Many of the U.S. government Web sites that encourage whistleblowers and tipsters to submit information about fraud, waste and abuse lack basic online security to protect users' information and identities, according to a study by the American Civil Liberties Union (ACLU). Based on its findings, the organization is urging U.S. Chief Information Officer (CIO) Tony Scott to fast-track his proposal for standard encryption for online government services.
Scott has proposed an "HTTPS-Only" initiative that would require all publicly accessible federal Web sites and services to use the encrypted HTTPS protocol instead of the unencrypted HTTP protocol. However, his proposal calls for the stronger standard to be phased in over two years, while the ACLU says the changeover should take place as soon as possible.
In its survey of federal Web sites, the ACLU identified 29 inspector general offices that do not use the HTTPS protocol to protect information sent via their online tip hotlines. Agencies without encrypted whistleblower tip sites include the Consumer Product Safety Commission, the Election Assistance Commission, the Federal Labor Relations Authority, the Department of Homeland Security, the Department of Justice, and the Department of the Treasury.
Protecting Both Data and Users
"For far too long, many in the technology industry incorrectly believed that HTTPS was only necessary to protect the submission of sensitive information, such as credit card and Social Security numbers," the ACLU said in an April 14 letter to Scott. "HTTPS does a lot more than protect the submission of sensitive information. It protects information about which Web pages on a site a user is visiting and protects content submitted by the user or delivered by the site from tampering en route. As a result, HTTPS can protect Web site visitors from so-called 'man-in-the-middle attack' in which their computers are infected with malware."
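The "HTTPS-Only" behaviour the letter argues for can be checked mechanically rather than by eyeballing a URL bar. The block below is an added example, not part of the article and not code from the ACLU or the CIO's office: a Python checker that takes a captured plain-HTTP response and the corresponding HTTPS response and reports what keeps the site from being HTTPS-only. It runs over constructed responses for a hypothetical host `tips.example.gov`, and it goes one step beyond the page by also requiring a `Strict-Transport-Security` (HSTS) header, which the letter does not mention but which is what stops a browser from ever sending the unencrypted request that an interceptor could tamper with.

```python
"""HTTPS-only compliance check over captured HTTP/HTTPS responses.

Added example; the host name, paths and headers below are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup (header names are not case-sensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Return (max_age, include_subdomains) parsed from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        match = re.match(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
        if match:
            max_age = int(match.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_https_only(http_resp, https_resp, min_hsts_age=31536000):
    """Return a list of findings; an empty list means the site is HTTPS-only.

    Rules (assumed policy, one year minimum HSTS age):
      1. the plain-HTTP URL answers with a permanent redirect to https:// on the same host;
      2. the HTTPS response carries HSTS with a long max-age and includeSubDomains.
    """
    findings = []

    # Rule 1: plain HTTP must not serve content, only redirect to HTTPS.
    if http_resp.status in (301, 308):
        target = urlsplit(http_resp.header("Location") or "")
        source = urlsplit(http_resp.url)
        if target.scheme != "https":
            findings.append("redirect: Location is not an https:// URL")
        elif target.hostname != source.hostname:
            findings.append("redirect: Location points at a different host")
    elif http_resp.status in (302, 303, 307):
        findings.append("redirect: temporary redirect used; expected 301 or 308")
    else:
        findings.append(f"redirect: HTTP returned {http_resp.status}; content served unencrypted")

    # Rule 2: HTTPS response must pin the browser to HTTPS for future visits.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("hsts: Strict-Transport-Security header missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < min_hsts_age:
            findings.append(f"hsts: max-age {max_age} below {min_hsts_age}")
        if not include_sub:
            findings.append("hsts: includeSubDomains directive missing")
    return findings


def demo():
    """Constructed responses for a hypothetical tip-line host."""
    compliant = check_https_only(
        Response("http://tips.example.gov/hotline", 301,
                 {"Location": "https://tips.example.gov/hotline"}),
        Response("https://tips.example.gov/hotline", 200,
                 {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    )
    unencrypted = check_https_only(
        Response("http://tips.example.gov/hotline", 200, {"Content-Type": "text/html"}),
        Response("https://tips.example.gov/hotline", 200, {"Content-Type": "text/html"}),
    )
    return compliant, unencrypted


if __name__ == "__main__":
    for label, result in zip(("compliant", "unencrypted"), demo()):
        print(label, "->", result or "OK")
```

A real run would replace the constructed `Response` objects with responses fetched from the two URLs (one `http://`, one `https://`), without following redirects, since following them would hide the very redirect the first rule inspects.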
The ACLU letter noted, for example, that the State Department does not currently encrypt its "Rewards for Justice" tip form for reporting information about potential terrorists. "(T)he mere fact that someone in Pakistan or Yemen is visiting the Rewards for Justice Web site could be extremely sensitive and might even put their life at risk," the group warned.
In addition to deploying HTTPS for at least some Web sites immediately, the federal government should also provide greater security for metadata related to online sessions by allowing users to connect through the privacy-enhancing Tor network, the ACLU added. It also recommended adopting STARTTLS encryption to protect mail in transit between e-mail servers, and adopting secure, anonymous whistleblowing platforms such as SecureDrop, which is also used by news organizations such as The Guardian, The New Yorker, and The Intercept.
Unencrypted 'No Longer Reasonable'
While most Web sites continue to use HTTP rather than HTTPS, many large technology companies -- including Google, Yahoo and Facebook -- have adopted the encrypted standard for their sites.
The growing move toward HTTPS by such companies has been "largely motivated by a desire to protect user data from interception," the ACLU said in its letter. However, the group added, "as evidence has surfaced that unencrypted connections are being leverage(d) by sophisticated actors to deliver malware, cybersecurity is now also a motivating factor. As one widely respected security engineer observed last year, '(unencrypted) cleartext (data) is no longer reasonable.'"
A program announced last year by the Electronic Frontier Foundation, an advocacy group promoting online privacy and civil liberties, aims to make it easier for other Web sites to implement HTTPS through its "Let's Encrypt" secure certificate initiative. It is expected to launch sometime this summer.
The U.S. CIO's office had set an April 14 deadline for members of the public to submit comments and feedback on its proposed HTTPS-Only initiative. The office did not say when a final decision on the proposal would be made.