The 2016 Census might have been an epic clusterfail, but at least the government didn't release two separate, scathing and (at times) hilarious reports about said failure. Oh wait...
At the start of this year, our biggest concerns with the 2016 Census were all about privacy. The majority of Australians were set to complete the survey online for the first time, and for the first time, names and addresses were going to be stored for four years.
Privacy advocates were up in arms, security experts were seriously concerned about data breaches, and Australians were generally just a little confused about all those weird "moment to pause" ads.
It was a simpler time.
On Census night, August 9, the online eCensus system crashed, the folks in charge at the Australian Bureau of Statistics scrambled to front up to the public, and #CensusFail was born.
Now, the government has released two separate reports on the failures of the 2016 Census, from the Prime Minister's advisor on cyber security, Alastair MacGibbon, and the Senate Economics References Committee.
They are excoriating, and make for excellent reading (if you're into government reports). You're not? Thankfully we've done the digging for you...
Donald Trump might be good at "the cyber" but Australia's top brass are not.
The MacGibbon report goes through a minute-by-minute timeline of the Census fiasco, the mistakes, the missed calls and the mixed messages on social media. The verdict?
"The Attorney-General's Department should develop a 'Cyber Bootcamp' for senior government executives and ministers... [to educate them] about cyber security fundamentals and how to talk about issues with the public."
Roger that, MacGibbon.
One example was the ABS's move to post a message on Facebook saying the Census site was experiencing an unexpectedly "high volume" of people filling out their forms (it wasn't), more than half an hour after the site went down.
"The ABS severely underutilised social media" to keep the public informed, according to MacGibbon, and this lack of transparent communications "lost them trust, and opened the door to speculation."
The ABS had a plan to deal with social media complaints -- sorry, a "social media crisis escalation matrix" -- but it was seriously flawed.
Sure, there'd be negative comments on social media. But the ABS decided these posts were only a serious concern, a so-called "red level scenario," if the person had more than 10,000 followers or the post had over "30 engagements."
Okay, so what if I have 10,001 followers and I make a sick #censusfail burn? The ABS response was to do nothing and "hold all social media communications."
Smart.
The ABS and its IT partner IBM had a plan for a DDoS attack. It involved invoking a strategy called "Island Australia" and geoblocking overseas traffic to prevent threats while Australians continued filling their forms online.
IBM ran the first testing of this Island Australia contingency just four days before Census night, by which point the eCensus site was already live and taking submissions. They also only tested it for 10 minutes. By comparison, Akamai's State of the Internet report says the average DDoS attack lasts 16.14 hours.
MacGibbon's verdict? "Inadequate."
The Senate committee reporting on the Census has decided that retaining names and addresses was a bigger deal than the ABS was willing to concede.
"The census affects all Australians, and even if the changes themselves were relatively minor -- a point not conceded by many -- the cumulative privacy impacts are inevitably large," the report said.
"We may live in an age where more and more personal data is voluntarily shared electronically, but we also cannot assume that Australians do not take their privacy seriously."
These findings were outlined in a section of the report titled "Say my Name, Save my Name" proving once and for all that the Senate's knowledge of Destiny's Child is on fleek.
The ABS famously conducted its Privacy Impact Statement late last year, and announced its intention to retain names and addresses a week before Christmas. There were three submissions from members of the public, with many in the industry not surprisingly saying they missed the memo.
The Senate Committee report said consultation by the ABS was "manifestly inadequate" and that it should "actively" consult with groups outside the government in future, releasing its Privacy Impact Statements at least 12 months before the Census.
MacGibbon's final assessment is that the ABS has a culture problem. According to MacGibbon, it laid "clear blame" on IBM without acknowledging its own failings, and it failed to get the public on side and then keep them in the loop when things went wrong. The ABS's claim that a high Census response rate was a sign that "there is no problem" is not good enough.
"While [the ABS] has said 'sorry' on a number of occasions it has steadfastly refused to own the issue and acknowledge responsibility."
The most interesting part of all this? After almost 200 pages of official reports into #CensusFail and the DDoS attacks, we still don't know who was behind it all.
The ABS did not respond to CNET's request for comment on its social media presence, DDoS testing or ongoing privacy concerns. However, the office of Federal Minister for Small Business Michael McCormack responded with the minister's comments, and on the ABS's behalf. (The ABS is an independent statutory authority, separate from both the government and opposition.)
"Given the thorough nature of the MacGibbon Review and Mr MacGibbon's expertise in cyber security, the government and ABS have agreed to all of his recommendations," the minister said. "The ABS accepts responsibility for its role in the Census outage, and has acknowledged and apologised for its poor judgments."
McCormack added that "the government has already acted -- we didn't need to wait for highly partisan, political report by the Senate."
The Senate committee that compiled the report was made up of three members of the Liberal Party, three Labor Senators and Senator Nick Xenophon.
Updated at 4:00 p.m. AEDT: Included ABS response.