Got a hot tip about federal waste, fraud or corruption? You should think twice about using the government’s own online systems for collecting such complaints.
Many of them promise confidentiality but for years have sent sensitive data – including names, addresses and phone numbers of whistleblowers, as well as the details of their allegations – across the Internet in a way that could be intercepted by hackers or snoops. Or, perhaps worse still, by the agencies named in the complaints.
Twenty-nine of these sites, set up by inspectors generals who in many cases are required by federal law to protect the identities of whistleblowers, do not use encryption technology that has become a standard privacy protection across much of the Internet, according to a review by the ACLU. A State Department site offering up to $10 million rewards for terrorism tips has the same weakness, exposing the identities of tipsters to a range of potentially interested parties, including operators of cyber cafes or government spies in the countries where the tipsters live.
A new initiative from the federal chief information officer, Tony Scott, is pushing for encryption of all federal government Web sites within two years. Privacy advocates say the change should be immediate for sites soliciting confidential information from whistleblowers, both inside and outside the government. Inspectors General, often called “IGs” are the designated internal watchdogs of federal agencies.
“Whistleblowers put their careers and lives at risk when they go to IGs,” said Christopher Soghoian, principal technologist for the ACLU. “That process needs to be as secure as possible. Unfortunately many IGs have not taken the most basic steps to secure that channel.”
Soghoian, who conducted the research, described the problem in a letter to Scott this week.
Another official, technologist Eric Mill of 18F, an office of the General Services Administration working to improve the federal government’s computer systems, said the ACLU review is accurate and raises legitimate concerns. But he said the draft rules for the encryption initiative have provisions to prioritize action for sites dealing with sensitive personal information.
“There are a lot of Web sites across the federal government that don’t use [encryption], and they all should,” Mill said.
After the Post published the ACLU’s findings Wednesday, Justice Department Inspector General Michael E. Horowitz, the chairman of a council that sets policies for inspectors generals, said that he reached out to the ACLU and plans to talk with the IG community about encryption.
“I’m concerned,” said Horowitz, who has asked for an assessment of the security of his own office's online complaint system, “and I want to make sure that whistleblowers or anyobody who comes forward to us has their information protected.”
There has been a rush to encrypt sites across the Web since the disclosures in 2013 by former National Security Agency contractor Edward Snowden about the extent of online spying by the United States and its allies. Most major technology firms, including Google, Facebook, Yahoo and Microsoft, have made major investments in online encryption in the past two years.
Government agencies have been gradually moving in the same direction. In some cases the IG Web sites have been transmitting complaint information without encryption for several years.
Among those to encrypt their entire sites are the White House and CIA. Others have not encrypted their entire sites but have encrypted the submission systems for their inspectors general. Still others, such as the Justice and Treasury Departments, along with the Department of Homeland Security, do not encrypt their main sites or their online tip submission forms.
Sites that are secure start with the letters “https,” rather than “http.” Most browsers also display icon, such as lock, to signal that the connection is secure.
“Really what’s happened is Edward Snowden,” said Waldo Jaquith, director of U.S. Open Data Institute, a nonprofit group pushing for better government data practices. “A new norm really has come along in the last year.”
The government’s 76 inspectors general rely on complaints from federal employees and the public to pursue cases of waste and fraud. Some are anonymous, some are not. Tips traditionally came from letters or telephone hotlines, but online forms are now commonly available for IG Web sites.
The amount of warning about the privacy risks of using such sites varies widely. The Inspector General site for U.S. Agency for International Development notes that any online submission is vulnerable, saying, “We cannot guarantee confidentiality because of the nonsecure nature of electronic systems that we do not control.”
But others assure confidentiality, often citing the federal law protecting the identities of whistleblowers who work for the federal government, despite the lack of encryption. Some sites include places for a tipster to indicate that they want the submission to be anonymous or confidential.
The Treasury Department’s IG Web site, for example, says, “If you wish to elect anonymity or confidentiality, select the appropriate options within Part I of the form and follow the corresponding instructions.”
The State Department’s “Reward for Justice” site says, “All information you provide will be kept strictly confidential.” In a statement, the agency said it has other means to secure the privacy of tipsters for the rewards program but declined to describe them.
Strict confidentiality is impossible if the information is transmitted over the Internet without encryption, experts say. Anyone with access to the Web site’s data as it flows across cyberspace – including wifi providers such as a coffee shop or hotel, or system administrators overseeing a company, government agency or university computer system – can view all unencrypted data easily. Many governments also routinely monitor Internet flows within their countries.
Because most IGs share computer networks with the agencies they investigate, agency leaders could gain access to any unencrypted information flowing to or from their computers, leaving whistleblowers’ identities and complaints exposed. The ACLU and other experts have offered no evidence that such monitoring has happened.
Tom Devine, legal director of the nonprofit Government Accountability Project, which represents whistleblowers, said he is struck by the irony of the government’s “negligence on structural security weaknesses” in the face of its aggressive, “hair-trigger” prosecution of whistleblowers who have made unauthorized disclosures about the federal government.
“It’s hard to defend a relaxed, two-year pace to protect everything when the Justice Department prosecutes at a blitzkrieg pace against whistleblowers who make controversial disclosures,” Devine said.
At the General Services Administration, for example, the IG office encrypts all internal communications, particularly because grand jury information that may arise from a criminal investigation and other confidential information must be protected. But the online complaint form is not protected.
“It’s hard for me to say why,” said Brian D. Miller, who was GSA inspector general from 2005 to 2014 and is now managing director for disputes and investigations at the Navigant business consulting firm. “I suspect an IT person put up the hotline and nobody double-checked to make sure it was encrypted.”
Miller said he suspects the decision was “an oversight,” much like “leaving a witness file on the receptionist’s desk. People aren’t intentionally doing it, but it leaves you vulnerable.”
He said, “We rely on insider information. We rely on whistleblowers. They often have very good information for us. This is something IGs should spend money on.”
The Commerce Department IG, which receives 800 to 1000 complaints on its Web site, added encryption last year after reviewing their security practices.
“It is important to have a system, which includes a secure method that allows for anonymity or confidentiality, whereby Department employees and agents may report or seek guidance regarding potential or actual issues regarding the organization without fear of retaliation,” said Clark Reid, spokesman for Inspector General Todd Zinser.
UPDATE: A spokesperson for the Special Inspector General for Afghanistan Reconstruction said Friday that the agency encrypted its site in response to this story.
Here are the federal entities whose inspectors general do not encrypt online submission forms, according to the ACLU analysis:
Department of Agriculture
Appalachian Regional Commission
Architect of the Capitol
Consumer Product Safety Commission
Corporation for National & Community Service
Corporation for Public Broadcasting
Election Assistance Commission
Federal Housing Finance Agency
Federal Labor Relations Authority
Federal Maritime Commission
General Services Administration
Department of Homeland Security
United States International Trade Commission
Department of Justice
Legal Services Corporation
National Endowment for the Humanities
National Labor Relations Board
National Science Foundation
Office of Personnel Management
Postal Regulatory Commission
U.S. Small Business Administration
Special Inspector General for the Troubled Asset Relief Program
Department of the Treasury
Treasury Inspector General for Tax Administration