IT analyst: Oz census data processed as plain text

Data appears to be encrypted in transit, but not at rest


An Australian IT consultant has cast doubt on whether the country's Census is as secure as the Australian Bureau of Statistics thinks it is.

The technical infrastructure for the Census is being delivered by IBM using its SoftLayer cloud in Australia.

While the online Census completion process uses transport layer security (TLS) – and is therefore kept from prying eyes – the tunnel terminates not at the ABS, but at IBM's end, claims Justin Warren, chief analyst and managing director of consultancy PivotNine.

Exploring the behaviour of the JavaScript code that implements the form, Warren demonstrated that if a user is interrupted, the saved data that pre-populates the form when the user resumes isn't decrypted at the user's browser.

In other words, he says, it's been saved as clear text in the SoftLayer infrastructure – and would therefore be accessible at the server end.

Warren posted his data grab to Pastebin here.

His work comes as the Australian Privacy Foundation (APF) has called on the government to assure Australians that IBM's involvement in the Census doesn't expose Australians to America's notorious PATRIOT Act.

In this letter, the APF also seeks confirmation that Census data will remain onshore; whether user telecommunications metadata such as IP address is being collected; and whether the JavaScript has been subject to independent verification.

Public resistance to the retention of names in Australia's 2016 census has sparked a long-running #CensusFail hashtag on Twitter, and has demographers concerned at the risk of a boycott resulting in a less-than-optimal data set. ®

