The 2016 Census was not well publicised until a few weeks before the Census was scheduled. Although it had been announced in late 2015 that the Census would be largely completed online (with paper formats for remote users and others who opted in to that method), data retention had not been an issue until it came to public attention that names would be retained for a period of four years. Fears related to privacy invasions led a group of Senators, including Nick Xenophon and Scott Ludlam, to declare that they would not be placing their names on the Census. The next wave of public concern then focussed on the possibility that people not including their name or other details would be fined for incorrect or incomplete Census returns. Added to this were the concerns about vague plans for future data linkage projects and the de-identification of data through Statistical Linkage Keys. These plans were clear to demographers and statisticians, but opaque to the general public.
The controversy affecting the Census, however, reached a new low when, at 7:45pm AEST on Census night, the Census website was shut down. Early submitters had apparently had no issues with submitting their returns, but the majority of Australians who sat down to the deed after dinner found that they could complete the form but were unable to submit it, receiving only an error message and being told to try again later. As #CensusFail started to trend on Twitter, the Australian Bureau of Statistics (‘ABS’) had decided to shut the site down. David Kalisch, the Chief Statistician responsible for the Census, announced the next day that the Census had been targeted by four Distributed Denial of Service (‘DDoS’) attacks and that, while the initial three had been resisted, the fourth attack prompted concerns regarding the strength of security of the system, so the Census site was shut down to ensure that there was no compromise of data. Some even claimed that this was a direct response by Chinese hackers to Australian swimmer Mack Horton calling his Chinese rival Sun Yang a drug cheat. The Census site remained closed for several days, with a message appearing on the website reassuring those who had not been able to submit that they would not be fined.
Despite the claims made by the ABS that the site was closed due to the DDoS attacks, the Minister in Charge of the Census, Assistant Treasurer Michael McCormack, stated on Wednesday 10 August: ‘This was not an attack nor was it a hack but rather, it was an attempt to frustrate the collection of Bureau of Statistics Census data.’ Alastair MacGibbon, the special adviser to the PM on cybersecurity, confirmed that the failure of the system was not due to cyberattack, but rather that ‘there was a confluence of events’. At the same time, the Privacy Commissioner, Timothy Pilgrim, announced that there would be an investigation into whether any privacy breaches had been implicated in the DDoS attacks. (It was quickly concluded that there had been no privacy breaches.)
Technical experts quickly backed up the claims by the Assistant Treasurer that there was no significant evidence of DDoS attacks at the relevant time on Tuesday night. Focus therefore shifted to the questions of whether the system had been adequately prepared, tested and, inevitably, funded. Whatever the answer to these questions, the Prime Minister Malcolm Turnbull stated, when the Census website was finally restored on Thursday 11 August, that ‘heads would roll’ (although whose heads these would be had yet to be determined).
So what lessons may be learned from this whole sorry saga? Public perceptions of privacy risks are not well understood or addressed. Despite the attempts by Edward Snowden, Ludlam and others to put privacy on the agenda, a reasoned discussion of what privacy means has yet to be had in Australia. Similarly, cybersecurity remains a dark and mystical art, far less well understood than the dark arts of Voldemort. Experts could be found on both sides of the debate affirming or denying with equal conviction that an attack had taken place. As for average citizens, with 2.33 million forms having been submitted before the shutdown, many have either asked for the old-fashioned paper form or relegated Census completion to the too-hard basket, reassured that a fine is unlikely (needles may still be difficult to find in a digital haystack of uncertain robustness). Another big question of course concerns the cost of the platform (approximately $10 million) and the further expenses of stress testing the system ($470 000) with assurances that the site would be able to handle the expected traffic. It is to be hoped that a moment which may yet provide the stage for a reasoned consideration of key issues of privacy and cybersecurity in Australia will not be overtaken by the politics of recrimination.
MELISSA deZWART teaches law at the University of Adelaide.