The fallout from #CensusFail continues......

It is now the sixth day after Cenus Night 2016 in Australia and information has been slowly seeping out into the public domain.

First there's the genuine attempts to explain the spectacular failure to launch as opposed to the ABS-Turnbull Government propaganda on the subject.......

Reddit user mykro76 via @Qldaar, 10 August 2016:

Sortius, 10 August 2016:

So, I contacted Softlayer support, this was their response @ABSCensus #CensusFail

Patrick Gray at Risky.Biz on #CensusFail, 11 August 2016:

Community and Public Service Union, media release, 12 August  2016:

ABS STAFF ANGRY AT TURNBULL GOVERNMENT OVER CENSUS DEBACLE

The CPSU says the highly qualified and dedicated staff at the Australian Bureau of Statistics must not be blamed for the decisions by the Turnbull Government that are the real cause of Tuesday night’s Census debacle.

The union’s National Secretary Nadine Flood said: “Our members working in the ABS have slugged their guts out for months to make this Census work despite multiple Government decisions that have caused major problems. They know how critical the information collected in the Census is to the nation and they’re absolutely gutted at the damage done to the ABS's reputation and the Census itself.”

“Staff saw these problems coming a mile off. There are 700 fewer staff at the ABS now than when the last Census was conducted five years ago and as a result staff are suffering under massive workloads. Critical planning time was lost as the Government foolishly considered axing the Census, chopped and changed ministers three times and dilly-dallied for nearly a year in appointing a new chief statistician.”

“It’s shameful that Prime Minister Malcolm Turnbull has said ‘heads will roll’ at the ABS over the Census while taking no responsibility for the real cause of this debacle, the decisions made by his Government.”

“It is Governments that are responsible for the reliability of public services and the Turnbull Government cannot dodge responsibility for slashing budgets and jobs. Prime Minister Turnbull should be apologising not finger pointing.”

“This situation in the ABS is just one example of how cuts to public sector staffing and capacity have gone too far, and how it’s ultimately the Australian public that suffers as a result.

Australians are struggling to get through on the Census hotline today, but that’s no less disturbing than the one in three calls to Medicare and Centrelink that go unanswered every day.”

“The dedication of ABS staff has ensured the Census has played a critical role in public policy in Australia for more than a century. It remains an important tool and we are urging Australians to participate despite the Government’s failings.”

Unsurprisingly the privacy concerns haven't gone away........

Digital Rights Watch, 12 August 2016:

The letter, signed by prominent privacy advocates, academics and journalists, reads:

The conduct of this year’s census raises serious and pressing ethical, legal, security and technological concerns. These throw doubt on the value of the exercise and the quality of the data collected.

The Australian government must put the Census 2016 on hold while it consults with the Australian people on the value and ethical ramifications of this and similar mass data-collection exercises. Expert input and advice must be sought to determine best practice ethical, governance and security standards for data collection, use, linkage, storage, and real-world implementation.

These problems, and the difficulties Australians have experienced in accessing and completing both the paper and electronic forms, make imperative the provision of the following two remedies.

We therefore respectfully request:

1. Amnesty for anyone who files a late or incomplete census
2. An independent inquiry into the ABS’s conduct of Census 2016. This should include a comparison of the ethical and institutional governance arrangements for hard-copy and electronic data collection, storage, linkage and use with international and best practice standards. Community consultation should take place in regard to the appointment of heads of this inquiry, precise terms of reference and timeframes for reporting.

Signed by:

