The 2016 Census Will Keep Your Name And Address

The 2016 Census Will Keep Your Name And Address

Opinion: In case you haven’t heard, this year’s Census will not be anonymous. When you fill out the 2016 Australian Census questionnaire — if you don’t somehow avoid it or refuse to take part — your name and address will be linked for the first time to other, previously anonymised data like your status of employment, education and personal health. The Census on the night of August 9th will be conducted almost entirely online, too — so get used to your personal data being transferred around the ‘net.

The previous Census, conducted in 2011, was able to be completed online — the eCensus was relatively popular among Australians, with one third of the population completing it online up from a mediocre 10 per cent in 2006. In 2016, the Census will be conducted majority digitally — although a paper form is an option if requested. Private dwellings around the country will be allocated a unique code by mail “to the resident”, and instructed to visit a website and fill the Census out digitally.

The switch to an online Census makes it $100 million cheaper than the traditional paper questionnaire, which required 65 million sheets of paper and tens of thousands of temporary staff to deliver forms to households, and the digital format means it can be completed equally easily by mobile device, tablet or on a laptop or desktop PC. The Census process itself will be protected by 128-bit SSL, compliant with the government’s Defense Signals Directorate information security manual and on par with the security levels of the banks that Australians trust their personal income and savings to. But it’s not the security of the collection that is in question — it’s how that data will be protected after its collection. It will be retained until at least mid-2020.

The case made by the Australian Bureau of Statistics for retaining personally identifiable data is, in abstract, perfectly reasonable and justifiable. A “richer and dynamic statistical picture of Australia” might sound boring, but it’s an extra layer of information that makes it invaluable to university and private sector researchers looking to investigate things like the correlation between the correlation of the provision of mental health services and geographical location and employment status, or the effect of the closing of Australia’s automotive industry on full-time manufacturing workers in Victoria and South Australia. Even the cost of running future Censuses or of planning public policy can be lowered with a more accurate profile of every Australian individual.

But the price of that accuracy is the fact that the information will be even more valuable to illegitimate users than it will be to government agencies and statisticians. Even the widespread public acknowledgement that this trove of priceless personally identifiable information exists is almost reason enough to halt its collection. If anyone that wants the data that does not already have sanctioned access to it — hackers, if you want to use such a broad term — gets a hold of even a cross-section of personally identifiable Census data, the implications could be phenomenally damaging for Australians.

Any suggestion of how this might happen is conjecture. But the past shows us that this does happen, and the effects can be wide-ranging and life-altering. Nearly 40 million Ashley Madison users had their potential infidelity publicly displayed, leading to suicides. Kmart and David Jones leaked customer names, order details and email addresses. In the US, over 20 million Social Security numbers — a unique national identification key used for taxation, employment and personal credit — were compromised, likely by Chinese hackers. The Australian government even posted the personal details of nearly 10,000 asylum seekers online. If your name and address, tied to your employment status and your level of education and the number of people in your household and your yearly income and the number of cars you own, were shared, it could mean identity fraud on a massive level.

Consider the widespread use of stock-standard security questions around the internet. What was the street you grew up on? What’s your mother’s maiden name? What was the name of the first school you went to? With the rise of the amount of easily accessible and personally valuable data we voluntarily share on Facebook already, honestly answering these questions is not a good idea in the first place, but if there was a government-sanctioned and register of this information — a Census in which “every household must participate” — those questions become even less useful. Potentially — for users that have answered them legitimately, as well as the Census — they become a vector for personal and private and valuable information (emails, Facebook, LinkedIn, MyGov) to be accessed and stolen.

Only a system that is competely air-gapped, firewalled, multi-factor authenticated, cut off from the internet, restricted to only a select white list of authorised devices — in other words, obfuscated and made so ineffective in such a way as to make it unreasonably difficult for the nation’s credentialed researchers to easily access it, let alone an individual or group looking to use that data for nefarious reasons — would be anywhere near suitable enough for Census data to give privacy advocates peace of mind. Even then, the fact that the database exists at all is likely to leave a sour taste in the mouth of many. There’s simply no way to retain such a valuable slice of personally identifiable information in a way that won’t upset the majority of people aware of its retainment.

