The ACLU Appeals To U.S. CIO To Encrypt Whistleblower Websites

The sites of 29 inspectors general do not use encryption to protect government whistleblowers, the ACLU found.

In an initiative that was met with widespread approval earlier this year, U.S. Chief Information Officer Tony Scott proposed requiring all government websites to use HTTPS encryption, which would make browsing on federal sites more private and secure. Scott called for all federal web services to transition within two years. The ACLU, however, believes that timeline is inadequate. In a letter sent to Scott's office yesterday, the ACLU found that the websites of 29 inspectors general, which serve as portals for government employees to report wrongdoing, currently use unencrypted HTTP, leaving whistleblowers vulnerable to interception, manipulation, and impersonation.

"When individuals use these official whistleblowing channels to report waste, fraud or abuse, the information they submit is transmitted insecurely over the internet where it can be intercepted by others," wrote acting director of the Washington Legislative Office Michael W. Macleod-Ball and principal technologist Christopher Soghoian. "This not only puts the identity of whistleblowers at risk, but also the confidentiality of the information they provide to inspectors general."

According to the ACLU's research, those government websites that still use HTTP include the inspectors general offices for the Department of Justice and the Department of Homeland Security. The State Department's "Rewards for Justice" program, which helps apprehend terrorists, has a submission form that is unencrypted as well, the ACLU found.

"That these sites do not use HTTPS to protect the submission of sensitive information (and likely have never used it) raises serious questions regarding the technical competence of the respective inspectors general and their ability to adequately protect sensitive information from cyber threats," states the ACLU's letter.

Scott's own proposal asserts that federal websites that do not use HTTPS leave Americans "vulnerable to known threats, and reduces their confidence in their government." The CIO also indicates websites that deal with sensitive content should prioritize their transition to HTTPS.

In addition to a more urgent transition timeline, the ACLU recommends stronger encryption technology for government email and the removal of agency bans on visitors using Tor, a web privacy tool.

In a statement to BuzzFeed News responding to the ACLU's letter, CIO Scott said, "As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it. Today, there is no such thing as insensitive web traffic, and public services should not solely depend on the benevolence of network operators."

Scott went on to say that the transition to HTTPS is a critical policy, ensuring that government websites provide citizens with privacy and reliability. "Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens," he said.

"We look forward to incorporating the substantive feedback provided during the public comment period, including ensuring agencies prioritize action for websites that involve an exchange of sensitive content."