Tim Norton, Digital Rights Watch
Amy Gray, Digital Rights Watch
Asher Wolf, journalist
Dr Suelette Dreyfus
Peter Tonoli
Jenna Price
Liam Pomfret, Australian Privacy Foundation
Mark Walkom, Australian Privacy Foundation
Simon Frew, Pirate Party Australia
Felicity Ruby, PhD Candidate
Professor Ariadne Vromen
Tim Cashmere
Mary Kostakidis, Freelance Journalist
Gautam Raju, Campaigner
Jack Skinner
Dr Leslie Cannold
Melissa Castan, Law Lecturer
Dr Ben Harris-Roxas
Professor Robert Sparrow
Robin Doherty, Hack for Privacy
Dr Kristoffer Greaves, Legal Educator
Archie Law, CEO ActionAid Australia
Thomas Kane
Kate Galloway, Law Lecturer
Tom Sulston, Technology Consultant
Trisha Jha
Suzy Wood, IP Lawyer
Justin Clacherty, Future Wise Australia
Cade Diehm, SpiderOak
Trent Yarwood, Future Wise Australia
Julian Burnside AO QC
Dr Matthew Rimmer, Professor of Intellectual Property and Innovation Law, QUT Faculty of Law
Dan Nolan, software engineer

Then there's those zealous casual employees on the ABS Census team attempting to salvage something from the wreckage…….

The mocking has even spread into mainstream media on Northern Rivers…….

The Daily Examiner, 13 August 2016:

SORRY guys, looks like we caused the Census website to crash, but it was worth it.

We only told one little lie but suddenly our street is crawling with engineers, government types, teachers, plumbers, interpreters, shopping centre magnates and consultants.

Man, we haven't seen so many consultants since they sold Telstra.

Anyway, it was all part of objecting to have to put your name on the Census.

Not sure why we're objecting, everyone knows me and I would be happy if someone stole my identity. I could just slip away quietly and watch the fireworks.

They are as welcome to the $10 in my bank account as they are to my dog, and well, truth be known, Ms L. probably would appreciate the change too, and it'd be cheaper than a holiday for her.

But if it's not good enough for Nick X, then it's not good enough for us, so I didn't use my name.

However I did say that there were 23,000 people staying at our place that night and that's when the fun started.

We ensured half the number were children so the Education Department has acquired land for a primary school, a high school, half a TAFE and a branch of some wannabe regional uni, all within a kilometre.

Westfield is knocking down the other houses in our neighbourhood and building a shopping centre.

The Department of Transport built a bus interchange across the road (guess we didn't make the cut for an airport, but gee it gave Badgerys Creek a fright).

There's a new hospital with no queues on a Saturday night. However that might be because of the lockout laws. Yeah, we didn't see that coming. Apparently when you get that many people together they want to stay up late and party. Well, der. But this is Australia, mate, not Paris or Berlin, New York or London.

We're locked out after dark and the internet doesn't work, but gee the other services are good and I'll drink to that. BYO at home, that is.

Sorry about the website thing.

An important point that shouldn't be lost in all the media noise........

Finally, an estimation of how many premises and or households are still missing in action (including an unknown number involved in acts of civil disobedience)......

It is possible that as of today the Australian Bureau of Statistics only holds an est. 30-45 per cent of all Census forms (paper & online) it anticipated receiving.

The statistical margin of error flowing from that sort of respondent percentage would be too large to make it a credible national snapshot of population and housing.

Singing the post-Census 2016 blues

One would have to live in a deep sink hole in the middle of Australia not to have heard of the mishandling of the 2016 national census, now not so fondly known as #CensusFail.

First the Australian Bureau of Statistics (ABS) decides to keep census participants' names and addresses (without informed consent) for between four years or until after death– whichever takes its fancy.

It does this so it can match the individual with other records held by government departments to create a super database packed to the brim with sensitive information.

This information goes beyond who you are, where you live and the makeup of your household – it's also how much you earn, how much tax you pay, what illnesses you have been diagnosed with, what prescription drugs you take, how many times you visit the doctor, how many speeding fines you paid, if you have been brought before the court, the sentence you received and, much more.

All this is gathered under a unique Statistical Linkage Key (SLK-581) which follows you forever through census after census after census.

This is what these keys look like:

How do I know that this is what an SLK looks like?

Because an SLK is generated according to a standard formula and the Australian Government not only helpfully lets everyone know what that formula is, it even provides an online open access key generator for our use.

Now one would think that because most people were being manoeuvred into encouraged to fill in the Census form online on 9 August 2016 that the platform ABS was using would be very secure.

However, it turns out that in order to allow people with older versions of Windows on their home computer to access the census form online the ABS decided to have the website support the SHA-1 hashing algorithm long considered to be insecure.

