The Slightly Disgruntled Scientist


Arguments about privacy and the 2016 census

Every few years, Australia conducts a nationwide census, surveying every resident about a huge cross-section of things, from basic details to cultural and religious background, from socio-economic status to sexuality. This year, for the very first time, they’re (admitting to) keeping our names along with the data they’re collecting.

Many people have voiced concerns about the implications this change has for people’s privacy; many others have responded. And I’ve been a little shocked by how people who are usually in favour of policy that’s (a) evidence based and (b) respectful of people’s rights, are now dismissing critics as “census truthers,” or conspiracy theorists, or worse.

Incivility. ON THE INTERNET. Can you believe it?

The same arguments keep cropping up again and again, and in many ways they’re independent of the census context. I think a lot of this applies whether we’re arguing about the census, or law enforcement, or the conduct of companies rather than governments.

I do not have advice for you on the census; whether to do it or not, and if you do, how. That is for you to decide. This post is about unpicking some of the arguments that have been levelled against critics of the census.

It’s no worse than other government departments

The details that the census asks for aren’t much more than Centrelink, Medicare and the Tax Office already require.

If you think that other government departments already have the same breadth of personalised, multidimensional data that the census takes, then logically we wouldn’t need the census. We could just use that data. But you know why we can’t — because they don’t. They have nothing like the kind of data the ABS needs. That data doesn’t cover everyone. It doesn’t cover everything. It suffers from biases due to being optional, or gathered under certain circumstances, or any number of other reasons.

You can’t simultaneously claim that we need this extra level of detail now while also claiming it’s nothing new. Any deficiencies in existing data reflect data that is not gathered or linked, and is therefore not a privacy risk to someone.

In other words, if it adds something to our statistical capabilities, it necessarily adds something to the privacy risk.

It’s okay by me, or, people already use intrusive apps

Eh, I don't really care if the government or hackers have that data on me. It doesn't worry me.
Commonly used apps already track and store your identity, location, and many other details about your life. The census isn't as bad as many of them.

(These are pretty much the same argument: I/some people cede control of privacy and don’t care, therefore it’s not an issue for anyone.)

People can opt out of using e.g. Facebook. Many do. Or they can use a pseudonym. They can omit their religion and wage, if they like. The worst that happens is they’re kicked off the service. Which can be bad, but not “risking daily fines and prosecution” bad. No app is mandatory. There are no fines for turning your GPS off. It is not a legal requirement to use any of these things, and just because lots of people do, it doesn’t mean everyone does.

Even those who do, and who share things you perceive to be incredibly intimate on public social media still deserve to decide what they reveal about themselves and what they don’t, and to whom.

You might not care about what the ABS collects because you don’t see any change in risk to you, personally. Or you don’t care if your privacy is breached at all, because who cares about your details, and what are they gonna do about it? You may have already broadcast your details to anyone who wants them. Good for you. Maybe everyone you know has too. Good for them.

But here’s the rebuttal: not everyone is you. It’s true. Nor is everyone even like you. And not everyone is like the hypothetical app-using, Twitter-posting, phone-book-listed respondent you’ve constructed in your mind.

If you want policy to be based on evidence instead of the gut feels of a handful of very similar people, if you think that data is important because it reveals populations many people aren’t aware of… well, apply that principle to policies affecting privacy too and stop making blanket statements like this.

You don’t have a threat model/that’s a conspiracy theory

You don't even know what you're scared of! Government overreach? Public dumps of hacked data? Unexpected re-identification by clients of the ABS?
That's a totally implausible conspiracy theory! This isn't some police state where the government will round up people it doesn't like and put them in camps!

The academic way to calculate risk is (probability of event) × (cost of event). Unfortunately, it’s not possible to objectively measure the cost of an event nor, in most cases, the probability. But it’s not a totally useless formula, because it does reflect the way people think about bad things that could happen.

Here’s a fun bunch of disconnected facts:

  • Many Australian politicians, including members of the governing party, seriously suggest immigration laws targeting particular religions and ethnicities.
  • Many Australian politicians (also including government) seriously suggest the ability to revoke citizenship of naturalised citizens, leaving them stateless.
  • Australia has a Department of Immigration who are happy to arbitrarily change the rules of citizenship without notice or announcement.
  • Australia has a policy of putting people of contentious immigration or citizenship status in offshore camps with no oversight or scrutiny.

If none of these things are relevant to your situation, you might calculate the probability as non-existent. You might say it’s just your everyday political posturing to get that precious racist vote. But that’s you, imposing your own idea of plausibility and credibility on that behaviour. You’re not being objective. It is unfair to deride those who, with no more or less subjectivity, do see a real risk. And how would you even quantify the cost if something of that magnitude actually happens?

So there’s a large overlap with the previous point: not everyone is you. But the other problem with this argument is that you’re asking people to make perfect predictions about high-cost, low-probability events. Of course they’ll sound outlandish if you single one out devoid of context.

People are concerned about their data being retained precisely because they don’t know what’s around the corner. Neither do you.

If a hack were going to happen, it would have by now

The ABS already has data potentially worth millions of dollars and that hasn’t been hacked yet.

Presuming to know the motives of all potential hackers, even in terms of money, is pure folly. You don’t even have to go back a week to see this. (I’m willing to bet this statement remains true no matter what week you’re reading this in.)

Some will do it for the pure glee of embarrassing large groups of people. Some will think up ways to use that data for money you wouldn’t have dreamt of. Some will just… see if they can. We knew this in the nineties, and it’s still true.

