Monday, 8 August 2016

#CensusFail: Dear Magistrate, sincerely Anna

Well this is one of the guarded front doors for all the world to see......

Alternative names:

Excerpt from High Tech Bridge, SSL/TLS Security Test, 29 July 2016:

The server does not prefer cipher suites providing strong Perfect Forward Secrecy (PFS). We advise to configure your server to prefer cipher suites with ECDHE or DHE key exchange.
The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.
The server does not send the HTTP-Strict-Transport-Security. We advise to enable it to enforce the user to browse the website in HTTPS.
The server does not send HTTP-Public-Key-Pinning header. We advise to enable HPKP in order to avoid Man-In-The-Middle attacks.
TLS_FALLBACK_SCSV extension prevents protocol downgrade attacks. We advise to update your TLS engine to support it.
Preferred cipher suite for each protocol supported (except SSLv2). Expected configuration are ciphers allowed by PCI DSS and enabling PFS:
TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness
TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness
TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256Misconfiguration or weakness
Third party content (such as images, JavaScript, or CSS) is loaded from external resources. Despite that for some web applications it can significantly improve loading time, it may also put website visitor's privacy at risk, as information about website visitors become accessible to these third-party content providers. ​Moreover, a third-party content delivered via HTTP and not HTTPS channel may also expose your privacy.
HTTP methods (or verbs) that are allowed by the server. Some may be dangerous if not handled properly by the application.

Now where are those back doors to all that sensitive personal information? Hmmmm....

Salinger Privacy, 6 August 2016:

Dear Magistrate,

In case the ABS is prosecuting me for non-completion of this year’s Census, I thought I should explain to you my reasons why I have decided that a boycott is the only moral position I can take.

The short version is this:  Yes to a national snapshot.  No to detailed data-linking on individuals.  That’s not what a census is for.

I have wrestled with what my personal position should be.  I am normally a fan of the Census.  It has an important role to play in how we as a people are governed.  As a former public servant with a policy and research background, I believe in evidence-based policy decisions.  As a parent and a citizen, I want good quality data to help governments decide where to build the next school or hospital, or how to best direct aged care funding, or tackle indigenous disadvantage.

But as a former Deputy Privacy Commissioner, and a privacy consultant for the past 12 years, I can also see the privacy risks in what the ABS is doing.

Months ago I wrote an explanation of all the privacy risks caused by the ABS’s decision to keep and use name and address information for data-linking, in the hope that reason would prevail.  I was assuming that public and political pressure would force the ABS to drop the proposal (as they did in 2006 when I was Chair of the Australian Privacy Foundation and we spoke up about it).  Lots of people (as well as one penguin, the marvellous Brenda, the Civil Disobedience Penguin), are now coming to realise the risks and speak out against them, but right now, just a few days out, it looks like the ABS is pushing ahead regardless.

There are those who say that we shouldn’t boycott the Census because it is too important.  To them I say:  Bollocks.  (If you pardon my language, Your Worship.)  We know where that ‘too big to fail’ argument leads: to more arrogance, more heavy-handed treatment of citizens, more privacy invasions.

And there are the demographers who say the Census data should be linked to other health records like PBS prescription records, because if we as patients were asked for our identifiable health data directly, we would refuse to answer.  To them I say:  Hello, THAT’S THE POINT!  It’s my health information, not yours.  You should ask me nicely, and persuade me about your public interest research purpose, if you want access to my identifiable health records.  Maybe then I will say yes.  But going behind people’s backs because they would refuse their consent if asked is not what the National Health & Medical Research Council’s National Statement on Ethical Conduct in Human Research is about.

This morning I suddenly realised: the ABS is behaving like a very, very bad boyfriend.  He keeps on breaking promises, pushing boundaries and disappointing you, but you forgive him each time.  You don’t want to call him out in case then he gets angry and dumps you.  So you just put up with it, and grumble over drinks to your girlfriends.

And this bad boyfriend keeps saying these reassuring things, like “oh we’ll only keep the data for four years”, and “the names and addresses are in a separate database”.  To that I say:  Nice try, but that’s a red herring.

Although there are certainly heightened privacy and security risks of accidental loss or malicious misuse with storing names and addresses, the deliberate privacy invasion starts with the use of that data to create a Statistical Linkage Key (SLK) for each individual, to use in linking data from other sources.  Please don’t believe that SLKs offer anonymity.  SLKs are easy to generate, with the same standard used across multiple datasets.  That’s the whole point: so that you can link data about a particular individual.  For example, Malcolm Turnbull would be known by the SLK URBAL241019541 in the type of datasets the ABS wants to match Census data against, including mental health services (yes, mental health!) and other health records, disability services records, early childhood records, community services records, as well as data about housing assistance and homelessness.

Anyone with access to these types of health and human services datasets can search for individuals by generating and searching against their SLK.  All you need to know is their first and last names, gender and date of birth.  Scott Morrison is ORICO130519681.  Kylie Minogue is INGYL280519682.  Deltra Goodrem is OOREL091119842.  Now tell me that their privacy will be absolutely protected if their Census data is coded the same way.

Never mind four years; the ABS could destroy all the actual name and address data after only four days or four seconds – but if they have already used it to generate an SLK for each individual Census record, the privacy damage has been done.

(Oh, and that line about how “we’ve never had a privacy breach with Census data”?  To that I say:  Great!  Let’s keep it that way!  DON’T COLLECT NAMES.)

So I say no.  No.  I am not putting up with that bad boyfriend any longer.  I believe in the importance of the Census, which is why I am so damn pissed off (sorry again Your Worship) that the ABS is being such a bad boyfriend to the Australian people: trashing not only our privacy, but the value of our data too.  It’s time to break up with them.

I have come to this decision with a heavy heart.  I am normally a law-abiding citizen.  Plus, I don’t really fancy facing a $180 fine for every day that I refuse to comply with a direction to complete the Census, with no cap on the number of days.  (Seriously, what kind of heavy-handed law is that?  Are you really going to keep hitting me with daily fines for the rest of my life, Your Worship?)

I know that I could give the ABS misinformation instead.  Say my name is Boaty McBoatface and that I am a 97 year old man living with 8 wives, that I have 14 cars, my language at home is Gibberish and that my religion is Jedi.  Giving misinformation is a common, rational response by about three in ten people who want to protect their privacy when faced with the collection of personal data they have no choice about.  Of course, that is also a crime in relation to the Census, but at least that one maxes out at an $1,800 fine.

But I won’t do that, because I do believe in the integrity of the census data.  I don’t want people to have to give misinformation in order to protect themselves.  We shouldn’t be placed in that position.

The definition of ‘census’ is “an official count”.  I actually want to stand up and be counted.  Butonly counted; not named or profiled or data-matched or data-linked, or anything else.  The privacy risks of doing anything else are just too great.

I have thought about just refusing to provide my name.  But even if I don’t give my name, if the ABS is determined to link my Census data with other datasets, there would be enough other information in my Census answers (sex, age, home address, previous home address, work address) to let them proceed regardless.  It won’t be enough to protect my privacy.

So until the ABS reverses its decision to match Census data about individuals with other datasets about individuals, I am not going to answer the Census questions at all.

I am sorry, Your Worship.  I don’t like being forced to choose, because I believe Australians deserve to have both good quality statistical data for government decision-making, AND their privacy respected.  But on Tuesday night, I will choose privacy.

The Census should be a national snapshot, not a tool for detailed data-linking on every individual.  Now convict and fine me if you disagree.

Yours sincerely,

Anna Johnston

No comments: