Opinion: In case you haven’t heard, this year’s Census will not be anonymous. When you fill out the 2016 Australian Census questionnaire — if you don’t somehow avoid it or refuse to take part — your name and address will be linked for the first time to other, previously anonymised data like your status of employment, education and personal health. The Census on the night of August 9th will be conducted almost entirely online, too — so get used to your personal data being transferred around the ‘net.
The previous Census, conducted in 2011, could be completed online — the eCensus was relatively popular among Australians, with one third of the population completing it online, up from a mediocre 10 per cent in 2006. In 2016, the Census will be conducted mostly digitally — although a paper form is an option if requested. Private dwellings around the country will be allocated a unique code by mail “to the resident”, and instructed to visit a website and fill the Census out digitally.
The switch to an online Census makes it $100 million cheaper than the traditional paper questionnaire, which required 65 million sheets of paper and tens of thousands of temporary staff to deliver forms to households, and the digital format means it can be completed equally easily by mobile device, tablet or on a laptop or desktop PC. The Census process itself will be protected by 128-bit SSL, compliant with the government’s Defence Signals Directorate information security manual and on par with the security levels of the banks that Australians trust their personal income and savings to. But it’s not the security of the collection that is in question — it’s how that data will be protected after its collection. It will be retained until at least mid-2020.
The case made by the Australian Bureau of Statistics for retaining personally identifiable data is, in the abstract, perfectly reasonable and justifiable. A “richer and dynamic statistical picture of Australia” might sound boring, but it’s an extra layer of information that makes it invaluable to university and private sector researchers looking to investigate things like the correlation between the provision of mental health services and geographical location and employment status, or the effect of the closing of Australia’s automotive industry on full-time manufacturing workers in Victoria and South Australia. Even the cost of running future Censuses or of planning public policy can be lowered with a more accurate profile of every Australian individual.
But the price of that accuracy is the fact that the information will be even more valuable to illegitimate users than it will be to government agencies and statisticians. Even the widespread public acknowledgement that this trove of priceless personally identifiable information exists is almost reason enough to halt its collection. If anyone who wants the data but does not already have sanctioned access to it — hackers, if you want to use such a broad term — gets a hold of even a cross-section of personally identifiable Census data, the implications could be phenomenally damaging for Australians.
Any suggestion of how this might happen is conjecture. But the past shows us that this does happen, and the effects can be wide-ranging and life-altering. Nearly 40 million Ashley Madison users had their potential infidelity publicly displayed, leading to suicides. Kmart and David Jones leaked customer names, order details and email addresses. In the US, over 20 million Social Security numbers — a unique national identification key used for taxation, employment and personal credit — were compromised, likely by Chinese hackers. The Australian government even posted the personal details of nearly 10,000 asylum seekers online. If your name and address, tied to your employment status and your level of education and the number of people in your household and your yearly income and the number of cars you own, were shared, it could mean identity fraud on a massive level.
Consider the widespread use of stock-standard security questions around the internet. What was the street you grew up on? What’s your mother’s maiden name? What was the name of the first school you went to? With the rising amount of easily accessible and personally valuable data we voluntarily share on Facebook already, honestly answering these questions is not a good idea in the first place, but if there was a government-sanctioned register of this information — a Census in which “every household must participate” — those questions become even less useful. Potentially — for users that have answered them legitimately, as well as the Census — they become a vector for personal and private and valuable information (emails, Facebook, LinkedIn, MyGov) to be accessed and stolen.
Only a system that is completely air-gapped, firewalled, multi-factor authenticated, cut off from the internet, restricted to only a select white list of authorised devices — in other words, obfuscated and made so ineffective in such a way as to make it unreasonably difficult for the nation’s credentialed researchers to easily access it, let alone an individual or group looking to use that data for nefarious reasons — would be anywhere near suitable enough for Census data to give privacy advocates peace of mind. Even then, the fact that the database exists at all is likely to leave a sour taste in the mouth of many. There’s simply no way to retain such a valuable slice of personally identifiable information in a way that won’t upset the majority of people aware of its retention.
On The Drum, the Institute for Public Affairs’ Chris Berg says that the safest way to protect data is not to collect it at all. The government’s own Office of the Australian Information Commissioner says that personal information that is not collected or is not stored cannot be mishandled. The Australian Privacy Foundation says that the ABS doesn’t have the authority to compulsorily collect name data. Liberty Victoria says that the usage of the dataset may creep over time, with more and more agencies allowed access — and more opportunity for that data to be breached, mishandled or otherwise accessed by illegitimate parties.
The ABS says that it has always been completely transparent about its plans to retain personally identifiable information this Census, and the privacy impact assessment has been available on its website since the middle of December last year. But it took nearly four months for that fact to become widely discussed, and even then, the most effective and outspoken campaigns against the Census have only been to suggest civil disobedience and the fuzzing or faking of useful or personally identifiable data. That’s not good for the ABS.
Census data can easily be faked, since the system is almost entirely honour-based — and in 2016, a majority-online census is easier to fool than ever, with less consequence for doing so. People love making things up on the internet. This will damage the reliability of the data, and negatively affect the quality of services that government might decide to provide based on that information — more so than not even having the extra layer of personally identifiable data in the first place. If the suggestion is that the best way out of having your data inevitably stolen is that you fake that data for this year’s Census, then the Australian Bureau of Statistics has shot itself in the foot.