
The Deconstruction of Fallen Stars

4 min read February 25, 2019 at 6:02pm on Privacy and Technology

You probably remember the 2016 Census, because it made a bit of a splash at the time. 

Allegedly, it was able to be completed online, but it failed spectacularly. The official report surrounding events alleges it was a teensy, tiny denial of service attack. Many believe that it was actually just grossly underprovisioned for the Australian habit of doing everything at the last minute and that the more correct name for the DDoS was "traffic".

The Bureau of Statistics' crisis comms at the time (and indeed their non-crisis social media use) was widely mocked and rated a couple of quite specific mentions in the report by the National Cybersecurity Advisor, Alastair MacGibbon.

Fast-forward to February 2019:

[Screenshot: replies from @ABSStats to people mentioning the security issues with #Censusfail]
[Screenshot: @ABSStats replying to people mentioning an article reporting vulnerabilities]

So it doesn't look like they've sorted out their comms strategy yet. But what were all these annoying people tweeting at them?

Research from a group at Macquarie University which found that the data could potentially be re-identified, that's what. Here is the primary paper.

The other reason that the 2016 Census earned the moniker "#Censusfail" was that it was planned to retain identifiable data for statistical purposes, despite widespread opposition from privacy organisations (plural) and digital rights organisations (also plural), with reporting across the media spectrum. Although we didn't make our position formally known, here is an article by our senior legal advisor, Kate Galloway, and we were in agreement with the position of our colleagues at Digital Rights Watch.

The paper by Asghar and Kaafar is quite dense and mathematical. The discussion notes that the authors appropriately notified the ABS of their findings, but, disconcertingly, that their query algorithm allowed the retrieval of cell counts of 1 - that is, individual-record level detail.

I will reproduce the ABS's response in full and then cast a critical eye over it.

[Image: the ABS response to these concerns, deconstructed below]

"The ABS is strongly committed to privacy."

This reply directly proves Justin Warren's Second Law, which - knowing Justin and having worked with him and his Electronic Frontiers Australia colleagues on a number of these issues - will both amuse and frustrate the hell out of him.

"...the ABS needs to be on the front foot in identifying and addressing any emerging risks to the data we hold..."

"We completely ignored privacy experts and digital civil society when they told us this was a terrible idea."

"We have been working, and will continue to work, with leading experts..."

"We thank the researchers for telling us before they gave us an atomic wedgie in the privacy literature."

"...ensure we are using the best approaches possible to protect individuals' data".

Except for not collecting it in the first place. We won't do that.

"includes reducing the amount of detail to be accessed by certain TableBuilder applications, strengthening the terms of use of TableBuilder and also regularly monitoring the job logs to forestall any possible attacks"

More seriously, the researchers mention in the paper that the first of these means a shift to allowing unregistered users nothing but highly-aggregated data. This means two things:

  1. That unregistered users could access the data without identification prior to the change
  2. That henceforth we will know who has misused the data only after the misuse has occurred

Similarly, terms of use can be ignored, and audit logs are for enforcement, not prevention.
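To make the cell-count point concrete, here is an added illustration (it is neither the paper's query algorithm nor anything the ABS has published): a toy table builder over constructed records, showing why a returned count of 1 is an individual rather than a statistic, and what a minimum-cell-size suppression rule changes. The records, attribute values and the threshold of 3 are all assumed for the example.

```python
# Added illustration, not from the paper or the ABS: a toy table builder over
# constructed records, showing why a cell count of 1 is record-level detail and
# what a minimum-cell-size suppression rule changes.
from collections import Counter

# Constructed sample records; every value here is invented for the example.
RECORDS = [
    {"area": "A", "age": "30-39", "occupation": "nurse"},
    {"area": "A", "age": "30-39", "occupation": "nurse"},
    {"area": "A", "age": "30-39", "occupation": "nurse"},
    {"area": "A", "age": "40-49", "occupation": "teacher"},
    {"area": "A", "age": "40-49", "occupation": "teacher"},
    {"area": "A", "age": "40-49", "occupation": "astronaut"},
    {"area": "B", "age": "30-39", "occupation": "nurse"},
]

MIN_CELL = 3  # assumed minimum cell size; the page gives no figure


def build_table(records, dims):
    """Cross-tabulate records by the given dimensions; returns {cell: count}."""
    return Counter(tuple(r[d] for d in dims) for r in records)


def unsafe_query(records, dims):
    """Raw counts as returned by a builder with no small-cell control.
    Any cell equal to 1 pins down exactly one person."""
    return dict(build_table(records, dims))


def suppressed_query(records, dims, min_cell=MIN_CELL):
    """Primary suppression: cells below min_cell are withheld (None).
    Necessary but not sufficient on its own, since totals across queries
    can still be differenced; that is why the paper's query algorithm,
    not a single table, is the thing to worry about."""
    return {cell: (n if n >= min_cell else None)
            for cell, n in build_table(records, dims).items()}


def singletons(table):
    """Cells whose count is 1: each one is an individual, not a statistic."""
    return [cell for cell, n in table.items() if n == 1]
```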

Much as with #myHealthRecord (and the MBS/PBS data), Future Wise very strongly believes that monitoring and sanctions are inadequate. Privacy is a one-way door, and throwing the book at someone after individuals have lost their privacy may act as a deterrent (although it didn't with Medicare numbers on the dark web, police misusing their databases, or misuse of myHealthRecord); it does not protect the privacy of individuals.

There is no evidence of anyone's privacy being compromised with the use of TableBuilder.

There is also no evidence of where I've left my car keys at the moment.

But I haven't gone looking for them yet.

Conclusions

Sadly, being able to say "we told you so" doesn't really bring any satisfaction. And, like the efforts of the ABS to date, it doesn't enhance citizens' privacy either.

It is rather difficult to fight off the cynicism that comes from repeatedly being asked to make submissions and then having them ignored again and again and again. The announcement of the plan to retain the 2016 data was made right before Christmas, and so was deliberately designed to limit debate.

The only way to keep data safe is to not collect it. Since that is not compatible with the goals of the census, the Bureau - surely, of all government agencies - must embrace the principles of privacy by design.

Until they do, we must continue to hold them to account, and this means not tolerating boilerplate obfuscations like the one they published today, no matter how many times we are referred back to it.

Image credit: Private sign, text and type by Dayne Topkin via Unsplash - CC0