By Matt Bevan, ABC radio
The number of mistakes made by the Australian Bureau of Statistics leading up to and on census night was astonishing—and nearly all of them were due to poor communication skills, writes Matt Bevan.
The idea of counting the population of your jurisdiction has been around for a while—6,000 years actually, since the ancient Babylonians. A census is central to the story of the birth of Christ. That such an old idea could be so contentious is pretty astonishing.
The ABS decided to retain name and address information for four years instead of 18 months, and then failed to adequately explain to the public why they were doing it. The ABS actually announced this intention in November last year. The fact they allowed the public concerns to peak the day before the census was a massive error in communication.
Then, when privacy concerns were raised, they assured the public everything was very safe and secure, and there was no way any hackers were getting in. While this makes sense as a way of reassuring the public, it also serves as a challenge for hackers to have a crack.
The privacy debate was underlined by a threat—if you don’t fill out your census correctly you will face a fine.
As census day approached, the ABS had rolled out a lovely advertising campaign involving a pause logo—meant to embody the idea of pausing to reflect on who we are. Cute.
They were also encouraging people to share their ‘#MyCensus moment’. I’m sure someone at a marketing company was very happy.
But, they say the bookies always have it right, and online bookmakers had the possibility of a site crash priced at $1.50 leading into the big day.
And so the predictable happened.
At 10:08 am, monitoring systems detected the first denial of service attack, a comparatively simple procedure involving a lot of requests being sent to a targeted server all at once. It’s analogous to 100 people trying to get through a single doorway at the same time. It gets jammed up, and nobody gets through.
Another attack came at 11:46 am. At 11:50 am, the ABS blocked all international connections to their servers and figured that was that. The public had not been told about any of this.
There were more attacks at 4:58 pm and 6:15 pm.
At 7:30 pm, though, everything went horribly, horribly wrong. A massive denial of service attack began, just as millions of Australians finished dinner and logged on to complete their census. At 7:45 pm, the ABS shut down the site to prevent a loss of data.
The public were still kept in the dark.
In fact … though the site was inaccessible from 7:30 pm, the ABS Twitter account kept replying to people complaining about it, saying this:
Standard practice when someone reports that a website is broken is to test it before you declare that the problem is at the user’s end.
Then, at 8:26 pm, the ABS Twitter account started spamming Twitter users, saying everything was fine, and they should log on now.
Despite declaring at 8:38 pm that there was a problem with the website, the spam continued. Over the following 76 minutes, the ABS fired off 76 tweets encouraging people to log on, even when they knew full well that the website had been shut down. Meanwhile, the public was giving up. Journalists and politicians alike threw in the towel and went to bed.
At 11:00 pm, the ABS gave up. They said the website was down and wouldn’t be restored that night. The website had been off for over three hours. Meanwhile, many members of the public, genuinely concerned that they would be fined if they couldn’t log on, had stayed up past their bedtimes.
The following morning, on ABC News Radio, ABS chief statistician David Kalisch blamed overseas attackers.
Just over four hours later, the assistant treasurer denied both that there was any attack, and that its source was overseas.
It’s difficult to fault the statistical and technical staff at the ABS for what happened. The statistical staff wanted to do more with the name and address data, so they asked to keep it for longer. The technical staff detected an attack and took security precautions.
Now, it could be argued that the techies should’ve expected a denial of service attack, but that’s another story.
In this instance, the failure was in communication. The ABS failed to explain their decisions, failed to inspire the public, failed to tell the public there was a problem, and then failed to explain themselves afterwards.
Let’s hope the data collection doesn’t fail too.