Leaving it vulnerable to man-in-the-middle encryption downgrade attacks which can make it easier to intercept data being sent.

Here is a breakdown of website vulnerabilities from High Tech Bridge, 
www.census.abs.gov.au SSL/TLS Security Test on 29 July 2016:

The server does not prefer cipher suites providing strong Perfect Forward Secrecy (PFS). We advise to configure your server to prefer cipher suites with ECDHE or DHE key exchange.

The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.

The server does not send the HTTP-Strict-Transport-Security. We advise to enable it to enforce the user to browse the website in HTTPS.

The server does not send HTTP-Public-Key-Pinning header. We advise to enable HPKP in order to avoid Man-In-The-Middle attacks.

TLS_FALLBACK_SCSV extension prevents protocol downgrade attacks. We advise to update your TLS engine to support it.

Preferred cipher suite for each protocol supported (except SSLv2). Expected configuration are ciphers allowed by PCI DSS and enabling PFS:

TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness

TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness

TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256Misconfiguration or weakness

Third party content (such as images, JavaScript, or CSS) is loaded from external resources. Despite that for some web applications it can significantly improve loading time, it may also put website visitor's privacy at risk, as information about website visitors become accessible to these third-party content providers. ​Moreover, a third-party content delivered via HTTP and not HTTPS channel may also expose your privacy.

HTTP methods (or verbs) that are allowed by the server. Some may be dangerous if not handled properly by the application.

Then other security issues raised their heads including the fact that census answers may not always be encrypted for the entire journey from the keyboard to IBM on the SoftLayer cloud.

By then the Australian Bureau of Statistics was on social media telling people they will be fined if they refuse to answer all the questions on the census form.

Doubts also began to pop up as to whether stream10.census.abs.gov.au would be able to handle the millions of people logging in on Census Night.

Predictably it couldn't and suddenly there is multiple choice blame being handed out.

It's all the fault of:

a) evil hackers;

b) malicious furriners mounting denial of service attacks;

c) lazy people not filling out their online forms out days ahead of time; or

d) political plotters wanting to embarrass the Turnbull Government.

Reddit user mykro76 via @Qldaar on 10 August 2016 is probably closer to the mark:

The call is now going out to ditch the 9 August Census and try again at a later date if the government demographers can get their act together.

This is one example:

#CensusFail: Dear Magistrate, sincerely Anna

Well this is one of the guarded front doors for all the world to see......

Alternative names:

www.census.abs.gov.au

stream00.census.abs.gov.au

stream10.census.abs.gov.au

stream20.census.abs.gov.au

stream12.census.abs.gov.au

stream13.census.abs.gov.au

stream21.census.abs.gov.au

stream22.census.abs.gov.au

stream23.census.abs.gov.au

stream31.census.abs.gov.au

stream32.census.abs.gov.au

stream33.census.abs.gov.au

stream41.census.abs.gov.au

stream42.census.abs.gov.au

stream43.census.abs.gov.au

cdn1.census.abs.gov.au

cdn2.census.abs.gov.au

Excerpt from High Tech Bridge, www.census.abs.gov.au SSL/TLS Security Test, 29 July 2016:

The server does not prefer cipher suites providing strong Perfect Forward Secrecy (PFS). We advise to configure your server to prefer cipher suites with ECDHE or DHE key exchange.

The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.

The server does not send the HTTP-Strict-Transport-Security. We advise to enable it to enforce the user to browse the website in HTTPS.

The server does not send HTTP-Public-Key-Pinning header. We advise to enable HPKP in order to avoid Man-In-The-Middle attacks.

TLS_FALLBACK_SCSV extension prevents protocol downgrade attacks. We advise to update your TLS engine to support it.

Preferred cipher suite for each protocol supported (except SSLv2). Expected configuration are ciphers allowed by PCI DSS and enabling PFS:

TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness

TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness

TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256Misconfiguration or weakness

Third party content (such as images, JavaScript, or CSS) is loaded from external resources. Despite that for some web applications it can significantly improve loading time, it may also put website visitor's privacy at risk, as information about website visitors become accessible to these third-party content providers. ​Moreover, a third-party content delivered via HTTP and not HTTPS channel may also expose your privacy.

