Australia Card Mark 3: Surprise! Without justification we will be collecting biometric data to create one centralised identity for each and every one of you and we will be retaining your metadata for an indefinite period at our discretion

The Turnbull Government received the Commonwealth Digital Transformation Agency (DTA) preliminary report, Initial Privacy Impact Assessment (PIA) for the Trusted Digital Identity Framework (TDIF) Alpha, in December 2016.

The origin of this particular digital identity proposal was a recommendation by the Financial System Inquiry set up by then Treasurer Joe Hockey in December 2015, with an inquiry committee dominated by representatives of banks and the financial services sector.

This preliminary Privacy Impact Assessment is the latest step in establishing a single digital identity for each and every Australian citizen, with all the same privacy and security risks as the formerly proposed Australia Card and Access Card.

It is proposed that an individual’s digital identity information will initially be made available to federal government departments/agencies and later to state government departments/agencies that apply to join the TDIF.

As yet there is no underlying legal authority for the Trusted Digital Identity Framework, much of the security arrangements for this framework are apparently not yet developed and a full independent risk assessment has either not been completed to date or is not publicly available.

Cross-border data transfers of personal information held on Australian citizens may occur under this framework.

It is expected that complaints and correction requests may cause some difficulties in the TDIF because multiple participants may each hold part of the relevant data and responsibility for dealing with complaints and corrections may be difficult to determine.

On 24 March 2017 The Canberra Times reported:

The federal government is experimenting with a system that would allow Australians to use selfies to log onto Centrelink, Medicare and other Commonwealth services.

Prime Minister Malcolm Turnbull's digital re-invention agency is designing a system that would use "bio-metric" facial recognition technology to allow easy log-ins while protecting accounts from identity thieves.

The Digital Transformation Agency insists that no collection or data base of images would be built, the system would be voluntary and the strictest privacy safeguards would be in place.

But privacy activists are worried the idea is simply a high-tech version of the unpopular "Australia card" plan, resurrected more than 20 years after the national ID scheme was dumped.

The government is determined to improve to access to its services online, to save time and money, and to step-up the automation of many of its core activities, particularly in the expensive health and welfare sectors.

But security and privacy has been a huge issues, with many of the problems associated with the much-maligned myGov portal put down to the complex and glitch-prone log-in protocols……

A user of the proposed new system, after establishing their account, would log-in by scanning their traditional forms of ID and as a fail-safe against hacker and identity thieves, take a selfie and upload it from their mobile, tablet or computer.

Central [to] the architecture of the scheme would be an online "identity exchange", a portal that would confirm to a government agency, Centrelink for example, that a user's identity had been verified and cleared to use their account but would not supply the photo or any other data used to make the confirmation.

But talks with "stakeholders" including state and federal privacy authorities as well as online privacy campaigners, have begun to reveal the full complexity of the privacy problems facing the TDIF.

Many of those consulted were surprised they had not already heard of such a game-changing project  and questioned the motivation for the decision.

"Stakeholders queried whether due consideration had been given to the failure of previous centralised models in the Commonwealth identity field, such as the Australia Card and the Access Card," Galexia reported.

There were worries that various parts of the system "would obtain, over time, a large and rich source of personal data that will be attractive to third parties for surveillance...or subject to external attack (e.g. hackers), and  or subject to accidental breach."

"The consequences of surveillance or a breach were likely to be significant," Galexia noted.

""Some stakeholders predicted that, over time, each [agency] would collect biometric information (photographs) and contribute to the development of a national data set of photographs.

"Although there is no intention to retain photographs in the TDIF, and they are destroyed as soon as a verified match has been made, stakeholders believed that 'it was only a matter of time' before the system was changed and photographs were retained and shared."

A prototype of the TDIF system is expected to be ready for testing in mid-2017….

Key stakeholders consulted sometime in October-November by Galexia Pty Ltd for its 5 December 2016 report:

Australia Post

Australian Communications Consumer Action Network (ACCAN)

Australian Privacy Foundation (APF)

Commissioner for Privacy and Data Protection Victoria (CPDP)

Department of Finance, Services and Innovation NSW (DFSI)

Digital Rights Watch           

Information and Privacy Commission NSW (IPC)

Office of the Australian Information Commissioner (OAIC)

Office of the Information Commissioner QLD (OIC)

Queensland Government Chief Information Office (QGCIO)

Queensland SmartService (Digital Productivity and Services Division)

Service NSW

According to Galexia on Page 27 of its report:

In the consultation conducted for this PIA, the following views were expressed on this issue:

* Stakeholders questioned where the decision had ‘come from’ as it appeared to take nearly all stakeholders by surprise;

* Stakeholders queried the link between the decision to establish a single Commonwealth IdP and the recommendations of the Murray Report (which in part endorses the development of multiple IdPs in order to foster competition, choice and innovation);

* Stakeholders queried whether due consideration had been given to the failure of previous centralised models in the Commonwealth identity field, such as the Australia Card and the Access Card. Although stakeholders recognised some differences between those proposals and the TDIF in relation to the overall framework and the Identity Exchange, they viewed the decision to establish a single Commonwealth IdP as a ‘throwback’ to those earlier proposals. Even after detailed discussions and explanation on the details of the TDIF most stakeholders still viewed the single Commonwealth IdP as an updated version of the Australia Card / Access Card;

* Stakeholders were strongly of the view that such an important and far-reaching decision should have been the subject of extensive community consultation and debate, with many stakeholders calling for a public discussion paper and / or legislation; and

* Almost all stakeholders struggled to see any justification for the establishment of a single IdP – a common question was “what is the problem that needs to be solved?”.

