Thursday, 4 August 2016

Creating the Digital Australia Card in 2016: ABS Census has holes in its security fence

Hard copy version of the Australia Card, a national identity card rejected by the Australian population in 1987

The aim of the Census of Population and Housing is to collect accurate data on the key characteristics of the people in Australia on Census night, and the dwellings in which they live.

However, on census night 2016 (and every national census thereafter) the names and addresses of those completing the compulsory national survey, along with the names of others in the same household, will be retained to allow data matching across as many agencies as the Australian Bureau of Statistics will from time to time decide it requires to form a complete longitudinal profile of every person living in this country.

Given that the census requires all questions to be answered on pain of a legally enforceable penalty and given that the questions asked are of an intimate nature - including a person's bathing and toileting regime (Question 20) - I do not think it unreasonable for those compelled to respond to publicly query security measures the ABS has allegedly put in place to safeguard privacy.

Nor do I think it unreasonable for persons so compelled to refuse to record their names alongside their answers to the census questions in light of the legitimate concerns that remain unresolved.

Especially as it is clear that the security of any database cannot be fully guaranteed and the Australian Bureau of Statistics (ABS) is not immune from data breaches and illegal use of data by staff.

Indeed, as "Name of each person" (at points 2. & 53.) appears to be the only detail on the census form which is not couched as a question, I rather suspect that the ABS itself may not be entirely sure it has an enforceable right to compel a response, despite what is asserted in the Census and Statistics Regulation 2016.

That new regulation remakes the Statistics Regulations 1983, which in turn do not include "name" among the prescribed matters in relation to which statistical information may be collected, even though the Census and Statistics (Census) Regulation 2015 does.

How the statisticians have been laying down the groundwork for the creation of the longitudinal database capable of producing individual profiles......

Australian Bureau of Statistics Annual Report 2014-15:

The ABS worked closely with the National Mental Health Commission, the Department of Health, and the Department of Human Services to provide timely statistics on mental health by linking information on the use of medical services with Census data.

A pilot project to inform policy development through the combination of Census and social security information was established between the ABS and the Department of Social Services.

ABS is moving beyond the public data environment to draw insights from retail scanner data...

Australian Bureau of Statistics Annual Report 2013-14:

The Australian Census Longitudinal Dataset (ACLD) brings together data from the 2006 Census with data from the 2011 and future Censuses…..

The Australian Census and Migrants Integrated Dataset was created by integrating data from the 2011 Census and the Department of Immigration and Border Protection (DIBP) Settlement Data Base (SDB) of the 1.3 million people who migrated to Australia under a permanent Skilled, Family or Humanitarian stream visa and arrived in Australia between 1 January 2000 and 9 August 2011.

Australian Bureau of Statistics Annual Report 2012-13:

The Technology Services Division (TSD) supports all areas of the ABS in the delivery of business outcomes through the effective and innovative application of information technology…. TSD is also challenged in its ability to maintain the range of technology skill sets required for support and to build new capabilities for the future, including addressing growing requirements for effective security measures in the face of more sophisticated cyber security threats.

The whole sorry saga........

IT NEWS, 1 August 2016:
The Australian Bureau of Statistics has been forced to answer questions about the security of its online Census website after it was revealed to be using an insecure and deprecated form of encryption to protect the sensitive personal details of the nation’s citizens.
Tests of the strength of encryption used on the main Census website, first highlighted by security consultant and software engineer Ben Dechrai, reveal the website supports the SHA-1 hashing algorithm long considered to be insecure.
SHA is a component of a Secure Sockets Layer (SSL) certificate that is used to prevent the modification of data.
All major web browser operators have said they will stop accepting SHA-1-based signatures by next January. Internet Explorer owner Microsoft recently said it would bring that date forward to September 2016 after research showed real-world ‘collision attacks’ could open the door to digital signature forgeries even before 2017.
The Australian Signals Directorate deprecated SHA-1 from its list of approved cryptographic algorithms in December 2011 after finding the risk of a successful attack on the platform was “higher than acceptable”. The US National Institute of Standards and Technology (NIST) has said SHA-1 should “not be trusted” past January 2014.
Despite this, the ABS is still supporting SHA-1 to ensure those using older versions of web browsers are able to fill out the online form on Census night.
“As the overwhelming majority of browsers and operating systems are SHA-2 compliant, most people completing the Census will be secured using SHA-2,” a spokesperson said.
“However there are some older browsers and operating systems that only support SHA-1. To enable users with these older systems to complete their Census online, the online Census also supports older SHA-1.”
But users will still face the risk of a man-in-the-middle downgrade attack, which uses available backwards compatibility to force a computer to a lower and more vulnerable version of encryption, Dechrai said.
"[It] increases the likelihood of a user's data being intercepted," he said.
The security expert suggested a better approach was either to stick with the current paper forms or introduce a tiered model of online security.
“[They should make] the page where people click to start the Census less secure, so it works on older browsers, [then] do browser detection, and if the browser is too old, prompt them to upgrade, or order the paper form,” he said.
“Only supported browsers show the "Start" button [which loads the submission form from a properly secured server].”
The ABS was also criticised for choosing not to implement perfect forward security, which would protect past communications and sessions from compromise should attackers be able to access long-term secret keys.
The agency argued that perfect forward security would disrupt its other security protections.
“As part of our total platform security for the online Census, we need to be able to detect and respond to any malicious traffic,” the spokesperson said.
“Implementing perfect forward secrecy would reduce the effectiveness of other security layers, and as such may compromise overall security.”
However, Dechrai said that while perfect forward security could disrupt web application firewalls and intrusion detection systems, it was a “solvable problem”.
“Better architecture is a bit more complex, but doable,” he said….
IBRS security advisor James Turner said he was "horrified" by the "naivety" of the ABS' response to public concerns.
"ABS executives had to know that privacy would be a huge issue raised around this change of protocol," Turner said.
"I think most people are looking at the ABS responses as "we think this is cool, so we're doing it and we don't care about your privacy". 
"[It] doesn't seem to understand that it gets one shot at this. If there is a breach, then the horse has well and truly bolted. It won't even matter if they promise not to do it again, because the data has already gone."
The Australian Bureau of Statistics' failure writ large in this disingenuous Letter from the ABS on 2016 Census on the Little Bird Network, 28 July 2016:

Thank you for your query about the 2016 Census on Monday 18 July 2016.
Names and addresses are specified in the Census Regulations as Statistical Information, like all other Census topics. This requires the ABS to collect this information as part of the Census. The requirement for all topics, including names and address, on the Census forms to be filled completely and accurately is consistent with 105 years of Australian Census practice, the Census and Statistics Act 1905 and legal advice to the ABS from the Australian Government Solicitor. The only exception is religion, which the legislation specifies is optional.
Failure to complete the form, regardless of how many questions, is subject to the potential penalty of 180 dollars. This penalty can apply to each day that the form has not been completed and returned to the ABS, for example 180 dollars every day until the form is received by the ABS. Fines for knowingly providing false or misleading statements or information will be 1800 dollars.
If you need help or more information, search our online Help. If you can’t find the information you’re looking for, call 1300 214 531.
Thank you.
Australian Bureau of Statistics
Please do not reply to this email, this address is not monitored.

The Sydney Morning Herald, 2 August 2016:

"The whole concept behind privacy is control of your personal information," said Kat Lane, vice chair of the Australian Privacy Foundation. 

"What we need to understand as a society is that it needs to be a choice whether you share your data with the world and whether you don't."

Ms Lane said Australians needed to be assured by the government that they would not be prosecuted and fined for not putting their names on the census if they did not wish.

"[The Australian Bureau of Statistics] didn't factor in a large amount of media coverage over what is a significant change...the consultation process was so poor, they should be announcing that no one should be prosecuted."….

Sixty-five per cent of Australians are expected to complete the census online this year, doubling the online response rate of 2011.

Those who do complete the survey online will receive a 12-digit code enabling them to fill out the form online. ……

Guy Eilon, Australian vice president of defence grade global cyber-security firm Forcepoint, said providing personal information to the census online is, "in many ways, no different" to posting a status on Facebook, or banking online.

"Ultimately, there will always be risks in situations where personal data is collected and stored, from the biggest bank to the smallest business," he said.

"In these circumstances all parties...must act in a transparent way, and ensure they put in place the most appropriate security, privacy and governance processes."

Households who would still like to fill out a paper form are told to contact the ABS to receive one, but community groups are complaining that the process is not so simple.

"Despite the ABS putting on 300 concurrent phone lines, many of those applying for paper census forms cannot get through", said Paul Versteege, policy coordinator for the Combined Pensioners and Superannuants Association.

"The Census Inquiry phone line is overwhelmed and people are being told to call back later. Many people are not online and are concerned they won't receive their paper forms in time and will be fined $180 a day for every day they are late."

Telephone connectivity issues have applied to both the ABS support hotline and the hotline to request a paper census form.

Ms Lane said the unresolved privacy concerns of Australians could mean many "might actually want to move to the paper", but are as yet unable to source a form.

"I'm not doing it online, so I don't know what I'm doing on August 9."….

The Register, 1 August 2016:

The Australian Bureau of Statistics (ABS) has so badly mishandled the question of retaining names that its senior leadership need to consider their futures.

The ABS is – sorry, was – probably one of Australia's most trusted bureaucracies, alongside the Bureau of Meteorology, the Australian Electoral Commission, and Geosciences Australia.

But since deciding that this year's Australian census will retain participants' names and use them for ill-defined data-matching purposes, the Bureau has so alienated people there are serious calls for name-boycotts and a persistent discussion about the scale of fines (AU$180 a day up to a maximum $1,800, if you're interested). Those calls can undermine the census and its mission of providing policy-makers with useful data.

And the ABS persistently ignores questions put to it. Its first response when asked about the retention of names is something like the Tweet below, which talks about collection, not retention.

It's a mess that the ABS created for itself.

It takes a lot to make me say “security is now no longer the primary consideration”, but that's what the ABS has achieved.

Its data is useless without the trust of the public, and I've never seen public goodwill burned as quickly as has happened since Australians learned – somewhat after the decision was made – that the Bureau wants to keep their names.

And since then, the bureau has acted in a high-handed, condescending and dismissive manner……

Here's a speech from 2015, which is in no way reassuring, by the chief statistician David Kalisch.
The exact concerns being raised now, he dismissed last year: “Technology, expertise and confidentiality are not the issues or the constraints. It can take some time and resources for government agencies to provide better access to their data, even to an organisation such as the ABS with all the data protections and community support you would require.”
Ahem, confidentiality and technology certainly should be considered “constraints”, when the aim is to create a named identifier for all citizens, which Kalisch clearly admires.
Moreover: the ABS is not mandated to be the data integrator Kalisch imagines and desires. Kalisch is already advocating scope creep when he should be resisting it in the name of privacy.
In the presence of such sensitivities, transparency and trust are indispensable – but the bureau dispensed with both.
And at last, I will come to the generally-demanded “tech angle” to this story: it's perfectly feasible to tie data to a unique identifier without the name being that identifier.
If two data sets – the Census and the Pharmaceutical Benefits Scheme, for example – contain enough data points to consistently identify me, then a hash of that data would work just as well for anonymous analysis.
Richard Chirgwin with a date of birth and an address will produce the same SHA-256 key (c2483d63179b71b37334f730385272c81b5d6bd3ae6edffb49234cfeb7f7d9a6, I just tried it) no matter the source system – but the hash cannot be reversed to deliver my personal data.
If the data records with name are sufficient to identify me uniquely across two government systems, a hash of that data will be just as unique and will provide the same analytical link.
The ABS – and the data users defending it – must explain why names are indispensable to the mission.
But the cack-handed mishandling of the public debate is so destructive, it should be the next chief statistician to give the explanation. 
Bootnote: As a clarification, I need to point out: I am saying Census data (with a hash as an identifier) should never be brought together with a second source (example above, the PBS) with names intact on either side.
Should a researcher demonstrate a use-case to construct Census-versus-PBS queries, the names in PBS data should be hashed before the two datasets are brought together.

, 3 August 2016:
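The record-linkage approach Chirgwin describes above, as an added example that is not from The Register article or from the ABS: two constructed datasets (fictional people) are joined on a SHA-256 of their normalised identifying fields instead of on the name, and a keyed (HMAC) variant is shown alongside because an unkeyed hash of a name, date of birth and address can be recomputed by anyone able to enumerate candidate values, whereas the keyed form can only be recomputed by the holder of the key.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict, Iterable, List, Tuple

Record = Dict[str, str]

# Constructed sample records (fictional people). The same person appears in
# both datasets, but the fields were typed differently in each source.
CENSUS: List[Record] = [
    {"name": "Jane Citizen", "dob": "1980-01-15", "address": "3 Sample Rd, Hobart TAS 7000", "age": "36"},
    {"name": "Tom Example", "dob": "1965-07-04", "address": "12 Test St, Sydney NSW 2000", "age": "51"},
]
PBS: List[Record] = [
    {"name": "CITIZEN, Jane", "dob": "15/01/1980", "address": "3 sample rd hobart tas 7000", "scripts": "7"},
    {"name": "Alex Nobody", "dob": "1990-12-31", "address": "9 Other Ave, Perth WA 6000", "scripts": "2"},
]

def normalise(rec: Record) -> str:
    """Canonical form of the identifying fields so both sources hash alike."""
    name = rec["name"]
    if "," in name:                      # "SURNAME, Given" -> "Given SURNAME"
        surname, given = name.split(",", 1)
        name = f"{given} {surname}"
    dob = rec["dob"]
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", dob)   # dd/mm/yyyy -> ISO date
    if m:
        dob = f"{m.group(3)}-{m.group(2)}-{m.group(1)}"
    cleaned = [re.sub(r"[^a-z0-9 ]", " ", f.lower()) for f in (name, dob, rec["address"])]
    return "|".join(" ".join(c.split()) for c in cleaned)

def plain_id(rec: Record) -> str:
    """Chirgwin's proposal: a SHA-256 of the identifying data replaces the name."""
    return hashlib.sha256(normalise(rec).encode()).hexdigest()

def keyed_id(rec: Record, key: bytes) -> str:
    """Same linkage property, but keyed: without the key the ID cannot be
    recomputed from guessed names, birth dates and addresses."""
    return hmac.new(key, normalise(rec).encode(), hashlib.sha256).hexdigest()

def link(a: Iterable[Record], b: Iterable[Record],
         ident: Callable[[Record], str]) -> List[Tuple[Record, Record]]:
    """Join two datasets on the pseudonymous ID; names never leave their source."""
    index = {ident(r): r for r in a}
    pairs = []
    for r in b:
        match = index.get(ident(r))
        if match is not None:
            pairs.append((match, r))
    return pairs

if __name__ == "__main__":
    for census_row, pbs_row in link(CENSUS, PBS, plain_id):
        print(census_row["age"], pbs_row["scripts"])   # analysis proceeds without names
```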

The Government today admitted organisers of next week’s online census were unprepared for a flood of public inquiries about the August 9 national headcount….

Earlier, independent MP Andrew Wilkie today warned of confusion and concern, and called for assurances no one will be fined for not completing the Census form.

“I have been shocked by the number of people who have approached me and my office with all sorts of concerns about the national Census scheduled for next week,” Mr Wilkie said today.

“A big problem is the difficulty and cost being experienced by many people attempting to contact the Australian Bureau of Statistics by phone.

“Typically they are experiencing very lengthy delays, if they can get through at all, and even having to pay for the calls.”

Mr Wilkie said examples of the “confusion in the community” came from visits to his Hobart office today by seven constituents.

“One had received a paper Census form even though he didn’t request or want it, one had been visited by a census official at home, two had received a letter at home with a code to use online, one had received three letters at her home, and two hadn’t been contacted at all,” he said.

“The one who got a paper Census form is baffled by the two different serial numbers it contained, received no detailed instructions and found no mention of the specifics of fines.

“Despite the collection of names in previous censuses the logic for this has not been communicated to the public, if indeed there is any logic at all. Nor has any explanation been given for why the ABS holding this information for much longer than normal is warranted.”

Remembering the history of census taking and past governmental misuse of national census data is important in deciding whether such punitive, political and/or criminal instances could occur again in the future......


Political motives
Australian Bureau of Statistics, 2011

Persecution and Genocide
A final word.......
