Digital democracy reforms tends to advance or retreat in fits and starts, but when exigent circumstances require more from us and our governments, change can happen unexpectedly. On May 26, I requested an absentee ballot, intending to cast my vote … Continue reading
Category Archives: security
What cities can learn from Gainesville’s experiment with radical transparency
There’s much to be learned from the experience of the city Gainesville, Florida, where a commissioners voted in 2014 to publish the public’s email correspondence with them and the mayor online.
More than five years on, the city government and its residents have are ground zero for an tumultuous experiment in hyper-transparent government in the 21st century, as Brad Harper reports for the Montgomery Advertiser.
It’s hard not to read this story and immediately see a core flaw in the design of this digital governance system: the city government is violating the public’s expectation of privacy by publishing email online.
“Smart cities” will look foolish if they adopt hyper-transparent government without first ensuring the public they serve understands whether their interactions with city government will be records and published online.
Unexpected sunshine will also dissolve public trust if there’s a big gap between the public’s expectations of privacy and the radical transparency that comes from publishing the emails residents send to agencies online.
Residents should be offered multiple digital options for interacting with governments. In addition to exercising their rights to freedom of expression, assembly and petition on the phone, in written communications with a given government, or in person at hearing or town halls, city (and state) governments should break down three broad categories of inquiries into different channels:
Emergency Requests: Emergency calls go to 911 from all other channels. Calls to 911 are recorded but private by default. Calls should not be disclosed online without human review.
Service Requests: Non-emergency requests should go 311, through a city call center or through 311 system. Open data with 311 requests is public by default and are disclosed online in real-time.
Information Requests: People looking for information should be able to find a city website through a Web search or social media. A city.gov should use a /open page that includes open data, news, contact information for agencies and public information officers, and a virtual agent or “chat bot” to guide their search.
If proactive disclosures aren’t sufficient, then there should be way to make Freedom of Information Act requests under the law if the information people seek is not online. But public correspondence with agencies should be private by default.
Digital technologies are disrupting democracies, for both good and ill
Elon University and Pew Research Center asked experts what the impact of digital disruption will be upon democracy in 2030: Perspectives differ! About half predicted that humans will use technology to weaken democracy over the next decade, with concerns grounded … Continue reading
White House moves WhiteHouse.gov to HTTPS by default, tying privacy to security
A .gov website that uses HTTPS encryption by default for its visitors is a superb example of “privacy by design.” On March 6th, the Federal Trade Commission enabled encryption for FTC.gov. When I visited whitehouse.gov tonight, I found that the White House digital team had flipped the site for what’s likely the most prominent government website in the world. The White House Web team confirmed the change just after midnight.
The @Whitehouse is taking steps to improve your privacy. Starting today we use HTTPS by default: https://t.co/V14GDg1Ne1
— WH.gov (@WHWeb) March 11, 2015
According to Leigh Heyman, director of new media technologies at the White House, over the next few days, the team be migrating other domains, like the bare domain name, whitehouse.gov, and m.whitehouse.gov, over to HTTPS as well, joining http://www.whitehouse.gov.
“Americans care about their privacy, and that’s what the White House’s move to HTTPS by default is about,” said Eric Mill, an open government software engineer at 18F. “The White House’s use of HTTPS protects visitors’ personal information and browsing activity when they connect to whitehouse.gov across the vast, unpredictable network of computers that is the internet.”
If you’re unfamiliar with HTTPS, it’s a way of encrypting the way you connect to a Web server online. Specifically, HTTPS refers to layering the Hypertext Transfer Protocol (HTTP) on top of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS). What that means in practice is that your requests to the Web server and the pages results from it are encrypted and decrypted. Why does that matter? Consider, for instance, if someone is looking up sensitive health information online and visits a government website without HTTPS that also has data collection.
“Use of https is generally considered to be good practice, however, as opposed to unencrypted, regular http, although it adds a small amount of extra processing and delay to do the encryption,” commented Eugene Spafford, a Purdue University computer science professor and founder and executive director of the Center for Education and Research in Information Assurance and Security.