Australian Bureau of Statistics under Kalisch continues to prove that Census 2016 was expensive as well as a statistical and public relations disaster

Information coming out of the once-proud Australian Bureau of Statistics (ABS) again proves that it approached the most radical change to the national census of population and housing with an almost complete lack of understanding of the mood of the populace¹.

ABC News, 23 December 2016:

Taxpayers spent close to $200,000 to turn the Sydney Opera House green to promote the 2016 census, without any clear reference to the national survey.

The seven sails of the national landmark were lit up for two nights but did not include any information about the census, the website, a hashtag or branding.

Internal documents show it cost taxpayers $192,000 for setup, equipment hire, management and support.

The Australian Bureau of Statistics (ABS) chief statistician David Kalisch described it as a "major public relations opportunity" and said it was likely to attract "social media influencers".

"This will maximise awareness and engagement with the census, and help create a national conversation," Mr Kalisch wrote in the document.

The Opera House turned green for census night and the night before but the social media conversation was dominated by the website's failure.

There was a 40-hour outage caused by four Distributed Denial of Service (DDoS) attacks that had been the subject of a blame game between the Australian Bureau of Statistics (ABS) and contractors for months.

The Opera House was part of a national campaign to light up landmarks with the colour green.

The Melbourne Arts Centre, Canberra's Telstra Tower, Brisbane's City Hall and the Darwin Convention Centre were some of the 20 sites to "go green" for the census…..

The total census campaign media budget was $12 million.

#CENSUSfail is believed to have increased the cost 2016 national census by as much as $30 million.

In late September 2016 the ABS began processing and analysing the data collected to provide high-quality information for all communities across Australia. This process, including the Post Enumeration Survey (PES), will ultimately determine the overall response rate and coverage of the 2016 Census and the Independent Assurance Panel on 2016 Census of Population and Housing data sat for the first time in November 2016.

Currently ABS alleges that the national census response rate exceeds 96 per cent - comprising over 4.9 million online forms and over 3.5 million paper forms representing 8.4 million households/dwellings.

A rather strange statement by the Bureau, given it previously stated in the lead up to the census that it expected to survey close to 10 million dwellings and afterwards that there were exactly 9.8 million dwellings within the survey pool.

The failure to genuinely meet response rate requirements being papered over by the many personal forms in addition to the household ones [Senate Economics References Committee, 24 November 2016, inquiry report, 2016 Census: issues of trust, p.80].  Presumably these personal forms were official census forms which stated the person was in transit (travellers, homeless, & hospital patients) – all est.1.2 million of them if the deliberately vague assertion of the Bureau is to be believed.

The next public confidence hurdle for the failed 9 August 2016 Census comes when preliminary population and dwelling counts are released in April 2017 – given that so many people are aware of friends or acquaintances who deliberately refused to supply name and/or address or filled in their census forms with inaccurate or misleading information in an attempt to avoid having their genuine personal information retained by the federal government indefinitely in a national database for as yet unstated or unexplained purposes.

NOTES:

1. Previous North Coast Voices posts on 2016 Census here.

    Bill McLennan, 2016, Privacy and the 2016 Census.

Yet another example of why the Australian Government's desire for the ultimate big data pool of citizen' personal information is a bad idea

This time it was the Australian Red Cross releasing 1.28 million donor records, containing first name, last name, gender, physical address, email address, phone number, date of birth, blood type, previously blood donations, country of birth, when record was created, type of donation, date of donation and donor eligibility answers including any sexually transmitted disease or drug use history.

This information was publicly available for viewing and download from 5 September to 26 October 2016.

           

IT News, 28 October 2016:

More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.

A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of haveibeenpwned.com Troy Hunt early on Tuesday morning.

The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.

The contents of the 'mysqldump' database backup contains everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to sensitive medical information, like whether someone has engaged in at-risk sexual behaviour in the last year.

The database collected information submitted when an individual books an appointment - either on paper or online - to donate blood. The process requires donors to enter their personal details and fill out an eligibility questionnaire.

It does not contain data on blood reports or analyses, or responses to the full donor questionnaire all blood bank visitors are required to fill out at the time of their donation.

The database was published on the webserver of a Red Cross Blood Service technology partner that maintains the service's website, not the organisation’s www.donate.blood.com.au site where online bookings are made.

"This is a seriously egregious cock-up - this should never happen," Hunt told iTnews.

"There are no good reasons to put database backups on a publicly-facing website." The issue was compounded by the fact that directory browsing was enabled on the server, he said.

The file was removed on Wednesday. Hunt said there was no evidence of it having been accessed by anyone else, and both he and the anonymous source had deleted their copies.

Australia’s computer emergency response team, AusCERT, has been working with the Red Cross after being notified to the breach by Hunt on Tuesday.

The Red Cross indicated around 550,000 individual donors were impacted.

It attributed the issue to "human error" and said it was "deeply disappointed" to be in this position.

The service has started notifying affected donors today.

The Australian, 29 October 2016:

The Red Cross admitted it did not know how many people had accessed the information, which was publicly available from September 5 until Wednesday.

The breach was revealed by an unknown person who alerted Microsoft employee Troy Hunt, who runs a data breach notification service. Mr Hunt reported the breach to cyber-threat group AusCert, which in turn alerted the Red Cross.

The incident is being investigated by the Australian Federal Police, the Department of Health and the Australian Privacy ­Commission.