And again, you don’t know what the future holds. You don’t know whether some government department will one day migrate their data to a new system, leaving it vulnerable while they work out the kinks. You don’t know whether a flaw will be discovered in the systems that secure this data. You don’t know whether some other factor will suddenly make this data much more vulnerable or valuable.

This is not some fatalistic fantasy of borrowed trouble. All data security measures have a life span, and most have flaws. The only 100% reliable way to secure data is not to collect it in the first place, and claiming a system is unhackable is pure hubris.

We need it for evidence based policy

Tracking the changes in individuals' circumstances will allow for far more precise modelling, forecasting and metrics for evidence based policy. In particular, small populations and marginalised groups will be better represented in the data.

While there are potential benefits in terms of policy, I am extremely sceptical that we are anywhere near the point where the effectiveness of our policies is limited by the inability to track changes in an individual’s circumstances. Rather, I see them as limited by our political culture. When we are at the point where we actually use the data we have exhaustively, great, let’s go from there.

Take an example given by the ABS: accurately calculating Indigenous Australians' life expectancy, so that we know whether policies aimed at “closing the gap” are working.

But we already know policies that are evidence based, have been driven by input from the communities themselves, and are not difficult to implement. They just aren’t ever put into place. Lack of individually linked data is really not what’s holding that back.

Hell, some of them come down to “stop disproportionately targeting them with discretionary legal penalties” and here we are, proposing a new way to incur discretionary legal penalties.

Why wouldn’t you trust the ABS?

The ABS is governed by some of the strictest laws about data usage in the country. They’ve long contributed to evidence based policy and are one of the most trusted government departments in the country.

Trust in decision making entities, whether government departments or individuals, comes down to how they account for their decisions. What line of reasoning will the ABS use to respond to new situations?

I was disappointed to discover that the ABS have been deceiving the public for some time now, by keeping names and addresses for longer than they claimed to, and tracking more than a million people without consent.

I was even more disappointed to see the ABS' rationalisation for this, which boiled down to “we wanted to.” Followed shortly by “just be happy we’re at least telling you about it now.”

If this is the basis upon which the ABS will make future decisions that impact the entire country — i.e. that they are entitled to know everything about us, and that transparency is optional — then, no, I do not trust them any longer. Or rather, I trust them only to make decisions that derive from those principles, and not from respect for those whose data they demand.

The other dimension to this is the security of the data itself. The ABS have said little more than their data hasn’t been compromised and never will be. I cannot take this kind of claim remotely seriously. This is the infosec equivalent of a perpetual motion machine, and betrays such a lack of understanding that without any other information, no, I cannot just trust that they know what they’re doing.

Some stories about privacy

When I was a child, some of the adults in my life seemed stupidly obsessed with their privacy and physical security. Sometimes there were rules about locking doors behind you at all times, or not giving out someone’s address. Phone calls from unknown parties had to be dealt with in a certain way. Relatives were told of this. When someone forgot to de-list their number from the phone book, it had to be changed and updated in a hundred different places, with great care, and palpable stress. Break-ins, even if nothing was stolen, were met with seemingly extreme reactions — on one occasion even moving house.

In fact, especially if nothing was stolen.

I saw it as ridiculous. I’d object to the inconvenience and embarrassment and call people paranoid. I was not aware of the context of all this concern — why would I be? I was a child, surrounded by caring, responsible adults who shielded me from it.

I did not know about the hell these people were in. I did not know about the very different reasons they each had. I did not know about them having to tell real estate agents over and over again, “do not give my details out to anyone, no one I know will ask you for them.” I did not know that police stations, churches or schools were stupid enough to just tell people where you or your kids were, even though there were rules against that. I did not have to deal with a circle of government departments pointing at each other bleating “it’s nothing they couldn’t have gotten from them!” I did not know that every avenue of exposure closed off was one less source of stress.

And thankfully, I didn’t have to deal with me, an ignorant child who just saw over-the-top paranoia.

This was all before the internet was available for home use, and relied upon for daily life. I cannot imagine the new dimensions of fear this has opened up for people. But at least I know that I can’t imagine it.

If you talk to people who are concerned about their own privacy, you will hear stories at the intersection of all of the points I’ve raised above, and more. And if you’re tempted to dismiss it all as anecdata, consider this: if you have a logical position that cannot be refuted with any counterexamples whatsoever, then your position is not as logical as you think it is. (Or it’s axiomatic, so perhaps you need to revisit your oddly specific axioms.)

You might be perfectly comfortable with your current level of privacy and exposure. You might also be naive. Or nihilistic. You could be a huuuuuuge fan of the kind of policy and accountability that is only possible with high quality statistics — I certainly am.

But there are plenty of people who have very good reason to value their privacy more than you value your own; for whom any increase in risk is a big deal; who don’t really reap the benefits of evidence driven policy where we have it and are unlikely to in the foreseeable future. They now have to choose between risking prosecution or risking yet another potential for exposure.

Remember that the usual collective response to intrusions of privacy is to simply find ways to conceal our data, and then to conceal the fact that we’re doing that, and then to share the method. Some of these methods work, some don’t. All of them will compromise the quality of (and confidence in) the census data, or of law enforcement, or whatever your concern is today.

Go ahead and call concerned folk truthers or imbeciles or paranoid cranks on the old socmed, or vent however you want. I confess that I, too, am prone to incivility on occasion. But if privacy concerns are only ever met with complacent derision, we’ll all suffer from what’s lost.

