The government stores our most important data on US-owned cloud infrastructure, making it subject to US laws. Software architect Tamawera Owens explains.
Before blowing up your whole view of digital identity in New Zealand, let me assure you that you’ve probably done nothing wrong. You’ve likely sought to understand data sovereignty and you might even read privacy policies. You would be forgiven for trusting the government to protect the information you share with it. But what you might not know is your personal data – your digital identity – is governed by American law. And that comes with great risk.
We’ve been here before: In 1826, several Hauraki Gulf islands were sold for eight muskets. The next year, 3,000 acres of land was traded for 50 blankets. Our tūpuna making these decisions weren’t foolish, they just had incomplete information about the English concept of ownership and laws such as the 10-owner rule, which let individuals sell communal land without the consent of other owners.
History is now repeating itself due to lack of information. Like our tūpuna, many New Zealanders today don’t understand what’s truly happening with our data. If eight muskets once bought islands, what are we now trading for cloud convenience?
We’ve seen the government gut the expertise needed to oversee digital transformation, including dedicated Māori and Pacific data advisers and 1,120 roles (almost half of that workforce) from Health NZ’s data and digital teams. Alongside the Fast-track Approvals Act giving ministers the power to bypass normal checks and balances, there is an emerging pattern of the government prioritising speed over proper process. This is the same mindset now being applied to our digital infrastructure and identity systems.
Digital services are being modernised at a rapid pace. The government’s chief digital officer promises a seamless digital experience, developing an all-of-government app under the Service Modernisation Roadmap. Agencies are racing to deliver interfaces and integrated services. But fundamental questions about who controls the infrastructure – and which laws govern it – are treated as implementation details, not matters of national sovereignty.
There are two flagship apps used by the government: the Govt.nz app and NZ Verify (Whakatūturu App). The former is described as making it “easier and safer for people to access government services”, while the latter is used to verify international digital credentials. These are marketed as secure, privacy-protecting systems with credentials stored locally on your device.
While technically true, it’s fundamentally misleading.
The backend databases and authentication systems run on cloud infrastructure from Microsoft Azure, which stores data offshore, and Amazon AWS, which stores data locally in New Zealand. Despite the local storage by AWS, both American-owned companies are subject to US legal requirements including government surveillance capabilities and data access requests
I have three critical concerns with this:
- Our authentication data sits on US-owned servers, subject to American laws including the CLOUD Act.
- The RealMe system already stores login data offshore in Microsoft’s Azure cloud. New Zealand was the world’s first country to store citizen authentication data offshore in a public cloud. We set the precedent that this is normal.
- New Zealanders are told their data stays on their devices, but the infrastructure making the system work is controlled by foreign corporations under foreign legal jurisdiction.
The Crown has an obligation to protect our taonga, including our data. Te Kāhui Raraunga, the working arm of the Data Iwi Leaders Group, has detailed why this matters: Crown agencies must uphold Māori data governance requirements when procuring new technologies. But given the principles of Māori data governance – free, prior and informed consent, collective privacy, and data sovereignty – it’s unclear whether the Crown has truly considered the risks their flagship apps create.
Data sovereignty isn’t about where servers are located. It’s about who has ultimate authority when conflict arises.
When New Zealand data sits on American infrastructure, American law is the final authority. No matter how many policies we write, how carefully we word our contracts, we’ve ceded ultimate decision-making power to a foreign government.
This isn’t just a Māori concern – it’s a matter of national sovereignty affecting every New Zealander.
We’re at a crossroads. We can accept offshore storage because it’s cheaper and faster, pretend US corporations will respect our sovereignty, believe voluntary won’t become mandatory and assume nothing will go wrong, or, we can recognise that digital identity infrastructure is too important to risk with offshore corporations.
While the system works as designed, it’s built to depend on foreign infrastructure subject to foreign laws.
We can’t stop technology advancing, nor should we want to. But we can insist that critical national infrastructure – especially identity systems touching every aspect of our lives – remain under New Zealand control, operated under New Zealand law and subject to New Zealand courts. This is about sovereignty, self-determination, and the future we want to build.
