Open, private and secure by default: US Census Bureau to switch API from HTTP to HTTPS
In a PDF emailed to developers today, the United States Census Bureau announced that it was making an important change to its application programming interface (API), the set of instructions that enable software developers to access its raw statistical data: it was moving the Census API from HTTP to HTTPS:
To improve security and privacy, and by federal government mandate, the U.S. Census Bureau will stop receiving Application Programming Interface (API) calls at <http://api.census.gov/data/> on August 28, 2017.
If you use the Census Data API only through a web browser (like Safari, Firefox, Chrome, Internet Explorer, Opera, etc.), this change will not affect you. The only noticeable changes after the deadline will be a green lock icon appearing inside the search box and the web addresses of the Census Data API pages you visit will start with https://.
If you maintain software that uses the Census Data APIs, please take action before the deadline to ensure uninterrupted service.
Unfortunately, the email confused enough recipients that the agency sent out a tweet to inform the public that we don’t need to worry about the API going offline, open data being removed from the Internet or a quiet attack by the Trump administration on transparency.
Instead, this is good news: one of the nation’s premier statistical agencies is shifting to a secure connection by default for secure public access to information on the World Wide Web.
Users are reporting that the #CensusAPI is going down. This is not the case. We’re switching from HTTP to HTTPS. Sorry for the confusion!
— U.S. Census Bureau (@uscensusbureau) May 31, 2017
In shifting to a secure method for exchanging information over the Internet that adds encryption of the Hypertext Transfer Protocol (HTTP), the agency is not just (tardily) complying with an Obama White House mandate.
The Census Bureau migration, however, is part of a much broader effort that will help rebuild public trust in federal government Web services.
In 2015, the Obama White House Office of Management and Budget, which issued a memorandum [M-15-13] that required “that all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection” by the end of 2016.
The federal government has made laudable progress since 2015, although this work is far from finished. In the months since the Obama White House mandated HTTPS by default for federal websites, a majority of federal websites have moved to the more secure protocol.
The public — and OMB, Congress, inspector generals and industry observers — have been able to see how compliance grew over time at pulse.cio.gov, the online dashboard run by the U.S. Chief Information Officers Council that tracks adoption of two core digital best practices on the Web: use HTTPS and participate in the digital analytics program.
As the Federal CIO Council made clear in a 2015 post on the HTTPS-Only Standard, “the American people expect government websites to be secure and their interactions with those websites to be private.”
Unfortunately, in 2017 about half of the American public do not trust the federal government to protect our data.
If that’s going to change, the United States should be open, secure and protect the privacy of its people by default when it discloses information to the public. When those principles are written not only in the legal code but software code, the public benefits.
When weaponized disclosures erode public trust by disclosing the private information of the survivors of domestic abuse online, the public suffers.
Few databases are as essential or reflect who we are as a people as the accumulated knowledge collected and curated by the U.S. Census Bureau, one of the core institutions of government that’s literally written into our Constitution.
It’s great to see stewards of public knowledge about the public disclosed information to the public in a way that not only informs the people but honors and respects our privacy and security.