On the other side of the world from our main office here in Portsmouth, NH, a nationwide privacy issue has hit Australia. Like the U.S., which is due for its census in just four years, the country down under (depending on where you're standing) is holding its census this year. This week, Tuesday night – yesterday – was the big night. But things didn’t go so well.
For the first time, the Australian Bureau of Statistics hosted its census online on August 9. As the ABS pointed out in a series of videos educating citizens about the census, it was meant to be a “time to pause and play a role in shaping the future of Australia.” Why one night? Because the ABS wants a single snapshot of the country to determine what’s needed for infrastructure – like roads, parks, schools, or hospitals – and to distribute government funds accordingly.
The agency clearly thought about getting some good PR out there. The ABS released four family-friendly, easy-to-understand videos of why they’re doing the census, including one specifically on privacy. They said no personal information would be shared with courts or tribunals or with third-party advertisers, and that, after four years, all names and addresses would be deleted. “Because we take your privacy very seriously,” the ABS video notes, “you can have full confidence that nothing will ever be exposed.”
Well there you have it: We take your privacy seriously, so don’t worry about it!
But that’s the thing: People do worry about their privacy and have seen enough in the news, and perhaps have experienced a privacy breach in their own lives, to know that just promising, “we protect your privacy,” is simply not enough.
That’s why, in recent weeks, privacy advocates and some lawmakers have been expressing concerns about the potential privacy and security issues with the new census. Some senators – notably South Australian Sen. Nick Xenophon as well as other Green senators – have even said they were not going to fill out the government-mandated form. Others pointed out that the ABS and IBM – the company supplying the technology – were unprepared for Tuesday night’s census. Think about it: The ABS expected 65 percent of its 24 million-person population to go to its website and fill out the form. That's a lot of web traffic!
Australian Privacy Commissioner Timothy Pilgrim was on alert as well. Though he stopped short of saying the database would never be breached, he said – before the census – that his office had worked with ABS closely and that he was “generally satisfied” they were “using good standards to protect that information.”
It turns out the doom-sayers were right: Census night didn’t go well at all. The site itself went down Tuesday following a number of alleged denial-of-service attacks. The "#CensusFail" hashtag trended on Twitter, and, by Wednesday, Pilgrim announced the Office of the Australian Information Commissioner (OAIC) was investigating the incident. “My first priority is to ensure that no personal information has been compromised,” he stated.
Of course, Australian Prime Minister Malcolm Turnbull and other government officials moved immediately to stop the bleeding. Turnbull assured citizens "that their data is safe" and that the site was taken down "out of an abundance of caution." Treasurer Scott Morrison said, "There is no compromise of integrity of the information. There is no need, for any statistical reason, for a re-run of this census." But others, like former NSW Deputy Privacy Commissioner Anna Johnston, said the results should be scrapped.
With so much planning, a PR campaign, and analysis by Privacy Commissioner Pilgrim, it seems like the ABS checked all the right boxes. What could the ABS have done differently?
In terms of planning, maybe nothing. We've seen in cases like inBloom that even attempts at full transparency, sometimes presented as a silver bullet, can lead to an organization's downfall. All of a sudden, you've got a target on your back. In this case, the ABS telling people "we promise to protect your privacy" might have been intended to set people at ease, but it may be the case that there have been too many massive breaches, leaks, and cyberattacks for anyone to feel that a promise is worth much at all. And the very statement was probably seen as a challenge to your average activist hacker.
Perhaps the ABS didn't do enough outreach to educate Australian citizens. Perhaps the marketing could have been a touch more realistic. But perhaps working online with personal data is so difficult that even the best laid plans don't always work out.
One of the biggest concerns was the change in data retention. For the first time, the ABS plans to keep names and addresses for four years instead of 18 months. The ABS argues this will help it better align government services, but it flies in the face of the data minimization principle and only increases the potential impact of a breach. Planning for bad things to happen seems prudent at this point as part of any massive online product launch.
There are clear benefits to conducting the census online. It could save taxpayers upwards of $100 million, it limits the environmental impact of all that printed paper, and, in theory, it would provide a more accurate snapshot of the country.
It makes sense that the government would want everyone to fill out the forms in one day, but that concentrates an enormous amount of traffic into a few hours. It's not surprising their system went down. It also made the census an easy target for moderately sophisticated adversaries. True, it doesn't appear that data was compromised, but even a basic DDoS attack – from, say, protesters – is enough to bring the whole project down. This is something other organizations should think about when rolling out new services and sites.
There is hope for the ABS's project, and I think being able to conduct important government/citizen business online is something we need to work through and establish in a sophisticated and secure manner. In the U.S., the initial rollout of Healthcare.gov was an utter disaster. With time, though, it's become a viable, usable, and important site for citizens applying for health insurance.
Other government organizations are also learning the hard way that cybersecurity and the privacy of information are paramount. The hacks of the Democratic National Committee in the U.S. could play a major role in determining the next president. More ominously, democratic countries around the world are moving toward electronic voting systems. Just imagine the issues arising from a hacked election.
The march toward a more digitized world is seemingly ineluctable, but incidents like Australia's census should serve as an important lesson for designing for and educating citizens and consumers about these services. The benefits are real, but so are the harms.
Top images courtesy of the ABS website.