Singing the post-Census 2016 blues

One would have to live in a deep sink hole in the middle of Australia not to have heard of the mishandling of the 2016 national census, now not so fondly known as #CensusFail.

First the Australian Bureau of Statistics (ABS) decides to keep census participants' names and addresses (without informed consent) for between four years or until after death– whichever takes its fancy.

It does this so it can match the individual with other records held by government departments to create a super database packed to the brim with sensitive information.

This information goes beyond who you are, where you live and the makeup of your household – it's also how much you earn, how much tax you pay, what illnesses you have been diagnosed with, what prescription drugs you take, how many times you visit the doctor, how many speeding fines you paid, if you have been brought before the court, the sentence you received and, much more.

All this is gathered under a unique Statistical Linkage Key (SLK-581) which follows you forever through census after census after census.

This is what these keys look like:

How do I know that this is what an SLK looks like?

Because an SLK is generated according to a standard formula and the Australian Government not only helpfully lets everyone know what that formula is, it even provides an online open access key generator for our use.

Now one would think that because most people were being manoeuvred into encouraged to fill in the Census form online on 9 August 2016 that the platform ABS was using would be very secure.

However, it turns out that in order to allow people with older versions of Windows on their home computer to access the census form online the ABS decided to have the website support the SHA-1 hashing algorithm long considered to be insecure.

Leaving it vulnerable to man-in-the-middle encryption downgrade attacks which can make it easier to intercept data being sent.

Here is a breakdown of website vulnerabilities from High Tech Bridge, 
www.census.abs.gov.au SSL/TLS Security Test on 29 July 2016:

The server does not prefer cipher suites providing strong Perfect Forward Secrecy (PFS). We advise to configure your server to prefer cipher suites with ECDHE or DHE key exchange.

The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.

The server does not send the HTTP-Strict-Transport-Security. We advise to enable it to enforce the user to browse the website in HTTPS.

The server does not send HTTP-Public-Key-Pinning header. We advise to enable HPKP in order to avoid Man-In-The-Middle attacks.

TLS_FALLBACK_SCSV extension prevents protocol downgrade attacks. We advise to update your TLS engine to support it.

Preferred cipher suite for each protocol supported (except SSLv2). Expected configuration are ciphers allowed by PCI DSS and enabling PFS:

TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness

TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHAMisconfiguration or weakness

TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256Misconfiguration or weakness

Third party content (such as images, JavaScript, or CSS) is loaded from external resources. Despite that for some web applications it can significantly improve loading time, it may also put website visitor's privacy at risk, as information about website visitors become accessible to these third-party content providers. ​Moreover, a third-party content delivered via HTTP and not HTTPS channel may also expose your privacy.

HTTP methods (or verbs) that are allowed by the server. Some may be dangerous if not handled properly by the application.

Then other security issues raised their heads including the fact that census answers may not always be encrypted for the entire journey from the keyboard to IBM on the SoftLayer cloud.

By then the Australian Bureau of Statistics was on social media telling people they will be fined if they refuse to answer all the questions on the census form.

Doubts also began to pop up as to whether stream10.census.abs.gov.au would be able to handle the millions of people logging in on Census Night.

Predictably it couldn't and suddenly there is multiple choice blame being handed out.

It's all the fault of:

a) evil hackers;

b) malicious furriners mounting denial of service attacks;

c) lazy people not filling out their online forms out days ahead of time; or

d) political plotters wanting to embarrass the Turnbull Government.

Reddit user mykro76 via @Qldaar on 10 August 2016 is probably closer to the mark:

The call is now going out to ditch the 9 August Census and try again at a later date if the government demographers can get their act together.

This is one example:

Australians continue to be uneasy concerning the Australian Bureau of Statistics increased intrusion into the private lives of the population

Australians continue to be uneasy concerning motives of the Australian Bureau of Statistics ahead of expanded data collection and retention from August 2016 Census information.

ABC News, 22 July 2016:

Privacy advocates are calling on the Australian Bureau of Statistics (ABS) not to collect names of individuals in next month's census, due to privacy concerns.

For the first time, the ABS will keep Australians' names and addresses on file for four years instead of 18 months.

Meanwhile, it has emerged the ABS has been using people's names and addresses to cross-reference data with records kept by other Australian departments since 2006.

Before this, they were largely used for administrative purposes, to ensure everyone completed the census.

The revelations have prompted concern on talkback radio and social media, with some people declaring they will boycott the census because of the changes.

The Australian Privacy Foundation is calling on the ABS to stop using people's names for data analysis.

"We all gave our names in good faith, thinking they'd be deleted," said the foundation's vice-chair Kat Lane.

"We've now since found out they're not being deleted at all, they're being stored and made into unique identifiers.

"We don't want the ABS to have very sensitive personal details like names. We want them to be deleted."….

The head of The Statistical Society of Australia, Dr John Henstridge, said he did not believe the ABS did enough to consult with the community.

"I think it probably needed more of a publicity campaign about this and being a bit more open," he said.

"If people don't want to cooperate with the census because they are concerned about how the data might be used then that is a real concern."

The 2016 census will be held on August 9.

Given it was only last year that an ABS employee was gaoled for three years and three months for unlawful use of statistical data after pleading guilty to four charges of abuse of public office, one charge of insider trading, and one charge of identity theft, I strongly suspect that everyone has a right to feel concerned.

Especially as the independent Review of ABS Sensitive Information Controls conducted once the fraud was discovered revealed an organisation which had grown rather sloppy about employee access and compliance.

Now that all names and addresses will be kept effectively in perpetuity by the Bureau, one can expect that the number of times staff are approached to unlawfully supply information (or seek unauthorised information on their own behalf) will rise.

Centrelink records highlight how staff with access to sensitive information are tempted to breach regulations and even break the law – for example in 2006 it was reported that  there had been 580 breaches in 2005-06, in 2011-12 there were 126 formal investigations for substantiated privacy breaches, in 2013 another 68 breaches were revealed and in 2014 sensitive information was removed from the agency and left on a railway station platform.

Misuse of information and communications technology is endemic across the public sector and the Australian Bureau of Statistics now appears intent on exacerbating this problem.