American Civil Liberties Union

This tax season, when you visit the IRS’s website seeking tax information, can you be certain that no one else is monitoring which pages you browse?

Unfortunately, right now the answer to that question is “no.” Unlike Facebook, Twitter, Google Mail (Gmail), and virtually every bank and credit card company, the IRS, like most government agencies, does not use HTTPS for encryption and authentication on its website. If you try typing “mail.google.com” into your browser right now, you will see that the URL you end up at is actually “https://mail.google.com.” That “s” after the “http” may seem insignificant, but it means a lot. It signifies that Google is using Secure Sockets Layer encryption, or SSL, to both encrypt and authenticate its communications. When you visit google.com and you see “https” at the beginning of the address, it lets you know that your connection is secure, and that third parties – such as your internet service provider, employer, or university cannot monitor what you’re doing through the use of network interception technology.

Internet-based text message apps are one of the most common means of communicating today. But when it comes to this relatively new technology, surveillance law is behind the times in important ways, and as is so often the case when the law lags technology, our privacy suffers as a result.

Text messages have for some time been a cash cow for the wireless carriers—back in 2007, annual global SMS revenue was estimated to be 60 billion dollars. Charging consumers 25 cents per 140 character text message is a great way to make money, but when those same consumers are already paying for internet connectivity to their smartphones, the market was ripe for disruption. In recent years, a number of internet companies have entered the text message market. In some cases, they have offered low-cost or free SMS services that interoperate with the carriers’ existing SMS system. In other cases, large companies like Facebook, Apple and WhatsApp have offered closed text message services to their smartphone using customers. Often seeking to reduce their monthly telephone bills, millions of consumers have migrated from smartphone text message services provided by the wireless carriers to smartphone text message services provided by internet companies.

Today, the FTC announced a settlement with Epic Marketplace, an online advertising company that had abused a security flaw in popular web browsers in order to covertly “sniff” other websites visited by consumers.

According to the FTC complaint, for a period including between March 2010 and August 2011, the online advertising company Epic Marketplace probed the browsing history of visitors to popular websites including CNN, the Red Cross, and Orbitz in order to determine which other web sites those consumers had previously visited. The pages revealed by this snooping included those relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.

When the CIA director cannot hide his activities online, what hope is there for the rest of us? In the unfolding sex scandal that has led to the resignation of David Petraeus, the FBI’s electronic surveillance and tracking of Petraeus and his mistress Paula Broadwell is more than a side show—it's a key component of the story. More importantly, there are enough interesting tidbits (some of which change by the hour, as new details are leaked), to make this story an excellent lesson on the government’s surveillance powers—as well as a reminder of the need to reform those powers.