In just over two weeks, it’ll be Census night in Australia – that time every five years when every household is asked (in a “let us make you an offer you literally can’t refuse” kind of way) to sit down and fill out a detailed questionnaire about anyone who’s staying there that night. Now to be clear, while it’s easy to snark about the draconian penalties levied against Census refusers, I’m not actually anti-Census per se – I do think it’s valuable to have the kind of demographic data they collect, and have looked up the answers to various Census questions myself to satisfy my curiosity on assorted things. However, the last Census in 2016 was marred by scandal and calls to boycott(external link) after the ABS announced a dramatic weakening of privacy protections for people’s answers, and as far as I can tell none of those issues have been addressed.

As I understand it, the main issue is this: Rather than treating the answers to each question as entirely separate from one another, as was done in the past, the ABS now wants to keep answers linked in order to maintain individual profiles for each Census respondent. Further to this:

  • They claim the right to provide (or sell) this data to any “partner” they choose, for any purpose they deem appropriate, just so long as they don’t reckon it’s “likely” anyone can be personally re-identified from that data. Many people are fine with government and academic research using their Census data, but are much less keen on commercial use of it.
  • Where this data is provided, they insist it will be “de-identified” – as in, individual records won’t have names and addresses directly attached, but some other unique identifier. However, it’s well-known that it’s trivial to re-identify records given enough data points, and the census has loads. Indeed, the ABS itself was able to re-identify 82% of the anonymised sample they tried from the 2006 Census(external link). Yet at the same time, in public they downplay the risks so much that many aren’t confident they can be a good judge as to what kinds of releases of raw data are “likely” to result in re-identification.
  • They also now use names and addresses to link Census data to records held by other government departments, including Immigration and the ATO.
  • The ABS has chosen some subset of Census respondents (about 5%) to follow particularly closely over time, linking their answers from Census to Census to keep track of them for life. There was no “opt-in” process for this, nor were the chosen ones even informed.
  • There are questions about the security of their IT systems. The Australian government, in general, has a reputation for being bad with technology (among other examples, see: last Census, when the website crashed(external link) because the government and their contractor, IBM, hadn’t anticipated all ten million Australian households trying to visit the website on the same evening – in an issue that is totally incidental to the privacy concerns). Some people do not feel confident that their systems are sufficiently hardened to prevent access by motivated hackers. And, after all, the only way to guarantee that private information can never be leaked is to not store it at all.

The ABS has tried to head off criticism of their real-name data retention policy by stating that this time, they’ll delete name data within 24 months of collection and addresses after 36(external link) (previously the window was 48 months). However, if “de-identified” records are trivially re-identifiable anyway, this feels kind of meaningless.

It is illegal to discourage people from doing the Census. What I did see in 2016 was people questioning the ABS’s legal right to demand name and address data(external link); the Act only actually empowers them to require “statistical” data, so unless they start publishing e.g. how many people in Australia are named Jessica, my name is not statistical data. Of course, your name and address were compulsory fields in the online form, so I had to request a paper form in order to provide only accurate statistical data. I did, though, and they never followed up to demand the missing non-statistical info, so I guess it worked out fine. (Of course, who knows what’s happened to my data since I handed it over. The fact that they can cross-reference their data with that held by the ATO/Medicare/etc. suggests that if they really wanted my name they probably got it. At least I did my best.)

I guess it’s a sign of the times that I’ve seen waaaaaay less fuss in the lead-up to the 2021 Census, even though none of the issues have been resolved. Only in the past week or so have I seen anything on social media – and it’s just been a couple of short statuses, no real articles or anything.

Honestly, I suspect that the pandemic has caused some “privacy fatigue”. These days I have to use an app to register myself – my name and phone number – whenever I walk into pretty much anywhere, something I would have thought an outrageous privacy violation if you’d told me about it five years ago. But in the face of the Delta variant and the need for rapid contact tracing, it just seems like a sacrifice that has to be made for now. If we find that these kinds of requirements stay in place when there’s no longer a public health need for them, well, that’ll be another issue. But, much as it wouldn’t be the first “temporary emergency measure” to remain in place permanently, it’s disruptive and annoying enough that I don’t think it will. Why would it, when other forms of surveillance – smartphone app-based tracking, Bluetooth beacons, security cameras with facial recognition – can be used without most people even being aware of it, let alone annoyed?

At any rate… I will be interested to see what kind of coverage happens over the next two weeks. Last time around, privacy advocates were saying that the best way to opt out of this invasive data collection was to take a mid-week holiday to Auckland, but thanks to border closures, that’s not an option now (even for those privileged enough to have been able to schedule holidays on that kind of basis in the “before times”). The second-best thing was what I did, which was request a paper form and just not answer the non-statistical questions. But this time around, I just feel like I have so much less energy to create a hassle for myself with the ABS, and I’m finding it hard to imagine that the data it collects on me personally could have adverse consequences for me if it “got out”, or indeed that it even compares with the level of info that, say, Google or Facebook already have on me, which they definitely do use for commercial purposes.

I don’t know. It depresses me that privacy is too difficult to protect these days without such enormous hassle. And there is a limit to how much hassle I’m willing to accept. This might be yet another of those battles that atomised individuals acting independently can’t win, and as far as collective battles go, well, there are probably higher priorities.

The issue also feels ridiculous because this’d be such an easy issue for the ABS to fix – just separate that cover letter from the rest of the form (the way electoral commissions do for postal voting) and tally the answers to every question separately! We don’t need privacy violations to get the useful demographic data the Census is supposed to provide. After all, to collect demographic data we don’t need to be maintaining files on individuals. All this guff about “it’s necessary to maintain the high quality of data the ABS has come to be known for” is bullshit. It’s all about creating extra data products to be sold to commercial entities so our neoliberal government can be satisfied the Census is “cost-neutral” or even a “revenue earner” or whatever. All this when it should just be done as a public good, one of the many things we pay our taxes for.

Update (29/7/21): Apparently(external link), to opt out of the online form this year and request a paper one, you’re required to give them your mobile phone number. The request form also asks for some other data that you can skip giving (your name and number of your census form), but the mobile number is unavoidable(external link). There’s also the suggestion that the paper form might be loaded with individually-identifying markers(external link), to the point your best option might be swapping forms with a friend… 🤯 Jesus Christ this is a lot.