Australia’s new encryption law threatens NZ cloud data

Earlier this month, the Australian government rushed through a controversial anti-encryption bill that could have ramifications for tech companies all over the world. The legislation, dubbed the Assistance and Access bill, makes it mandatory for any organisation whose website or data is hosted in Australia to give authorities access to their IT system if requested. 

That could mean providing a backdoor to an encrypted system, or “assisting” authorities to implant malware or otherwise undermine the organisation’s security. 

As I noted last week, Amazon’s local AWS cloud platform is based in Sydney and hosts data from many of New Zealand’s biggest organisations – including Xero, Orion Health and GeoNet. Even some of our government agencies host data on AWS. So this bill, which has no precedent elsewhere in the western world, must be a big concern for AWS.

I reached out for comment from both AWS and Xero. I didn’t hear back from the former, and the latter would only say that it’s “carefully assessing how it will impact Xero and its customers.”

I can understand the reticence of AWS and Xero to offer their opinions. The reality is, this bill threatens the ongoing privacy and security of their customers. It even invites the question: should New Zealand organisations continue to host their data offshore?

It’s a particularly important question for our government to consider. After all, we do not want our citizens’ data to be compromised due to over-zealous Australian politicians.

It’s an even more pertinent issue because our government has gone all-in on cloud computing. It has a “Cloud First” policy, which means that government agencies are “required to use public cloud services in preference to traditional IT systems.” It’s also left up to each agency, individually, to carry out its own risk assessments.

Interestingly though, it doesn’t seem to matter much whether the data is hosted in NZ or offshore. The policy only requires agencies to “store data classified as restricted or below in a cloud service, whether it is hosted onshore or offshore.”

When I spoke with AWS NZ boss Tim Dacombe-Bird for last week’s column, he told me that AWS does have some NZ government agencies as customers. He estimated that 90-95% of public sector data is classified such that it can be deployed in Sydney. 

For the remaining 5-10% of data, he said, there may be a legal requirement for it to be housed in New Zealand and AWS cannot host the data in its Sydney region. In all instances, Dacombe-Bird recommends that customers work with their regulators to ensure compliance.

So if we take AWS figures as guidance, 90-95% of government agency data is eligible to be hosted in offshore cloud facilities. That seems like an awfully high figure, especially when Aussie authorities can go snooping in that data any time they like now.

Catalyst Cloud co-founder Don Christie thinks our government “has not been doing enough due diligence in this area.” 

“There is a sense of cultural cringe about their drive to put NZ citizens’ data and processing on overseas platforms beyond the jurisdictional control of Kiwis,” Christie told me. “This will become a growing issue as we see the attempts of overreach by legislation – such as the Patriot Act in the US and the encryption access bill in Australia.”

Christie believes hosting government data offshore “not only makes NZ susceptible to foreign interference, but weakens the trust and protections New Zealanders might have in these platforms.”

Overall, Christie sees the offshoring of our data as a key sovereignty issue for our country.

“Just as NZ would not outsource its electric power generation to foreign lands,” he said, “nor should it be outsourcing its compute power. Our economic future lies in our data – we should retain control.”

It’s a great point, especially when you inspect the nitty-gritty of Australia’s new anti-encryption bill – the full title is the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. My biggest takeaway: if there is sensitive NZ government data being hosted in Australia, then it’s now completely outside of our control thanks to this bill.

The sheer scope of the bill is understated in the 145-page “explanatory memorandum”. For example, the document describes “new powers to secure assistance from key companies in the communications supply chain both within and outside Australia” and states that the bill enhances “agencies’ collection capabilities such as computer access.” This use of otherwise benign terms like “assistance” and “access” cloaks what the bill actually decrees: that companies must give Australian authorities the keys to their IT systems, if demanded.

While our local AWS office has yet to comment on the bill, other US big tech companies have. The Reform Government Surveillance coalition, which counts Apple, Google, Facebook and Microsoft among its members (but notably, not Amazon), said in a statement that “the new Australian law is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities.”

Smaller tech companies, such as the password manager app 1Password, are now questioning whether they want to do business with Australia or its citizens. In a blog post, 1Password’s Jeffrey Goldberg suggested the company may ultimately have to “consider Australian nationality in hiring decisions.”

From a New Zealand perspective, this Australian bill makes one thing very clear: it’s time for us to seriously reconsider whether our data, and particularly government agency data, should be housed offshore.

Our government, along with the four other Five Eyes partners, is currently obsessed with limiting the influence of Chinese telco Huawei. But this new Australian bill is much more dangerous to our country. 

After all, we have no idea if the Chinese government actually exerts any control over Huawei. But we know for sure that the Australian government can now do what it likes with any cloud data hosted in Australia, thanks to the AA Bill. 

If we’re trying to keep Huawei out for security reasons, then by the same token we should stop our data going into Australia. Let’s not overlook the overreaching of our Five Eyes partners.