Red Cross Blood Service chief executive Shelly Park yesterday urged people to continue ­donating blood, saying information was now secure. “To our knowledge, all known copies of the data have been ­deleted. However, investigations are continuing,” Ms Park said.

But Mr Hunt said there was no guarantee the information had been completely erased, adding the breach was the latest ­illustration of how basic mistakes are key contributors to ­personal data being accessed by others.

“There was nothing new in how this data was accessed, this was just plain, old stupidity,” he said. “The real question this raises is should this data have been ­retained in the first place and why a third party needed the information at all.”

According to breachlevelindex.com in the first half of 2016 the Asia Pacific Region experienced 76 significant data breaches, 22 of which were in Australia.

Earlier this year: a Menulog exposed breach exposed 1.1 million records containing customer names, addresses, order histories and phone numbers [the exact quote in the CIO Australia article linked to here was "suffered from a breach of 1.1 million records leaving customer names, addresses, order histories and phone numbers exposed"- The Ideas Suite public relations agency acting on behalf of Menulog 
contacted North Coast Voices and would prefer to characterize this breach as "A former Menulog employee stumbled upon the private details of the company's customers, including customer names and email addresses". It is noted that the journalist quoted does not appear to have been asked by this agency to amend the original 21 September 2016 CIO Australia article as it remains as first published]; a malicious hacked dump of 67,118 Shadi.com customer records, recruitment agency Sarina Russo exposed client financial records which were dumped in a bin next to the office; disability information on nearly 7,000 current/former Sydney University students was exposed; customer accounts details on The Sydney Morning Herald and The Age digital editions, the Do Not Call Register and industry group CompTIA were also breached.

Also in 2016: the Australian Bureau of Statistics released contact names linked to more than 5,000 Queensland businesses in what was described as a “human error”; the Health Department was forced to remove data from its website amid an investigation into whether personal information has been compromised; and the Australian Public Service Commission confirmed it had withdrawn data gathered in its massive annual employee census from public view – but not before the data set containing the details of 96,700 federal public servants has been accessed by unknown persons 58 times. The Queensland Dept. of Premier and Cabinet and Dept. of Tourism were also maliciously hacked - along with the Maitland office of the NSW Dept. of Resources and Energy. 

In the 2015-16 financial year Victoria Police had 453 "information security incidents"  - up 36 per cent on the year before, with 27 incidents of police officers inappropriately accessing computer systems (including the Law Enforcement Assistance Program LEAP) and 40 instances of police data released without authorisation.

In 2015 K-Mart Australia’s online shopper database was hacked. Payroll systems were breached, harvesting extensive personal details (including names, address, dates of birth, tax file numbers, bank account details, gross earnings and superannuation funds and membership numbers) of up to 500 workers a day and the information used to lodge fraudulent tax returns with the Australian Taxation Office.

Additionally in 2015 Telstra customer’s admin and user credentials were stolen - including those of the Australian Federal Police. Similarly, the Patagonia Clothing Company, Aussie Farmers, David Jones, Queensland TAFE experienced data breaches where personal information was hacked and, 31,140 Optus customers’ had their personal and credit history information publicly posted on the website freelancer.com by the debt collection agency ARC Merchantile.

In 2014 Centrelink left revealing personal and financial details of clients lying around at a suburban railway station and the Department of Immigration and Border Protection unlawfully disclosed the personal information of approximately 9,250 asylum seekers by publishing a word document on a public page of the department’s website.

An estimated 800 million records were lost in 2014, mainly through cyber-attacks, and such attacks are thought to cost large Australian enterprises an average of $8.3 million a year.

With this unhealthy mix of ongoing institutional incompetence and determined malicious hacking risking the privacy of so much personal information, is it any wonder that concerned individuals look on the Turnbull Government’s drive to create a national database - which it will continuously update with additional medical, legal, financial, social and family information on each person born and/or residing in this country – as a gigantic honey hive ripe for the robbing?

Oh, and in case social media users are feeling comfortable about their own privacy on major online platforms – in June 2016 the Facebook application known as Uiggy was hacked and 4.3 million accounts were exposed along with names, genders, and Facebook IDs (2.7 million of which had email addresses against them) and on 27 October 2016 there was a Pastebin dump of 32 million Twitter accounts along with an invitation to use the details to hack further.

This type of police surveillance will come as no surprise to Australian blogs which post on local and regional protests

CNN.com, 11 October 2016:

The ACLU of California reported that Geofeedia had been providing law enforcement with data -- including locations -- from the social media accounts of protestors. In response, it said Tuesday that Twitter, Facebook, and Instagram had cut off Geofeedia's access to their feeds.

The extent of law enforcement's social media surveillance was discovered through public records requests of 63 agencies in California, according to the ACLU of California. Emails obtained show the tools were used to monitor chatter around "the Ferguson situation," and that Geofeedia told California law enforcement agencies to find out how police in Baltimore used its tools to "stay one step ahead of rioters," after the death of Freddie Gray in police custody.

Geofeedia provided searchable data from public Instagram posts, troves of publicly shared information from Facebook (FB, Tech30) via the Topic Feed API, and public tweets. Information in Twitter, Facebook, and Instagram posts can be used to infer things like location, personal associations and religious affiliation.

The ACLU says Geofeedia and other social media surveillance tools can unfairly impact communities of color. Movements like #BlackLivesMatter began on social media, and Twitter, in particular, is used as a platform for organizing and amplifying protests.

"Communities of color rely on platforms to organize, to persuade, and to spread information," Matt Cagle, technology and civil liberties policy attorney at the ACLU of Northern California, told CNNMoney. "But here, the social networks left a side door open for surveillance by the police."

