This week, the ACLU submitted a letter to the U.S. Chief Information Officer at the White House alerting him to serious cybersecurity lapses by numerous federal agencies. We identified dozens of inspectors general, including those at the Departments of Justice and Homeland Security, who do not use encryption to protect online whistleblower complaints of waste, fraud, and abuse. The State Department’s “Rewards for Justice” online terrorism tip line also does not use encryption.
Our letter was in response to a recent proposal by the CIO to require HTTPS encryption on all publicly accessible federal websites and web services. HTTPS is an industry-standard security technology that protects information transmitted over the World Wide Web from interception or tempering — including the web pages on a site that someone is visiting. HTTPS is used by many major technology companies, including Google, Facebook, and Twitter. It is also used by default by the White House, the CIA, the NSA, and the Federal Trade Commission.
In our letter, we stated that the ACLU welcomes this new proposal and that we share the CIO’s position that “the American people expect government websites to be secure and their interactions with those websites to be private.” The CIO’s proposal would give agencies two years to move their sites to HTTPS.
Our letter reveals the result of a survey we conducted of the websites of inspectors general, in which we discovered that 29 inspectors general do not use HTTPS to protect the sensitive information that is submitted by whistleblowers through their online “hotlines.”
Every possible measure must be taken to ensure that individuals using these official whistleblowing channels to report waste, fraud, or abuse have their private information secured from interception by third parties. Without these measures, both the identity of the whistleblowers and the confidentiality of the information that they submit to the inspector generals are at risk.
Our letter outlined several concerns that we have with the CIO’s “HTTPS-Only Standard” proposal, as well as several recommendations:
- We take issue with the two-year deadline included in the proposal, particularly given that at least 29 government websites do not currently use HTTPS to protect reports of waste, fraud or abuse submitted via their internet hotlines. Alarmingly, these websites include the Departments of Justice and Homeland Security, whose intake presumably includes very sensitive and potentially dangerous or incriminating information. We recommend in our letter that these websites be immediately upgraded to HTTPS in order to protect those submitting the information.
- Government agencies should employ other encryption best practices in addition to HTTPS-by-default, such as ensuring that all email servers support the use of STARTTLS transport encryption, which protects emails as they are transmitted over the internet.
- The proposal should address the problem of metadata leakage—a problem that cannot be solved solely through the use of HTTPS-by-default. Instead, we recommend that government agencies allow users to access their websites through the use of the privacy-enhancing technology Tor. We find it extremely worrisome that several federal agency websites currently block visitors who use Tor to access the website. This practice is unproductive and should be changed by issuing clear guidance prohibiting agencies from blocking access to visitors who are attempting to preserve their privacy and anonymity by using Tor.
- Federal websites that solicit sensitive information should deploy a secure anonymous whistleblowing platform like Secure Drop in order to create a channel for the anonymous transmission of tips.
While the CIO’s HTTPS-Only Standard proposal is a good start, it’s clear that it is not sufficient to protect the information of those visiting or leaking sensitive information through communication channels found on government websites.