Why Won’t the IRS Deploy Basic Web Security?

This tax season, when you visit the IRS’s website seeking tax information, can you be certain that no one else is monitoring which pages you browse?

Unfortunately, right now the answer to that question is “no.” Unlike Facebook, Twitter, Google Mail (Gmail), and virtually every bank and credit card company, the IRS, like most government agencies, does not use HTTPS for encryption and authentication on its website. If you try typing “mail.google.com” into your browser right now, you will see that the URL you end up at is actually “https://mail.google.com.” That “s” after the “http” may seem insignificant, but it means a lot. It signifies that Google is using Secure Sockets Layer encryption, or SSL, to both encrypt and authenticate its communications. When you visit google.com and you see “https” at the beginning of the address, it lets you know that your connection is secure, and that third parties – such as your internet service provider, employer, or university cannot monitor what you’re doing through the use of network interception technology.

In contrast, the IRS website not only does not use HTTPS by default, but manually typing in “https://www.IRS.gov” will result in a scary error message, due to the fact that the IRS administrators haven’t bothered to configure their hosting service to supply a valid HTTPS certificate.

Although the IRS website doesn’t ask for sensitive login information that must be encrypted like online banking sites or email providers, there does exist sensitive information on the website. For example, perhaps you are looking for information on the IRS website about tax credits or deductions associated with adoption, the death of a spouse, or sensitive medical procedures and services such as abortions, breast reconstruction surgery or counseling for drug addiction. In all of these scenarios, you should be able to obtain tax information without your internet provider, employer or university knowing what you are looking for. However, because the IRS does not use HTTPS encryption to protect its website, the specific pages you view on the IRS website can be easily intercepted by others, particularly when you are browsing the web using an open WiFi network.

If Google, Twitter and Facebook can deliver HTTPS to their users, we should certainly have it for our visits to government websites. This is especially important as the April 15 tax deadline approaches, and more and more Americans turn to government websites for reliable information.

Like many companies, the IRS uses a third party Content Distribution Network to deliver web content to visitors. Instead of connecting to a server run by the IRS, visitors to the IRS website are actually connecting to one of many servers owned by Akamai, a company that provides the same service for many of the most popular websites on the web. Akamai supports HTTPS delivery (pdf) of web content, and has done so since at least 2001—but it charges a premium for this service. The IRS could easily move their entire website to HTTPS, they’d just have to pay for it (and for now, it seems, they don’t want to).

The Central Intelligence Agency website also uses Akamai, but has a correctly configured HTTPS certificate, and even uses HTTPS by default. If the CIA can find the funds in their technology budget to provide a HTTPS connection to a website that few Americans are likely to visit (and which is largely used for recruiting and marketing purposes), surely the IRS, which annually receives sensitive and private data from millions of Americans, should be able to do so too.

In 2010 then FTC Commissioner Pamela Jones Harbor publicly called on all cloud computing companies to enable HTTPS by default. A year later, Senator Chuck Schumer wrote to Amazon, Twitter, Facebook and Yahoo, urging them to move their websites to HTTPS. The pressure worked—Twitter and Facebook both eventually protected their websites with HTTPS by default.

Commissioner Harbor and Senator Schumer showed bold leadership by using their soapboxes to pressure companies to take cybersecurity seriously. Although the soapbox is great, there is an even better way for the government to lead—and that is by example.