At least a dozen US government websites need to be upgraded to use encryption. Because they still do not, they put whistleblowers at risk, according to the American Civil Liberties Union.
The ACLU released a letter on Tuesday and sent it to the U.S.’ top technology chief, Tony Scott. The letter concluded that at least 29 websites that may be used for reporting abuse do not make use of encryption.
In the recent past there has been a strong push to move websites to SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption.
Most e-commerce websites already use SSL/TLS, but the authorities are pushing for broader adoption because of the rise in state-sponsored espionage and cybercrime.
The government's plan is to upgrade all of its websites to use encryption within two years. Encryption keeps the data exchanged between a user's PC and the website from being read if it is intercepted or tampered with in transit.
According to the ACLU, “the timeline is not soon enough for some sensitive sites,” such as those of the Justice Department, the Treasury Department and the Department of Homeland Security.
ACLU further added, “When individuals use these official whistle-blowing channels to report waste, fraud or abuse, the information they submit is transmitted insecurely over the Internet where it can be intercepted by others.”
Here are some of the important points of the letter from the ACLU:
1: We take issue with the two-year deadline included in the proposal, particularly given that at least 29 government websites do not currently use HTTPS to protect reports of waste, fraud or abuse submitted via their internet hotlines. Alarmingly, these websites include the Departments of Justice and Homeland Security, whose intake presumably includes very sensitive and potentially dangerous or incriminating information. We recommend in our letter that these websites be immediately upgraded to HTTPS in order to protect those submitting the information.
2: Government agencies should employ other encryption best practices in addition to HTTPS-by-default, such as ensuring that all email servers support the use of STARTTLS transport encryption, which protects emails as they are transmitted over the internet.
3: The proposal should address the problem of metadata leakage—a problem that cannot be solved solely through the use of HTTPS-by-default. Instead, we recommend that government agencies allow users to access their websites through the use of the privacy-enhancing technology Tor. We find it extremely worrisome that several federal agency websites currently block visitors who use Tor to access the website. This practice is unproductive and should be changed by issuing clear guidance prohibiting agencies from blocking access to visitors who are attempting to preserve their privacy and anonymity by using Tor.
4: Federal websites that solicit sensitive information should deploy a secure anonymous whistleblowing platform like SecureDrop in order to create a channel for the anonymous transmission of tips.
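The letter's first two points (HTTPS-by-default for hotline pages, STARTTLS on mail servers) are the kind of thing an agency can verify for its own hosts with a short script. The example below is added here and is not code from the article or the ACLU; the two sample sites and their responses are constructed, the hostnames are placeholders, and the live probe functions assume you are checking hosts you operate. The offline part classifies a hotline page from its plain-HTTP and HTTPS responses: does HTTP redirect to HTTPS, is HTTPS served at all, and is HSTS set so a return visitor's browser never falls back to clear text.

```python
"""Check whether a web hotline protects submissions in transit.

Added example, not from the article or the ACLU letter. Hostnames are
placeholders and the SAMPLE responses are constructed; fetch() and
smtp_supports_starttls() perform live checks against hosts you operate.
"""
import http.client
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Probe:
    """One HTTP response: status code plus lower-cased header names."""
    status: int
    headers: Dict[str, str]


@dataclass
class Finding:
    host: str
    redirects_to_https: bool
    hsts: bool
    issues: List[str] = field(default_factory=list)


def assess(host: str, http_probe: Probe, https_probe: Optional[Probe]) -> Finding:
    """Classify one site from its plain-HTTP response and (optional) HTTPS response."""
    location = http_probe.headers.get("location", "")
    redirects = (http_probe.status in (301, 302, 307, 308)
                 and urlsplit(location).scheme == "https")
    hsts = False
    issues: List[str] = []
    if https_probe is None:
        issues.append("no working HTTPS listener: submissions cross the network in clear text")
    else:
        hsts = "strict-transport-security" in https_probe.headers
        if not hsts:
            issues.append("missing HSTS: a visit typed as http:// can still be served in clear text")
    if not redirects:
        issues.append("plain HTTP is served without redirecting to HTTPS")
    return Finding(host, redirects, hsts, issues)


def fetch(host: str, path: str = "/", timeout: float = 10.0) -> Tuple[Probe, Optional[Probe]]:
    """Live probe (network required): GET over port 80, then over 443 with certificate validation."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    http_probe = Probe(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    conn.close()
    try:
        sconn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                            context=ssl.create_default_context())
        sconn.request("GET", path)
        sresp = sconn.getresponse()
        https_probe: Optional[Probe] = Probe(
            sresp.status, {k.lower(): v for k, v in sresp.getheaders()})
        sconn.close()
    except (OSError, ssl.SSLError):
        https_probe = None  # connection refused, handshake failure or bad certificate
    return http_probe, https_probe


def smtp_supports_starttls(mail_host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live probe (network required): does the MX advertise STARTTLS in its EHLO reply?"""
    with smtplib.SMTP(mail_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed sample: one hotline with no HTTPS at all, one configured correctly.
SAMPLE: Dict[str, Tuple[Probe, Optional[Probe]]] = {
    "hotline-a.example": (Probe(200, {"content-type": "text/html"}), None),
    "hotline-b.example": (
        Probe(301, {"location": "https://hotline-b.example/"}),
        Probe(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    ),
}


def assess_all(samples: Dict[str, Tuple[Probe, Optional[Probe]]] = SAMPLE) -> Dict[str, Finding]:
    """Run assess() over a mapping of host -> (http_probe, https_probe)."""
    return {host: assess(host, h, s) for host, (h, s) in samples.items()}


if __name__ == "__main__":
    for finding in assess_all().values():
        status = "OK" if not finding.issues else "; ".join(finding.issues)
        print(f"{finding.host}: {status}")
```

To check real hosts, replace the constructed SAMPLE with `{host: fetch(host) for host in hosts}` and call `smtp_supports_starttls()` on each MX. The assessment deliberately treats "HTTPS works but HTTP is not redirected" as a finding: a hotline linked or typed as `http://` still sends the report in clear text, which is the exact exposure the letter describes.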