“HTTPS primarily provides three things: greater authentication, stream privacy, and message integrity. A quick look at the site doesn’t reveal (to me) anything that would likely require privacy or heightened message integrity. The most immediate consequence is that parties connecting to the website can have increased confidence of the site’s authenticity because a signed certificate will be employed. Of course, most people don’t actually verify certificates and their roots (cf. Superfish), so this isn’t an ironclad identification.”
Why does this matter?
“This immediately creates a strong baseline of privacy and security for anyone in the world, American or otherwise, who visits the White House website — whether to read their blog, learn more about the President, download official policies, or anything else inside whitehouse.gov,” said Mill.
“At a basic level, what a person sees and does on whitehouse.gov should be between them and the White House. When someone reads official policies published on whitehouse.gov, they should be confident that policy is real and authentic. The White House’s use of HTTPS by default means those promises just got a lot stronger.”
Appears that https://t.co/r3sBUG5BWy has moved to HTTPS by default @whitehouse @whweb pic.twitter.com/Vg9eNIjG8E — ashkan soltani (@ashk4n) March 11, 2015
Ashkan Soltani, the FTC’s chief technologist, explained why that federal agency shifted at the Tech@FTC blog:
As a quick primer, HTTPS encryption secures your communications while in transit with websites so that only you and the website are able to view the content. The lock icon now appearing in your browser represents that the communication is encrypted and eavesdroppers are unable to look in. At this time, secure browsing is generally not a requirement for federal websites, but it is considered an industry best practice. Transit encryption is an important safeguard against eavesdroppers and has been the subject of previous investigations where we alleged companies failed to live up to their security promises when collecting personal information. It’s an important step when websites or apps collect personal information, and is a great best practice even if they don’t.
What broader trends does this tap into?
The White House moving to HTTPS is part of a larger move to lead by example in promoting privacy and security best practices, related Soltani, over email.
“I believe we’ll see a slow shift over the next few years of websites and services moving to HTTPS by default,” he said, “something a number of standards bodies including ISOC, IETF, and IAB have also called for.”
Along with FTC.gov, Mill highlighted the Privacy and Civil Liberties Oversight Board (PCLOB), the independent agency charged with balancing the rights of American citizens against the security steps taken in the wake of the terrorist attacks of 9/11, to HTTPS.
They’re far from alone: “Last month, 18F worked with 19 other .gov domains to go the distance to ensure browsers would always connect to them over HTTPS,” said Mill.
“Tt’s important to understand that what’s happening now in the federal government is what the broader internet has been working on for a while: making privacy the default.
The standards bodies that guide the internet’s development are recommending that the internet be encrypted by default, instructing their working groups to prioritize encryption in new protocol development, and declaring a more secure future for the web. The fastest versions of HTTP today already require encryption in major browsers, and it’s becoming easier to imagine a future where web browsers proactively warn users about unencrypted websites.
This is also why every .gov that 18F builds with its partner agencies uses HTTPS, full stop. We work hard to demonstrate that HTTPS can be fast, inexpensive, and easy. It’s a better future, and a practical one.”
The kind of privacy and security the White House is offering its visitors is what we should come to expect from the entire web, not just websites someone thinks are “sensitive”. All Web browsing is sensitive, and the White House’s leadership here reinforces that.”
It looks like Chris Soghoian, the principal technologist at the Speech, Privacy and Technology Project in the American Civil Liberties Union, is going to have a good day tomorrow.
This year, I’m hoping the @WhiteHouse will finally lead by example by turning on HTTPS encryption by default. CC @AMacOSTP @smithmegan.
— Christopher Soghoian (@csoghoian) January 1, 2015
While the Obama administration has taken its lumps on digital privacy after revelations of bulk surveillance of the Internet backbone by the National Security Agency, this is undeniably an important step towards securing the traffic of millions of people who visit whitehouse.gov every month.
Now that the White House is leading by example, hopefully other federal, state and local government entities will also adopt the standard.
“Everyone should want a simple feeling of privacy as they use the web, and confidence that they’re at the real and exact website they meant to visit,” said Mill. “While not everyone is highly attuned to watching for that padlock in their browser, the more websites that add it — especially high profile ones like the White House — the more that people can depend on that promise being met.”
All of our hats go off to the @WhiteHouse, who just moved https://t.co/nB5fFgt4fR to HTTPS by default! pic.twitter.com/yXv6IJKuTL
— 18F (@18F) March 11, 2015