There are serious privacy concerns with the forthcoming Australian census.
The Australian Census is Australia's biggest survey. Conducted every five years by the Australian Bureau of Statistics (ABS), it asks a range of questions of all 10 million households and 24 million people. The results are intended to guide government policy over the next few years.
Unfortunately, there have been some significant changes for the 2016 census that may have a negative impact on security and people's privacy. The ABS seems to be ignoring these concerns.
What questions are asked?
Questions cover a wide range of topics, including race, ancestry, religion, salary range, type of work, workplace address, home ownership, rent or mortgage repayments, number of children and so on.
Retention of names and addresses is, for the first time, compulsory. In previous censuses, Australians had to opt in for their names and addresses to be retained. Even then, after 18 months names and addresses were destroyed. Now all names and addresses will be kept for at least 4 years.
You can't avoid this by failing to fill in the form or even putting in false information. Delayed forms are subject to $180/day in fines, and there is also a fine for providing incorrect details.
Unsurprisingly, many individuals and privacy organisations are extremely unhappy about this change.
There are a number of important concerns with the retention of names and addresses.
There is significant potential for direct abuse by government employees. Large numbers of employees may have access, and the longer the data is kept, the more people will have had an opportunity to access it.
A related concern is data matching with other government databases, which having names and addresses collected enables. The ABS claims that "individuals' names will [...] be substituted with a linkage key, a computer generated code, completely anonymising the personal information". This is not very reassuring, because as long as names and addresses are retained with their linkage keys, any individual can be identified.
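To illustrate the point about linkage keys, here is an added example (not ABS code; the keyed-hash scheme, field names and records are my assumptions and the records are constructed, fictitious data). Substituting a linkage key for name and address only pseudonymises the data: whoever holds the retained key-to-identity table, or the secret used to derive the keys, can identify any individual, and the link is broken only once both are destroyed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed, fictitious records in the spirit of census answers (not real data).
RECORDS = [
    {"name": "Alex Citizen", "address": "1 Example St, Exampleville", "religion": "none", "income_band": "C"},
    {"name": "Sam Resident", "address": "2 Sample Rd, Sampletown", "religion": "Buddhist", "income_band": "E"},
]
DIRECT_IDENTIFIERS = ("name", "address")


def linkage_key(name: str, address: str, secret: bytes) -> str:
    """Hypothetical linkage key: a keyed hash (HMAC-SHA256) of the normalised name and address."""
    ident = f"{name.strip().lower()}|{address.strip().lower()}".encode()
    return hmac.new(secret, ident, hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], secret: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Replace name/address with a linkage key, while retaining the key -> identity table."""
    pseudo, retained = [], {}
    for r in records:
        key = linkage_key(r["name"], r["address"], secret)
        retained[key] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        pseudo.append({"linkage_key": key, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return pseudo, retained


def reidentify(pseudo_record: Dict, retained: Dict[str, Dict]) -> Optional[Dict]:
    """Anyone holding the retained table recovers the identity with a single lookup."""
    return retained.get(pseudo_record["linkage_key"])


def answers_for(name: str, address: str, secret: bytes, pseudo: List[Dict]) -> Optional[Dict]:
    """Anyone holding only the secret can recompute a known person's key and fetch their answers."""
    key = linkage_key(name, address, secret)
    return next((p for p in pseudo if p["linkage_key"] == key), None)


def demo() -> Dict[str, Optional[Dict]]:
    secret = secrets.token_bytes(32)
    pseudo, retained = pseudonymise(RECORDS, secret)
    with_table = reidentify(pseudo[1], retained)                                     # identity recovered
    with_secret = answers_for("Sam Resident", "2 Sample Rd, Sampletown", secret, pseudo)  # answers recovered
    retained.clear()            # only destroying the table (and the secret) makes the key unlinkable
    after_destruction = reidentify(pseudo[1], retained)
    return {"with_table": with_table, "with_secret": with_secret, "after_destruction": after_destruction}
```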
Also, governments are not known for secure IT systems, and it is quite likely that the data will be leaked at some point. This would make all Australians potential victims of identity theft.
ABS privacy assessment
The ABS made their own privacy impact assessment. They "identified a small number of potential risks to personal privacy associated with the retention of names and addresses from responses to the 2016 Census, but concluded that in each case the likelihood of these risks eventuating was ‘very low’".
Their internal assessment is unconvincing, and only an audit by an experienced external security organisation could be expected to provide a realistic assessment.
Compounding the privacy issues is that the census will be filled in on-line by most people. So a treasure-trove of information on all Australians will for the first time have a degree of exposure to the Internet. Naturally, the ABS sees no issue with this, as it will save them a considerable amount of money compared to paper forms. But given the enormous amount of personal information on almost all Australians, it will be a tempting target for cyber-criminals.
It turns out that the census website still supports SHA-1, a hash algorithm that has been considered broken for some time. This is understandable, as it is required by older versions of some web browsers, but it does make the site more vulnerable.
There is little justification for the retention of names and addresses in the 2016 Australian census. The potential problems are serious. This requirement should be immediately discarded prior to census night on 9 August 2016.