Admins can see the Census?
That's why we chose IBM. The admins won't understand English.
An Australian IT consultant has cast doubt about whether the country's Census is as secure as the Australian Bureau of Statistics thinks it is. The technical infrastructure for the Census is being delivered by IBM using its SoftLayer cloud in Australia. While the online Census completion process uses transport layer security …
Of course it's exposed to PATRIOT. The US has proven it doesn't care where the data is, just that it's stored on equipment managed by a USanian company (see also Microsoft Ireland vs US Govt where it's not even the US company, but an international subsidiary of the US company and the USG still claims access).
...since the year dot.
Not to say there's no reason for concern over sensitive data being TRANSMITTED in plain text, but IBM themselves have had their hands on the raw data since the days database lookups were performed with a knitting needle.
Although certainly not best practice, the danger really is rather low. Random census data is unlikely to contain anything juicy, and if a black hat is close enough to a worthwhile target to spy on and play silly buggers with their internet, the privacy of their census data is the least of their problems.
> the privacy of their census data is the least of their problems.
That isn't the only issue at stake. Unthinking cloud usage reduces our local IT capabilities so that when it is important, we no longer have an industry capable of executing. We also shouldn't be throwing cash at companies making such mistakes. If it were a custom local software instance there's a chance to get it fixed. One of the problems with cloud is that all customers are unimportant.
If they want to embrace technology in this "digital government" they should be using blockchain. Countries like Estonia use this for voting and government stuff.
The system is not secure whatsoever. No bot should be able to access it for instance. They have remotely loaded javascript and the client code is not scrambled.
I chose paper. They want very detailed information not just name and address, but names of people not at home. Name of employer, their address, the name of your business then of course how much you earn. No relevance to "planning" whatsoever.
Sure outsourced ATO companies now get all this info so more chance of breaches but so will criminals.
No questions whatsoever about health, debts, housing, internet.
OK people. Here is in point form what I consider a maybe breach of security and privacy. Pretty much setting up people to be targeted not only by corporations but criminals.
1) name
2) address (they ask about the address multiple times even though the code and form has the address in it. lol
3) How much they earn
4) The workplace name
5) The workplace address
6) A persons business name.
I don't believe there is a single question in here that is useful whatsoever for planning. A massive waste of $500 million. A wasted opportunity.
We should see truthful information here like how much people spend on food, debts with banks, debts with utilities, how shit their faulty copper NBN is, housing affordability, multiple pages on health, etc etc.
The bulk is asking useless information that breaches personal security and has no worth whatsoever other than corporate and criminal interests.
The Christian lobby will find it useful where to attack and infiltrate next in areas with large amount of "no religion" responses.
I used real data for the bits that they knew anyway or which they can find by looking in the phonebook or asking our local post office (we live in tiny population rural Aus). Lied on salary, religion and for place of work I told them that my employer has not given me leave to publish that.
Perhaps I missed it in the article, but I don't see how data not being decrypted in the browser implies that the data is stored as plaintext. The same observations could be made if data at rest *is* encrypted, but is decrypted server-side before being sent over TLS.
It's certainly possible that IBM / ABS / whoever *is* storing data unencrypted, but this isn't sufficient evidence to prove that claim.
If the data arrives in plain-text at the browser-end of a TLS tunnel, it must therefore have entered the tunnel at the server-end as plain-text. Since the TLS tunnel terminates at IBM, ergo, IBM must have access to the plain-text.
As far as I can see, you are correct that this is NOT evidence of it being "at rest" in plain-text. But it is evidence that someone other than the ABS has access to this data.