If you had plans to anonymously turn over sensitive data to the feds, you might want to think twice.

That hot tip you're sending in could be snaking its way through an unencrypted network, according to the American Civil Liberties Union (ACLU).

In a letter submitted to the White House, the group alerted U.S. Chief Information Officer Tony Scott to "dozens" of inspectors general (including those at the Departments of Justice and Homeland Security) who do not protect online whistleblower complaints.

The letter was written in response to Scott's recent proposal for an HTTPS-only standard, which would require all public federal sites and services to use the secure protocol.

"Although we are generally supportive of your proposal, we believe that this [two-year timeline] is not soon enough for some sensitive sites," ACLU director Michael Macleod-Ball and principal technologist Christopher Soghoian wrote.

At least 29 inspectors general reportedly do not currently use HTTPS to protect online disclosures of waste, fraud, or abuse. That includes the Departments of Agriculture and Treasury, the Consumer Product Safety Commission, the Corporation for Public Broadcasting, the U.S. International Trade Commission, the National Archives, and the Smithsonian. Not to mention the State Department's "Rewards for Justice" online terrorism tip line.

The danger, according to the ACLU, lies in the transmission of information. When someone visits one of these official sites to file a report, their tip could be intercepted, putting not only the whistleblower's identity at risk, but also the confidentiality of their intelligence.

"HTTPS does a lot more than protect the submission of sensitive information," the letter said, citing major tech players like Google, Facebook, Yahoo, and Twitter, all of which protect their sites with HTTPS by default.

Scott's HTTPS-only standard could go a long way to making the Internet safer, for informers and everyone else surfing the net. But the ACLU doesn't think the government should stop there.

"While HTTPS by default is a great first step, agencies should be employing other encryption best practices, too," the group said, suggesting similar technology like STARTTLS, which is already widely employed in the private sector.

According to The Washington Post, Justice Department Inspector General Michael E. Horowitz, who heads the council that oversees inspectors general, said he will discuss encryption with his fellow IGs. "I want to make sure that whistleblowers or anybody who comes forward to us has their information protected," he told the paper.
