Despite official assurances that New Zealanders' sensitive personal information given to the mandatory Census 2018 is safe and secure, researchers say they have found a critical flaw in how Statistics NZ set up its website.
This not a data breach, University of Melbourne IT security researchers and cryptographers Drs Vanessa Teague and Chris Culnane told the Herald. There is no suggestion there was unauthorised access to the Census 2018 data, they said.
The issue stems from Stats NZ using a third-party provider, Incapsula, to act as a protective gateway into its network and servers. Incapsula protects other government servers and networks too, such as those belonging to the Government Communications Security Bureau.
Teague and Culnane say that when NZers filled out the Census online, it looked like they were connected to the Stats NZ servers, when they were not.
Instead, people connected to the Incapsula gateway, which a network trace showed is hosted in a data centre in Albany.
Connections to Incapsula are done securely through the open standard Transport Layer Security protocol that identifies the server people's computers connect to, and sets up encryption of the data transmitted over the internet. Incapsula operates a TLS proxy, a network device that terminates the connection before it reaches the Stats NZ server, and decrypts the received traffic.
It is done to inspect the traffic so as to remove malicious content such as bots and denial of service attacks.
Once that's done, Incapsula passes on the legitimate traffic to Stats NZ's Census responses collection server.
However, to inspect the traffic, Incapsula decrypts it and the United States-based company is able to see New Zealanders' Census question responses, Teague and Culnane pointed out. Privacy and lack of transparency are at play here.
"The TLS Proxy sees everything that is sent to Stats NZ, and so it has to be fully trusted to keep the data it sees both secure and private," they said. "It gives the false impression that data cannot be read whilst being transmitted to Stats NZ; that data cannot be decrypted by anyone other than Stats NZ; and that the user can be certain they are communicating with Stats NZ," they added.
"Any organisation like Stats NZ has a responsibility to provide accurate and sufficient information about their security so the public can make an informed decision about how they want to interact with government online," Teague and Culnane said.
Stats NZ chief digital officer, Chris Buxton, confirmed the agency uses Incapsula for the Census.
"Given the national scale of the Census and the experience of our colleagues in Australia during their Census in 2016, Stats NZ made the decision to work with an all-of-government approved supplier that could work at a global scale to block DDOS attacks on the census systems," he said.
Incapsula was not named by Stats NZ, and referred to as "a global web security system" and the provider's ability to decrypt and read the data is not mentioned either.
Incapsula's TLS proxy decrypts all the data sent to it for the Census, as it is required to examine and stop any malicious content that an attacker might try to use to compromise Stats NZ systems, Buxton said.
Adding to the researchers' concerns, Stats NZ's digital key that is required to decrypt the data sent over TLS secured connections is now distributed across Incapsula's global network, Teague and Culnane said.
"Our non-exhaustive search found that servers in Australia, the US, as well as New Zealand, all had the Stats NZ key," they added.
Digital TLS keys are supposed to be protected and should only be kept on the servers that they relate to, the researchers said.
If keys are leaked, attackers could use them to impersonate Stats NZ servers.
Buxton said that Incapsula can be trusted to hold the digital credentials to unlock the data.
"Incapsula is a government approved, global security provider, trusted to hold and protect the census private TLS key, and use it for the agreed purpose of ensuring that Census data was protected from malicious attack," he added. .
As for the keys being stored on servers overseas, Buxton said most of the Census data traffic was contained in New Zealand and Australia.
In some cases, households would use virtual private networking tunnels via other countries, and their data would have been routed to the closest server to them, he added.
"It was important that our security protection worked at global scale, so that we were able to defend attacks at the point where they originated without compromising our New Zealand internet systems. Having servers in these locations provided this defence," Buxton said.
The researchers labelled the practice of allowing the keys to be stored on servers outside of New Zealand jurisdiction as a "clear security flaw". They warned the credentials could be used to intercept any encrypted traffic intended for Stats NZ.
Teague and Culnane have reported the flaw to Stats NZ and told the Herald "they acknowledged what we said and appeared to understand the problem."
Buxton said the system for the Census was set up to mitigate a range of risks, including ransomware, malware and DDOS attacks.