The fight to store our information is being fought not just on the battlefield of speed and price, but now on energy and water sustainability, and in the airy heights of data sovereignty
New Zealanders’ vaccine records are being kept on overseas-based Amazon cloud servers, prompting calls that the data be repatriated.
Iwi Māori organisations are leading a charge to keep their information in NZ, under their control, and with providers whose values align with theirs – and the information on My Covid Record and My Vaccine Pass is seen as an example.
The privacy note for My Covid Record says it’s hosted on Amazon Web Services in Australia. And Ministry of Health group manager of national digital services Michael Dreyer confirmed the data for My Vaccine Pass was sourced from the Covid-19 Immunisation Register, hosted on the Salesforce platform in Australia.
“At present these cloud services do not have data centres in New Zealand,” Dreyer said. “The Ministry is aware both AWS and Microsoft are working to change this, at which time we may investigate options to migrate data back to New Zealand.”
Hiria Te Rangi, the kaiwhakahaere of healthy housing organisation Whare Hauora, said the vaccination data should be brought back to New Zealand. “From my perspective, yes all personal health data, regardless of type should be held in Aotearoa,” she said. “I bet many would be amazed and a bit shocked to find that vaccination data, at least, is either in Australia or America.”
She questioned how the people of Aotearoa could have authority over their data if they didn’t know where it was, which laws applies to it, who had access to it, and who it was being shared with.
“We as a people are not asked, or even told what is happening to our own health data,” Te Rangi said. “Did we know that our vaccination data is not stored in New Zealand? Did we know that our health information is shared with private companies? To help the Ministry of Health with the running of the ministry yes, but they are still private companies.”
Ben Tairea, the managing director of data platform Āhau, agreed. “Whakapapa is an integral part of our communities and that information is really important,” he said. “Not only does it speak to how we connect to each other, it also speaks to our connections to the land, and ownership rights over certain property.”
Āhau is a whānau data platform that offers to help communities keep track of whānau whakapapa information, preserve and share cultural records and narratives, own and control whānau data and servers, and build a stronger sense of whānau, community and identity.
“Data can be a very powerful tool as a community starts to mature, and develop an aspiration to grow. I think this is definitely an aspiration around the data being held in Aotearoa, and what that means from a legislative standpoint, from an infrastructure standpoint.”
– Ben Tairea, Āhau
Tairea said the service enabled communities in New Zealand and the Pacific to bring together their collective knowledge, to reinvigorate their cultural heritage and identity.
“Some people know the waiata, some people know the haka, some people know the whakairo, there is all sorts of skills and knowledge across the communities,” he said.
“We also see communities that are very much thinking about the demographic data, and the people within the community and who might need help, where people are living, what skills that people have. Data can be a very powerful tool as a community starts to mature, and develop an aspiration to grow.”
That’s why they wanted their data kept in Aotearoa, he said.
One of Āhau’s iwi customers asked that its data be stored on servers of New Zealand company Catalyst Cloud, because the company’s three data centres were in Aotearoa, and because they saw there being stronger values alignment than with overseas-owned cloud storage firms.
Catalyst Cloud owns data centres in Porirua and Wellington, and leases space in another in Hamilton (thought to be Datacom’s Kapua data centre).
The company’s new chief executive Doug Dixon is now stepping into the debate about repatriating New Zealand data, and he has the backing of some in the Māori tech sector.
In 2019, Newsroom reported that the Department of Conservation had agreed to remove the kākāpō genome from Amazon Web Services cloud servers at a data warehouse near Sydney, and to move it back to a New Zealand-based database.
But other “digital twins” of New Zealand’s native landscapes, sights and sounds would continue to be stored overseas – and there are advocates of repatriation who argue that’s not good enough.
New Zealanders’ personal information
Doug Dixon argued the overseas companies building data centres in New Zealand couldn’t guarantee to keep sensitive data safe from foreign governments.
He said the storing of My Covid Record vaccination information on Amazon’s overseas cloud-based servers was a clear example of sensitive data that should be retained under local control.
The Government should require any vaccine certificate data to be repatriated to New Zealand-owned servers. “Absolutely. That’s an example of data that needs the full protection of New Zealand infrastructure and New Zealand law. They should repatriate it.”
Dixon pointed to America’s CLOUD Act, which he argued would require those companies to hand over data to the US Government. “While both Microsoft and Amazon are in the throes of building local data centres, which means data they hold will ‘reside’ in NZ, data residency is not data sovereignty.”
Amazon Web Services disagreed. A spokesperson said the the CLOUD Act applied only to a narrow category of data: to seek evidence about a crime affecting a US citizen or a crime committed in the United States.
In September, Amazon Web Services announced a $7.5 billion investment to build new a new “cloud region” in New Zealand by 2024, spending $7.5 billion on at least three data centres around Auckland.
