By putting the Australian Bureau of Statistics in charge of the upcoming same-sex marriage postal survey, the Australian Government is failing to learn from its previous privacy blunders, Monique Mann writes.
On 9 August it was announced that the Australian Bureau of Statistics (ABS) would run a non-binding and voluntary postal survey on the issue of same-sex marriage.
The ABS will obtain information from the Australian Electoral Commission (AEC) so that they can send postal ballots to registered voters. The ABS is conducting the survey in absence of parliamentary approval for the AEC to administer the vote.
There are powers for the Australian Statistician to collect statistical information but there are questions about whether public views on same-sex marriage fall within this scope. This relates to the legal limits on the agency’s powers to collect information which will be considered in the upcoming High Court challenge.
Having the ABS run the postal ballot also meant there were privacy concerns for the 110,000 silent voters on the electoral roll. In response, on 17 August, it was announced that the AEC would send postal ballots to silent electors.
However, this by no means resolves the privacy issues raised by the ABS administering the survey.
Initially, on 10 August, the ABS promised that no identifiers would be included on the postal ballot. Former NSW Deputy Privacy Commissioner Anna Johnston and I expressed our concern about the potential for voter fraud. We also pointed out that the inclusion of personal identifiers would be incredibly problematic for privacy.
In response, the ABS reversed its position and stated that barcodes will be included on the postal ballot, and will be used“…for “mark-in” purposes only and is a single-use, anonymous, code.” Again, Johnston and I outlined our concern for privacy on the public record.
The ABS has stated there will be no linkage of information, drawing attention to the secrecy provisions of the Census and Statistics Act 1905, and reassuring the public that survey responses will be anonymous. It is open to question why the ABS would reiterate secrecy provisions if the ballots are truly anonymous in the first instance.
Despite these reassurances, if the ballot paper contains an identifier such as a barcode, then this is not a secret vote. If voters believe their vote is not secret then there is potential for a chilling effect where individuals may self-censor and vote in a way that is more conformist. This is concerning with a vote on a politically divisive topic such as same-sex marriage. Both secrecy of voting, and the privacy of one’s views on such matters, are paramount for the healthy functioning of a democratic society.
Other commentators have argued that the ABS is poorly equipped to run the plebiscite, not least because of its bungled administration of the 2016 Census. Indeed, the plebiscite must be considered with respect to the Census and in particular the introduction of statistical linkage keys (SLKs). The ABS retains individual names and addresses and has used these to create SLKs that enable the integration of information. SLKs are explicitly designed to allow for data integration and longitudinal tracking. There are no clear limits on how these will be used in the future or what information may be linked, including that of postal surveys run by the ABS.
Professor Matthew Rimmer and I relayed our fears about the creation of SLKs to the Senate inquiry on the 2016 census. Our submission documented inadequate protections of anonymity, confidentiality and privacy and outlined the potential for data breaches. Notwithstanding the inquiry into “issues of trust” and the ABS, it is disappointing that many of the issues remain unresolved with respect to the same-sex marriage survey.
If postal ballots are in fact identifiable or potentially re-identifiable, this creates information security risks. There are internal risks from ABS officers with access and there is a history of ABS staff misusing both their position and ABS data. For example, ABS analyst Christopher Hill was convicted of misuse of public office and insider trading using ABS information. There have been numerous examples of Australian Government data breaches including sensitive medical information being released, confidential information of almost 100,000 Australian Public Service employees being published, and the recent revelation that any Australian’s Medicare information is readily available for sale online.
Let’s also not forget that the ABS was subject to intense criticism as a consequence of its failure to plan and prepare for a series of Distributed Denial of Service (DDOS) attacks that shut down the ABS website during the 2016 census. Events like this show that the ABS is unprepared to counter risks to information security.
The Australian Government has demonstrated considerable appetite to collect, digitise, integrate and store personal information. A postal survey with a barcode identifier on the ballot must be understood in the context of a range of other recent laws and policies that raise serious privacy and information security concerns such as mandatory data retention, automated data matching, and the creation of a unique single digital identifier.
Alongside barcodes on ballot papers, these developments reveal the Australian Government’s lack of concern for the privacy impacts of new information technologies and the increased security concerns that come with them. The reversal of the agency’s position from first stating that it would not collect identifiers to introducing a barcode, also shows that the ABS has not thought through how the postal ballot will operate in practice. A privacy impact assessment was neither conducted nor released, and there was no consultative process with the public or civil society. These were the main recommendations arising from the inquiry into the Bureau’s mismanagement of the 2016 Census.
In short, it seems that they have not learned from past experience.