Law enforcement agencies invest thousands in the tools that aggregate and surveil conversation data --the Daily Dot reported that the Denver Police Department spent $30,000 on these types of tools in May. The ACLU launched an investigation in Denver in response to this report.

Based on information in the @ACLU's report, we are immediately suspending @Geofeedia's commercial access to Twitter data.

— Policy (@policy) October 11, 2016

In an email obtained by the ACLU of California through public records requests, Geofeedia claims "over 500 law enforcement and public safety agencies" use its services.

After the ACLU's report on Tuesday, Twitter tweeted that Geofeedia's access had been revoked.

"In addition to cutting off data access, the social networks should take additional steps to implement clear rules that prohibit the use of user data for surveillance, and oversight measures to ensure developers are not using the user data for surveillance," Cagle said.

The organization is joining with the Center for Media Justice and Color of Change to ask social media sites to commit to better protecting users engaged in political and social discourse.

Malkia Cyril, the executive director of the Center for Media Justice, said that people are using social media to expose human rights abuses, turning these platforms into modern day news outlets. However, the sites aren't not subject to the same kind of scrutiny or standards, she said.

"I wasn't surprised," Cyril told CNNMoney. "But I do think the average user should be shocked and dismayed at the scope and the scale of what the ACLU found."

Government Data Retention: think this won't happen again?

Think the situation set out below won't happen again in some shape or form?

What about when government outsourcing to the private sector means access to those government databases quietly collating personal and sensitive information on all individuals living in Australia?

Victorian Ombudsman, media release, 12 September 2016:

WorkSafe: complex claims process needs fixing

  

Victoria’s workers compensation scheme must be recalibrated to ensure that complex claims are resolved in a fair and timely manner, a Victorian Ombudsman investigation has found.

Tabling the Investigation into the management of complex workers compensation claims and WorkSafe oversight today, Victorian Ombudsman Deborah Glass said that while the workers compensation scheme is operating well in the vast majority of cases, the current system fails some particularly vulnerable people.

“The overall system is not broken, but the problems we identified in complex cases – some 20 per cent of the overall claims – go beyond a few isolated examples of bad behaviour. They cannot simply be explained away as a few bad apples spoiling the barrel,” said Ms Glass.

WorkSafe underwrites the Victorian workers compensation scheme with claims management functions outsourced to private insurers. During the investigation period the agent insurers for Worksafe were Allianz, CGU, Gallagher Bassett, Xchanging and QBE. The system currently incorporates a series of financial incentives for agents, including when claims are terminated or workers return to employment.

The investigation examined complex and often extended claims across different industries, roles and injuries (both mental and physical) to assess whether:

•          agents unreasonably denied liability or terminated claims
•          agents took such actions in order to obtain financial rewards available under the contract with Worksafe
•          Worksafe provides effective oversight of the agents and their claims management processes.

Key recommendations from the investigation call for a review of dispute resolution processes within the system and improvements in oversight of complex claims by WorkSafe.

“We found agents cherry-picking evidence to support a decision to reject or terminate a claim – as little as one line in a medical report – while disregarding overwhelming evidence to the contrary. We found Independent Medical Examiners (IMEs) – whose opinions agents use to support their decision making on compensation – receiving selective, incomplete or inaccurate information. We also saw evidence of decisions being influenced by financial incentives to terminate claims.

“In effect, we found cases in which agents were working the system to delay and deny seriously injured workers the financial compensation to which they were entitled – and which they eventually received if they had the support, stamina and means to pursue their cases through the dispute process,” said Ms Glass.

The investigation attracted significant public interest after it was launched, with dozens of workers and others involved in the system contacting the Victorian Ombudsman to offer assistance or make submissions.

The investigation involved detailed reviews of claims across all five agents. A random sample of agent email records was examined and interviews conducted with injured workers and their families, executives from the five agents and former agent staff. Stakeholders including the Accident Compensation Conciliation Service, the Australian Medical Association, the Police Association of Victoria and the Community and Public Sector Union made submissions.

“Action must be taken to address the complex end of the system where terminations are rewarded. WorkSafe needs to examine its incentives – and the use of IMEs – to ensure the system rewards sustainable decisions and to target its oversight accordingly. The process for resolving disputes also demands careful reconsideration – it is in the interests of workers, employers and the public at large that the resolution of claims should be both timely and fair.

“WorkSafe has begun addressing many of these issues, and we have already seen improvements since my investigation began in 2015, but this work must go on. The cases we investigated are not merely files, numbers or claims; they involved people’s lives, and the human cost should never be forgotten,” said Ms Glass.

Investigation into the management of complex workers compensation claims and WorkSafe oversight

Notes to editors

•          The Victorian workers compensation scheme is funded by a compulsory system of insurance that covers employers for the cost of providing compensation to injured workers.
•          Worksafe manages around 90,000 workers compensation claims a year.
•          The Victorian Ombudsman investigation conducted a detailed review of 65 complex workers compensation claims; most claims involved decisions made in 2014 – 2015.
•         Insurers acting as Worksafe agents at the time of the investigation were: Allianz, CGU, Gallagher Basset, QBE and Xchanging. The Victorian Government decided in April 2016 not to renew QBE’s contract and QBE ceased acting as a Worksafe agent on June 30 2016. EML replaced QBE on the panel of agents. EML decisions and actions have not been examined during this investigation

UPDATE

A data breach in the making.......

