The Australian Bureau of Statistics (ABS) billed Census 2016 as “the night the nation pauses” but there was certainly no pausing for IT technicians scrambling to fix a major outage on Census night. Despite claims that the ABS load-tested the website at 150 per cent of the number of people expected to access the site, the ABS website still crashed, leaving millions of Australians unable to complete their favourite quadrennial survey. So what lessons can be learned from #Censusfail?
Census 2016 and the Digital Age
According to the Australian Bureau of Statistics, 65 per cent of the population, over 15 million Australians, were expected to complete the Census online on the night of Tuesday 9 August. Leading up to Census night, over six million households received a unique twelve-digit code and were invited to complete the Census online.
In anticipation of such a high traffic load on the Census website in a short period of time, the ABS opened a tender process in 2015 for IT companies to compete for a project to load test its website. The AusTender website reveals that one IT company was ultimately selected and made responsible for “Census load testing” and “Load Testing Services for Census 2016”.
What is a Load Test?
A load test is a process used to test the behaviour of an application or software system under a specific expected load. This form of IT ‘stress-testing’ can simulate multiple users accessing a server through simultaneous connections, under both normal and anticipated peak load conditions.
According to the ABS, the Census website was equipped to handle one million form submissions per hour, which was twice the capacity it expected to need on the night. While the ABS may have assumed the forms would be completed over the course of the entire day, the reality was that most Australians only logged on to complete the Census in the evening, causing a sharp increase in site traffic around 7pm. Whether this was already taken into account by the ABS or whether the load testing was inadequate will be revealed in the coming days.
IT Service Agreements
The ABS contracted the IT company to ensure its servers could handle the traffic through a series of load tests. The obligations of the IT company would have been set out in an IT Service Agreement. IT Service Agreements generally include clauses covering:
- rights and responsibilities of the parties;
- fees and expenses;
- term of the service agreement;
- intellectual property;
- warranties of the service; and
- liability and indemnification.
Failure to provide a particular service may give rise to liability as set out in the agreement. Indemnification clauses generally set out how to handle circumstances where a warranty is breached, a negligent or wrongful act is performed, or an agreement is breached. The IT Service Agreement will show the ABS what options are available as a result of the outage and whether the contracted IT company failed to meet its service standard. Indeed, the IT company may have tested the website exactly to the standards set by the ABS; the outage may instead have resulted from a failure by the ABS to adequately predict the server loads on Census night, or from an external factor outside the control of the ABS and the contracted IT company.
Attacked by Overseas Hackers
On the morning following Census night, the ABS said it believed a series of hacking attacks led to the ABS website being shut down. Four distributed denial of service (DDoS) attacks were detected: three occurred during the day, but the fourth, which took place after 7:30pm, ultimately took the site down. The ABS took the precaution of taking the site offline to ensure the integrity of the data.
DDoS attacks are considered a high tech crime offence as the act results in unauthorised access to, or modification of, restricted data or unauthorised impairment of data (section 308I). High tech crime offences are defined in Commonwealth legislation within Part 10.7 of the Criminal Code Act 1995 (Cth) under computer offences. The maximum penalty for unauthorised access to, or modification of, restricted data is two years' imprisonment. At the time of writing, the ABS was still investigating the cause of the attack.
Census Deadline: September 23
Australians have until September 23 to complete their forms online or in paper form. For those who received access codes, the codes will remain valid until September 23. The ABS has assured people that they will not be fined for late submissions after the technical collapse.