How should the people in charge of the 2016 census, eager to move Australians online to conduct the vast, compulsory survey, deal with the denial of service attacks that were expected against its IT infrastructure? Such attacks, after all, are the lot of many companies and government agencies, large and small, and a high-profile event like the census — already coping with massive traffic as Australians filled out their forms — would surely attract them.
“Island Australia” — a redundant, faintly silly name — was the solution agreed between the Australian Bureau of Statistics and its contractor, IBM, which hadn’t even had to go through the rigours of an open tender process to get the multimillion-dollar contract. That is, in response to a denial of service attack on the census site, they would simply shut off any traffic from outside Australia — otherwise known as geoblocking.
As we learnt yesterday in a hearing of the Senate Economics Committee’s inquiry into the debacle, it was a stupendously dumb idea. The Special Adviser to the Prime Minister on Cyber Security, Alastair MacGibbon, noted that ABS failed to properly interrogate the plan: if it had done so, it might have spotted that a key part of the site IBM had built, relating to password resets, was itself hosted offshore. Institute “Island Australia” and the site wouldn’t be able to function properly — anyone needing to reset their password would have been unable to.
Then again, MacGibbon — who in the aftermath of the August 9 debacle looked like the only adult in a roomful of frantic infants — suggested the ABS displayed a surprising lack of curiosity about what IBM was providing for the census; “vendor lock-in,” he called it. He also repeatedly noted that the DoS attacks on the ABS site that did eventuate were small enough that the site should have handled them easily.
What the committee failed to pursue, however, was why “Island Australia” — basically, geoblocking — was considered at all appropriate in 2016 for Australians accessing a “service” — such as it was — from their government. Citizens had been compelled, under threat of large fines, to take part in what is planned as a lifelong, compulsory longitudinal study of every Australian. Yet anyone wishing to do the basics of IT self-protection by using a VPN to disguise their IP address was to be blocked from filling out the census, as a core part of the ABS and IBM strategy for responding to expected attacks. This is no trivial problem: up to 20% of Australian households use VPNs to encrypt their traffic and hide their locations. They are not second-class online citizens to be chucked overboard at the first sign of trouble, especially when the denial of service attacks were of such a trivial scale as to barely register.
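The offshore password-reset dependency described at the hearing and the VPN-using households discussed here are the two things a geoblock plan should be checked against before it is adopted. The pre-flight check below is an added example, not code from the ABS, IBM or the census system; the dependency inventory, the traffic sample and the assumption that each component's hosting country is known are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """One backend component the site relies on (hypothetical inventory entry)."""
    name: str
    hosted_in: str   # ISO country code of the hosting location
    critical: bool   # True if the site cannot function without it


def blocked_dependencies(deps, allowed):
    """Components that a geoblock admitting only `allowed` countries would cut off."""
    return [d for d in deps if d.hosted_in not in allowed]


def rejected_traffic(requests, allowed):
    """Split a sample of (source_country, via_vpn) requests into
    (share rejected, share of rejections that were VPN exits).
    A domestic user behind a foreign VPN exit looks foreign to the block."""
    if not requests:
        return 0.0, 0.0
    rejected = [via_vpn for country, via_vpn in requests if country not in allowed]
    share = len(rejected) / len(requests)
    vpn_share = sum(rejected) / len(rejected) if rejected else 0.0
    return share, vpn_share


def assess_geoblock_plan(deps, requests, allowed):
    """Pre-flight report: does the site still work, and who gets locked out?"""
    broken = blocked_dependencies(deps, allowed)
    share, vpn_share = rejected_traffic(requests, allowed)
    return {
        "site_functional": not any(d.critical for d in broken),
        "broken_dependencies": [d.name for d in broken],
        "legitimate_traffic_rejected": share,
        "rejections_that_were_vpn_users": vpn_share,
    }


# Constructed sample: a critical password-reset component hosted offshore,
# plus a traffic mix in which one request in five arrives via a VPN exit
# outside Australia. These figures are illustrative, not census data.
SAMPLE_DEPS = [
    Dependency("form-frontend", "AU", critical=True),
    Dependency("password-reset", "US", critical=True),
    Dependency("static-assets-cdn", "SG", critical=False),
]
SAMPLE_REQUESTS = [("AU", False)] * 80 + [("US", True)] * 15 + [("NL", True)] * 5

if __name__ == "__main__":
    print(assess_geoblock_plan(SAMPLE_DEPS, SAMPLE_REQUESTS, {"AU"}))
```

With the sample inventory the report marks the site non-functional because password-reset is cut off, and shows that every rejected request came from a VPN user.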
Or perhaps the ABS would prefer to be able to retain the IP address of Australians as part of its permanent information collection about every individual. After all, the bureau is open about retaining and using your IP address and trying to find out as much about your online activity as possible. Maybe there was more than just stupidity behind “Island Australia”.
“After all, the bureau is open about retaining and using your IP address and trying to find out as much about your online activity as possible.”
Which was sufficient reason for me to do a paper form. Also pleased to see them say, or at least reported as having said, that nobody in the history of the census had been prosecuted for not providing their name.
Here’s to civil disobedience. I wonder if not providing your name means you are less likely to be harassed by them for ongoing surveillance, oops, I mean census enhancement programmes.
I know a few people who didn’t fill out a Census form at all. They’d be stupid to identify themselves of course, but I’m sure there’s lots of them. Some of them were previously even rock-solid supporters of the Census.
As this debacle has demonstrated, the government appears to know nuttin’bout’nuttin when it comes to cyber.
Anyone who ever tried to use the woeful myGov site would be aware that it insists on sending a new p/w text each time it is accessed – tough luck if you are O/S, don’t have a mobile or out of signal coverage – and the point of it was for oldies such as myself, grey nomads & the housebound to avoid the schlep to the reeking, overcrowded CES offices.