Census 2016, this time it’s personal


Census time again, and those practical jokers at the Australian Bureau of Statistics have managed to spring a beauty on the Australian public. The  joke being that, rather than collecting the data anonymously you are now required to fill in your name and address which the ABS will retain (1). This is a bad idea, in fact it’s a very bad idea, not quite as bad as say getting stuck in a never ending land war in the Middle East, but certainly much worse than experiments in online voting.

Now the good folk at the ABS are not necessarily Nazi’s (2), so they’re not about to use the census data to round up those whose religion or gender doesn’t suit the state. That after all, is what the real Nazi’s did. Nor are they about to use the data to allow the internment of perceived enemy citizens in a global war for existential survival. That after all is what the American government did in WWII. Which kind of highlights how census data even honestly collected and securely stored has been misused in the past and could be misused again in the future. Even the fear that it might be misused can lead to people not answering properly, which is why it’s so important that the ABS be seen a scrupulous about the privacy of peoples data. Failing to act in such a scrupulous manner can undercut the truthfulness with which people will reply.

Unfortunately for us David Kalisch the head of the ABS has an evangelical interest in aggregating all sorts of data that government holds into a central data warehouse, called  the ‘Australian Integrated Data Resource‘. This aggregation is an ongoing project of Kalisch as head of the ABS, along with the other big data players in government who, simply put, want to join up all the data that the government holds into a single data set because it’s more ‘useful’. This is also another incremental move towards what some call the panopticon state. That is, through the linking of traditionally separate datasets such as say heath care and census, the individual can be kept under continuous dataveillance should the state so wish, and history tells us that sometimes governments do so wish.

The problem that Kalisch faces is that the ABS’s charter explicitly forbids the divulging of information that would allow individuals to be identified but in order to link data sets together you actually need to identify individuals, this is one of those you can’t have it both ways problems. Currently the ABS is currently making an end run around this problem by generating anonymous ‘keys’ from respondents names which allows them to release ‘micro data’ sets. There’s just one problem with this approach, it just doesn’t work. In reality anonymised data always contains information that can allow someone with additional information to infer with accuracy who the data belongs to. All you actually need is a post code, date of birth and their sex to easily identify a person. As professor Paul Ohm notes in a length paper on the issue ‘data can either be useful or perfectly anonymous but never both’. Unfortunately for us the current world view of the ABS is based on this flawed idea that in the realm of big data anonymisation really works (3). Even the use of anonymised versions of names to use as linkage keys in statistical and research projects, as proposed by the ABS, is therefore a suspect and dubious undertaking.

There is under the leadership of Kalisch, and his immediate predecessors (4), a disquieting breakdown in the ABS’s traditional disciplined approach of not releasing personal data (5) and further indicating that the the the ABS’s current agenda is to greatly expand the sources of data, to destroy anonymity by keeping data identified, and to consolidate data from many other sources into the aforementioned Australian Integrated Data Resource. If that doesn’t concern you from a privacy perspective I don’t know what does. 

The ABS’s intentions should also concern those who have a responsibility for national security, while a foreign intelligence service might not be interested in you or I they most assuredly would be interested in the personal data of say the current prime minister and cabinet. But I guess ASIO thinks that Australian government departments never get compromised by foreign intelligence organisations, which is true, disregarding the Australian Bureau of Meteorology of course. 

From all this it seems that we are sleepwalking into a surveillance state. So, what can we do about it? Well personally I’m going to ask for a paper version of the census form, fill it out but decline to fill in the name part on the basis that they have no legal power to compel non statistical data from you (see note 4 below). Then we’ll see…


1.  Back in 1971 it was Billy Sneddon who ordered the ABS to destroy names and addresses due to privacy concerns over the new computerised record system.

2.  Although the honourable Michael McCormack the minister responsible for the 2016 census did say in 1993, “unfortunately gays are here, and if the disease their unnatural acts helped spread doesn’t wipe us out their here to stay.”

3. For example in the 27 page long internal risk assessment carried out by the ABS for the 2016 census the risk of de-anonymisation presented by the introduction of cross data set keys is not considered because the ABS assumes that the current policy framework will ensure ‘no information will be released in a manner which would enable the identification of a person or household’. There are a number of other issues the risk assessment failed to consider as well.

4. Bill Mclellan the former head of the ABS has a very different view, “This, without doubt, is the most significant invasion of privacy ever perpetrated on Australian by the ABS.” He also believes and advances a well reasoned argument as to why the ABS cannot compel you to provide your name, because “name” doesn’t fall within the definition of statistical data that can be asked for, as no statistics are planned to be produced and distributed from the census about “name”.

5. See the commentary of Electronic Frontiers Australia and Roger Clarke,


2 responses to Census 2016, this time it’s personal


    On a national scale, the vulnerability to blackmail and bribery that such data collection poses is enormous. Anybody who thinks he can keep such data secure lives a life of fantasy.

    Here in the USA, I see weekly, sometimes daily reports about breaches of government or para-government data stores. The most frequent large breaches expose both private and government data aggregated due to the “Obamacare” mandate for socialized medicine. Those breaches expose not only health, but also financial data of millions of people.

    The Obama administration’s incompetent Office of Personnel Management could not stop Chinese hackers from accessing the investigative records of 25 million people who have held positions of trust in the government or for government contractors. Not only does China have my complete life history, including earnings, credit and debts, taxes, physical and mental health, educational transcripts, military training, and neighbors’ and coworkers’ opinions of me, but they also have related data on my parents, wife, and daughter. Already, scammers have used personally identifying information in an attempt to trick my daughter into paying “fines” she did not owe.

    Unifying all data about citizens is a dream for both law enforcement and totalitarians. It is also the dream of hackers, identity thieves, scammers, blackmailers, and spies.


      Matthew Squair 08/08/2016 at 7:35 am

      We could add the chance of catastrophic human error as well, for example when consultants working for the UK NHS managed to upload 128GB of NHS patient records onto Google analytic cloud servers. The only reliable way not to have a leak is not to hold the data.

      Liked by 1 person