate. I note in particular the contribution by the member for Indi, saying that we want to see this work—and also to pick up on the point made by the member for Gellibrand—because as a community we will be safer. In the case of what the member for Indi spelt out, in her community, like many others, the economic impact can be lessened. I totally get that as well. But I have been frustrated, in the context of the discussion around the app, about the government's preference for headlines over hard yards, where we have wanted them to actually get a few things done right in respect of this.

It is not enough for the government to say, 'Trust us' and then appeal to the community to just download the app en masse without having done the homework. In a number of cases it took quite a bit of time for this legislation to be released, despite the commitment made that it would be released promptly. We had a biosecurity determination put in place as a mechanism to deliver a certain level of protections, but it took time for that to happen. We were told that the source code, the building blocks—in effect the language that's used by the app to determine what is done and what isn't done—would be released. Then we were told that it would take a couple of weeks for it to be released. And now, from what I'm led to believe, the source code has been released, but it's not open source, so there are some hurdles in being able to obtain that.

There is another thing that has concerned Australians. The five billion Australians who have downloaded the app have done that on the basis of trusting the government to get this right. As I described earlier, a target was set in relation to this app, and then there was a walkaway from that target. We don't know whether 30 per cent, 40 per cent or 50 per cent of smartphone users would be required to hold onto this app. It's almost like attaching the target to a chocolate wheel and spinning it and at some point we'll reach what they need. We should have something definite from the government as to what is required in terms of the number of downloads—a target that is required to ensure public safety—and then do the things that will build trust.

One of the things I've been deeply concerned about is the awarding of the contract for the data storage to an overseas multinational, Amazon Web Services. Now, Amazon Web Services is a great company—no doubt. They have supported a lot of innovation, and a lot of effort online has been as a result of their offering. I'm absolutely in support of that. But, having said that, when Microsoft first got access to government data through its cloud services offering I was critical of that in this place. I also forewarned to Amazon and to Google that I would have the same view, because there are capable, competent cloud services providers that are Australian based, that are Australian generated and that have been vetted by government and can do this work. You need only go to the government's own websites that list half a dozen cloud services providers that have been vetted as being able to securely manage data in this country. Of that protected list, two of them are overseas multinationals: Amazon and Microsoft. The four others—NTT Australia, Sliced Tech, Macquarie Telecom and Vault—were overlooked by this government in its rush to provide the contract for COVIDSafe to Amazon Web Services.

Again, Amazon Web Services do work in my electorate and have supported community groups in my electorate, for which I've been enormously grateful. But I will not, as a parliamentarian, turn a blind eye to the requirement that we speak in the national interest where it's appropriate. And a lot of Australians have been concerned that an overseas multinational has been given carriage of this element of the COVIDSafe app, even though the government has said that it will be stored here and have tried to build an assurance to the Australian public that the data is safe. Even today in the Financial Review the head of AWS in Australia could not guarantee that foreign nationals would be prevented entirely from being able to access any of the data generated by the COVIDSafe app in the national data storage arrangements. They themselves have admitted that and have contradicted the Attorney-General's Department, which tried to give us an assurance contrary to this.

This could easily have been avoided if one of the accredited, certified cloud services providers was given that element of the contract. There are a lot of Australians who do take their privacy seriously. They should not have parliamentarians look down their noses at them about their desire to have their data protected, very securely, and about also wanting to see Australian firms being able to do this work if they're capable of doing so. My firm view is that the AWS contract should be taken away from AWS and provided to one of the providers that is on that protected list and is Australian based to build stronger confidence in the way that this app is managed and not just have five million Australians downloading this app, but many more. And we should, as a demonstration of good faith for the five million who did download this app, demonstrate that we take their privacy and their concerns seriously and that this data being managed by an Australian company on Australian soil should be taken seriously.

I'm not asking for us to cut corners. I'm not asking for us to create a lower standard for those companies—not by any stretch of the imagination. And I'm not being protectionist in expanding or extending to this parliament the argument that I'm making right now. As I said earlier and as I emphasise, the Australian firms have been asked by government whether or not they are capable of securely holding and managing sensitive government data. And they have met the government's expectations. They have shown that they are capable of doing this.