Computer World, 13 September 2016:

The National Cancer Screening Register Bill 2016 and the National Cancer Screening Register (Consequential and Transitional Provisions) Bill 2016 are currently before the House of Representatives. The bills will create the National Cancer Screening Register, which will replace nine existing registers including the states’ cervical cancer register.

In May the Department of Health announced it had awarded the contract to establish and operate the register to Telstra. The $220 million contract has an initial term of five years with an option for a 10-year extension……

Labor “strongly supports” the move to establish a national register, King said today.

However, the MP said that the bills have been “rushed” into parliament because the government had decided to award the contract to Telstra before any debate on the register’s merits and associated privacy and data protections.

There was no debate over “whether it is even appropriate for such sensitive data to be placed into the hands for the first time of a for-profit provider,” King said……

The decision will “put some of the most sensitive data into the hands of a private telecommunications company.” “It’s a big question and a big call,” she said. “Not one that we, frankly, support”.

The new national register will hold information about every Australian eligible for cancer screening programs. “The register is not opt-in and an individual will only be able to opt out… of the register once it’s actually implemented,” King said.

Data held in the register will include individuals’ names, addresses, dates of birth, contact details, gender and sex, as well as Medicare item number, Medicare claims information and preferred GP or other health providers.

The register will also contain “extremely private and intimate health data” usually only disclosed to an individual’s GP, King said.

“Labor accepts that this information is necessary for the operation of the register, but we do not accept that Telstra – frankly with a questionable record of privacy breaches – should have Australians’ most private and sensitive health data.”

The fallout from #CensusFail continues......

It is now the sixth day after Cenus Night 2016 in Australia and information has been slowly seeping out into the public domain.

First there's the genuine attempts to explain the spectacular failure to launch as opposed to the ABS-Turnbull Government propaganda on the subject.......

Reddit user mykro76 via @Qldaar, 10 August 2016:

Sortius, 10 August 2016:

So, I contacted Softlayer support, this was their response @ABSCensus #CensusFail

Patrick Gray at Risky.Biz on #CensusFail, 11 August 2016:

Community and Public Service Union, media release, 12 August  2016:

ABS STAFF ANGRY AT TURNBULL GOVERNMENT OVER CENSUS DEBACLE

The CPSU says the highly qualified and dedicated staff at the Australian Bureau of Statistics must not be blamed for the decisions by the Turnbull Government that are the real cause of Tuesday night’s Census debacle.

The union’s National Secretary Nadine Flood said: “Our members working in the ABS have slugged their guts out for months to make this Census work despite multiple Government decisions that have caused major problems. They know how critical the information collected in the Census is to the nation and they’re absolutely gutted at the damage done to the ABS's reputation and the Census itself.”

“Staff saw these problems coming a mile off. There are 700 fewer staff at the ABS now than when the last Census was conducted five years ago and as a result staff are suffering under massive workloads. Critical planning time was lost as the Government foolishly considered axing the Census, chopped and changed ministers three times and dilly-dallied for nearly a year in appointing a new chief statistician.”

“It’s shameful that Prime Minister Malcolm Turnbull has said ‘heads will roll’ at the ABS over the Census while taking no responsibility for the real cause of this debacle, the decisions made by his Government.”

“It is Governments that are responsible for the reliability of public services and the Turnbull Government cannot dodge responsibility for slashing budgets and jobs. Prime Minister Turnbull should be apologising not finger pointing.”

“This situation in the ABS is just one example of how cuts to public sector staffing and capacity have gone too far, and how it’s ultimately the Australian public that suffers as a result.

Australians are struggling to get through on the Census hotline today, but that’s no less disturbing than the one in three calls to Medicare and Centrelink that go unanswered every day.”

“The dedication of ABS staff has ensured the Census has played a critical role in public policy in Australia for more than a century. It remains an important tool and we are urging Australians to participate despite the Government’s failings.”

Unsurprisingly the privacy concerns haven't gone away........

Digital Rights Watch, 12 August 2016:

The letter, signed by prominent privacy advocates, academics and journalists, reads:

The conduct of this year’s census raises serious and pressing ethical, legal, security and technological concerns. These throw doubt on the value of the exercise and the quality of the data collected.

The Australian government must put the Census 2016 on hold while it consults with the Australian people on the value and ethical ramifications of this and similar mass data-collection exercises. Expert input and advice must be sought to determine best practice ethical, governance and security standards for data collection, use, linkage, storage, and real-world implementation.

These problems, and the difficulties Australians have experienced in accessing and completing both the paper and electronic forms, make imperative the provision of the following two remedies.

We therefore respectfully request:

1. Amnesty for anyone who files a late or incomplete census
2. An independent inquiry into the ABS’s conduct of Census 2016. This should include a comparison of the ethical and institutional governance arrangements for hard-copy and electronic data collection, storage, linkage and use with international and best practice standards. Community consultation should take place in regard to the appointment of heads of this inquiry, precise terms of reference and timeframes for reporting.

Signed by:

Tim Norton, Digital Rights Watch
Amy Gray, Digital Rights Watch
Asher Wolf, journalist
Dr Suelette Dreyfus
Peter Tonoli
Jenna Price
Liam Pomfret, Australian Privacy Foundation
Mark Walkom, Australian Privacy Foundation
Simon Frew, Pirate Party Australia
Felicity Ruby, PhD Candidate
Professor Ariadne Vromen
Tim Cashmere
Mary Kostakidis, Freelance Journalist
Gautam Raju, Campaigner
Jack Skinner
Dr Leslie Cannold
Melissa Castan, Law Lecturer
Dr Ben Harris-Roxas
Professor Robert Sparrow
Robin Doherty, Hack for Privacy
Dr Kristoffer Greaves, Legal Educator
Archie Law, CEO ActionAid Australia
Thomas Kane
Kate Galloway, Law Lecturer
Tom Sulston, Technology Consultant
Trisha Jha
Suzy Wood, IP Lawyer
Justin Clacherty, Future Wise Australia
Cade Diehm, SpiderOak
Trent Yarwood, Future Wise Australia
Julian Burnside AO QC
Dr Matthew Rimmer, Professor of Intellectual Property and Innovation Law, QUT Faculty of Law
Dan Nolan, software engineer

Then there's those zealous casual employees on the ABS Census team attempting to salvage something from the wreckage…….

