The Department of Internal Affairs will encrypt all data it stores in Microsoft's New Zealand cloud region as part of its population register rebuild.

The department is revamping its register systems in a programme called Te Ara Manaaki and selected Microsoft’s Azure cloud platform, in Auckland, as its cloud provider.

"As part of our normal implementation of risk assessments, controls will be applied to ensure security of data," a DIA spokesperson told Reseller News.

The statement comes after concerns were raised about the US Cloud Act, which effectively makes data in any US owned cloud service subject to US laws no matter where the data is actually stored.

"All data stored within the Azure cloud platform will be encrypted with a private key known only to DIA," the spokesperson said. "Should any New Zealand data be sought under the US Cloud Act, the request would first be subject to a legal process and without our cooperation the data would be meaningless without first being decrypted."

Doug Dixon, the CEO of local cloud provider Catalyst Cloud, took issue with both statements. The first, he said, was "simply unrealistic from a technical perspective" because it meant customers in Aotearoa would have to do encryption and decryption entirely outside of the "US cloud", reducing the latter to being nothing more than a "slow network storage service for encrypted data".

The second point was "simply wishful thinking", he added.

"The US Cloud Act allows the US to compel the production of data held abroad. Given US cloud providers have access to our data, despite encryption, their technicians can access data if compelled by the authorities," he said.

"Even if we pretend that the courts in Aotearoa had power of veto, it is easy to see the danger of consistently refusing requests of the country that owns the services that power our country. In reality, pressure builds, lines get blurred, and data gets spilled."

At its heart, Te Ara Manaaki is a programme for supporting more online uptake of services. It has already supported new online experiences such as the first-time passport application system, verified RealMe and there are also plans for a new online citizenship application service.

“The civil registration system is changing because, while customers can already order birth, death and marriage certificates online, our system is expensive to maintain and no longer fit for purpose,” registrar-general of births, deaths and marriages Jeff Montgomery said last week.

DIA had listened to customers, stakeholders, and its own people, and undertaken research to learn what was important to shape its services, he said, while also announcing Microsoft's NZ cloud region had been chosen to host the new civil registration system.

"We are focused on giving individuals the ability to access, curate and share their data, rather than it being government capturing and sharing data without consent – we want to move away from that approach.”

Microsoft cloud decision "extraordinary"

However, Dixon said It seemed extraordinary that a key government system, "the basis for a person in New Zealand to assert and verify themselves as a New Zealander", could be hosted in systems owned and operated by another country.

"We believe highly sensitive and important data about births, deaths and marriages should be held by New Zealanders, under New Zealand law, in perpetuity," Dixon said.

"To be clear, data held onshore by an overseas owned cloud provider is not, and can never be, under the exclusive control of New Zealand."

Countries could unilaterally assert global jurisdiction over their companies, including subsidiaries in other countries, he said.

"For example, the United States can exert legal and other pressures on US cloud providers in New Zealand. This includes the application of laws such as the US Cloud Act and FISA 702, which can require them to hand over personal data to US authorities, without any authorisation from New Zealand courts."

Dixon also asked what consultations had been held with Māori before the decision to use Microsoft's cloud service.

"Although there is talk of an opportunity for the government to strengthen its role as a Treaty partner, this good intent is fatally undermined," he said. "Article II of Te Tiriti o Waitiangi promises tino rangatiratanga [absolute chieftainship, or sovereignty] over taonga [treasures], which includes Māori data.

"By exposing Māori data to US jurisdiction and surveillance, out of sight of Te Tiriti and out of Māori control, this is not only a missed opportunity but a significant step backwards.

"This is bad news for Māori, and bad news for all New Zealanders."

DIA, however, had been working with iwi advisors and experts to decide if and how the Crown should collect data about people’s iwi affiliation. It saw the new civil registration system as an opportunity for the government to actually strengthen its role as a Treaty partner.

The Crown stopped recording iwi affiliation information in 1961 so people have no easy mechanism to identify themselves as Māori to the government, nor to identify themselves as affiliated with an iwi or hapū group.

After initial engagement, in 2021 a group of iwi advisors was established to consider this issue. Whether that consultation covered issues of data sovereignty is not known but the department told Reseller News more detailed information would be released over the next week.

Dixon also saw DIA's cloud move as a missed opportunity to invest in New Zealand technology companies and to build national capability and resilience.

"New Zealand is already heavily dependent on overseas cloud providers for the day-to-day running of our nation. We depend on their products, features, prices, availability, terms and conditions, all of which are completely outside of our nation’s control.

"We believe New Zealand must act decisively to build our own cloud capabilities, and reduce our strategic weaknesses."

Dixon pointed to Australian government services minister Stuart Robert who said there was a case now being explored for Australian datasets to be in Australian data centres, run by Australians with Australian providers, and securely housed and routed within Australia.

"We believe New Zealand needs to take stock, consider the long term loss of sovereignty that we have set in motion, and react positively," Dixon said.

A foot in both camps

Datacom is both a Microsoft cloud partner and an independent provider of local infrastructure as a service and hosting services. With a foot in both camps, Reseller News asked the company to outline how it advised clients to manage sovereignty in their shift to the cloud.

Ross Delaney, director of cloud services at Datacom, said data sovereignty was something that came up during virtually every discussion Datacom had with cloud customers.

"With legislation not yet in place, we’re hearing that many organisations are confused and concerned when it comes to how to store their data, who has access and what is required of them from a compliance point of view," Delaney said.

"This in turn has likely impacted the speed at which migrations are taking place, with many first needing to conduct a risk analysis to ensure their cloud approach is in fact the right one."

Datacom's view was that overseas cloud providers had much to offer local organisations – particularly from an innovation and scale point of view. However, there would also always be a need for local or "sovereign" cloud options given the increased focus, and in some cases legal requirement, to keep certain data in Aotearoa.

This was why Datacom believe in a hybrid approach to cloud where customers could choose to keep their data in multiple clouds, whether that be for legislative, cultural or other reasons, Delaney said.

"When selecting which cloud is right for them, one thing we encourage customers to do is to undertake a risk assessment when looking to move data between platforms, ensuring that relevant legislation such as the Privacy Act are considered, as well as any cultural or social license they may have from the customers or the citizens they serve."

