
Why Won’t the IRS Deploy Basic Web Security?

Chris Soghoian,
Principal Technologist and Senior Policy Analyst,
ACLU Speech, Privacy, and Technology Project
Katie Haas,
Speech, Privacy, and Technology Project
April 12, 2013

This tax season, when you visit the IRS’s website seeking tax information, can you be certain that no one else is monitoring which pages you browse?

Unfortunately, right now the answer to that question is “no.” Unlike Facebook, Twitter, Google Mail (Gmail), and virtually every bank and credit card company, the IRS, like most government agencies, does not use HTTPS for encryption and authentication on its website. If you try typing “mail.google.com” into your browser right now, you will see that the URL you end up at is actually “https://mail.google.com.” That “s” after the “http” may seem insignificant, but it means a lot. It signifies that Google is using Secure Sockets Layer encryption, or SSL, to both encrypt and authenticate its communications. When you visit google.com and you see “https” at the beginning of the address, it lets you know that your connection is secure, and that third parties, such as your internet service provider, employer, or university, cannot monitor what you’re doing through the use of network interception technology.

In contrast, the IRS website not only does not use HTTPS by default, but manually typing “https://” in front of the IRS address will result in a scary error message, because the IRS administrators haven’t bothered to configure their hosting service to supply a valid HTTPS certificate.
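The two failures described above (no valid certificate on the HTTPS port, and no HTTPS by default) can be checked from the command line. The script below is an added example, not code from the ACLU or the IRS: it connects to a host over HTTPS with normal certificate verification, then over plain HTTP, and reports whether the site redirects to HTTPS and sets an HSTS header. The hostname argument is whatever you choose to test.

```python
"""Probe a site for basic HTTPS hygiene: valid certificate, HTTP->HTTPS
redirect, and HSTS. Added example, not the page's or the IRS's own code."""
import http.client
import ssl
import sys

ONE_YEAR = 31536000  # HSTS max-age that browsers treat as a serious commitment


def assess_http_response(status, headers):
    """Judge a plain-HTTP response: does it send visitors to HTTPS?"""
    location = headers.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "redirects HTTP to HTTPS"
    return "serves content over plain HTTP (paths visible to the network)"


def assess_https_response(headers):
    """Judge an HTTPS response: is HTTPS pinned for later visits via HSTS?"""
    hsts = headers.get("strict-transport-security")
    if not hsts:
        return "HTTPS works but no HSTS header; later visits can still start over HTTP"
    max_age = 0
    for directive in hsts.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    if max_age >= ONE_YEAR:
        return "HSTS set (max-age >= 1 year)"
    return f"HSTS set but max-age only {max_age}s"


def probe(host, timeout=5):
    """Return findings for both ports; header names are lowercased for lookup."""
    findings = {}
    ctx = ssl.create_default_context()  # verifies chain and hostname, like a browser
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        findings["https"] = assess_https_response({k.lower(): v for k, v in resp.getheaders()})
    except ssl.SSLCertVerificationError as e:   # the "scary error message" case
        findings["https"] = f"certificate rejected: {e.reason}"
    except (OSError, http.client.HTTPException) as e:
        findings["https"] = f"HTTPS unavailable: {e}"
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        findings["http"] = assess_http_response(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    except (OSError, http.client.HTTPException) as e:
        findings["http"] = f"HTTP unavailable: {e}"
    return findings


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "www.irs.gov"))
```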

Although the IRS website doesn’t ask for sensitive login information that must be encrypted, as online banking sites or email providers do, there is still sensitive information on the website. For example, perhaps you are looking for information on the IRS website about tax credits or deductions associated with , the , or sensitive medical procedures and services such as , or counseling for . In all of these scenarios, you should be able to obtain tax information without your internet provider, employer or university knowing what you are looking for. However, because the IRS does not use HTTPS encryption to protect its website, the specific pages you view on the IRS website can be easily intercepted by others when you are browsing the web using an open WiFi network.

If Google, Twitter and Facebook can deliver HTTPS to their users, we should certainly have it for our visits to government websites. This is especially important as the April 15 tax deadline approaches, and more and more Americans turn to government websites for reliable information.

Like many companies, the IRS uses a third-party Content Distribution Network to deliver web content to visitors. Instead of connecting to a server run by the IRS, visitors to the IRS website are actually connecting to one of many servers owned by Akamai, a company that provides the same service for many of the most popular websites on the web. Akamai (pdf) of web content, and has done so since —but it charges a premium for this service. The IRS could easily move their entire website to HTTPS; they’d just have to pay for it (and for now, it seems, they don’t want to).

The Central Intelligence Agency also uses Akamai, but has a correctly configured HTTPS certificate, and even uses HTTPS by default. If the CIA can find the funds in its technology budget to provide an HTTPS connection to a website that few Americans are likely to visit (and which is largely used for recruiting and marketing purposes), surely the IRS, which annually receives sensitive and private data from millions of Americans, should be able to do so too.

In 2010 then-FTC Commissioner Pamela Jones Harbor all cloud computing companies to enable HTTPS by default. A year later, Senator Chuck Schumer Amazon, Twitter, Facebook and Yahoo, urging them to move their websites to HTTPS. The pressure worked—Twitter and Facebook both eventually protected their websites with HTTPS by default.

Commissioner Harbor and Senator Schumer showed bold leadership by using their soapboxes to pressure companies to take cybersecurity seriously. Although the soapbox is great, there is an even better way for the government to lead—and that is by example.
