Privacy Perspectives | Lessons learned from Australia's '#CensusFail'



On the other side of the world from our main office here in Portsmouth, NH, a nation-wide privacy issue has hit Australia. Like the U.S., which is due for its census in just four years, the country from down under (depending on where you're standing) is holding its census this year. This week, Tuesday night – yesterday – was the big night. But things didn’t go so well.

For the first time, the Australian Bureau of Statistics hosted its census online on August 9. As the ABS pointed out in a series of videos educating citizens about the census, it was meant to be a “time to pause and play a role in shaping the future of Australia.” Why one night? That’s because they want a snapshot of the country to help distribute government funds to determine what’s needed for infrastructure – like roads, parks, schools, or hospitals. 

The agency clearly thought about getting some good PR out there. The ABS released four family-friendly, easy-to-understand videos of why they’re doing the census, including one specifically on privacy. They said no personal information would be shared with courts or tribunals or with third-party advertisers, and that, after four years, all names and addresses would be deleted. “Because we take your privacy very seriously,” the ABS video notes, “you can have full confidence that nothing will ever be exposed.”

Well there you have it: We take your privacy seriously, so don’t worry about it!  

But that’s the thing: People do worry about their privacy and have seen enough in the news, and perhaps have experienced a privacy breach in their own lives, to know that just promising, “we protect your privacy,” is simply not enough.

That’s why, in recent weeks, privacy advocates and some lawmakers have been expressing concerns about the potential privacy and security issues with the new census. Some senators – notably South Australian Sen. Nick Xenophon as well as other Green senators – have even said they were not going to fill out the government-mandated form. Others pointed out that the ABS and IBM – the company supplying the technology – were unprepared for Tuesday night’s census. Think about it: The ABS expected 65 percent of its 24 million-person population to go to its website and fill out the form. That's a lot of web traffic! 

Australian Privacy Commissioner Timothy Pilgrim was on alert as well. Though he stopped short of saying the database would never be breached, he said – before the census – that his office had worked with ABS closely and that he was “generally satisfied” they were “using good standards to protect that information.”

It turns out the doom-sayers were right: Census night didn’t go well at all. The site itself went down Tuesday from a number of alleged denial of service attacks. The "#CensusFail" hashtag trended on Twitter, and, by Wednesday, Pilgrim announced the OAIC is investigating the incident. “My first priority is to ensure that no personal information has been compromised,” he stated.

Of course, Australian Prime Minister Malcolm Turnbull and other government officials moved immediately to stop the bleeding. Turnbull assured citizens "that their data is safe" and that the site was taken down "out of an abundance of caution." Treasurer Scott Morrison said, "There is no compromise of integrity of the information. There is no need, for any statistical reason, for a re-run of this census." But others, like former NSW Deputy Privacy Commissioner Anna Johnston, said the results should be scrapped.

With so much planning, a PR campaign, and analysis by Privacy Commissioner Pilgrim, it seems like the ABS checked all the right boxes. What could the ABS have done differently?

In terms of planning, maybe nothing. We've seen in cases like inBloom that even attempts at full transparency, sometimes presented as a silver bullet, can lead to an organization's downfall. All of a sudden, you've got a target on your back. In this case, the ABS telling people "we promise to protect your privacy" might have been intended to set people at ease, but it may be the case that there have been too many massive breaches, leaks, and cyberattacks for anyone to feel that a promise is worth much at all. And the very statement was probably seen as a challenge to your average activist hacker. 

Perhaps the ABS didn't do enough outreach to educate Australian citizens. Perhaps the marketing could have been a touch more realistic. But perhaps working online with personal data is so difficult that even the best laid plans don't always work out. 

One of the biggest concerns was the change in data retention. For the first time, the ABS plans to keep names and addresses for four years instead of 18 months. They argue it will help them better align government services, but it does fly in the face of the data minimization principle and only increases the potential risk of breach. Planning for bad things to happen seems prudent at this point as part of any massive online product launch.

There are clearly benefits from conducting the census online. It could save taxpayers upwards of $100 million, limit the environmental impact from all the printed paper, and, in theory, provide a more accurate snapshot for gauging the data.

