
US government websites to use encryption by 2017

A US government HTTPS-Only Standard directive requires all federal websites accessible to the public to encrypt all data exchanges

The US government has published a directive requiring all federal websites to use HTTPS encryption by 31 December 2016.

The move comes despite a growing list of law enforcement and national security officials in the US and Europe who have voiced opposition to the ubiquitous encryption of online services.

In January 2015, UK prime minister David Cameron drew criticism for plans that could block encrypted messaging apps under planned new surveillance powers.

The US government HTTPS-Only Standard directive requires all federal websites accessible to the public to encrypt all data exchanges between the websites and their users.

“Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted federal websites and services,” said US chief information officer Tony Scott.

“This data can include browser identity, website content, search terms and other user-submitted information,” he wrote in a blog post.

Scott said the US government move is in line with many commercial organisations that have adopted HTTPS-only policies to protect visitors to their websites and services.

He said the HTTPS-Only Standard will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.

While the directive gives federal websites just over 18 months to comply, commentators have described the deadline as “realistic” given the fact that government IT tends to be slow-moving.

According to a site set up to monitor the transition, only 31% of US federal websites were using HTTPS as of 29 May 2015 and not all made it mandatory, reports Slate.


However, some government agencies have made switching to HTTPS a priority, such as the Federal Trade Commission (FTC), which made it mandatory in March 2015 when the HTTPS directive was proposed.

“Transit encryption is an important safeguard against eavesdroppers and has been the subject of previous investigations where we alleged companies failed to live up to their security promises when collecting personal information,” FTC chief technologist Ashkan Soltani said in a blog post at the time.

In May 2015, a coalition of top cryptologists and several large technology firms, including Apple and Google, sent a letter urging the US government to preserve strong encryption.

The letter was aimed at counteracting growing pressure from law enforcement and security agencies to build back doors into electronic communications systems.

A week later, the Queen’s Speech confirmed that the UK government will introduce new legislation to modernise the law on communications data, this time to be known as the Investigatory Powers Bill.

Like the shelved Communications Data Bill, the new legislation will be aimed at giving police and intelligence agencies the power to monitor online communications.

Big Brother Watch chief executive Renate Samson said it will be interesting to see whether the content of the new bill has radically changed from the bill that was shelved.

“We have yet to see real evidence that there is a gap in the capability of law enforcement or the agencies’ ability to gain access to our communications data,” she said in a statement.

Samson said the government has yet to produce any concrete evidence that access to communications data will make the country safer.
