About a month after the White House announced its plan to require federal websites to use secure connections, the American Civil Liberties Union has a message for federal Chief Information Officer Tony Scott: It’s not enough.
In March, the White House proposed that all federal sites use Hypertext Transfer Protocol Secure (HTTPS) connections, which encrypt traffic between the user and the site so that outsiders cannot intercept the connection and read sensitive information such as passwords. The CIO's office suggested a timeline of two years for all federal sites.
In a statement, ACLU asserted that the two-year timeline is too slow, especially for sites used by inspectors general to collect reports about waste, fraud and abuse.
At least 29 of these sites do not currently use the HTTPS protocol, according to the ACLU -- including those of USAID, the Agriculture Department, the Appalachian Regional Commission and the Consumer Product Safety Commission, among others.
“That these sites do not use HTTPS to protect the submission of sensitive information (and likely have never used it) raises serious questions regarding the technical competence of the respective inspectors general and their ability to adequately protect sensitive information from cyber threats,” the statement said.
Inspectors general's sites should also use software designed for anonymous whistle-blowing, such as SecureDrop, currently used by The Washington Post, The New Yorker and other news organizations, the ACLU added.
Agencies should also make sure their email servers use transport encryption protocols already common in the private sector, such as STARTTLS, the ACLU noted.
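The two checks the ACLU is asking for (does a site enforce HTTPS, and does a mail server offer STARTTLS) can be audited from the responses the services themselves send back. The script below is an added example, not code from the article or from the ACLU: it parses a plain-HTTP response (looking for a redirect to HTTPS), an HTTPS response (looking for an HSTS header) and an SMTP EHLO reply (looking for the STARTTLS keyword). The hostnames and every response shown are constructed sample data embedded inline so the code runs offline; a real audit would feed it the responses captured from an agency's own hosts.

```python
"""Offline posture checks for an agency's own web and mail hosts (added example).

Inputs are raw response texts; nothing here opens a network connection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- constructed sample responses (hostnames are placeholders, not real agencies) ---
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://hotline.example.gov/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)
HTTP_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form>report fraud</form>"
EHLO_WITH_TLS = "250-mail.example.gov\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_WITHOUT_TLS = "250-mail.example.gov\r\n250-SIZE 52428800\r\n250 HELP\r\n"


@dataclass
class HttpsPosture:
    https_available: bool        # the HTTPS endpoint answered with a non-error status
    http_redirects_to_https: bool  # plain HTTP sends the browser to https://<same host>
    hsts: bool                   # Strict-Transport-Security header present on HTTPS


def parse_status_and_headers(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split an HTTP response into its status code and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_https(http_response: Optional[str], https_response: Optional[str], host: str) -> HttpsPosture:
    """None for a response means the connection failed (e.g. port 443 refused)."""
    https_ok = https_response is not None and parse_status_and_headers(https_response)[0] < 400

    redirect = False
    if http_response is not None:
        status, hdrs = parse_status_and_headers(http_response)
        location = hdrs.get("location", "").lower()
        # Only a redirect to HTTPS on the *same* host counts as enforcing HTTPS.
        redirect = status in (301, 302, 307, 308) and location.startswith("https://" + host.lower())

    hsts = https_ok and "strict-transport-security" in parse_status_and_headers(https_response)[1]
    return HttpsPosture(https_ok, redirect, hsts)


def ehlo_advertises_starttls(ehlo_reply: str) -> bool:
    """An EHLO reply is '250-KEYWORD' lines ending in '250 KEYWORD'; STARTTLS is a keyword."""
    for line in ehlo_reply.splitlines():
        if len(line) < 5 or not line.startswith("250"):
            continue
        keyword = line[4:].strip().split()[0].upper() if line[4:].strip() else ""
        if keyword == "STARTTLS":
            return True
    return False


def findings(host: str, posture: HttpsPosture, starttls: bool) -> List[str]:
    """Turn the raw checks into the list of gaps an administrator should fix."""
    gaps = []
    if not posture.https_available:
        gaps.append(f"{host}: no working HTTPS endpoint")
    if not posture.http_redirects_to_https:
        gaps.append(f"{host}: plain HTTP does not redirect to HTTPS")
    if not posture.hsts:
        gaps.append(f"{host}: no HSTS header")
    if not starttls:
        gaps.append(f"{host}: mail server does not advertise STARTTLS")
    return gaps


if __name__ == "__main__":
    good = assess_https(HTTP_REDIRECT, HTTPS_OK, "hotline.example.gov")
    bad = assess_https(HTTP_PLAIN, None, "oig.example.gov")
    for line in findings("hotline.example.gov", good, ehlo_advertises_starttls(EHLO_WITH_TLS)):
        print(line)
    for line in findings("oig.example.gov", bad, ehlo_advertises_starttls(EHLO_WITHOUT_TLS)):
        print(line)
```

The redirect check deliberately requires the `Location` to point at HTTPS on the same host: a redirect to another hostname, or a 200 on plain HTTP, still leaves the submission form reachable unencrypted. The `None` case models a host whose port 443 simply refuses connections, which is the situation the ACLU describes for the 29 hotline sites.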
In the statement, ACLU Acting Director Michael Macleod-Ball and Principal Technologist Christopher Soghoian wrote that agencies should make it easier for the public to access their websites anonymously.
“While the fact that an American is visiting the White House or IRS website is likely not sensitive, the fact that an agency employee, contractor or member of the public is visiting an inspector general website is,” they wrote. “Similarly, the mere fact that someone in Pakistan or Yemen is visiting the Rewards for Justice website could be extremely sensitive and might even put their life at risk.”
To reduce this risk, visitors could use software that prevents outsiders from learning their location or browsing behavior, such as the Tor project's browser. Currently, several federal agencies block visitors who use Tor, according to the ACLU. This practice should be changed, they added -- and inspectors general should even tell visitors that they can download Tor.