The mocking has even spread into mainstream media on Northern Rivers…….

The Daily Examiner, 13 August 2016:

SORRY guys, looks like we caused the Census website to crash, but it was worth it.

We only told one little lie but suddenly our street is crawling with engineers, government types, teachers, plumbers, interpreters, shopping centre magnates and consultants.

Man, we haven't seen so many consultants since they sold Telstra.

Anyway, it was all part of objecting to have to put your name on the Census.

Not sure why we're objecting, everyone knows me and I would be happy if someone stole my identity. I could just slip away quietly and watch the fireworks.

They are as welcome to the $10 in my bank account as they are to my dog, and well, truth be known, Ms L. probably would appreciate the change too, and it'd be cheaper than a holiday for her.

But if it's not good enough for Nick X, then it's not good enough for us, so I didn't use my name.

However I did say that there were 23,000 people staying at our place that night and that's when the fun started.

We ensured half the number were children so the Education Department has acquired land for a primary school, a high school, half a TAFE and a branch of some wannabe regional uni, all within a kilometre.

Westfield is knocking down the other houses in our neighbourhood and building a shopping centre.

The Department of Transport built a bus interchange across the road (guess we didn't make the cut for an airport, but gee it gave Badgerys Creek a fright).

There's a new hospital with no queues on a Saturday night. However that might be because of the lockout laws. Yeah, we didn't see that coming. Apparently when you get that many people together they want to stay up late and party. Well, der. But this is Australia, mate, not Paris or Berlin, New York or London.

We're locked out after dark and the internet doesn't work, but gee the other services are good and I'll drink to that. BYO at home, that is.

Sorry about the website thing.

An important point that shouldn't be lost in all the media noise........

Finally, an estimation of how many premises and or households are still missing in action (including an unknown number involved in acts of civil disobedience)......

It is possible that as of today the Australian Bureau of Statistics only holds an est. 30-45 per cent of all Census forms (paper & online) it anticipated receiving.

The statistical margin of error flowing from that sort of respondent percentage would be too large to make it a credible national snapshot of population and housing.

"Stick your census in your ear you won't get any data here"

First Dog on the Moon

Creating the Digital Australia Card in 2016: ABS Census has holes in its security fence

Hard copy version of the Australia Card

  a national identity card rejected by the Australian population in 1987

The aim of the Census of Population and Housing is to collect accurate data on the key characteristics of the people in Australia on Census night, and the dwellings in which they live.

However, on  census night 2016 (and every national census thereafter) the names and addresses of those completing the compulsory national survey, along with the names of others in the same household, will be retained to allow data matching across as many agencies as the Australian Bureau of Statistics will from time to time decide it requires to form a complete longitudinal profile of every person living in this country.

Given that the census requires all questions to be answered on pain of a legally enforceable penalty and given that the questions asked are of an intimate nature - including a person's bathing and toileting regime (Question 20) - I do not think it unreasonable for those compelled to respond to publicly query security measures the ABS has allegedly put in place to safeguard privacy.

Nor do I think it unreasonable for persons so compelled to refuse to record their names alongside their answers to the census questions in light of the legitimate concerns that remain unresolved.

Especially as it is clear that the security of any database cannot be fully guaranteed and the Australian Bureau of Statistics (ABS) is not immune from data breaches and illegal use of data by staff.

Indeed as "Name of each person" (at points 2. & 53.) appears to be the only detail on the census form which is not couched as a question, I rather suspect that the ABS itself may not be entirely sure it has an enforceable right to compel a response despite what is asserted in Census and Statistics Regulation 2016.  

A new regulation that remakes the Statistics Regulations 1983 which in turn does not include "name" in Prescribed matters in relation to which statistical information may be collected even if the Census and Statistics(Census) Regulation 2015 does.

How the statisticians have been laying down the groundwork for the creation of the longitudinal database capable of producing individual profiles......

Australian Bureau of Statistics Annual Report 2014-15:

The ABS worked closely with the National Mental Health Commission, the Department of Health, and the Department of Human Services to provide timely statistics on mental health by linking information on the use of medical services with Census data.

A pilot project to inform policy development through the combination of Census and social security information was established between the ABS and the Department of Social Services.

ABS is moving beyond the public data environment to draw insights from retail scanner data...

Australian Bureau of Statistics Annual Report 2013-14:

The Australian Census Longitudinal Dataset (ACLD) brings together data from the 2006 Census with data from the 2011 and future Censuses…..

The Australian Census and Migrants Integrated Dataset was created by integrating data from the 2011 Census and the Department of Immigration and Border Protection (DIBP) Settlement Data Base (SDB) of the 1.3 million people who migrated to Australia under a permanent Skilled, Family or Humanitarian stream visa and arrived in Australia between 1 January 2000 and 9 August 2011.