HTTP methods (or verbs) that are allowed by the server. Some may be dangerous if not handled properly by the application.

Now where are those back doors to all that sensitive personal information? Hmmmm....

Salinger Privacy, 6 August 2016:

Dear Magistrate,

In case the ABS is prosecuting me for non-completion of this year’s Census, I thought I should explain to you my reasons why I have decided that a boycott is the only moral position I can take.

The short version is this:  Yes to a national snapshot.  No to detailed data-linking on individuals.  That’s not what a census is for.

I have wrestled with what my personal position should be.  I am normally a fan of the Census.  It has an important role to play in how we as a people are governed.  As a former public servant with a policy and research background, I believe in evidence-based policy decisions.  As a parent and a citizen, I want good quality data to help governments decide where to build the next school or hospital, or how to best direct aged care funding, or tackle indigenous disadvantage.

But as a former Deputy Privacy Commissioner, and a privacy consultant for the past 12 years, I can also see the privacy risks in what the ABS is doing.

Months ago I wrote an explanation of all the privacy risks caused by the ABS’s decision to keep and use name and address information for data-linking, in the hope that reason would prevail.  I was assuming that public and political pressure would force the ABS to drop the proposal (as they did in 2006 when I was Chair of the Australian Privacy Foundation and we spoke up about it).  Lots of people (as well as one penguin, the marvellous Brenda, the Civil Disobedience Penguin), are now coming to realise the risks and speak out against them, but right now, just a few days out, it looks like the ABS is pushing ahead regardless.

There are those who say that we shouldn’t boycott the Census because it is too important.  To them I say:  Bollocks.  (If you pardon my language, Your Worship.)  We know where that ‘too big to fail’ argument leads: to more arrogance, more heavy-handed treatment of citizens, more privacy invasions.

And there are the demographers who say the Census data should be linked to other health records like PBS prescription records, because if we as patients were asked for our identifiable health data directly, we would refuse to answer.  To them I say:  Hello, THAT’S THE POINT!  It’s my health information, not yours.  You should ask me nicely, and persuade me about your public interest research purpose, if you want access to my identifiable health records.  Maybe then I will say yes.  But going behind people’s backs because they would refuse their consent if asked is not what the National Health & Medical Research Council’s National Statement on Ethical Conduct in Human Research is about.

This morning I suddenly realised: the ABS is behaving like a very, very bad boyfriend.  He keeps on breaking promises, pushing boundaries and disappointing you, but you forgive him each time.  You don’t want to call him out in case then he gets angry and dumps you.  So you just put up with it, and grumble over drinks to your girlfriends.

And this bad boyfriend keeps saying these reassuring things, like “oh we’ll only keep the data for four years”, and “the names and addresses are in a separate database”.  To that I say:  Nice try, but that’s a red herring.

Although there are certainly heightened privacy and security risks of accidental loss or malicious misuse with storing names and addresses, the deliberate privacy invasion starts with the use of that data to create a Statistical Linkage Key (SLK) for each individual, to use in linking data from other sources.  Please don’t believe that SLKs offer anonymity.  SLKs are easy to generate, with the same standard used across multiple datasets.  That’s the whole point: so that you can link data about a particular individual.  For example, Malcolm Turnbull would be known by the SLK URBAL241019541 in the type of datasets the ABS wants to match Census data against, including mental health services (yes, mental health!) and other health records, disability services records, early childhood records, community services records, as well as data about housing assistance and homelessness.

Anyone with access to these types of health and human services datasets can search for individuals by generating and searching against their SLK.  All you need to know is their first and last names, gender and date of birth.  Scott Morrison is ORICO130519681.  Kylie Minogue is INGYL280519682.  Deltra Goodrem is OOREL091119842.  Now tell me that their privacy will be absolutely protected if their Census data is coded the same way.

Never mind four years; the ABS could destroy all the actual name and address data after only four days or four seconds – but if they have already used it to generate an SLK for each individual Census record, the privacy damage has been done.

