Chief Information Officers Council Proposes HTTPS By Default For All Federal Government Websites

Privacy

from the being-the-change-people-have-been-waiting-for dept

In a long-overdue nod to both privacy and security, the administration finally moved Whitehouse.gov to HTTPS on March 9th. This followed the FTC’s March 6th move to do the same. And yet, far too many government websites operate without the additional security this provides. But that’s about to change. According to a recent post by the US government’s Chief Information Officers Council, HTTPS will (hopefully) be the new default for federal websites.

The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.

This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.

In a statement that clashes with the NSA’s activities and the FBI’s push for pre-compromised encryption, the CIO asserts that when people engage with government websites, these interactions should be no one’s business but their own.

All browsing activity should be considered private and sensitive.

The proposed standard would eliminate agencies’ options, forcing them to move to HTTPS, both for their safety and the safety of their sites’ visitors. To be sure, many cats will still need to be shepherded if this goes into effect, but hopefully there won’t be too many details to trifle over. HTTPS or else is the CIO Council’s goal — something that shouldn’t be open to too much interpretation.

As the Council points out, failing to do so places both ends of the interaction at risk. If government sites are thought to be unsafe, it has the potential to harm citizens along with the government’s reputation.

Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.

The CIO’s short, but informative, explanatory page lists the pros of this proposed move, as well as spells out what HTTPS doesn’t protect against. It also notes that while most sites should actually see a performance boost from switching to HTTPS, sites that gather elements for other parties will be the most difficult to migrate. And, it notes, the move won’t necessarily be inexpensive.

The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.

But, it assures us (at least as much as any government entity can…), the money will be well-spent.

The tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.

The CIO is also taking input from the public, at Github no less.

A very encouraging — if rather belated — sign that the government is still making an effort to take privacy and security seriously, rather than placing those two things on the scales for intelligence and law enforcement agencies to shift around as they see fit when weighing their desires against Americans’ rights and privileges.

Filed Under: encryption, federal government, ftc, https, ssl, tls, websites, white house

Administration Helping Bury Documents Related To Local Law Enforcement Use Of Cell Tower Spoofers

Legal Issues

from the widening-the-gap-between-'us'-and-'them' dept

The recent story about the US Marshals Service stepping in to prevent the ACLU from obtaining documents related to the Sarasota (FL) Police Department’s ownership and use of cell tower spoofers is apparently not an isolated instance. According to an AP report, the US government is actively inserting itself into the “discussion” by ensuring no one gets to talk about the controversial devices.

The Obama administration has been quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods, The Associated Press has learned.

Citing security reasons, the U.S. has intervened in routine state public records cases and criminal trials regarding use of the technology. This has resulted in police departments withholding materials or heavily censoring documents in rare instances when they disclose any about the purchase and use of such powerful surveillance equipment.

Beyond the obvious negative impact on the much-vaunted “transparency” this administration claims to personify, there’s also the new disturbing level of overreach — the US government actively interfering with state-level Freedom of Information requests. In addition to the restrictive non-disclosure agreements that law enforcement agencies must sign when purchasing Stingray devices (and these agencies’ general reluctance to share surveillance equipment info with the public), the government itself is taking an active role in erecting a wall between the public and its public servants.

Interviews, court records and public-records requests show the Obama administration is asking agencies to withhold common information about the equipment, such as how the technology is used and how to turn it on. That pushback has come in the form of FBI affidavits and consultation in local criminal cases.

Harris, the largest manufacturer of cell tower spoofers, specifically directs law enforcement to consult with the FBI during the purchase process, as well as before deploying the devices. The company claims this is all above board because it’s “regulated” by its status as a government contractor. That might mean something if it wasn’t so closely aligned with these government agencies’ desire to keep the technology secret.

And, of course, the government has used its go-to defenses to justify its secrecy efforts. Above, it mentioned “security.” A supporting affadavit filed by an FBI agent in a Freedom of Information lawsuit adds another:

A court case challenging the public release of information from the Tucson Police Department includes an affidavit from an FBI special agent, Bradley Morrison, who said the disclosure would “result in the FBI’s inability to protect the public from terrorism and other criminal activity because through public disclosures, this technology has been rendered essentially useless for future investigations.”

