Image: Sean Hayford Oleary/Flickr
The White House seems to be taking online privacy seriously.

Last week, the administration switched to HTTPS encryption by default on its site, making visits to WhiteHouse.gov more secure and private. Now, the White House is upping the ante and asking all government websites to follow its example.

"The American people expect government websites to be secure and their interactions with those websites to be private," the administration wrote in a website announcing its new initiative called The HTTPS-Only Standard. "All browsing activity should be considered private and sensitive."

With this initiative, the White House is ordering government agencies to make every new website encrypted by default. For existing sites, government agencies have two years to switch encryption on, according to the initiative's guidelines.

Now, the White House is jumping on this bandwagon as well.

"The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public," the administration wrote in the announcement. "Today, there is no such thing as insensitive web traffic."
Encrypting a site consists of putting a layer of protection on top of regular HTTP traffic, using Transport Layer Security (TLS) or the older Secure Sockets Layer (SSL). The only visible change is a simple "S" added to the "http" in the URL, but making a website encrypted by default effectively makes every connection to it more secure.

With HTTPS on by default, it's harder for a hacker in a coffee shop or a repressive government to spy on your activities on a website, or to steal the information you send to the site, including passwords and other personal information. It also makes it harder for an attacker to impersonate the site and trick you into connecting to the wrong website, or to censor certain parts of the website in question (that's how China, for example, is able to block certain Wikipedia pages without blocking the entire site).

That's why a growing movement has been pushing to have more and more websites adopt encryption by default.

Last year, digital rights organization Access launched a campaign named "Encrypt all the Things." The World Wide Web Consortium (W3C), the Internet's main international standards organization, recently said in a paper that HTTPS should be deployed more widely, and Google has been pushing for this too by favoring HTTPS websites over non-encrypted ones.
The HTTPS-Only Standard site does not just serve as an announcement, but also as a guide for other government agencies to implement encryption properly.

Besides WhiteHouse.gov, websites like CIA.gov, NSA.gov, and FTC.gov have already implemented HTTPS by default. But many others are still unencrypted, including the sites of the FBI, the Internal Revenue Service (IRS), and even the Department of Homeland Security, which is the federal agency in charge of cybersecurity across the US government.

It's unclear if the two-year deadline will be enough time for these agencies. There are various challenges to switching on encryption by default, and it comes at a certain cost, as the White House notes in its announcement.

(The White House did not respond to Motherboard's request for comment by the time of publication. We will update this post if and when we hear back.)

But "the tangible benefits to the American public outweigh the cost to the taxpayer," the administration wrote.

In any case, even if some agencies might miss the deadline, and as we noted last week, the movement to encrypt all the things seems now unstoppable and is sweeping the US government.
Amie Stepanovich, the senior policy counsel at Access, said that while this is good news, it's important to remember the paradox of the White House pushing for more web encryption while others inside the government are criticizing the encryption technology offered by Apple, for example.

"This announcement is coming at a time when U.S. officials are spreading misleading information about the importance of strong encryption tools and technologies and encouraging companies to undermine users by building in vulnerabilities," Stepanovich told Motherboard. "We are encouraged by these acts, but the government cannot have its cake and eat it, too—it must publicly recognize the need for vulnerability-free communications."

Major NGOs, law firms, news orgs, and now US government websites all moving to HTTPS by default. Encrypt all the things.
— Christopher Soghoian (@csoghoian) March 17, 2015