As every man goes through life he fills in a number of forms for the record, each containing a number of questions...There are thus hundreds of little threads radiating from every man, millions of threads in all...Each man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads.
-- Alexander Solzhenitsyn
Every 5 years, Australians in 9 million households sit down to fill out the same form, counting the kids in their lounge room and the dollars in their paycheck for the Australian Census. The data on more than 20 million Australians is compiled and anonymised to paint a picture of the country.
Only this year, the picture won't be so anonymous.
For the first time ever, the Australian Bureau of Statistics will collect and retain names and addresses of every person in Australia for the 2016 Census.
The ABS quietly announced the plans last year, inviting public feedback on the issue over three weeks in December. Only three members of the public responded.
But since then, the chorus of dissent has been rising, with some opponents going as far as calling for a boycott.
The ABS has downplayed privacy concerns, but with the biggest blueprint of Australians' lives about to become much more identifiable, experts say there are serious implications in removing anonymity from the country's most important data record.
So why should we care?
We are anonymous
When asked why the changes are necessary, the ABS responded by saying the "destruction" of names and addresses in the past has "limited" Australia's ability to make planning decisions from other data collected in the Census.
And this year, the ABS wants to take the data from the Census and "unleash its power."
Whilst Census data is valuable in its own right, when enhanced by other data the Census can provide even greater insights. For example, the combination of Census data and education data can provide insight into employment outcomes...[and lead to] better targeting of educational funding.
...No one data set in isolation can provide the information to help solve these problems.
The ABS Privacy Impact Statement [PDF], released in December last year, stated names would be "anonymised" and addresses "geocoded" and that this information would be stored separately from other Census data.
Census Program Manager Duncan Young also told CNET that all data was "decoupled" so names and addresses are separated from each other. This data is also stored separately to other census information, such as birthplace and education, and individual ABS staff members are unable to access all this information together.
When the ABS uses Census data to analyse trends, they use "anonymous keys" rather than names. So why retain the names? Young says they need to ensure their John Smith matches the John Smith in other databases, such as Medicare and Centrelink records.
But can we trust that big data is ever truly anonymous?
In a world where more and more information is being digitised, security expert David Vaile from UNSW's Cyberspace Law and Policy Community warns that "no mechanism of de-identification gives protection that doesn't decline over time."
One researcher has even shown how raw Census data stripped of names and addresses can be used to identify people, based on unique combinations of attributes. About half the US population can be identified by gender, place and date of birth alone -- even when there's no name or address recorded -- according to Professor Latanya Sweeney of Carnegie Mellon University.
Young counters this by saying that ABS never releases raw data that could be de-anonymised. But once Census information is collected and stored, critics argue that connections are there to be made.
Joining the dots
Just as it talks up the importance of anonymisation, the ABS has also detailed its plans to combine Census responses with things like health and education data to track "outcomes for individuals and families" receiving social service assistance, for example, or to track whether unemployed adults move for employment.
With this kind of qualitative information up for grabs, David Vaile warns that "everybody and their dog" will want to get their hands on ABS stats.
(For its part, the ABS concedes that Census data will continue to be used by "the public and private sectors" for planning decisions.)
And here lies another concern for Australians -- the information is not only detailed and accurate, but also very valuable.
According to Chris Berg, a board member of Digital Rights Watch and senior fellow at the Institute of Public Affairs, name and address data helps to paint a "very, very accurate picture" of every Australian.
"Social scientists and Governments like this sort of mass information because it actually gives a better picture of an individual or a better picture of the population," he said. "You can create an accurate picture of someone's relationships, you can create an accurate picture of someone's financial situation...[or] their education levels."
And these accurate pictures have not always been used to benefit citizens.
In 2007, it was revealed that the US Census Bureau handed over Census data during World War II to locate Japanese-Americans to be moved into internment camps. De-classified documents have also revealed how the British Government proposed a plan to use Census data for the forced relocation of Irish Catholics in Northern Ireland in the 1970s.
Duncan Young of the ABS says names and addresses will not be retained after four years (for the last Census in 2011, the ABS kept this information for 18 months). Beyond this point it will only retain the numerical keys that identify each Australian.
But with the ABS planning to store information on its citizens for longer, Berg says there are "serious privacy risks" inherent in this year's Census. And with two thirds of respondents expected to complete this year's survey online, the spectre of data security and a potential privacy breach looms large.
Big Data, Big Risks
The Federal Government and its agencies are no strangers to data breaches.
In 2014, the Department of Immigration and Border Protection published the personal details of almost 10,000 asylum seekers online due to a copy-and-paste error by an employee. Last year, an internal email error led to the leak of passport details of 31 world leaders attending the G20 conference.
Even the ABS itself has not been immune. In 2014, the Bureau was pushed to conduct a massive review after an employee allegedly leaked market-sensitive economic data to a trader who was accused of profiting millions from the information.
(The ABS said the breach was "unprecedented" and it has taken action to ensure that "sensitive information in the possession of the ABS is more secure.")
But according to Berg, "there's no such thing as completely secure data."
"When you say, 'I trust the security systems that the ABS has put in,' you're also saying, 'I trust all the people that work at the ABS and have access to that,'" Berg said.
The ABS heralds its security record, but an organisation is only as good as its people. It takes just one error to put masses of potentially personally-identifiable information on every Australian at risk.
And it's not just internal breaches that raise concerns. David Vaile warns that the expanded ABS record will create "an irresistible 'honeypot' for hackers and cyber criminals in an age when no IT security can keep out motivated intruders."
But what if the biggest threat to Australian privacy hasn't yet presented itself?
"I'm genuinely worried about what future governments might decide to do with this information," Berg said. "It's all well and good for the ABS of 2016 to say they have secured our data...but what happens in 4 years or 10 years or 30 years when all our information is still sitting with the ABS?"
He says the only way to protect against future privacy violations is to limit the information collected now.
"Once they collect the data then the game is all over."
One former Census officer told CNET as many as one in five residents they surveyed during the 2011 Census were concerned about providing personal information, and were only reassured when told that names and addresses were destroyed.
By changing the stakes this year, David Vaile says the ABS could be making a major misstep.
"To make it work people have to trust it. But they [the ABS] have to be trustworthy."
For his part, Duncan Young says there has always been a "small percentage of the population that have chosen not to participate in the Census for a variety of reasons," and he expects that this number will stay low in 2016.
"It's unfortunate that their data...isn't going to help create an accurate picture of the country," he said. "I see [non-participation] as a very low risk because the Australian people will trust the census and see its value."
Regardless of how many people boycott the Census this August, the damage to the credibility of Australia's biggest statistical institution may have been done.
While the Census is legally mandatory (the penalty for not participating is AU$180 per day, at the discretion of the courts), privacy groups are calling for a boycott. One academic, Australian Privacy Foundation and Electronic Frontiers Australia board member Roger Clarke, has even published a comprehensive guide for conscientious objectors.
"If people don't feel that their privacy is being adequately protected...then they're going to be less likely to answer the census accurately or they're more likely 'not to be at home,'" said Berg.
By asking more of the Australian public, the ABS could be damaging the accuracy and usefulness of the rest of information it collects, as well as eroding the public trust in one of Australia's most established institutions.
In its bid to "unleash" the power of big data, the ABS could be creating Australia's biggest privacy monster.
Update, June 30 at 12:10 p.m. AEST: Added additional comments from the ABS.