The 2016 Australian Census is a privacy nightmare and it needs re-tooling, fast.
Just before Christmas 2015, the Australian Bureau of Statistics quietly released some interesting news about the 2016 census. Unlike prior surveys, in which it was optional to connect your identifying information (especially your name and address) to your census responses, this year identifying information will be collected and stored for all Australians. Like it or not, every piece of information you give to the ABS this year will be stored and connected to your name. In perpetuity.
Nobody really noticed this pre-Christmas announcement and it’s only been in the past week or two that this news has filtered through to the media at large. As you can imagine, this has caused some consternation among those who value privacy. It has also made people who value the census rather concerned because there is a real risk that when people realise their census responses — which include household income and religion — will be able to be traced back to them whether they want it or not, they will fill their census form with garbage data. In the wake of the past few years of revelations about government data matching, citizens are rightly worried about the privacy implications of this change.
Anecdotes are not evidence, but the people I’ve spoken to largely intend to lie on their census forms in response to what seems like blatant and unwarranted encroachment into their privacy.
Government agencies rely on census data for a range of things, not least of which is in deciding which areas of the country require provision of essential government services. Good census data is important.
So it came as a shock to me when I discovered this week that the ABS is planning to push the vast majority of the country away from paper forms and onto an online version of the census. When I asked around, almost nobody seemed aware of this fact — again the implications haven’t really made the press.
The push towards online provision is not, on its own, particularly worrying. In fact, it will allow the census to be conducted in a way that will save untold millions of sheets of paper, and will provide reductions in the cost of administration. Sending people to 10 million households to drop off and collect census forms is expensive.
The concern comes when viewed in connection with the compulsory matching of personal data to census responses. The 60–80% of people who the ABS believes will be able to fill in the census online will now risk having their IP addresses (and everything else that goes along with their HTTP headers) matched with that personal data. You might be able to put a fake name on your census form, but unless you know how to mask your IP address you’re going to be matched with your data anyway. Even with a dynamic IP address, your ISP knows who you are and the government will be able to work out your identity via your metadata (which ISPs are now forced to record) if it really wants to do so.
The risk however does not stop with the government. On census night up to 8 million individual web browsers will send the personal information of up to 20 million Australians over the web and write that information to a database that must, by design, be in some way open to the internet at large. Even if we assume the Australian government can engineer a system capable of handling so many concurrent connections (and it is reasonable to have doubts about this), the honeypot of information about individual Australians will surely be an attractive target to a wide range of malicious actors.
If you’re the kind of person who values your privacy, the obvious response is to boycott the census entirely. This is not something I advocate, given the importance of the census. There is also a fine of $170 a day (according to the nice person I spoke to at the ABS yesterday) for each day that passes with your census not completed. Civil disobedience may come at a price.
To ensure faith in the collection of the census, and faith in the privacy of personal information, the collection of identifying data must be scrapped. Continuing down the current path risks the integrity of the census and the destruction of the value of information it produces.
The census is in August. The government and the Australian Bureau of Statistics have a responsibility to make these changes. Now.
If you have concerns about the 2016 Australian Census, I urge you to contact the Australian Bureau of Statistics and let them know. Here’s where you can do so.
Ross Floate works in Melbourne at Floate Design Partners helping clients build sustainable digital capabilities, better products, and damned fine publications.