Morrison said revealing any information about the technology would violate a federal homeland security law about information-sharing and arms-control laws…

Once you strip out all the panicky trappings, the FBI is basically asserting that it, and the law enforcement agencies it’s speaking in support of, should be allowed to do what they like with zero accountability. These agencies want to have the ability to collect massive amounts of data without being slowed by warrant requests or minimization processes.

These exposure fears are unfounded, and those using them to justify withholding information know this. This secrecy has been used to seal returned warrants and court orders on closed investigations, giving lie to the claim that these agencies are concerned about damaging current and future investigatons. And, realistically, the only way terrorists or criminals are going to be able to completely avoid Stingray surveillance is to not use or carry cell phones, something that seems highly unlikely. For this to be any use to them, they would have to know in advance where it’s being deployed and when.

The real reason behind the collaborative burial of information is the agencies’ desire to do what they want without limitations or paper trails. This sort of behavior should be an indicator of a law enforcement agency that’s gone rogue, rather than an all-too-common collaborative effort between local and national government agencies.

Filed Under: cell phones, cell tower spoofing, doj, federal government, freedom of information, spoofing, stingray, transparency, us marshals
Companies: harris

US Marshals Step In To Keep Florida Police Department's Stingray Documents Out Of The Hands Of The ACLU

Legal Issues

from the big-brother-protected-little-brother dept

The incredible wall of secrecy erected by law enforcement agencies around their use of “stingray” devices (cell tower spoofers) continues. Harris, the manufacturer of most of these devices, gets the secrecy ball rolling with non-disclosure agreements, which law enforcement agencies have liberally interpreted as a right to refuse public records requests and, in one case, an excuse not to seek warrants before deploying the devices.

In a very surprising move, the US government has inserted itself between a Florida police department and the ACLU by seizing requested documents. The ACLU has been seeking information on the Sarasota Police Department’s use of cell tower spoofers, only to find itself being further separated from the relevant documents every step of the way.

The reason the ACLU wanted to dig deeper into the Sarasota PD’s files presented itself in the first response.

The Sarasota Police initially told us that they had responsive records, including applications filed by and orders issued to a local detective under the state“trap and trace” statute that he had relied on for authorization to conduct stingray surveillance. That raised the first red flag, since trap and trace orders are typically used to gather limited information about the phone numbers of incoming calls, not to track cell phones inside private spaces or conduct dragnet surveillance. And, such orders require a very low legal standard.

Trap and trace/pen register statutes are routinely being abused as a way to route around warrant requirements. The NSA’s bulk record collection was partially “justified” by a very liberal reading of pen register statutes. What once was a warrantless, targeted, limited-time collection has now become a catch-all for stingray surveillance and NSA programs.

The Sarasota Police set up an appointment for the ACLU to view its stingray files (as is required under Florida law), but that meeting was cancelled shortly before it was supposed to take place.

[A]n assistant city attorney sent an email cancelling the meeting on the basis that the U.S. Marshals Service was claiming the records as their own and instructing the local cops not to release them. Their explanation: the Marshals Service had deputized the local officer, and therefore the records were actually the property of the federal government.

This interdiction by the US government to lock up documents the ACLU is seeking is astounding enough, but what every other entity involved did is even more so.

Nathan Wessler at the ACLU points out that, US Marshals or no, the police department is required to hold onto any documents requested for at least 30 days. Instead, it allowed the US Marshals to move the records off-site to an undisclosed location. With those files out of reach for an undetermined amount of time, the ACLU approached the court which would have signed off on trap and trace orders requested by the Sarasota Police only to find out that no such records exist.

The court doesn’t even have docket entries indicating that applications were filed or orders issued. Apparently, the local detective came to court with a single paper copy of the application and proposed order, and then walked out with the same papers once signed by a judge.

Another breach of records requirements and, again, tied to the Sarasota PD’s stringray usage.

The ACLU has now filed an emergency motion seeking to block the Sarasota PD from turning over any more files to the US Marshals Service. It also asks the court to find that the department violated state law by turning over the requested documents to the US government.