(Oh, and that line about how “we’ve never had a privacy breach with Census data”?  To that I say:  Great!  Let’s keep it that way!  DON’T COLLECT NAMES.)

So I say no.  No.  I am not putting up with that bad boyfriend any longer.  I believe in the importance of the Census, which is why I am so damn pissed off (sorry again Your Worship) that the ABS is being such a bad boyfriend to the Australian people: trashing not only our privacy, but the value of our data too.  It’s time to break up with them.

I have come to this decision with a heavy heart.  I am normally a law-abiding citizen.  Plus, I don’t really fancy facing a $180 fine for every day that I refuse to comply with a direction to complete the Census, with no cap on the number of days.  (Seriously, what kind of heavy-handed law is that?  Are you really going to keep hitting me with daily fines for the rest of my life, Your Worship?)

I know that I could give the ABS misinformation instead.  Say my name is Boaty McBoatface and that I am a 97 year old man living with 8 wives, that I have 14 cars, my language at home is Gibberish and that my religion is Jedi.  Giving misinformation is a common, rational response by about three in ten people who want to protect their privacy when faced with the collection of personal data they have no choice about.  Of course, that is also a crime in relation to the Census, but at least that one maxes out at an $1,800 fine.

But I won’t do that, because I do believe in the integrity of the census data.  I don’t want people to have to give misinformation in order to protect themselves.  We shouldn’t be placed in that position.

The definition of ‘census’ is “an official count”.  I actually want to stand up and be counted.  Butonly counted; not named or profiled or data-matched or data-linked, or anything else.  The privacy risks of doing anything else are just too great.

I have thought about just refusing to provide my name.  But even if I don’t give my name, if the ABS is determined to link my Census data with other datasets, there would be enough other information in my Census answers (sex, age, home address, previous home address, work address) to let them proceed regardless.  It won’t be enough to protect my privacy.

So until the ABS reverses its decision to match Census data about individuals with other datasets about individuals, I am not going to answer the Census questions at all.

I am sorry, Your Worship.  I don’t like being forced to choose, because I believe Australians deserve to have both good quality statistical data for government decision-making, AND their privacy respected.  But on Tuesday night, I will choose privacy.

The Census should be a national snapshot, not a tool for detailed data-linking on every individual.  Now convict and fine me if you disagree.

Yours sincerely,

Anna Johnston

"Stick your census in your ear you won't get any data here"

First Dog on the Moon

Creating the Digital Australia Card in 2016: ABS Census has holes in its security fence

Hard copy version of the Australia Card

  a national identity card rejected by the Australian population in 1987

The aim of the Census of Population and Housing is to collect accurate data on the key characteristics of the people in Australia on Census night, and the dwellings in which they live.

However, on  census night 2016 (and every national census thereafter) the names and addresses of those completing the compulsory national survey, along with the names of others in the same household, will be retained to allow data matching across as many agencies as the Australian Bureau of Statistics will from time to time decide it requires to form a complete longitudinal profile of every person living in this country.

Given that the census requires all questions to be answered on pain of a legally enforceable penalty and given that the questions asked are of an intimate nature - including a person's bathing and toileting regime (Question 20) - I do not think it unreasonable for those compelled to respond to publicly query security measures the ABS has allegedly put in place to safeguard privacy.

Nor do I think it unreasonable for persons so compelled to refuse to record their names alongside their answers to the census questions in light of the legitimate concerns that remain unresolved.

Especially as it is clear that the security of any database cannot be fully guaranteed and the Australian Bureau of Statistics (ABS) is not immune from data breaches and illegal use of data by staff.

Indeed as "Name of each person" (at points 2. & 53.) appears to be the only detail on the census form which is not couched as a question, I rather suspect that the ABS itself may not be entirely sure it has an enforceable right to compel a response despite what is asserted in Census and Statistics Regulation 2016.  

A new regulation that remakes the Statistics Regulations 1983 which in turn does not include "name" in Prescribed matters in relation to which statistical information may be collected even if the Census and Statistics(Census) Regulation 2015 does.

