Australian Bureau of Statistics and Privacy Issues
... Lies, damned lies, and the Australian Bureau of Statistics
Taking Privacy Away One Step at a Time
Initially, census was a 19th century solution for figuring out how many people were out there. Back then, governments had no databases that could provide such information. Today, it is no longer the case: governments have multiple systems and databases with all the necessary data. The costly 5-yearly exercise they call Census is either a humongous waste of taxpayer money, or an attempt to harvest private information not contained in any existing legitimate database. In either case, census must not be imposed on the population under false pretences.
The favourite pretext of the authorities is their desire to provide us with hospitals, schools and roads. But they already know exactly how many children there are in each and every school, patients in every hospital, passengers in every unit of public transport, and the road traffic counters are a much cheaper and more precise way to get the road usage figures. No census is needed for any of that. So, what is really behind the census?
Australian Bureau of Statistics (ABS) has the means and power, including the power of compulsion, to be the largest collector of personal data in Australia. Australian Census is run every 5 years and is mandatory for every person who was in Australia on census night. ABS obtains people's personal information with the help of promises that once census processing is completed, all data is de-identified, and only then disclosed to other government agencies or sold to third parties via online tools like TableBuilder. However, ABS admitted that it is “bringing together census data with ABS and non-ABS datasets using name and address during census processing to undertake quality studies, ... statistical outputs and research purposes”. Even with the names eventually “anonymised”, it is known that ABS got access to and linked census data to the Personal Income Tax database from the Australian Tax Office (ATO), the Migrant database from the Department of Home Affairs, and the Medicare database from the Department of Human Services using the “anonymised” name, sex, residential address and date of birth of every person.
Many are not aware of the difference between anonymisation and de-identification of information:
- Anonymisation is an irreversible removal of all identity data of the data contributor, which guarantees that any future re-identification is impossible under any condition.
- De-identification removes and/or encodes the identity data to make it not readily-identifiable, but it preserves the identifying information in some form, which could be re-linked in the future.
What ABS calls “anonymisation” is in fact de-identification. Until the 2006 census, ABS was removing people's names and addresses once census collection was completed. In 2011, they encoded addresses into so-called mesh blocks, allowing for every person to be easily traced back with high probability even without the explicit presence of their name and address because all other information was still kept on file: gender, date of birth, country of birth, ethnicity, marital status, number and age of children, who they live with, their profession, workplace address, education history, school or university addresses, movement history, income, disabilities and so on. Australian census was no longer just a “snapshot of a nation on census night” as ABS kept telling us; it became a tool capable of continuous, life-long surveillance of every person in Australia. During the 2011 census, ABS randomly chose 5% (over a million!) of the Australian population and managed to link a staggering 82% of “de-identified” files between the 2006 and 2011 censuses within that sample. Those people will be linked again in the 2016 census and may be followed for life, without their knowledge or consent. ABS said “the sample will also be augmented in the future”.
For the 2016 census, ABS was planning to use hash-codes of names for the census linking to “achieve between a 5 and 10 percentage point increase in the linkage rate”, which means that from that point the individuals will be uniquely identified. They will just be officially known by codes and the corresponding personal data, rather than by their names. The privacy-intrusive trend is obvious.
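The difference between a de-identified file keyed by a name hash-code and a generalised file (postcode and age bracket only) can be measured; the following is an added example, not ABS code and not part of the original article. It assumes SHA-256 of the normalised name as the hash-code (the article does not say which scheme ABS uses), and every record, mesh-block code, postcode and the reference date is constructed.

```python
import hashlib
from collections import Counter
from datetime import date

# Assumed reference date, used only to turn a date of birth into an age.
REFERENCE_DATE = date(2016, 8, 9)


def person(name, dob, sex, mesh_block, postcode):
    return {"name": name, "dob": dob, "sex": sex,
            "mesh_block": mesh_block, "postcode": postcode}


# Constructed records: invented people, mesh-block codes and postcodes.
CENSUS_2011 = [
    person("Alex Nguyen", date(1980, 3, 14), "F", "MB-0001", "2000"),
    person("Sam Taylor", date(1982, 7, 2), "M", "MB-0001", "2000"),
    person("Jo Martin", date(1985, 11, 23), "F", "MB-0002", "2000"),
    person("Chris Lee", date(1970, 1, 9), "M", "MB-0101", "3000"),
    person("Pat Wilson", date(1973, 5, 30), "F", "MB-0102", "3000"),
    person("Kim Brown", date(1975, 9, 17), "M", "MB-0102", "3000"),
]
# Five years later: everyone has moved to another mesh block, one name is
# written differently, and one person has changed their surname.
CENSUS_2016 = [
    person("alex  nguyen", date(1980, 3, 14), "F", "MB-0003", "2000"),
    person("Sam Taylor", date(1982, 7, 2), "M", "MB-0004", "2000"),
    person("Jo Martin-Clarke", date(1985, 11, 23), "F", "MB-0005", "2000"),
    person("Chris Lee", date(1970, 1, 9), "M", "MB-0103", "3000"),
    person("Pat Wilson", date(1973, 5, 30), "F", "MB-0104", "3000"),
    person("Kim Brown", date(1975, 9, 17), "M", "MB-0105", "3000"),
]


def linkage_key(name):
    """Hash-code of a name (assumed scheme: SHA-256 of the normalised name)."""
    normalised = " ".join(name.casefold().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def deidentify(record):
    """De-identification: the name becomes a code, everything else is kept."""
    out = {k: v for k, v in record.items() if k != "name"}
    out["name_key"] = linkage_key(record["name"])
    return out


def generalise(record):
    """Keep only postcode and a 10-year age bracket; no name, no name code."""
    dob = record["dob"]
    had_birthday = (REFERENCE_DATE.month, REFERENCE_DATE.day) >= (dob.month, dob.day)
    age = REFERENCE_DATE.year - dob.year - (0 if had_birthday else 1)
    low = age // 10 * 10
    return {"postcode": record["postcode"], "age_bracket": f"{low}-{low + 9}"}


def link(first, second, fields):
    """Count records in `second` matching exactly one record in `first`."""
    index = Counter(tuple(r[f] for f in fields) for r in first)
    return sum(1 for r in second if index[tuple(r[f] for f in fields)] == 1)


def k_anonymity(records, fields):
    """Size of the smallest group of records sharing the same `fields`."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return min(groups.values())


def audit():
    old = [deidentify(r) for r in CENSUS_2011]
    new = [deidentify(r) for r in CENSUS_2016]
    coarse = [generalise(r) for r in CENSUS_2016]
    return {
        # Name code + date of birth + sex follows a person across collections.
        "linked": link(old, new, ("name_key", "dob", "sex")),
        # Even ignoring the name code, each de-identified record is unique.
        "k_deidentified": k_anonymity(new, ("mesh_block", "dob", "sex")),
        # Postcode + age bracket leaves each person hidden among others.
        "k_generalised": k_anonymity(coarse, ("postcode", "age_bracket")),
    }


if __name__ == "__main__":
    print(audit())
```

On this constructed data the name code links five of the six people across the two collections although every address changed, the de-identified file has k = 1 (every record is unique), and the generalised file has k = 3.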
Changing things one step at a time has been found to be a very effective tactic in practice. What is the problem? This is hardly anything different from what it was before... you are just paranoid... this is not Big Brother, or the Stasi... It is a very hard tactic to counter.
David Vaile, vice-chairman of the Australian Privacy Foundation (APF) and executive director of the Cyberspace Law and Policy Community
David Vaile was right! For the 2016 census, the ABS quietly announced on its website that “The ABS collects name and address information in order to... enable the linkage of census data with other datasets to increase the value of the census.” This means that personal information is now not only retained, but also that ABS gets access to other personal data repositories that have nothing to do with census, such as our health records. It is possible that for the 2021 census, after the majority of Australians have been dragged into the eHealth system, it will be linked with census too.
In fact, on 18 December 2015, just before Christmas, when everyone was busy with other things and least likely to keep an eye on the bureaucratic news, ABS published the following announcement on its website:
The Australian Bureau of Statistics has decided to retain names and addresses collected in the 2016 Census of Population and Housing in order to enable a richer and dynamic statistical picture of Australia through the combination of Census data with other survey and administrative data.
Whilst the Census has always been valuable in its own right, when used in combination with other data the Census can provide even greater insight.
... The combination of Census data and health data can help improve Australia's understanding and support of people who require mental health services and assist with the design of better programs of support and prevention.
This decision has been informed by public submissions, public testing and the conduct of a Privacy Impact Assessment.
They decided, huh? Since when can government agencies, funded by public taxes, fundamentally change what they do without explicit public approval?
Informed by public submissions?
Public testing? You are the public. Have you been notified of this significant change? Did you get to test it and agree with it? Have you been given a fair chance to lodge a submission? You can make your conclusions about the worth of the ABS's word, and how much your opinion matters to ABS.
To mitigate the public outrage, ABS keeps repeating that it has been enjoying a good history of personal data protection. But that is irrelevant. Prior to 2006, ABS did not keep any personal data, so of course it could not be misused or stolen. Now it is no longer the case. 100% security of identity can only be guaranteed if no identifying information is kept in any form — encoded or not.
ABS also tried to calm the public by promising that they “will remove names and addresses from other personal and household information, store them securely and separately from one another, and other Census information. They will never be recombined. The ABS never has and never will release identifiable Census data.” If these promises were true, if names and addresses will really never be recombined, released or used for any other purpose, why store them? Make your guess.
Hackers do exist, and so does the possibility that the government can change the legislation or amend any policy at any point in the future, and the new law may allow the data to be treated less securely or released without de-identification. There is no law against changing the law! There is no law that could permanently protect the privacy of individuals who were forced to hand their personal information over to ABS, and no one can guarantee that at some point ABS will not be told to release all the “confidential” data it holds, to track people down whenever the new law permits it, or such abused pretexts as “national security” or “public interests” suddenly demand it. And with the new approach to keeping data forever, it will not only affect the data collected at the time, but will also jeopardise the security of decades worth of linked data from the past.
If ABS was truly anonymising our information instead of pretending to hide it behind some semi–“de-identification”, there would be no such danger: one cannot release the data they don't have, no matter what the new law or the government says. Unfortunately, ABS is doing the opposite: instead of future-proofing the security of our private and sensitive information, they routinely propose to retain more identifiable data and to merge census data with information from birth and death registers, immigration data, disease registers, health records, tax files, and their own surveys. All promised to be “for statistical purposes only”, of course. Yet one fails to understand why they need names, addresses and dates of birth. Postcode and age bracket, without names, are perfectly sufficient “for statistical purposes”. If they want names and DOB, it's not statistics anymore. ABS became the Australian Bureau of Surveillance.
As the Australian Privacy Foundation said in its Submission to Australian Bureau of Statistics in February 2016, “an anonymous, specific-purpose, temporary and relatively safe one-off snapshot appears to have been changed into a less-safe, personally identified, lifetime longitudinal dossier, with potentially fewer protections.”
Your name, date of birth and address have no statistical importance, and therefore ABS should not be collecting these details. It is vital identity data and can only be used for identifying each particular person, acquiring more information about that person via other government databases, and placing the person under surveillance, often without the person's knowledge, consent, or any option to stop this intrusion on their private life. If ABS was truly interested in statistics only, they would allow people to remain anonymous. An age bracket and a suburb or postcode should be perfectly sufficient for any census or survey.
On 10 August 2016, the 2016 census was hacked, despite ABS's assurances that they were well prepared and everything was absolutely secured.
In March 2019, researchers reported a major flaw in census security that had existed since at least 2017 and could let attackers reconstruct and reveal large parts of the census dataset.
Disregarding Public Concerns
Technically, all the changes — or, as ABS likes to refer to them, “enhancements” — have to pass a thorough process of public consultation. However, despite a large number of opposing submissions from organisations such as the Australian Privacy Foundation, the Victoria Privacy Commissioner (+ Supplemental Comments) and the NSW Council for Civil Liberties, and the response from the NSWCCL urging ABS to abandon the privacy-violating intentions, each subsequent ABS census implements more and more intrusive features. Clearly, nobody listens to the public concerns anymore.
As far back as 2005, Australian Privacy Foundation voiced their concerns about ABS's grossly intrusive initiative to link census data and pointed out the following:
The data collected in each Census would now be retained, rather than being destroyed once analysis has been completed. This breaches the public expectation that the detailed data only has a short life and that all that is retained is statistics.
The data collected in successive Censuses would now be linked. This breaches the public expectation that the Census is a statistical snapshot.
The data would be very rich, and the individuals it refers to would be readily identifiable, and hence will continue to be greatly attractive to many agencies and corporations. This breaches the vital public expectation that Census data is anonymous.
It will be used in conjunction with further data from government sources such as birth, death and disease registers, and immigration data. This further breaches public expectations about privacy protections for their data.
It may be used in conjunction with data from yet more sources. This would further breach public expectations about privacy protections for their data.
Although some kinds of change to the scheme would require legislation, a great many potential “enhancements” to the scheme could be implemented as and when the Australian Statistician of the day sees fit.
The ABS is trying to maintain the fiction that “because names and addresses will not be used, it will be impossible to identify who is included in the [collection]”. With such a rich data-set, this is, quite simply, untrue; and the fact that the ABS can utter such a statement gives rise to concerns about the agency's trustworthiness.
In bringing this Proposal forward, the ABS is seriously undermining its hitherto strong reputation. The ABS is also doing great harm to the Census, because the Proposal will significantly reduce people's readiness to complete Census forms, and to do so accurately.
Australian Privacy Foundation, Census 2006 campaign
APF were right then, and their concerns are even more relevant right now.
ABS undermines the vital trust of the public in the government. Without this trust, no free, democratic society can function. This trust is very fragile, and, once damaged, can take a lifetime to restore, submerging the country in chaos and corruption. Wherever there are concerns about, or opposition to, a new method of intrusion on individual privacy, we hear the usual reply: that the decision to do so “followed an extensive public consultation process”. How many people found it easy to obtain the information about a public consultation taking place? Or, more importantly, how many have seen the contents of all the submissions to a certain public consultation? It cannot be called an “extensive public consultation” if very few knew about it, and the opinions of those who disagreed were disregarded. Unless these consultations are widely advertised and the contents of all submissions are made public, the words about an extensive public consultation process are merely a cover-up.
ABS seems to be disregarding the fact that whenever a rich source of data exists, there will always be agencies seeking access to it. And some of those agencies are very powerful. ABS also seems to be ignoring the fact that until now they have been able to collect the information and develop a reliable set of statistics only because the public had confidence in it. The introduced changes that impact privacy will inevitably erode public confidence and decrease the reliability of the collected data. ABS already had to resort to compulsion and coercion to force the participation of some individuals who were avoiding census and surveys because of fears for their privacy and security. What is next?
The ABS says the compulsion is necessary for creating a population sample that provides a balanced and unbiased representation of the whole population of Australia. Yet the very same ABS was using census and survey forms with carefully arranged and worded questions to get certain answers. For example, the question about religion, “What is the person's religion?”, actually presumes that the person has a religion and induces them to select from the list a religion they were taught at school or grew up with, even if they no longer actively practise it. The “no religion” answer option was buried at the end of a long list of common religious affiliations. The result of such careful design is that Australian taxpayers are over-subsidising religious institutions, the religiousness of Australians is exaggerated, and religions are allowed to influence political decisions in such secular areas as public health, which, for example, leads to Australia remaining one of few developed countries where abortion is still the subject of criminal law! If ABS was truly seeking an unbiased representation of the Australian population, the question would have been “Do you practise any religion?” and the “no religion” option would have been first, above the list of most popular faiths. The truly devoted, religious people would have had no trouble skipping the atheistic answer, while people who are no longer seriously religious would not have been confused. Thus, ABS's claim that lack of bias is so important and justifies the coercion is just another excuse.
Post-census 2016 update: after years of criticism, the ABS has finally moved the “no religion” option to the top of the list in the 2016 census, and immediately, for the first time in the history of census, the “no religion” answer outnumbered believers in any single religion. This proves the point: the ABS appears to be very concerned with bias when people are protecting their own privacy, but had no problems with the bias of its own creation.
In addition to the 5-yearly census of every person in the country, Australian Bureau of Statistics conducts a number of surveys that require more information from individuals, and that the Bureau claims are compulsory: Monthly Population Surveys (MPS), Australian Health Survey, Income and Housing Survey, and many others. The ABS selects the “victim” households, dispatches a letter addressed “to the householder”, and from that point the tenants of the dwelling have little choice but to let their private life become government property or be prosecuted.
The surveys can be lengthy, inconvenient and extremely privacy-invading. People have no right to say ‘no’ to protect their own personal data and their family from potential risks of misuse, identity theft, leaks or hacker attacks. There is no choice and no exit — all because ABS enjoys the power given to it by a dated Census and Statistics Act 1905 to issue Notices of Direction, to force people to supply the information and threaten them with exorbitant fines, courts and jail sentences.
ABS claims that the surveys must be compulsory for each “chosen” household in order “to provide a balanced representation of all households in Australia so that the estimates made from the data reflect, as closely as possible, all households. If some households do not participate, this may result in one type of household being represented more often than another type, which may result in biases in the data.” But we already know that ABS not only doesn't care about bias, it deliberately introduces it when the agenda requires it.
ABS also likes to stress that it “relies on willing cooperation of the selected householders”. It is unknown, though, how willing any consent can be if people have no choice and threats are used. It is also unknown how many people are willing to give honest answers when they are being coerced. Voluntary participation can bias the results of surveys, but wouldn't coercion and intimidation do even worse? Most people can give honest answers only when they can be sure that their identity is absolutely and irreversibly safe, which is no longer the case when ABS is involved.
What You Can Do to Protect Yourself
According to readers, the only sure and legal way to avoid ABS is to be overseas during the census, or move house after receiving the survey letter. Obviously, for many these are not easily available options. The Public Information Statement re ABS Compulsory Surveys page from APF has some helpful information.
So far, there has been only one widely known case when a person won a court case against ABS's intrusion: Shirley Stott Despoja, mother of former Senator Natasha Stott Despoja, in 1988. Although there is not much chance of fighting the insatiable statisticians in court, you can still try to protect your privacy and identity as much as possible. Here are readers' suggestions:
Insist on not giving your name or date of birth to ABS
Your name and date of birth have no statistical importance and so ABS should not be collecting them. The only purpose of collecting this data is to identify and trace people beyond the scope of census or survey. But that's not statistics, that's mass surveillance! If ABS knows your address, simply giving them your date of birth (even without your name) means they can easily identify you.
This is why it is worth asking ABS for clear, preferably written, explanations of why they are trying to get this data from you and how exactly they are going to use it. Ask for guarantees that ABS won't use your address, date of birth, age, place of birth or any other personal data for snooping in government files, or linking your survey responses to other databases. Demand clear answers about what exactly information like your date of birth will be used for and why a simple age range can't satisfy the statistics. Most likely, your date of birth will be used by the ABS to pull more information about you from other data sources like the Taxation Office, Medicare and health records. If you are not happy with that, voice your objection, lodge a complaint with the ABS and contact privacy advocate groups for advice. The more people do it, the more chance Australians have of winning their privacy back.
Household Survey Participant FAQs on ABS website clearly say:
Do I have to give my name?
No. The interviewer will ask for your name to assist with the interview, but if you wish, the interview can be conducted anonymously.
Household Survey Participant Information FAQs, abs.gov.au
And so it should be: statistics don't need names! If ABS was truly collecting the information for statistical purposes only, as they claim, they shouldn't need any personally identifiable information at all, ever. However, remember that the surveyors know your address, and they often ask for your date of birth or age. Given that ABS has access to other government databases, tracing a person by the address and date of birth is a matter of seconds. It could be that this anonymity is false and deceptive if the people are traced and identified afterwards.
For the Post Enumeration Survey (PES) that is run after each census, ABS demands the person's name, sex, date of birth, age, relationship in household, marital status, country of birth and Indigenous status, allegedly to match the PES person records to census person records during processing. Ask what is going to happen to your personal information and insist on a written guarantee that after this matching all your identifying information will not be retained by ABS in any form. ABS does not clearly state what happens to the identifying information collected during PES and other surveys.
Don't give ABS your phone number
ABS often asks for a phone number. If ABS wants you to complete a survey online, they will tell you to create an account, for which a mobile phone number is compulsory. In Australia, phone numbers are tied to your ID and can be used to identify and trace you. It may also be wise not to use your usual personal email address, and instead create a disposable email just for ABS.
Ask for proof that your household was chosen absolutely randomly, and was not targeted with any intention
ABS claims that they choose their survey victims totally randomly, however there have been numerous complaints from people saying that after they agreed to participate in one survey, they have been told to fill another one, and another one... Apparently, many people prefer to discard the “To the Householder” letter from the ABS, don't make any contact, and don't open their door to any door-knockers; so to keep the plan fulfilled, boxes ticked and salaries coming, people suspect that the ABS take advantage of the softer targets. Therefore, it may be wise to demand written guarantees that the selection is indeed random, and if you are soon chosen for another survey, take the matter further and lodge a complaint.
Demand written guarantees from ABS that it will never attach any identifying information to your answers, attempt to identify you, link your answers to any other data about you, or attempt to trace you later in life
If ABS truly collects data for statistics only, giving you such guarantees should not be a problem for them. However, if they refuse, make your conclusions and take actions.
Be aware of ABS's promises to keep your information “confidential”, or to “delete” or “remove” your name and address once statistical processing is completed
Most people think that their identifying information is going to be destroyed, but it is actually kept by the ABS: ABS simply moves names and addresses into a separate file, which allows them to say that they “removed” the identifiable data. From the abs.gov.au website, it is clear that identifiable information is not destroyed; it is stored in a separate file that can be easily linked back to the rest of the person's information:
Data records are de-identified as soon as possible. Once quality has been assured, names and addresses are removed, because this information is not needed for the production of statistics. Removal provides added protection against any breach of security of confidential information.
Internally generated identifiers are usually attached to each record, but cannot be used to identify a respondent. Nevertheless, the combination of these identifiers and the name and address to which they refer can be used to make records identifiable. Hence any linked files are carefully protected and only available on a strict need to use for work basis.
So, if we are told that “personal privacy is paramount at the ABS”, that personal information “is not needed for the production of statistics”, that ABS collects information “only for statistical purposes”, and that “ABS has never and will never release identifiable personal information to any outside organisation, agency or project”, then why is the personal information kept at all? Why not destroy it once and forever, and by doing so actually guarantee its safety? Why retain it? Why wait for a breach, a hacker attack or a new law that will permit a new usage of this information? ABS doesn't give any answer to these questions.
ABS keeps saying that they haven't had a privacy breach before. That's great, but it doesn't mean it can't happen in the future. Hacking technology is getting more sophisticated. And the public should keep in mind that before 2006 there was no linking between census data and other ABS surveys and government databases, and people weren't traced and followed through their lives. A breach before 2006 would only leak data from one census or survey. A breach now will compromise the privacy of the whole lives of individuals and their whole families.
Do a thorough legitimacy check
If you open your door to someone claiming to be an ABS data collector, make sure the person is really working for ABS. A plastic card dangling on someone's neck is not a magic pass into everyone's personal life. How can we know their ID card is legit? Would that card be accepted as an ID by Driver Licensing Authorities, Centrelink, Police, Border Security or any bank? No? Then why should the public accept it? Take a photo of the collector's ID and tell them to come later. In the meantime, call the ABS office using their official phone number (not the number the surveyor may give you) and confirm the identity of the door-knocker. We all know that these days anyone can print out any sort of card and start knocking on people's doors. ABS created a perfect opportunity for criminals to gain access to people's homes and personal information by masquerading as ABS collectors, and numerous ABS-related scam incidents have already happened.
Check the list of the current ABS surveys on the abs.gov.au website, do some research about the survey you were “chosen” for and learn what you can say and do to maximise the protection of your sensitive information. ABS subcontracts all sorts of companies and individuals to do surveys for them, so you never know whose hands your private or sensitive information is passed through. Keep that photo of the ID card you have taken, and if any identity theft, fraud or house break-in happens in your family, pass the facts about the recent ABS survey and the ID of the surveyor to the police.
And, by law, you are not obliged to let ABS employees into your house.
Record everything for yourself while objecting to ABS's recording
Tell the ABS data collector that you will be filming/recording the interview, and keep a copy of all questions and answers. At the same time, refuse to let the ABS make any audio or video recordings of you. It is your home and your private life — you set the rules. These days, ABS surveyors use laptops to record your answers, so you can insist on watching what they are entering and take a photo of each screen, for your protection and for making sure the answers are entered correctly. Remember, the ABS may have the power to force you to give the answers, but you still have the right to access the information collected and held about you and make sure it is correct.
Complain and protest
Voice your concerns, disapproval or objections regarding privacy issues. Make your concerns public on online discussion boards and social media. Disregard any silly comments from people mentioning paranoia or tin foil hats — those people are either ignorant or benefiting in some way from the current privacy erosion trend. You have a valid concern and have every right to be worried about the privacy and security of your personal data.
Australian Privacy Foundation published the “What Concerned People Are Doing” lists about census and about surveys. While the Census and Statistics Act 1905 provides for the compulsory provision of census and survey forms and of accurate data, those provisions are unlikely to be sufficient to ensure an effective census or survey in the face of widespread public opposition.
Public advisory statement re ABS compulsory surveys, Australian Privacy Foundation
Commencing with the 2006 Census, the ABS is now keeping personal data, which can be associated with the person's identity without their consent, Australian Privacy Foundation
Why you might want to become a Jedi Knight for this year's Census, Salinger Privacy
If you're worried about privacy, you should worry about the 2016 census, ABC News
Census Nightmares: The more we know, the less we trust it?, Meg Carter, Institute for Social Research