The obvious question here is why both of these agencies are so reluctant to turn over these documents. If they’re willing to break state records laws (the local court being complicit in this activity), the information contained must be pretty damaging. What has been discovered already points to the department’s deliberate avoidance of a paper trail, what with the single document requests and the misuse of the trap and trace statute to avoid filing warrant requests.

If you’ve got nothing to hide, then you have nothing to fear, as the saying goes. The government expects us to live by that adage as it deploys warrantless surveillance, but it seems unable to hold itself to the same standard.

Filed Under: federal government, florida, foia, public records, sarasota, sarasota police department, state secrets, sting ray, transparency, us marshals
Companies: aclu

Feds Own Cybersecurity Efforts Are A Joke: Employees Have 'Gone Rogue' To Avoid 'Ineptitude' Of IT Staff

Failures

from the get-your-house-in-order dept

One of the key parts of the various cybersecurity bills that have been pushed over the past few years is the idea that the federal government would help the private sector better protect against attacks. Of course, for that to makes sense, you’d think that the federal government would have its own “cybersecurity” house in order. However, a report from the Senate shows what even it describes as “ineptitude” by various government agencies. Pick your agency and you’ll find problems. Let’s take a look at Homeland Security, one of the agencies that has been vying for control of the federal cybersecurity budget. Turns out that DHS’s own cybersecurity team repeatedly failed to install basic security updates for easy targets of hackers like Microsoft applications and Java (tip: if you’re using Java, you’re probably not secure). As the report notes, this is “the sort of basic security measure just about any American with a computer has performed.” But not DHS cybersecurity employees!

What else? Well, just in DHS, there were the following problems:

Sensitive databases protected by weak or default passwords. At NPPD, which oversees DHS’s cybersecurity programs, the IG found multiple accounts protected by weak passwords. For FEMA’s Enterprise Data Warehouse, which handles reports on FEMA’s disaster deployment readiness and generates other reports accessing Personally Identifying Information (PII), the IG found accounts protected by “default” passwords, and improperly configured password controls.

Computers controlling physical access to DHS facilities whose antivirus software was out of date. Twelve of the 14 computer servers the IG checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.

Oh, and then there’s the following concerning our good friends at ICE, Immigrations and Customs Enforcement, the group that styles themselves as Hollywood’s personal police force:

To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops– even two credit cards left out.

Moving on to the Nuclear Regulatory Commission. Here things are so bad that the report notes that NRC employees believe their own IT staff is “inept” and they’ve “gone rogue.”

Perceived ineptitude of NRC technology experts. There is such “a general lack of confidence” in the NRC’s information technology division that NRC offices have effectively gone rogue–by buying and deploying their own computers and networks without the knowledge or involvement of the department’s so-called IT experts. Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,” the NRC Inspector General reported in December 2013.

And this has resulted in a bunch of problems, such as storing sensitive data on unsecured shared drives, including the details of the NRC’s cybersecurity programs. Also on an unsecured shared drive? A commissioner’s passport photo, credit card image, home address and phone number. The NRC also failed to report security breaches:

How often does the NRC lose track of or accidentally expose sensitive information to possible release? The NRC can’t say, because it has no official process for reporting such breaches.

Moving on to everyone’s favorite government agency: the IRS. The report notes that every year the GAO finds 100 cybersecurity weaknesses in IRS systems, and the IRS fixes half of them. Then the GAO does another audit… and finds another 100 problems with the IRS’s cybersecurity. Among the problems? Failure to encrypt sensitive data. Failure to fix known vulnerabilities. And, the ever popular weak passwords:

Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology. In some cases, IRS users had not changed their passwords in nearly two years. As a result someone might gain unauthorized access to taxpayers’ personal information and it “would be virtually undetectable,” potentially for years. GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years.

How about an organization like the SEC, who deals with tons of sensitive information? Apparently, they’re so careless and cavalier about this stuff they used personal email accounts, unencrypted information and often used unsecured open WiFi connections — including once at “a convention of computer hackers.”

Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts. They used unencrypted laptops to store sensitive information, in violation of SEC policy–and contravening their own advice to the stock exchanges. Their laptops also lacked antivirus software. The laptops contained “vulnerability assessments and maps and networking diagrams of how to hack into the exchanges,” according to one SEC official.

The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits. They also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels–in at least one reported case, at a convention of computer hackers.

And yet these folks claim they can help secure everyone else’s computers?

Filed Under: cybersecurity, dhs, federal government, homeland security, irs, nrc, sec, senate

Can Someone Explain How Sponsoring NASCAR Is A Good Use Of Taxpayer Funds, If Funding Sesame Street Is Not?

Politics

from the just-curious-which-standard-to-use dept

I’m sort of amazed at the silly and childish political games being played concerning attempts to cut funding here and there, but, seriously can anyone give me a logical explanation why the same folks who are so quick to demand that we stop funding NPR and PBS are so vehemently in favor of sponsoring NASCAR? Frankly, as a fan of both NPR and PBS, but not a fan of governments overspending, I actually think the complaints against pulling the funding from both are a bit overblown. I think there are some creative things that both NPR and PBS could do to make up the difference if they lost federal funding. However, if we are going to cut public broadcasting, then it seems only reasonable to cut sponsoring NASCAR as well, doesn’t it? I’m curious how folks who claim to support smaller government are defending such sponsorship of a private, for-profit operation with taxpayer funding?

Filed Under: budget, federal government, funding, nascar, npr, pbs

US Government Seeks 'Willful Denial' Software That Will Block Wikileaks Data From Federal Employees

(Mis)Uses of Technology

from the are-they-serious? dept

It’s been both depressing and amusing to watch the federal government react to Wikileaks with some of the dumbest policy decisions possible. First, we saw the Library of Congress block access to Wikileaks’ site, not realizing that the site was barely a part of how the documents were being distributed, while still frustrating Congressional Research Service analysts who needed to access the site as a part of their research. Then, we had reports of the Defense Department crudely blocking access to any website that had Wikileaks in the title, followed by the Air Force’s decision to block access to news sites, such as the NY Times, that are discussing Wikileaks.

This is all downright bizarre. Basically, this is content that everyone else in the world can access and read about, except for government employees who don’t look at it at home. The whole exercise seems like a complete waste of time and money by the US government, and it’s about to get worse. According to some reports, the federal government is reaching out to security firms to see if they can build a system to block all access to Wikileaks content from within the federal government’s computer system. One company asked about this notes that it’s different than what they normally do, which is focused on keeping documents in a network (too late for that), rather than architecting a system to keep documents out.

At what point will the government finally admit that if a classified document is leaked and widely available, it’s counterproductive to keep pretending that it’s still classified. It doesn’t help anyone, and it just makes the government look silly and in denial. I prefer my government to respond to reality, not pretend reality doesn’t exist.

Filed Under: denial, federal government, firewall, us government, wikileaks
Companies: wikileaks

NASA Once Again Auctioning Off Patents Your Tax Dollars Paid For

Patents

from the why-the-exclusivity dept

One of the few good things in the US concerning copyright law was the decision to make sure that all federal government documents, that are released, are released into the public domain rather than covered by any sort of government copyright (such as crown copyright found in other countries). However, for some reason, the government has not done the same thing when it comes to federally funded research that is turned into patents. A couple of years ago, we questioned why NASA was auctioning off patents that were taxpayer funded. It appears that NASA doesn’t care.Ben points us to the news that NASA is about to auction off a bunch of other patents as well, including five patents around “automated software generation.” There’s simply no reason not to put this research into the public domain where it can actually be used to benefit both commercial and non-commercial projects. By auctioning off a patent monopoly, it will almost certainly be using taxpayer-funded research to stifle innovation.

Filed Under: auction, federal government, nasa, patents, taxes

Why Does The US Gov't Get To Patent Research Paid For By Public Tax Dollars?