How the statisticians have been laying down the groundwork for the creation of the longitudinal database capable of producing individual profiles......

Australian Bureau of Statistics Annual Report 2014-15:

The ABS worked closely with the National Mental Health Commission, the Department of Health, and the Department of Human Services to provide timely statistics on mental health by linking information on the use of medical services with Census data.

A pilot project to inform policy development through the combination of Census and social security information was established between the ABS and the Department of Social Services.

ABS is moving beyond the public data environment to draw insights from retail scanner data...

Australian Bureau of Statistics Annual Report 2013-14:

The Australian Census Longitudinal Dataset (ACLD) brings together data from the 2006 Census with data from the 2011 and future Censuses…..

The Australian Census and Migrants Integrated Dataset was created by integrating data from the 2011 Census and the Department of Immigration and Border Protection (DIBP) Settlement Data Base (SDB) of the 1.3 million people who migrated to Australia under a permanent Skilled, Family or Humanitarian stream visa and arrived in Australia between 1 January 2000 and 9 August 2011.

Australian Bureau of Statistics Annual Report 2012-13:

The Technology Services Division (TSD) supports all areas of the ABS in the delivery of business outcomes through the effective and innovative application of information technology…. TSD is also challenged in its ability to maintain the range of technology skill sets required for support and to build new capabilities for the future, including addressing growing requirements for effective security measures in the face of more sophisticated cyber security threats.

The whole sorry saga........

IT NEWS, 1 August 2016:

The Australian Bureau of Statistics has been forced to answer questions about the security of its online Census website after it was revealed to be using an insecure and deprecated form of encryption to protect the sensitive personal details of the nation’s citizens.

Tests of the strength of encryption used on the main Census website, first highlighted by security consultant and software engineer Ben Dechrai, reveal the website supports the SHA-1 hashing algorithm long considered to be insecure.

SHA is a component of a Secure Sockets Layer (SSL) certificate that is used to prevent the modification of data.

All major web browser operators have said they will stop accepting SHA-1-based signatures by next January. Internet Explorer owner Microsoft recently said it would bring that date forward to September 2016 after research showed real-world ‘collision attacks’ could open the door to digital signature forgeries even before 2017.

The Australian Signals Directorate deprecated SHA-1 from its list of approved cryptographic algorithms in December 2011 after finding the risk of a successful attack on the platform was “higher than acceptable”. The US National Institute of Standards and Technology (NIST) has said SHA-1 should “not be trusted” past January 2014.

Despite this, the ABS is still supporting SHA-1 to ensure those using older versions of web browsers are able to fill out the online form on Census night.

“As the overwhelming majority of browsers and operating systems are SHA-2 compliant, most people completing the Census will be secured using SHA-2,” a spokesperson said.

“However there are some older browsers and operating systems that only support SHA-1. To enable users with these older systems to complete their Census online, the online Census also supports older SHA-1.”

But users will still face the risk of a man-in-the-middle downgrade attack, which uses available backwards compatibility to force a computer to a lower and more vulnerable version of encryption, Dechrai said.

"[It] increases the likelihood of a user's data being intercepted," he said.

The security expert suggested a better approach was either to stick with the current paper forms or introduce a tiered model of online security.

“[They should make] the page where people click to start the Census less secure, so it works on older browsers, [then] do browser detection, and if the browser is too old, prompt them to upgrade, or order the paper form,” he said.

“Only supported browsers show the "Start" button [which loads the submission form from a properly secured server].”

The ABS was also criticised for choosing not to implement perfect forward security, which would protect past communications and sessions from compromise should attackers be able to access long-term secret keys.

The agency argued that perfect forward security would disrupt its other security protections.

“As part of our total platform security for the online Census, we need to be able to detect and respond to any malicious traffic,” the spokesperson said.

“Implementing perfect forward secrecy would reduce the effectiveness of other security layers, and as such may compromise overall security.”

However, Dechrai said that while perfect forward security could disrupt web application firewalls and intrusion detection systems, it was a “solvable problem”.

“Better architecture is a bit more complex, but doable,” he said….

IBRS security advisor James Turner said he was "horrified" by the "naivety" of the ABS' response to public concerns.

