Home

Report: Congressional Websites Not Ready for Secure Connection

(Bill Clark/CQ Roll Call File Photo)

Go to any congressional website and you’re sure to find a form for constituents to contact their lawmakers. But a recent analysis found most congressional websites are not equipped to protect that data as it is transmitted.  

The Sunlight Foundation, a group that advocates for government transparency, recently published an analysis of congressional websites that revealed only 15 percent of sites are ready to implement a secure browsing connection, known as Hypertext Transfer Protocol Secure. This code is visible at the beginning of a Web address and usually appears with a padlock next to it. “HTTPS is basically a way of ensuring that the connection between you and a website is protected by encryption, and any data you share while on that site, like credit card, contact or personal information is, for the most part, safe,” Sunlight Labs Director James Turk said in a statement to CQ Roll Call. “In this case, if a constituent is using a congressional page to contact his or her representatives, information they input in the contact form could be compromised by a third party.”  

Turk explained that without HTTPS, the data could be compromised as a constituent types information into the Web form. In other words, the stored data is not at risk, but the transmission of that data is vulnerable.  

Eric Mill of 18F, a group within the General Services Administration that addresses technology issues in the federal government, explained HTTPS in a February blog post .  

With an ordinary connection, Mill likened sending information to mailing a postcard, “where every computer in between you and the website gets to see your information.” But connecting over HTTPS is “like sending a locked briefcase that only the website’s computer can open.”  

The Sunlight Foundation’s in-depth analysis of individual member and committee sites found that only a small percentage of congressional sites are ready to implement HTTPS, though the House fares better than the Senate. Nearly 20 percent of House member sites were correctly implementing the code, while only 2 percent of Senate Web pages did so.  

“It is important to note that this evaluation ... is not a reflection on individual members of Congress or their websites, but is reflective of the entities that host those websites,” wrote the report’s author, Tim Ball.  

But in the Senate, it is up to individual offices to request the certificate to implement this feature.  

One of the two Senate websites that received an “A” score from the Sunlight Foundation is Sen. Barbara Boxer's. The California Democrat's spokesman, Zachary Coile, said the office implemented HTTPS in 2007. “We felt it was a good way to ensure that we were protecting the security and privacy of constituents visiting the site,” he wrote in an email.  

“If constituents share personal information with us — for example, their phone number or their address as part of a casework request — using HTTPS helps ensure the security of that information,” Coile wrote.  

Coile explained that to implement the security feature, the office makes a request to the Senate Sergeant-at-Arms office, which oversees Senate administration and security, for the specific certificate.  

A source with the SAA told CQ Roll Call such certificates are available upon request. In other words, the onus is on an individual office to request the security feature.  

On the House side, a spokesperson for the chief administrative officer, which oversees information technology security, declined to comment, citing security concerns. But individual offices that received an "A" rating indicated HTTPS is part of the general protocol for websites.  

A spokesperson for Rep. Sean P. Duffy, R-Wis., who received an "A" rating and was first elected in 2010, said his site has been HTTPS compatible from the start,  part of a "general protocol upgrade." They were required to test HTTPS compatibility when their website launched.  

The executive branch is in the process of ensuring all federal websites implement HTTPS . But whether the legislative branch will do the same remains unclear, though many of the new members of the House received "A" ratings from Sunlight, which could signal a transition to HTTPS on the House side.  

In the meantime, the Sunlight Foundation and others are hoping their report will cause lawmakers to re-examine website-security policies.  

"Constituents visit official congressional websites to share far more than opinions,” said Seamus Kraft, a former congressional staffer and executive director of the OpenGov Foundation, which promotes civic participation. “They visit to work with their elected officials to address serious, sensitive and often personal matters.”  

“While HTTPS isn't a silver-bullet solution, ensuring the Congress-to-constituent connection is locked down and trustworthy is crucial, and it would be a step in the right direction," Kraft said.  

Related: New House Cybersecurity Policies Show Ongoing Threat Most Legislative Workers Likely Not Affected by OPM Hack  See photos, follies, HOH Hits and Misses and more at Roll Call's new video site. Get breaking news alerts and more from Roll Call in your inbox or on your iPhone.