Australian Bureau of Statistics Annual Report 2012-13:

The Technology Services Division (TSD) supports all areas of the ABS in the delivery of business outcomes through the effective and innovative application of information technology…. TSD is also challenged in its ability to maintain the range of technology skill sets required for support and to build new capabilities for the future, including addressing growing requirements for effective security measures in the face of more sophisticated cyber security threats.

The whole sorry saga........

IT NEWS, 1 August 2016:

The Australian Bureau of Statistics has been forced to answer questions about the security of its online Census website after it was revealed to be using an insecure and deprecated form of encryption to protect the sensitive personal details of the nation’s citizens.

Tests of the strength of encryption used on the main Census website, first highlighted by security consultant and software engineer Ben Dechrai, reveal the website supports the SHA-1 hashing algorithm long considered to be insecure.

SHA is a component of a Secure Sockets Layer (SSL) certificate that is used to prevent the modification of data.

All major web browser operators have said they will stop accepting SHA-1-based signatures by next January. Internet Explorer owner Microsoft recently said it would bring that date forward to September 2016 after research showed real-world ‘collision attacks’ could open the door to digital signature forgeries even before 2017.

The Australian Signals Directorate deprecated SHA-1 from its list of approved cryptographic algorithms in December 2011 after finding the risk of a successful attack on the platform was “higher than acceptable”. The US National Institute of Standards and Technology (NIST) has said SHA-1 should “not be trusted” past January 2014.

Despite this, the ABS is still supporting SHA-1 to ensure those using older versions of web browsers are able to fill out the online form on Census night.

“As the overwhelming majority of browsers and operating systems are SHA-2 compliant, most people completing the Census will be secured using SHA-2,” a spokesperson said.

“However there are some older browsers and operating systems that only support SHA-1. To enable users with these older systems to complete their Census online, the online Census also supports older SHA-1.”

But users will still face the risk of a man-in-the-middle downgrade attack, which uses available backwards compatibility to force a computer to a lower and more vulnerable version of encryption, Dechrai said.

"[It] increases the likelihood of a user's data being intercepted," he said.

The security expert suggested a better approach was either to stick with the current paper forms or introduce a tiered model of online security.

“[They should make] the page where people click to start the Census less secure, so it works on older browsers, [then] do browser detection, and if the browser is too old, prompt them to upgrade, or order the paper form,” he said.

“Only supported browsers show the "Start" button [which loads the submission form from a properly secured server].”

The ABS was also criticised for choosing not to implement perfect forward security, which would protect past communications and sessions from compromise should attackers be able to access long-term secret keys.

The agency argued that perfect forward security would disrupt its other security protections.

“As part of our total platform security for the online Census, we need to be able to detect and respond to any malicious traffic,” the spokesperson said.

“Implementing perfect forward secrecy would reduce the effectiveness of other security layers, and as such may compromise overall security.”

However, Dechrai said that while perfect forward security could disrupt web application firewalls and intrusion detection systems, it was a “solvable problem”.

“Better architecture is a bit more complex, but doable,” he said….

IBRS security advisor James Turner said he was "horrified" by the "naivety" of the ABS' response to public concerns.

"ABS executives had to know that privacy would be a huge issue raised around this change of protocol," Turner said.

"I think most people are looking at the ABS responses as "we think this is cool, so we're doing it and we don't care about your privacy". 

"[It] doesn't seem to understand that it gets one shot at this. If there is a breach, then the horse has well and truly bolted. It won't even matter if they promise not to do it again, because the data has already gone."

The Australian Bureau of Statistics' failure writ large in this disingenuous Letter from the ABS on 2016 Census on the Little Bird Network, 28 July 2016:

Hello,

Thank you for your query about the 2016 Census on Monday 18 July 2016.

Yes.
Names and addresses are specified in the Census Regulations as Statistical Information, like all other Census topics. This requires the ABS to collect this information as part of the Census. The requirement for all topics, including names and address, on the Census forms to be filled completely and accurately is consistent with 105 years of Australian Census practice, the Census and Statistics Act 1905 and legal advice to the ABS from the Australian Government Solicitor. The only exception is religion, which the legislation specifies is optional.

Failure to complete the form, regardless of how many questions, is subject to the potential penalty of 180 dollars. This penalty can apply to each day that the form has not been completed and returned to the ABS, for example 180 dollars every day until the form is received by the ABS. Fines for knowingly providing false or misleading statements or information will be 1800 dollars.

If you need help or more information, search our online Help. If you can’t find the information you’re looking for, call 1300 214 531.

Thank you.

Australian Bureau of Statistics

Please do not reply to this email, this address is not monitored.

Help – census.abs.gov.au/help
Privacy – census.abs.gov.au/privacy

The Sydney Morning Herald, 2 August 2016:

"The whole concept behind privacy is control of your personal information," said Kat Lane, vice chair of the Australian Privacy Foundation. 

"What we need to understand as a society is that it needs to be a choice whether you share your data with the world and whether you don't."

Ms Lane said Australians needed to be assured by the government that they would not be prosecuted and fined for not putting their names on the census if they did not wish.

"[The Australian Bureau of Statistics] didn't factor in a large amount of media coverage over what is a significant change...the consultation process was so poor, they should be announcing that no one should be prosecuted."….

Sixty-five per cent of Australian are expected to complete the census online this year, doubling the online response rate of 2011.

Those who do complete the survey online will receive a 12-digit code enabling them to fill out the form online. ……

Guy Eilon, Australian vice president of defence grade global cyber-security firm Forcepoint, said providing personal information to the census online is, "in many ways, no different" to posting a status on Facebook, or banking online.

