2015 was not the year of HTTPS for news organizations
Two weeks ago, I went to a news industry conference and sat in on a session about HTTPS, a protocol for securely communicating over computer networks.
The session was sparsely attended compared to the other sessions at the conference, which surprised me. I started to think about why so many people may have skipped it:
- HTTPS is not an easy technology to understand because there are a lot of jargon-y terms involved.
- No one wants to talk about IT at a news industry conference.
- It’s not a sexy topic, the way we think about topics like “local news” or “structured journalism.”
- The people who attend news industry conferences may not be the ones at their organizations to make decisions about implementing HTTPS.
- Implementing HTTPS at a news organization also has implications for digital advertisements and relationships with ad exchanges — which means a news organization’s advertising department, IT department and editorial staff need to all understand the importance of the protocol and hash out an implementation plan together.
The New York Times spelled out some of the benefits of HTTPS last year: it ensures the contents of the site are authentic, it keeps users’ search and browsing history safe from third parties, it’s more secure, it leads to better UX and analytics, and Google favors HTTPS in its search results.
@mkramer HTTPS means that your computer/phone and the website you're on will keep your communication secure from digital eavesdropping.
— Ben Novack (@titlecharacter) December 1, 2015
In that post, The Times also asked other news organizations to have sites fully on HTTPS by the end of 2015. Only a handful of organizations — the Times is not one of them — have adopted the protocol. The Washington Post, The Intercept, Vice News, TechDirt, and MuckRock all use HTTPS. Most other large news organizations do not.
I wanted to find out why news organizations haven’t made the switch, so I reached out to Kevin Gallagher, a systems administrator at the Freedom of the Press Foundation. Kevin wrote a very good blog post last year about HTTPS, where he noted that “virtually none of the top news websites—including all those who have reported on the Snowden documents—have adopted the most basic of security measures to protect the integrity of their content and the privacy of their readers.”
Kevin and I talked a bit about the barriers to adoption, and the importance of protecting readers’ privacy online.
@mkramer Your browser and the server build a lockbox and share the key. They send the lockbox back and forth with letters inside.
— Ben Keith (@benlkeith) December 2, 2015
Why is it important for news organizations to adopt HTTPS?
News organizations should adopt HTTPS by default in order to better protect their readers. Plain, unencrypted HTTP connections can potentially allow attackers to spy on what articles you are reading. Such traffic is also easy to filter, allowing for censorship of specific subjects or terms — either in the workplace, at school, or by regimes that don't respect the free flow of information. Regular HTTP is vulnerable to being redirected to the wrong site, where one could receive misinformation. There are other ways that unencrypted connections can be taken advantage of that are even more malicious and could lead to a compromise of personal information.
What challenges do news organizations face in adopting HTTPS?
There are a variety of barriers to HTTPS adoption by news organizations, and some of them are merely technical or infrastructural. For some smaller sites it might be as simple as flipping a switch, and they just haven't considered why it's important yet, while for others, it can be a massive undertaking with many consequences.
The biggest problem is third-party advertising networks which news organizations rely upon for a large part of their revenue. While many of them are starting to support HTTPS, which is a relatively recent development in the industry, there are still several hold-outs. So this means that when news organizations have to stop serving ads from certain partners in order to switch to HTTPS, they would actually start losing money — which is a big deal since newsrooms are struggling for funding to begin with since the decline of print media.
Advertising networks and content delivery networks (CDNs) need to scale to handle millions of connections, and there's a slight performance cost to adding encryption, which can largely be ameliorated through hardware.
There's a whole separate discussion about how the ads themselves are a means for tracking and are terrible for privacy.
What are incentives that can be used to drive adoption of HTTPS?
We believe in a variety of incentives to drive adoption. Having technologists speak directly to managers inside newsrooms about why it's important, writing and advocating about the issue, even inquiries from readers on social media can be effective. Either way, we need to keep track of the industry's progress, applaud the newsrooms who do the right thing, and keep questioning and applying pressure to those that haven't.
Last year, The New York Times insinuated that they were committing to adopt HTTPS and encouraged other groups to do so by the end of 2015. Publicly, so far the results from that pledge have been disappointing.
What are other security measures news orgs should have in place?
Beyond HTTPS, there's a variety of security measures that news organizations should adopt.
Every news organization should take security seriously by hiring security professionals who can train staff on certain tools, answer questions and improve the newsroom's security culture.
Journalists should publish PGP keys so they can be reached via encrypted e-mail.
News organizations should make sure their mail servers support STARTTLS so that e-mails between journalists and sources are encrypted in transit.
They can also set up their website on a Tor hidden service to allow readers to visit them without being tracked or identified.
They can run SecureDrop, our system that allows sources to submit information anonymously.
These are just a few things — there's always more that can be done to become more secure.
What resources should journalists look at if they'd like to learn more about this?
I'd suggest some of the links in the "more resources" section on this page.
I read this piece which was published last year about the state of security in the news industry. Has anything changed in the past year?
Unfortunately, not much has changed. On this particular list, I would point out The Washington Post for praise.
Yesterday Let's Encrypt came out. It's a free, automated certificate authority. Will that make it easier for news organizations to adopt HTTPS?
The advent of Let's Encrypt is an incredible improvement to the ease with which one can obtain and install SSL certificates. It's going to be particularly relevant for smaller news organizations operating on a limited budget.
Note from Melody: My coworker Eric is a strong proponent of HTTPS and has helped me realize its importance for media organizations. At 18F, he also created two videos that explain what HTTPS is and how to implement it for a non-technical audience. The videos were aimed at government agencies — the U.S. government is in the process of moving all of its Web properties to HTTPS — but they are also applicable to news organizations.
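The ad-network barrier described in the interview can be measured before a migration: any resource a page still loads over plain `http://` becomes mixed content once the page itself is served over HTTPS. The following audit is an added example, not code from the original post or from the Freedom of the Press Foundation; the hostnames and sample HTML are constructed, and the tag-to-attribute table is a simplifying assumption.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a subresource (assumed, simplified).
# Browsers block "active" mixed content (scripts, frames, stylesheets) on HTTPS
# pages; "passive" content (images, media) is usually warned about instead.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = defaultdict(lambda: {"active": 0, "passive": 0})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are hints, not fetched subresources
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = (attrs.get(table.get(tag, "")) or "").strip()
            parts = urlsplit(url)
            # Protocol-relative URLs ("//host/x.js") have no scheme and follow
            # the page's own scheme, so only explicit http:// is flagged.
            if parts.scheme.lower() == "http" and parts.hostname:
                self.findings[parts.hostname][kind] += 1

def audit(html):
    """Return {host: {"active": n, "passive": n}} for insecure subresources."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return {host: dict(counts) for host, counts in parser.findings.items()}

# Constructed sample page; every hostname here is a placeholder.
SAMPLE = """<html><head>
<link rel="canonical" href="http://news.example/story">
<link rel="stylesheet" href="https://static.news.example/site.css">
<script src="http://ads.adnet-a.example/tag.js"></script>
<script async src="//cdn.adnet-b.example/loader.js"></script>
</head><body>
<img src="http://ads.adnet-a.example/pixel.gif">
<iframe src="http://widgets.adnet-c.example/frame.html"></iframe>
<img src="https://static.news.example/photo.jpg"/>
</body></html>"""

if __name__ == "__main__":
    for host, counts in sorted(audit(SAMPLE).items()):
        print(f"{host}: {counts['active']} active, {counts['passive']} passive")
```

Hosts with a non-zero active count are the partners that would have to offer HTTPS endpoints, or be dropped, before the site can switch.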