Patents

from the questions,-questions... dept

An anonymous reader links us to a report from The National Institute of Standards and Technology (NIST), which came out earlier this year, that highlights how, in 2008, the US government brought in $170 million (pdf) by licensing federally (i.e., taxpayer-funded) technology and patents to private companies. It details which agencies are getting how many patents, showing that the government appears to get, on average, between 1,000 and 1,500 patents per year. Now, to be clear, I think it’s a good thing that the government is looking to move some of these technologies into the private sector, but it does raise questions about why taxpayer funded research gets locked up behind a patent. In the US, federal government created works are not allowed to be protected by copyright protections, as people realized that it was ridiculous to lock up content created by their own government. Why doesn’t the same apply to patents as well? If the goal is really to get the technology out to the private sector, why lock it up and look to license it? That makes it more expensive and less accessible. The report highlights how the government has been ramping up these efforts, such that it grew “revenues” from this licensing program by 46% from 2004 to 2008. This is one situation where it seems like a profit-motive might be quite misplaced.

Filed Under: federal government, licensing, patents

Is The Federal Government The Most Interesting Tech Startup For 2009?

Predictions

from the perhaps... dept

A few weeks back I got to see the federal government’s CTO, Aneesh Chopra, speak twice during his first trip to Silicon Valley. I’ve seen him speak before (before he was appointed, when he was CTO for Virginia), but I have to admit I was pretty skeptical going in. For plenty of reasons that you can guess, I’m pretty jaded by people in government, and it’s rare to come across people who seem to be doing things for anything other than “political” purposes. But I have to admit that the amazing thing that came through in both Chopra’s talks was that they were both entirely about actually getting stuff done, with a focus on openness and data sharing. Chopra talked, repeatedly, about figuring out what could be done both short- and long-term, and never once struck me as someone looking to hoard power or focus on a partisan or political reason for doing things. It was never about positioning things to figure out how to increase his budget. In fact, many of the ideas he was discussing was looking at ways to just get stuff done now without any need for extra budget. Needless to say, this is not the sort of thing you hear regularly from folks involved in the government.

But, of course, talk is cheap (especially in politics). And, while Chopra (and Vivek Kundra, the government’s CIO) both actually have a nice track record of accomplishing these sorts of goals in their past jobs, the proof is in what’s actually getting done. We’d already mentioned at least one success story with the IT dashboard at USASpending.gov, but can it continue? I have to admit, a second thing that impressed me about Chopra was that, even with such a success, he didn’t focus on it. The fact that he got together such a site in such a short period of time is impressive enough, and while he mentioned it in his talks, most of them were much more focused not on what he’d already done, but on what he was going to do — and the plans all seemed quite achievable.

So I have to agree with Anil Dash, that one of the most interesting tech “startups” to watch this year is the federal government of the US. The tech projects that they’re already coming out with are compelling and well done. As Anil notes:

What’s remarkable about these sites is not merely that they exist; There had been some efforts to provide this kind of information in the past. Rather, what stands out is that they exhibit a lot of the traits of some of the best tech startups in Silicon Valley or New York City. Each site has remarkably consistent branding elements, leading to a predictable and trustworthy sense of place when you visit the sites. There is clear attention to design, both from the cosmetic elements of these pages, and from the thoughtfulness of the information architecture on each site. (The clear, focused promotional areas on each homepage feel just like the “Sign up now!” links on the site of most Web 2.0 companies.) And increasingly, these services are being accompanied by new APIs and data sources that can be used by others to build interesting applications.

That last point is perhaps most significant. We’ve seen the remarkable innovation that sprung up years ago around the API for services like Flickr, and that continues full-force today around apps like Twitter. But who could have predicted just a year or two ago that we might have something like Apps for America, the effort being led by the Sunlight Foundation, Google, O’Reilly Media and TechWeb to reward applications built around datasets provided by Data.gov. The tools that have already been built are fascinating. And, frankly, they’re a lot more compelling than most of the sample apps that a typical startup can wring out of its community with a developer contest.

There’s plenty going on in the administration that I disagree with and am troubled by — but efforts on the tech side are something worth applauding, while also watching to see what the folks there can do in the next few years.

Filed Under: aneesh chopra, cto, federal government, innovation, plans, priorities, technology, vivek kundra