I am actually sympathetic to the idea of an exemption for raw public data sets not for human consumption. Today the default is HTTP and you have to have a good reason to go HTTPS. The goal here is to flip the default and get people thinking in terms of HTTPS by default. There is always room for exceptions from the rule. A use case like this seems like a reasonable exception. But the risk here is that the purpose or scope of the site changes. Maybe next year they're hosting raw data sets about something more politically charged, and a researcher in a country whose government doesn't like that kind of research could find herself with unwanted attention simply for accessing that public raw data set. Alternatively, someone decides to tamper with that data set in flight. Or someone decides to dual-purpose the site for some reason and serve content to people, forgetting that it isn't an HTTPS site, in which case we're where we are today.
Please read my comment as dealing with this particular axis of tax policy. Obviously, not everyone in the EU wants the EU to be like the US in all respects. It is also wrong to suggest that no one in the EU wants to be like the US in any respect.
Please follow up at https://github.com/WhiteHouse/.... We are keen to understand these issues and find solutions. We also do know a thing or two about web hosting and HTTPS.
On one hand, the EU wants to be more like the US: Create an EU internal market (http://en.wikipedia.org/wiki/Internal_market). Open the borders for trade and business. Let companies set up shop in a single EU state and sell to anyone in any other EU member state without having to do a mess of paperwork, currency conversions, or taxes (aside from VAT). On the other hand, some EU states see other EU states doing things to attract business, and they see their tax revenues going somewhere else, and they want to fix that. The EU seems to be in this situation where it has competing goals and competing feelings on how taxes should work, and I'm really interested to see how they reconcile that. Either each country needs to be able to operate and tax independently, or they need to work together as a single cohesive union and stop trying to perpetuate their pre-union tax schemes. In many respects this feels like a US state getting upset that a company in the next state over is selling to its people and the other state is getting all of the income tax revenue. Can you imagine what it would be like if you had to deal with income taxes in every US state in which you did business?
(Granted, this is somewhat independent of the whole Bermuda thing, but usually when people complain about these tax avoidance schemes it's about Ireland or something.)
Hi oneiros27, please take a look at the open issues and provide your feedback at https://github.com/WhiteHouse/...
The "additional CPU" nowadays for SSL is fairly trivial. If you've done some experiments that demonstrate a meaningful performance impact, and you can quantify the costs of that, we'd LOVE your feedback so that we can help you mitigate that or convince you that the benefits are worth the costs. We'd like to see data here.
Likewise with the caching issue. The use of CDNs can mitigate some of the performance impact you're worried about. If you're working with a specific scientific project or experiment where you need to shuttle around a lot of data, and are presently using HTTP and HTTP caching solutions to implement that, I would propose there are better ways of efficient data distribution. Again, submit an issue at the link above about this and someone can work with you to talk about your situation.
The IDS problem can be solved by moving the SSL termination to the other side of your IDS. It's not necessary for the origin server to serve HTTPS. It can also be resolved by changing your approach to IDS to one that doesn't require inspection of the payload at a distance from where it's served.
We do see privacy incidents routinely due to someone thinking "gosh, I didn't expect that would be private" or "I forgot to move that to the https site". We also routinely see ISPs and governments inject ads and tracking mechanisms into HTTP responses. We are also just simply concerned about the privacy and safety of people that browse government web sites, and standardizing on HTTPS everywhere eliminates the need for these mistakes and oversights and ensures a minimum bar for privacy and data integrity. It also makes it super easy to be FISMA compliant without having to spend extra to lock down a particular feature or product.
Please raise your concerns with the link given above and let's chat.
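The termination layout described in the comment above ("move the SSL termination to the other side of your IDS"), as an added illustration that is not part of the original thread and not the memo's or the WhiteHouse repository's own configuration: a reverse proxy terminates TLS at the edge and forwards plain HTTP across an internal segment where the IDS can still inspect payloads, while the origin server keeps serving HTTP. The hostnames, certificate paths and the `internal-origin` address are placeholders assumed for the example.

```nginx
# Edge reverse proxy: terminates TLS for clients, speaks plain HTTP to the
# origin over the internal segment that the IDS monitors. (Placeholder names.)

# Redirect plain-HTTP visitors to HTTPS so the default is encrypted.
server {
    listen 80;
    server_name example.agency.gov;   # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.agency.gov;   # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.agency.gov.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/example.agency.gov.key; # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Plaintext hop to the origin; the IDS sits on this internal path
        # and sees the same payload it saw when the site was HTTP-only.
        proxy_pass http://internal-origin.agency.local;   # placeholder origin
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

The point of the layout is that inspection happens between the proxy and the origin, on a segment the agency controls, so the IDS never needs to decrypt traffic and clients never see an unencrypted hop. The `X-Forwarded-Proto` header lets the origin generate `https://` links even though it only listens on HTTP.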
Privacy is in the eye of the individual. Is the location of an AIDS clinic private information? No, but the fact that you're looking for that information could be intensely private. Is the location of a US embassy private? Job postings? Things we think of as non-private information here could get you detained or worse if your Internet connectivity is monitored by an oppressive government. We want the information on government web sites to be useful and for people to feel safe and comfortable accessing it.
Who do you trust to make those judgment calls? Every one of a thousand government contractors building your web sites? Or does it make more sense to just standardize on HTTPS everywhere and simplify your world?
And this doesn't even begin to cover the cases of ISPs injecting ads or tracking or worse into your HTTP responses, which happens all the time.
FWIW, just because the NSA does something doesn't mean every other government employee or agency approves or is culturally aligned with that attitude. This effort represents a genuine push by a self-selected group that is privacy-conscious, interested in doing the technically right thing, and for the first time in a position within the government to actually start making the Right Thing reality. Interested in joining us?
If there are specific concerns you have with the memo as it applies to the federal agencies it's talking about, we'd love to get your feedback on how we can achieve these goals while minimizing the issues you allude to.
This isn't about mandating HTTPS everywhere outside of government, and those agency sites that might perform worse due to losing intermediate caches can always implement the policy using existing CDNs to try and get the content as close to the user as possible.
Is there something about what the memo proposes that looks to be obsolete soon? We're trying to get ahead of the curve here, because it does take time to change things in the government. We'd love to better understand your "when the government gets involved" concerns.
Do you think you might be interested in participating in things like this on a more ongoing basis?
It's not the World Trade Center, and it's not Bali. It's a single cafe and a lower maximum possible body count than your typical school shooting in the US (which can hardly hold the news media's attention for more than a week any more).
This news wouldn't have made it out of Australia (if even NSW) if it weren't for the Islamic bogeyman angle.
A plastic battleship would be unstoppable.
Four red pegs should do it.
What does any of that have to do with the story here? The tracking device wasn't added by the police or even at the behest of the police, but by the buy-here-pay-here dealer, operating a business of the same respectability as payday lending and rent-to-own stores, who expect their customers to default. This wasn't done for cops but for repo men.
By all means complain about a violation of privacy, but it isn't by the state. Rather this is the result of a financial system that promotes, aggravates, and profits off of poverty.