"Ultimately, there will always be risks in situations where personal data is collected and stored, from the biggest bank to the smallest business," he said.

"In these circumstances all parties...must act in a transparent way, and ensure they put in place the most appropriate security, privacy and governance processes."

Households who would still like to fill out a paper form are told to contact the ABS to receive one, but community groups are complaining that the process is not so simple.

"Despite the ABS putting on 300 concurrent phone lines, many of those applying for paper census forms cannot get through", said  Paul Versteege, policy coordinator for the Combined Pensioners and Superannuants Association.

"The Census Inquiry phone line is overwhelmed and people are being told to call back later. Many  people are not online and are concerned they won't receive their paper forms in time and will be fined $180 a day for every day they are late."

Telephone connectivity issues have applied to both the ABS support hotline and the hotline to request a paper census form.

Ms Lane said the unresolved privacy concerns of Australian's could mean many "might actually want to move to the paper", but are as yet unable to source a form.

"I'm not doing it online, so I don't know what I'm doing on August 9."….

The Register, 1 August 2016:

The Australian Bureau of Statistics (ABS) has so badly mishandled the question of retaining names that its senior leadership need to consider their futures.

The ABS is – sorry, was – probably one of Australia's most trusted bureaucracies, alongside the Bureau of Meteorology, the Australian Electoral Commission, and Geosciences Australia.

But since deciding that this year's Australian census will retain participants' names and use them for ill-defined data-matching purposes, the Bureau has so alienated people there are serious calls for name-boycotts and a persistent discussion about the scale of fines (AU$180 a day up to a maximum $1,800, if you're interested). Those calls can undermine the census and its mission of providing policy-makers with useful data.

And the ABS persistently ignores questions put to it. Its first response when asked about the retention of names is something like the Tweet below, which talks about collection, not retention.

It's a mess that the ABS created for itself.

It takes a lot to make me say “security is now no longer the primary consideration”, but that's what the ABS has achieved.

Its data is useless without the trust of the public, and I've never seen public goodwill burned as quickly as has happened since Australians learned – somewhat after the decision was made – that the Bureau wants to keep their names.

And since then, the bureau has acted in a high-handed, condescending and dismissive manner……

Here's a speech from 2015, which is in no way reassuring, by the chief statistician David Kalisch.

The exact concerns being raised now, he dismissed last year: “Technology, expertise and confidentiality are not the issues or the constraints. It can take some time and resources for government agencies to provide better access to their data, even to an organisation such as the ABS with all the data protections and community support you would require.”

Ahem, confidentiality and technology certainly should be considered “constraints”, when the aim is to create a named identifier for all citizens, which Kalisch clearly admires.

Moreover: the ABS is not mandated to be the data integrator Kalisch imagines and desires. Kalisch is already advocating scope creep when he should be resisting it in the name of privacy.

In the presence of such sensitivities, transparency and trust are indispensable – but the bureau dispensed with both.

And at last, I will come to the generally-demanded “tech angle” to this story: it's perfectly feasible to tie data to a unique identifier without the name being that identifier.

If two data sets – the Census and the Pharmaceutical Benefits Scheme, for example – contain enough data points to consistently identify me, then a hash of that data would work just as well for anonymous analysis.

Richard Chirgwin with a date of birth and an address will produce the same SHA-256 key (c2483d63179b71b37334f730385272c81b5d6bd3ae6edffb49234cfeb7f7d9a6, I just tried it) no matter the source system – but the hash cannot be reversed to deliver my personal data.

If the data records with name are sufficient to identify me uniquely across two government systems, a hash of that data will be just as unique and will provide the same analytical link.

The ABS – and the data users defending it – must explain why names are indispensable to the mission.

But the cack-handed mishandling of the public debate is so destructive, it should be the next chief statistician to give the explanation. 

Bootnote: As a clarification, I need to point out: I am saying Census data (with a hash as an identifier) should never be brought together with a second source (example above, the PBS) with names intact on either side.

Should a researcher demonstrate a use-case to construct Census-versus-PBS queries, the names in PBS data should be hashed before the two datasets are brought together.

News.com.au, 3 August 2016:

THE Government today admitted organisers of next week’s online census were unprepared for a flood of public inquiries about the August 9 national headcount….

Earlier, independent MP Andrew Wilkie today warned of confusion and concern, and called for assurances no one will be fined for not completing the Census form.

“I have been shocked by the number of people who have approached me and my office with all sorts of concerns about the national Census scheduled for next week,” Mr Wilkie said today.

“A big problem is the difficulty and cost being experienced by many people attempting to contact the Australian Bureau of Statistics by phone.

“Typically they are experiencing very lengthy delays, if they can get through at all, and even having to pay for the calls.”

Mr Wilkie said examples of the “confusion in the community” came from visits to his Hobart office today by seven constituents.

“One had received a paper Census form even though he didn’t request or want it, one had been visited by a census official at home, two had received a letter at home with a code to use online, one had received three letters at her home, and two hadn’t been contacted at all,” he said.

“The one who got a paper Census form is baffled by the two different serial numbers it contained, received no detailed instructions and found no mention of the specifics of fines.

“Despite the collection of names in previous censuses the logic for this has not been communicated to the public, if indeed there is any logic at all. Nor has any explanation been given for why the ABS holding this information for much longer than normal is warranted.”

Remembering the history of census taking and past governmental misuse of national census data is important in deciding whether such punitive, political and/or criminal instances could occur again in the future......

Punishment

The Sydney Morning Herald, 26 June 1966

Political motives

Australian Bureau of Statistics, 2011

Persecution and Genocide

A final word.......