Google, the most widely used Web browser in the world, thinks a majority of state and local government websites aren’t doing enough to protect the people visiting them. And starting in July, that browser is going to start prominently telling those users that the sites they’re visiting aren’t secure.
And as of right now, a lot of those governments disagree — at least on paper — that they need to do anything about it.
The security measure in question is encryption, and specifically the basic encryption implied by a website having a URL that starts with HTTPS instead of HTTP. Of the 50 state government websites, 29 have front pages that are not encrypted. Of the 10 most populous cities in the nation, six have non-HTTPS front pages.
In California, Los Angeles’ and San Diego’s are, but San Jose’s isn’t.
The government website and digital services company ProudCity embarked on a project about a year ago to gather information on trends among local government websites and estimated that fewer than 20 percent of city websites in the U.S. had HTTPS. Vision Internet, another government website builder, estimates that about 25 percent of its clients had encryption before they stepped in.
A lack of encryption means, in so many words, that hackers would have an easier time seeing, stealing or manipulating information traveling between the user and the website.
If an unencrypted Web page carries sensitive information, that information could be visible to hackers. And toward that end, a lot of the government websites that don’t encrypt their main landing pages do encrypt the pages that actually ask users for information — whether that’s renewing a driver’s license, paying for a parking ticket, signing up for notifications or something else.
Even if a page doesn’t handle sensitive information, there are still reasons to encrypt, according to Google spokesperson Ivy Choi.
“HTTPS is the only way for sites to ensure that the site they create is the site that users actually see, because without HTTPS, an attacker can modify the site in any way they want,” Choi wrote in an email. “For example, if a government site is on HTTP, an attacker could change or delete the information on the site, or add offensive imagery, etc.”
A big concern is photos and videos, which are often hosted on different servers but embedded into a government’s website. In those cases, even if the site itself is encrypted, a hacker could get in by targeting those assets.
And then there’s third-party software, long a weak point in government websites. Embedded third-party software can offer hackers a back door that allows them to do a lot of things.
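The embedded-asset problem described above is what browsers call mixed content: an HTTPS page that still pulls images, video or scripts over plain HTTP. As an added example (not part of the original article), the Python sketch below scans a page's HTML for such subresources and flags whether each one comes from a third-party host. The sample page, all host names, and the active/passive grouping are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# "Active" loads can run code or restyle the page; "passive" media can be swapped.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # tuples: (kind, tag, url, is_third_party)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # other <link> types are not treated as subresources here
        ref = attrs.get(attr)
        if not ref:
            return
        url = urlparse(urljoin(self.page_url, ref))
        if url.scheme != "http":
            return  # https and scheme-relative URLs on an https page are fine
        kind = "active" if tag in ACTIVE else "passive"
        self.findings.append((kind, tag, url.geturl(), url.hostname != self.page_host))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://widgets.example.net/chat.js"></script>
</head><body>
<img src="http://media.example.org/council.jpg">
<video src="https://media.example.org/meeting.mp4"></video>
<img src="//cdn.example.org/seal.png">
</body></html>"""

if __name__ == "__main__":
    for finding in scan("https://city.example.gov/", SAMPLE):
        print(finding)
```

Findings marked "active" deserve attention first, since a script or frame fetched over HTTP can be altered in transit and then runs with the page's privileges.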
There are a few reasons so many state and local government websites don’t encrypt. But they mostly boil down to the same thing: If there’s no sensitive information coming across a Web page, why make the extra effort?
The attitude has manifested itself in the form of policies, written or unwritten, in state governments. Take the unencrypted main landing page for the state of California, for example. The state has a policy stating that encryption is necessary for “confidential, sensitive or personal information.”
“CA.gov doesn’t contain any sensitive information; it’s not a transactional website,” said Bryce Brown, a spokesman for the California Department of Technology. “It’s only a central portal from which you can access other websites and their services.”