IT analyst: Oz census data processed as plain text
Data appears to be encrypted in transit, but not at rest
An Australian IT consultant has cast doubt on whether the country's Census is as secure as the Australian Bureau of Statistics thinks it is.
The technical infrastructure for the Census is being delivered by IBM using its SoftLayer cloud in Australia.
While the online Census completion process uses transport layer security (TLS) – and is therefore kept from prying eyes – the tunnel terminates not at the ABS, but at IBM's end, claims Justin Warren, chief analyst and managing director of consultancy PivotNine.
In other words, he says, the data has been saved as clear text in the SoftLayer infrastructure – and would therefore be accessible at the server end.
The resume function sends back your answers so far to populate the form. #CensusFail — Justin Warren (@jpwarren) August 7, 2016
So IBM can absolutely look at your partially completed answers. #CensusFail — Justin Warren (@jpwarren) August 7, 2016
Warren posted his data grab to Pastebin here.
His work comes as the Australian Privacy Foundation (APF) has called on the government to assure Australians that IBM's involvement in the Census doesn't expose Australians to America's notorious PATRIOT Act.
Public resistance to the retention of names in Australia's 2016 census has sparked a long-running #CensusFail hashtag on Twitter, and has demographers concerned at the risk of a boycott resulting in a less-than-optimal data set. ®