Whistleblowers who report waste and fraud in US Federal agencies like the Department of Justice and the Department of Homeland security are being left vulnerable to exposure by the lack of basic encryption on whistleblower websites.
The issue was brought to the attention of Tony Scott, the US Chief Information Officer, by an open letter from The American Civil Liberties Union.
The letter, penned by acting director Michael W. Macleod-Ball, is a response to a US government proposal called the HTTPS-Only Standard. The standard would require the use of HTTPS on all publicly accessible federal websites and web services within two years.
Macleod-Ball praises the initiative but highlights a pressing need for some sites to adopt HTTPS far faster than the proposal’s two year deadline:
Although we are generally supportive of your proposal ... we believe that this deadline is not soon enough for some sensitive sites, such as those used by inspectors general, at least twenty-nine of which do not currently use HTTPS to protect reports of waste, fraud or abuse submitted via their internet hotlines.
HTTPS is the secure, encrypted form of the Hypertext Transfer Protocol (HTTP) and it provides two important protections for people who don’t want their communications snooped on.
It uses signed certificates to prove the identity of the website you’re talking to and it ensures that communications with that website are encrypted.
Without HTTPS it is trivial for an attacker on the same network as you to read whatever information you’re sending to a website or even to insert themselves between you and the website you’re talking to (a so-called man-in-the-middle attack).
For whistleblowers who might assume that their identities are being protected that’s a serious oversight.
The HTTPS-Only Standard’s authors probably aren’t responsible for the current state of affairs and to their credit they acknowledge the need for government sites that deal with sensitive information to switch to HTTPS as a matter of priority.
For existing websites and services, agencies should prioritize deployment using a risk-based analysis. Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level of traffic should receive priority.
The ACLU’s letter names 29 branches of the Federal government that don’t safeguard the information shared by whistleblowers as it passes across the internet:
USAID; the Department of Agriculture; Amtrak; the Appalachian Regional Commission; the Architect of the Capitol; the Consumer Product Safety Commission; the Corporation for National & Community Service; the Corporation for Public Broadcasting; the Election Assistance Commission; the Federal Housing Finance Agency; the Federal Labor Relations Authority; the Federal Maritime Commission; the General Services Administration; the Department of Homeland Security; the United States International Trade Commission; Department of Justice; the Legal Services Corporation; the National Archives; the National Endowment for the Humanities; the National Labor Relations Board; the National Science Foundation; the Office of Personnel Management; the Postal Regulatory Commission; the US Small Business Administration; the Smithsonian; the Special Inspector General for Afghanistan Reconstruction; the Special Inspector General for the Troubled Asset Relief Program; the Department of the Treasury; and the Treasury Inspector General for Tax Administration.
HTTPS has been around a long time but for most of the web’s history its use has been confined to login screens, credit card payments and other obviously highly sensitive interactions.
As our collective awareness of web security and privacy issues has gradually improved (helped along by programs like Firesheep) the use of HTTPS has increased too but until a few years ago there were few people who thought it should be used everywhere, by default.
That all changed when Edward Snowden broke cover and told us just how much information the NSA (and I assume every other globally significant spy cabal) is hoovering up from the internet.
Since then, there has been a surge of interest in encryption; a renewed effort to ensure the encryption we rely on actually works properly and is is free from backdoors; and a whole range of organisations adopting HTTPS and pushing to make it the rule rather than the exception.
Indeed, the increased interest in HTTPS is so all-encompassing that even the US government that triggered it, unintentionally, has now been caught up in it.
Private and secure connections are becoming the Internet’s baseline, as expressed by the policies of the Internet’s standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape...
It’s important that the organisations named by the ACLU’s letter transition to HTTPS as quickly as possible but, as both the letter and the standard point out, it would represent a good start rather than complete protection for whistleblowers.
HTTPS might protect the content of a communication between a user and a website but it’s still possible to eavesdrop on the metadata that reveals who’s talking, if not the content that reveals what’s being said.
In his letter Macleod-Ball uses the example of someone in Pakistan or Yemen visiting the Rewards for Justice website; the mere fact of their visiting the site is, he says, extremely sensitive information that isn’t protected by HTTPS and which could put the users’ lives at risk.
An easy solution to the metadata problem is available in the form of the anonymous Tor browser but several federal agencies actually block users who visit their sites using Tor.
Governments are large, sprawling, many-headed beasts that often disagree with themselves. If any further proof were needed then it ought to be amply provided by the fact that Tor – a tool that protects you better than any other from spying on the web – is itself a product created and given away by the same government that spies on everything you do and doesn’t want you to use it.