It makes sense that the government would want everyone to fill out the forms in one day, but that creates so much traffic. It's not surprising their system went down. It also made the census an easy target for moderately sophisticated adversaries. True, it doesn't appear that data was compromised, but a simple DDoS attack - from, say, protesters - is a simple way to bring the whole project down. This will be something for other organizations to think about when unrolling new services and sites. 

There is hope for the ABS's project, and I think being able to conduct important government/citizen business online is something we need to work through and establish in a sophisticated and secure manner. In the U.S., the initial roll out of was an utter disaster. With time, though, it's become a viable, usable, and important site for citizens applying for health insurance. 

Other government organizations are also learning the hard way that cybersecurity and the privacy of information is paramount. The hacks of the Democratic National Committee in the U.S. could play a major role in determining the next president. More ominously, democratic countries around the world are moving toward electronic voting systems. Just imagine the issues arising from a hacked election. 

The march toward a more digitized world is seemingly ineluctable, but incidents like Australia's census should serve as an important lesson for designing for and educating citizens and consumers about these services. The benefits are real, but so are the harms. 

 Top images courtesy of the ABS website

1 Comment

  • Lyn Boxall • Aug 10, 2016
    I'd note that there are a few more factors to know about this census from a privacy perspective.  To set the scene, my husband and I are Australian citizens, but have lived in Singapore for nearly 20 years.  By chance, my husband was in Australia on Tuesday night.  And he's pretty aware of privacy and information security because that's the work I do so it's not an infrequent topic of conversation.
    First, there was a lot of paper.  A paper form was delivered to every address a few days ahead of the census day.  But where there was no one home, and at least for rural properties with no letter box, the form was simply stuck on the front gate or front door.  The paper form, flapping in the breeze, was easily visible when driving past.  Every passerby was thereby told that there was no one home.  My husband arrived at our property on Sunday, so its emptiness was obvious to passersby for only a few days.  But sometimes there's no one there for several weeks.
    Second, and not a privacy issue but merely silly, the census questions make no allowance for the fact that someone required to answer them might not be living in Australia.  My husband as well as all foreign tourists and visiting business people were faced with a perplexing list of questions about what they'd done the previous week, for example.  Surely, all the census needed to know about visitors was (1) that they were a visitor and (2) maybe their home country, length of visit and whether it was for business or pleasure - though this is all on their immigration cards too, so why collect it again?
    Third, each census form delivered had a serial number printed on it.  This was supposed to be entered into the online portal.  If its purpose is to make sure that all census forms were complete then that's fair enough.  If that's the purpose, it wasn't explained.  (If it was explained in the publicity campaign leading up to the census that was useless for someone who'd only arrived in the country a few days earlier.  I suppose it might also assume that 100% of people in Australia watch TV regularly so that the publicity reaches them.)
    Fourth, there was a so-called 'tracking code'.  Its purpose was explained to be to enable the government to monitor changes in information given by the individual.  Information included things like how many hours they worked on a particular day, what they received in social service benefits and that kind of thing.  It's a mystery to me how some of this could be tracked; other parts of it could presumably be tracked through government records but I don't imagine that would be the expectation of most people or that they'd understand from the explanation that this was going to be done.  There was no opt out allowed for any of it, by the way.
    Fifthly, a true census is a snapshot.  As soon as it is confirmed that a household has completed it, the data could and should be anonymised.  Tracking changes in behaviour for four years is inconsistent with the purpose of a census and misleading to the average individual.
    Finally, of course, the completed census for each individual included all the information needed for identity theft.  Having heard from press reports that the website had been hacked, my husband decided not to use it.  Instead, he will complete the form in hard copy and post it by snail mail.  I'm sure many others will do the same.  Of course, the flaw in that approach is that the data will be input by someone else into the same IT system and so he will achieve little or nothing from an information security perspective.
    One wonders how 'the powers that be' could have got it all so wrong.  Privacy laws in Australia have applied to the government since 1988 so there's really no excuse.