"ABS executives had to know that privacy would be a huge issue raised around this change of protocol," Turner said.

"I think most people are looking at the ABS responses as "we think this is cool, so we're doing it and we don't care about your privacy". 

"[It] doesn't seem to understand that it gets one shot at this. If there is a breach, then the horse has well and truly bolted. It won't even matter if they promise not to do it again, because the data has already gone."

The Australian Bureau of Statistics' failure writ large in this disingenuous Letter from the ABS on 2016 Census on the Little Bird Network, 28 July 2016:

Hello,

Thank you for your query about the 2016 Census on Monday 18 July 2016.

Yes.
Names and addresses are specified in the Census Regulations as Statistical Information, like all other Census topics. This requires the ABS to collect this information as part of the Census. The requirement for all topics, including names and address, on the Census forms to be filled completely and accurately is consistent with 105 years of Australian Census practice, the Census and Statistics Act 1905 and legal advice to the ABS from the Australian Government Solicitor. The only exception is religion, which the legislation specifies is optional.

Failure to complete the form, regardless of how many questions, is subject to the potential penalty of 180 dollars. This penalty can apply to each day that the form has not been completed and returned to the ABS, for example 180 dollars every day until the form is received by the ABS. Fines for knowingly providing false or misleading statements or information will be 1800 dollars.

If you need help or more information, search our online Help. If you can’t find the information you’re looking for, call 1300 214 531.

Thank you.

Australian Bureau of Statistics

Please do not reply to this email, this address is not monitored.

Help – census.abs.gov.au/help
Privacy – census.abs.gov.au/privacy

The Sydney Morning Herald, 2 August 2016:

"The whole concept behind privacy is control of your personal information," said Kat Lane, vice chair of the Australian Privacy Foundation. 

"What we need to understand as a society is that it needs to be a choice whether you share your data with the world and whether you don't."

Ms Lane said Australians needed to be assured by the government that they would not be prosecuted and fined for not putting their names on the census if they did not wish.

"[The Australian Bureau of Statistics] didn't factor in a large amount of media coverage over what is a significant change...the consultation process was so poor, they should be announcing that no one should be prosecuted."….

Sixty-five per cent of Australian are expected to complete the census online this year, doubling the online response rate of 2011.

Those who do complete the survey online will receive a 12-digit code enabling them to fill out the form online. ……

Guy Eilon, Australian vice president of defence grade global cyber-security firm Forcepoint, said providing personal information to the census online is, "in many ways, no different" to posting a status on Facebook, or banking online.

"Ultimately, there will always be risks in situations where personal data is collected and stored, from the biggest bank to the smallest business," he said.

"In these circumstances all parties...must act in a transparent way, and ensure they put in place the most appropriate security, privacy and governance processes."

Households who would still like to fill out a paper form are told to contact the ABS to receive one, but community groups are complaining that the process is not so simple.

"Despite the ABS putting on 300 concurrent phone lines, many of those applying for paper census forms cannot get through", said  Paul Versteege, policy coordinator for the Combined Pensioners and Superannuants Association.

"The Census Inquiry phone line is overwhelmed and people are being told to call back later. Many  people are not online and are concerned they won't receive their paper forms in time and will be fined $180 a day for every day they are late."

Telephone connectivity issues have applied to both the ABS support hotline and the hotline to request a paper census form.

Ms Lane said the unresolved privacy concerns of Australian's could mean many "might actually want to move to the paper", but are as yet unable to source a form.

"I'm not doing it online, so I don't know what I'm doing on August 9."….

The Register, 1 August 2016:

The Australian Bureau of Statistics (ABS) has so badly mishandled the question of retaining names that its senior leadership need to consider their futures.

The ABS is – sorry, was – probably one of Australia's most trusted bureaucracies, alongside the Bureau of Meteorology, the Australian Electoral Commission, and Geosciences Australia.

But since deciding that this year's Australian census will retain participants' names and use them for ill-defined data-matching purposes, the Bureau has so alienated people there are serious calls for name-boycotts and a persistent discussion about the scale of fines (AU$180 a day up to a maximum $1,800, if you're interested). Those calls can undermine the census and its mission of providing policy-makers with useful data.