You cannot have an industry minister, in the middle of this pandemic, when reconsidering the impact on global supply chains, talking about the impact on Australian industry and the need for us to rethink the way we do business in this country to support Australian industry and then have another minister make a decision that is quite contrary to Australian industry, where that industry is capable of doing the job. I speak on behalf of not just the firms but the tech talent in this country that are quite capable of supporting and developing the app and of ensuring that the data is stored absolutely capably and securely and to the needs and expectations of not only the government but the public. I speak on behalf of those workers, the thousands of them across the country, the thousands that might even live in the member for Warringah's seat as well, as I know they live in my seat and the member for Gorton's seat. In all parts of the country, tech workers, more and more, are supporting these operations, be it within government, business or even the community sector, and would expect that their government would back Australian firms where they are capable of doing the work of managing sensitive data. They were absolutely ignored by this government.

What's interesting is that the public cloud offerings that were extended by Microsoft and Amazon to the Australian government, the US government would not accept. They would expect a higher standard of security and storage of data. So the US government would not accept a US firm offering, but the Australian government has. This is my issue with the way that the cloud services providers in this country have been shabbily treated by a government that reckons it looks after Australian firms but doesn't. This is why we've raised this issue in the substantive amendment that's been moved by the shadow Attorney-General.

The other thing is this—and I've raised this with parliamentarians: I am aware of the fact that the Australian Signals Directorate did an assessment on the security of Australian data on overseas servers. There is a quote going around, and I challenge the Minister for Government Services, the Attorney-General or the Minister for Home Affairs to tell me whether or not this is right—and I'm happy to be proven wrong on this. There is a quote going around about the overseas cloud services providers: 'There is still a risk that foreign nationals may be able to gain limited access to Australian government data.' This is why it's a serious issue. The Australian Signals Directorate has made those assessments about overseas multinationals providing public cloud services for the storage of sensitive Australian government data. The government recognises this as an issue. Even having done that assessment in the last 12 to 18 months, it has still provided a major contract to an overseas multinational to do this work. It's just wrong. This is the point I make: this government could generate massive confidence in this app by addressing the concerns of a sizeable part of the Australian public that do not like the fact that Amazon Web Services got this contract and that did react publicly to that. Their view should be represented in this chamber.

There are even simple things with the way that the app works—or doesn't work, I might add. I would make this observation. There are still older phones that are not capable of running the app. The issue of the iPhone has been well ventilated by the member for Gellibrand. The other issue, too, that people are worried about is power usage on the app. I think the member for Warringah observed that younger people might be a bit more au fait in using this app than older people. But even if you follow the advice of the app that says, 'Apply the power saver mode in the app,' if you go into the app itself to try to find that it's not there. If I then, for example, go into the battery option in settings on the iPhone, it's not there. If I then go into the app itself within the general settings of the iPhone and look at the app settings for the COVIDSafe app as to how to apply the power saver mode, it's not there. Now, it could be there. I'm not saying I'm a tech expert, by any stretch of the imagination. But make it easier for the general public who are not necessarily au fait with these things to be able to apply and use the app. It's these simple steps that have been made a lot more difficult and torturous to navigate in part, to use that dramatic phrase, that could easily be sorted out and should be sorted out with a mentality that is collaborative. That's what happens in the tech sector.

The member for Gellibrand rightly pointed out, for example, that acknowledging vulnerabilities in the app is not an admission of failure. I take on board some of the other points that were raised on the app. Yes, there will be problems. Yes, it will be buggy. Yes, it will need to be updated—absolutely. The government should embrace that if there is a problem with the app that they need to be a lot more forthcoming in acknowledging those problems and they need to respond to them more quickly than the time frame that the member for Gellibrand outlined earlier, where it took eight days for some problems to even get recognised when some in the tech community raised them. The quicker we address them, the more solid the app. The more confidence built in it, the greater usage by the Australian public. I then go back to the point that was rightly raised by the member for Indi: the more we get this used and the more we can track these issues the quicker we can raise the restrictions and the better our local communities and the nation will be as a result.

Comments

No comments