On The Drum, the Institute for Public Affairs’ Chris Berg says that the safest way to protect data is not to collect it at all. The govermnent’s own Office of the Australian Information Commissioner says that personal information that is not collected or is not stored cannot be mishandled. The Australian Privacy Foundation says that the ABS doesn’t have the authority to compulsorily collect name data. Liberty Victoria says that the usage of the dataset may creep over time, with more and more agencies allowed access — and more opportunity for that data to be breached, mishandled or otherwise accessed by illegitimate parties.

The ABS says that it has always been completely transparent about its plans to retain personally identifiable information this Census, and the privacy impact assessment has been available on its website since the middle of December last year. But it took nearly four months for that fact to become widely discussed, and even then, the most effective and outspoken campaigns against the Census have only been to suggest civil disobedience and the fuzzing or faking of useful or personally identifiable data. That’s not good for the ABS.

Census data can easily be faked, since the system is almost entirely honour-based — and in 2016, a majority-online census is easier to fool than ever, with less consequence for doing so. People love making things up on the internet. This will damage the reliability of the data, and negatively affect the quality of services that government might decide to provide based on that information — moreso than not even having the extra layer of personally identifiable data in the first place. If the suggestion is that the best way out of having your data inevitably stolen is that you fake that data for this year’s Census, then the Australian Bureau of Statistics has shot itself in the foot.


  • Just look up “de-anonymization” for an indication of how this can be easily misused.

  • Attention: George Orwell – Big Brother is alive and well.

    I’m not opposed to the census in general as it does help in planning Gov’t direction, etc. What really gets up my nose is, as discussed above, the non-anonymisation (is there such a word?) and storage of identifiable personal data.

    While this sort of data has been kept for ages (Mrs Magani uses the UK census data from the 19th Century for genealogy), in an age of paper records, this can be kept under control rather easily. With digital records, this is far less easy and an air-gapped system is probably the closest we can get.

    Just as an aside, if you decide to go the obfuscation route, I would most humbly suggest you obfuscate your IP as well. They wouldn’t keep that, surely…

    • I was orininally thinking i wonder if i can shred the census and had that in, i wasn’t aware it was digital this year, although i suppose i can always request a paper form, or perhaps instead of shredding just redact the data.

      In the case of digital i reckon fill it in via VPN, and for any text input answers, hash the data, although i take it the mailed out code will link to the address, so it will still be trackable to you anyway.

      What is your name: 71bfdc95a0fe38174f949e390acb1e5fccad78f40073e476c7bfea28a690bc731a9eeba51fbeee9e05a926a0ac726a80b3147c419ca0eccf8d1412f48942114d

      What is your address: e2fa84ec843205c409e0689a8dc2a1c5a55d75a8ca80d88d3f8629b1aeedffed6a7af88f713cf16b58556b588cecc6fc8c37832659baed9aab545118917c57c7

      What is your religion: 4ad35c2d3a1754661ca16b5b6719dde12c0779631b2c847e709b553c5b4e81e1697ced07c3890e7b18a3321fea3494742b698a523138807548d7c70b92ac7038

      Actually i just realised, they would need to know who filled it in and who didnt in order to fine those that didn’t. So if your going to anonymise the data then you may as well not bother at all and just pay the fine.

      They can shove that into their algorithms and smoke it.

  • There will be data matching and sharing between departments, all it needs is a ministerial letter, it doesn’t even need a vote in the house.

    CES records will be matched to Tax and the census to look at marital status and spouse employment. MyHealth records will be matched to the census to look at mental health, sexual health and others.

    the correlation of the provision of mental health services and geographical location and employment status

    And soon enough some public servant will maybe even be framing questions like:

    Give me the names of all married people who are on the dole
    Give me the names of all gay people with AIDS
    Give me the names of all people earning over $100,000 who have a mental illness
    Give me the names of all people born in 1960 who have less than 500,000 in their super
    Give me the names of single parents who voted Liberal

  • I can see this census not only having a large Jedi population, but showing that Skywalker has become a very common surname… really, I have no idea why they thought it was a good idea. They may get a bunch of data back from it, but a great deal of it will be BAD data.

    As for IP anonymisation, you can just fill it in from work or public wifi. No VPN or anonymisation service necessary.

  • One day, after we are all long gone, maybe we’ll take comfort knowing our great, great grandchildren might be able to know what our lives were like back in 2016 when they research their family history.

Show more comments

Comments are closed.

Log in to comment on this story!