And the ABS persistently ignores questions put to it. Its first response when asked about the retention of names is something like the Tweet below, which talks about collection, not retention.

It's a mess that the ABS created for itself.

It takes a lot to make me say “security is now no longer the primary consideration”, but that's what the ABS has achieved.

Its data is useless without the trust of the public, and I've never seen public goodwill burned as quickly as has happened since Australians learned – somewhat after the decision was made – that the Bureau wants to keep their names.

And since then, the bureau has acted in a high-handed, condescending and dismissive manner……

Here's a speech from 2015, which is in no way reassuring, by the chief statistician David Kalisch.

The exact concerns being raised now, he dismissed last year: “Technology, expertise and confidentiality are not the issues or the constraints. It can take some time and resources for government agencies to provide better access to their data, even to an organisation such as the ABS with all the data protections and community support you would require.”

Ahem, confidentiality and technology certainly should be considered “constraints”, when the aim is to create a named identifier for all citizens, which Kalisch clearly admires.

Moreover: the ABS is not mandated to be the data integrator Kalisch imagines and desires. Kalisch is already advocating scope creep when he should be resisting it in the name of privacy.

In the presence of such sensitivities, transparency and trust are indispensable – but the bureau dispensed with both.

And at last, I will come to the generally-demanded “tech angle” to this story: it's perfectly feasible to tie data to a unique identifier without the name being that identifier.

If two data sets – the Census and the Pharmaceutical Benefits Scheme, for example – contain enough data points to consistently identify me, then a hash of that data would work just as well for anonymous analysis.

Richard Chirgwin with a date of birth and an address will produce the same SHA-256 key (c2483d63179b71b37334f730385272c81b5d6bd3ae6edffb49234cfeb7f7d9a6, I just tried it) no matter the source system – but the hash cannot be reversed to deliver my personal data.

If the data records with name are sufficient to identify me uniquely across two government systems, a hash of that data will be just as unique and will provide the same analytical link.

The ABS – and the data users defending it – must explain why names are indispensable to the mission.

But the cack-handed mishandling of the public debate is so destructive, it should be the next chief statistician to give the explanation. 

Bootnote: As a clarification, I need to point out: I am saying Census data (with a hash as an identifier) should never be brought together with a second source (example above, the PBS) with names intact on either side.

Should a researcher demonstrate a use-case to construct Census-versus-PBS queries, the names in PBS data should be hashed before the two datasets are brought together.

News.com.au, 3 August 2016:

THE Government today admitted organisers of next week’s online census were unprepared for a flood of public inquiries about the August 9 national headcount….

Earlier, independent MP Andrew Wilkie today warned of confusion and concern, and called for assurances no one will be fined for not completing the Census form.

“I have been shocked by the number of people who have approached me and my office with all sorts of concerns about the national Census scheduled for next week,” Mr Wilkie said today.

“A big problem is the difficulty and cost being experienced by many people attempting to contact the Australian Bureau of Statistics by phone.

“Typically they are experiencing very lengthy delays, if they can get through at all, and even having to pay for the calls.”

Mr Wilkie said examples of the “confusion in the community” came from visits to his Hobart office today by seven constituents.

“One had received a paper Census form even though he didn’t request or want it, one had been visited by a census official at home, two had received a letter at home with a code to use online, one had received three letters at her home, and two hadn’t been contacted at all,” he said.

“The one who got a paper Census form is baffled by the two different serial numbers it contained, received no detailed instructions and found no mention of the specifics of fines.

“Despite the collection of names in previous censuses the logic for this has not been communicated to the public, if indeed there is any logic at all. Nor has any explanation been given for why the ABS holding this information for much longer than normal is warranted.”

Remembering the history of census taking and past governmental misuse of national census data is important in deciding whether such punitive, political and/or criminal instances could occur again in the future......

Punishment

The Sydney Morning Herald, 26 June 1966

Political motives

Australian Bureau of Statistics, 2011

Persecution and Genocide

A final word.......