Census privacy risks are not what they seem

Australians are discovering that next Tuesday's 2016 Census of Population and Housing will collect their names and addresses, and keep them associated with the data for four years. The Australian Bureau of Statistics also plans to pull in data from elsewhere and add it to people's individual census records.

Australians are not happy. There are even calls to boycott the census, despite that making you liable for fines of up to AU$180 per day for not complying -- though admittedly those fines are rarely enforced.

It's hardly surprising that ordinary citizens fear for their privacy. Things like the mandatory retention of telecommunications data are abstract, and invisible. But the ritual of Census Night makes it real. Every Australian has to write a big slab of personal information onto a census form and hand it to a government official knocking at their door. Or, as is being heavily encouraged this time, type it directly into a government computer.

Technologically-aware citizens might well worry about the security of that data entry, or worry that hackers could steal everyone's census data in one go, as happened with the massive data theft from the US Office of Personnel Management (OPM).

Older or more historically-aware citizens might well worry about the potential for census data to be misused by some future, more oppressive government. Nazi Germany and the Holocaust is the traditional example, but there was also America's internment of Japanese-Americans during World War Two.

And citizens with more detailed knowledge of the census and the laws that enable it, such as former Australian Statistician Bill McLennan, might be even more blunt.

"This, without doubt, is the most significant invasion of privacy ever perpetrated on Australians by the ABS," McLennan wrote in a paper [PDF] for the Australian Privacy Foundation.

"I'd expect that a large proportion of Australians, if they really understood what is proposed, wouldn't want their personal information used in this way."

McLennan even said that the ABS demanding names and addresses in this way might even be illegal.

Electronic Frontiers Australia (EFA) has published a comprehensive summary of the concerns, and a guide to how citizens might respond.

Personally, I think the technical risks to privacy are overblown.

A screenshot has been circulating on Twitter, purporting to show that the census website uses the outdated SHA1 algorithm for SSL encryption, but that's for the sub-domain help.census.abs.gov.au.

On the key domain census.abs.gov.au, tests by ZDNet on Sunday showed that the only significant problem was a lack of Perfect Forward Security (PFS). Not ideal, but the score of A- is good enough for this application.

Besides, picking off census forms one by one as they're being filled in isn't exactly an effective strategy for data theft.

As for bulk data theft, the ABS' track record is vastly better than the OPM, which had failed to implement the recommendations of security audits for years.

A 2014 report by the Australian National Audio Office (ANAO), Cyber Attacks: Securing Agencies' ICT Systems, found that in November 2013 the bureau's protection against external attacks was at least as good as the Department of Human Services (which includes Centrelink), the Department of Foreign Affairs and Trade (DFAT), and the Australian Taxation Office (ATO).

While the ABS was lacking some external protections back in 2013, its internal controls were good enough to get the bureau rated as "Internally Secure". The ABS now claims that it's rated in the "Cyber Secure Zone".

That doesn't mean things are perfect. In 2015, two ABS employees were jailed for using unpublished data in an insider trading scam. But by law the ABS is required to keep data "secret". If the bureau does supplement its trove with external data, that data can only come in, not go out.

"The Census and Statistics Act 1905 ensures that Census data is never released in an identifiable form, or released to any court, tribunal or any other agency. This will not change," says the Census website.

"Other government agencies, private agencies and direct marketing companies will not have access to personal information that you provide on the Census form. This is protected by law."

As far as privacy goes, census data is better protected than your income tax return or Centrelink claims, both of which can easily be accessed by other government agencies. But that said, the ABS has reported 14 data breaches since 2013.

Now the more paranoid amongst you might also wonder whether our national security agencies can access census data, legitimately or by other means. You will not be reassured by an exchange on ABC Radio 702 Sydney on July 21 between morning presenter Wendy Harmer and a caller identified only as "Luke".

HARMER: You've seen this data in use, have you Luke?

LUKE: Yeah I have.

HARMER: Yeah who do you work for?

LUKE: I used to work for the Department of Defence.

HARMER: Yes, Department of Defence, yes, and how they use the census data in this way?

LUKE: Um, it's all linked.

HARMER: It's what, sorry? All linked?

LUKE: Yeah.

HARMER: So we're, we're, they know everything about us already?

LUKE: Yes.

HARMER: So is there any point worrying about this?

LUKE: No.

We have no way of knowing whether any of this is true, of course, or even if "Luke" has ever worked for Defence. But such data access would not be inconsistent with my own understanding of how such things might work. Nor would it be a new thing.

This does raise one of my pet gripes, that boundaries between national security and everyday law enforcement are constantly being eroded. Resources and surveillance techniques that were once reserved for existential threats to the nation are increasingly used for straightforward criminal matters -- but that's another story, back to the matter at hand.

According to McLennan, "In large measure, the public has not been consulted about this significant escalation of privacy intrusion".

Nor have privacy advocates been consulted, he said, even though a similar proposal for the 2011 Census was rejected by the then Australian Statistician due to privacy concerns and the possibility of "significant public backlash".

"Not surprisingly this topic has gone viral on the internet, and one thing is certain from these comments, informed Australians are not amused," McLennan wrote.

Meanwhile the ABS has waved away concerns, claiming that "your data is always safe and secure with us", which they can't possibly guarantee, and making the illogical claim that "sexual orientation isn't a topic on the Census form, but we do ask what relationship you are in with others in your household".

Australians have trusted the ABS over the years, but now they're losing that trust. People will be reluctant to fill in the form, more likely to lie. And that in turn poisons the very data that this exercise was trying to purify.

I won't be boycotting the census. But the ABS, and the elected politicians who are meant to oversee it, need to lift their game.

Update 5 August 2016: Edited to correct an error in describing the ANAO ratings.