FYI.

This story is over 5 years old.

The White House Wants to Encrypt Every US Government Site

The White House jumps on the “encrypt all the things” bandwagon.
​Image: Sean Hayford Oleary/Flickr

​The White House seems to be taking online privacy seriously.

Last week, the administration switched to HTTPS encryption by default on its site, making visits to WhiteHouse.gov more secure and private. Now, the White House is upping the ante and asking all government websites to follow its example.

"The American people expect government websites to be secure and their interactions with those websites to be private," the administration wrote in a website announcing its new initiative called The HTTP​S-Only Standard. "All browsing activity should be considered private and sensitive."

Advertisement

With this initiative, the White House is ordering government agencies to make every new website encrypted by default. For existing sites, government agencies have two years to switch encryption on, according to the initiative's guidelines.

"All browsing activity should be considered private and sensitive."

Encrypting a site consists of putting a layer of protection on top of regular HTTP traffic, using Transport Layer Security (TLS) or the older Secure Sockets Layer (SSL). Other than adding a simple "S" at the end of the URL, making a website encrypted by default effectively makes every connection to it more secure.

With HTTPS on by default, it's harder for a hacker in a coffee shop or a repressive government to spy on your activities on a website, or to steal the information you send to the site, including passwords and other personal information. It also makes it harder for an attacker to impersonate and trick you into connecting to the wrong website, or to censor certain parts of the website in question (that's how China, for example, is able to block certain Wikipedia pages without blocking the entire site).

That's why a growing movement has been pushing to have more and more websites adopt encryption by default.

Last year, digital rights organization Acc​ess launched a campaign named "En​crypt all the Things." The World Wide Web Consortium (W​3C), the Internet's main international standards organization, recently said in a p​aper that HTTPS should be deployed more widely, and Google has been pushing for this too by favor​ing HTTPS websites over non-encrypted ones.

Advertisement

Now, the White House is jumping on this bandwagon as well.

"The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public," the administration wrote in the announcement. "Today, there is no such thing as insensitive web traffic."

"Today, there is no such thing as insensitive web traffic."

The HTTPS-Only Standard site does not just serve as an announcement, but also as a guide for other government agencies to implement encryption properly.

Other than WhiteHouse.gov, other websites like CIA.gov, NSA.gov, and FTC.gov have already implemented HTTPS by default. But many others are still unencrypted, including the sites of the FBI, the Internal Revenue Service (IRS), and even the Department of Homeland Security, which is the federal agency in charge of cybersecurity across the US government.

It's unclear if the two-year deadline will be enough time for these agencies. There are various challenges to switch on encryption by default, and it comes at a certain cost, as the White House notes in its announcement.

(The White House did not respond to Motherboard's request for comment by the time of publication. We will update this post if and when we hear back.)

But "the tangible benefits to the American public outweigh the cost to the taxpayer," the administration wrote.

In any case, even if some agencies might miss the deadline, and as we noted last week, the movement to encrypt all the things seems now unstoppable and is sweeping the US government.

Major NGOs, law firms, news orgs, and now US government websites all moving to HTTPS by default. Encrypt all the things.

— Christopher Soghoian (@csoghoian) March 17, 2015

Amie Stepanovich, the senior policy counsel at Access, said that while this is good news, it's important to remember the paradox of the White House pushing for more web encryption while ​others ​inside the ​government are criticizing the encryption technology offered by Apple, for example.

"This announcement is coming at a time when U.S. officials are spreading misleading information about the importance of strong encryption tools and technologies and encouraging companies to undermine users by building in vulnerabilities," Stepanovich told Motherboard. "We are encouraged by these acts, but the government cannot have its cake and eat it, too—it must publicly recognize the need for vulnerability-free communications."