The company, which hosts data for some of New Zealand’s biggest corporates and government agencies, said this would provide their customers with data residency preferences the choice to securely store their data in New Zealand.
And the same month, the company launched a New Zealand Information Security Manual conformance pack, developed in conjunction with the Government Communications Security Bureau to help government agencies and New Zealand organisations continuously assess the compliance of their Amazon cloud environment against more than 150 security controls.
“Amazon Web Services is vigilant about our customers’ privacy and security,” spokesperson Pam Wong said. “Our customers own their data, control its location, and who has access to it.”
She said disclosure under the CLOUD Act required a formal warrant obtained through “rigorous, legal processes” to ensure compliance with the law. “It does not grant law enforcement agencies unfettered access to data stored in the cloud.”
Microsoft is also building a cluster of three data centres in Auckland. The company’s national technology officer Russell Craig said that would help customers to meet their local data residency needs, as most Microsoft Cloud services enabled customers to specify where their customer data would be stored.
The CLOUD Act amended US law so law enforcement could compel US-based service providers to disclose data in their possession, custody, or control, regardless of where that data was located, he said. “This law, however, does not change any of the legal and privacy protections that previously applied to law enforcement requests for data – and those protections continue to apply. Microsoft adheres to the same principles and customer commitments related to government demands for user data.”
Rising electricity consumption
Data centres are using growing quantities of electricity worldwide but despite that, those being built in New Zealand are mostly near their North Island customers – not near the hydro lakes of the South Island. Neither Catalyst Cloud, Amazon Web Services nor Microsoft was willing to disclose how much electricity its data centres use, variously citing security and commercial sensitivity.
Doug Dixon said all three data centres (the two they owned and the capacity they contracted in Hamilton) were powered by Meridian, the country’s biggest renewable electricity generator. Catalyst’s Wellington and Porirua data centres were already certified renewable, but he could not speak for the Hamilton centre.
The company didn’t disclose how much power it used, as this would provide an indication of how data they stored. “It would give our competitors and the public a picture of how big we are commercially,” he said. “I would like us to double in size every year. You might say, that’s bad because we’re using more electricity. But more renewable energy being used here means less coal being burned to power the Australia data centres.”
A study by Dutch academics Martijn Koot and Fons Wijnhoven, published this year in the science journal Applied Energy, forecasts that data centres will consume 500 to 1000 terawatt hours of electricity by the year 2030.
To put that in perspective, 1000 TWh is more than 20 times New Zealand’s entire electricity production – and that’s why there is increasing worldwide concern about the power usage of data centres.
The Netherlands academics and other experts warn of the impact of the growth in data centres on global greenhouse gas emissions. The US Department of Energy says the power used by one large data centre is equivalent to that consumer by about 80,000 US households.
Companies like Amazon Web Servers, Microsoft and Catalyst say they are becoming more efficient and using less energy. Amazon’s announcement of New Zealand data centres follows announcements from Microsoft, Australia’s CDC and UK-based Lake Parime or similar, albeit smaller, centres in NZ. Only Lake Parime’s is to be built in the South Island, near the hydro lakes.
But Russell Craig cited a study commissioned from WSP USA, finding that for localised deployments, Microsoft Cloud was 79 to 93 percent more energy efficient than a traditional on-premise data centre. “We continue to focus on R&D for efficiency and renewable energy and will also launch a new data-driven circular cloud initiative using the Internet of Things, blockchain and artificial intelligence to monitor performance and streamline our reuse, resale and recycling of data centre assets, including servers,” he said.
‘Imperative for national resilience’
Doug Dixon was publicly named as the new Catalyst Cloud chief executive this week, though he has already begun work in the role. He told Newsroom that he had begun his tech career working in retail, like travel company lastminute.com and online furniture retailer mydeco.com – and selling lounge suites, an outage might not be the end of the world.
But it was when he went to work for the telco Kordia, then ACC and ANZ, that he realised how critical is was to provide secure storage of sensitive data like health and banking records. “I have learned first-hand how vital it is for New Zealand to have a locally owned cloud provider,” he said.
With public cloud spend in New Zealand expected to grow year on year by more than 22 percent, Dixon saw this as both a huge opportunity but also a cause for concern.
“We should all care that, as a country, we have outsourced our critical infrastructure to other countries, pouring billions of dollars into overseas cloud providers,” he said. “While we welcome international investment in Aotearoa’s digital economy, it is vital that we have out own sovereign cloud computing infrastructure.
“Investing in Aotearoa’s own cloud is imperative for our national security, data privacy, data sovereignty, inclusion, resilience and economic prosperity.”
Catalyst Cloud chair Gavin Thompson backed the call for locally-owned cloud infrastructure, “keeping data and revenues safely in New Zealand”.