"I've basically been trying to bribe media organizations at this point to turn on SSL," jokes Christopher Soghoian, the principal technologist and a senior policy analyst at the ACLU's Speech, Privacy and Technology Project. "I have an open offer right now to the technical teams of news organizations: Two bottles of whiskey to anyone who will turn on SSL for their viewers."
When you browse the Web, you leave a trail of digital bread crumbs. But if you visit a Web address that starts with "https," your browser shows a lock icon, indicating that you are being protected with SSL encryption. That stops governments, corporations and hackers from learning which pages you're reading on the site.
With allegations of NSA snooping making headlines on a nearly weekly basis -- and reports highlighting the NSA's use of commercial tracking mechanisms -- privacy advocates argue it's past time for major media organizations to protect their customers' privacy using SSL encryption by default. Web giants such as Google and Facebook have already made the switch to automatic SSL for many of their services.
But so far, no major media organizations have done so. That's perhaps largely due to concerns about the added expense and effort of getting third-party advertising and content delivery systems to implement the security protocol. Still, only one of the five media organizations I reached out to on the issue, technology news site Ars Technica, provided an on-the-record comment by press time.
What news reading habits can reveal
"This is as basic as it gets in privacy," Soghoian argues. "I think many of us would think the government has no business knowing which books you are checking out from the library, and this is the same thing -- they have no business knowing which articles you are reading online."
Kevin Bankston, policy director at the New America Foundation's Open Technology Institute, agrees with Soghoian. "Encrypting Web traffic regardless of the type of service you offer should be the norm going forward," he says, but it's particularly important for news organizations, given the sensitive nature of reading habits.
A recent report indicated that the National Security Agency had monitored the pornography consumption habits of individuals they considered "radicalizers." "If the NSA is monitoring which porn sites people are going to, they're certainly monitoring which news sites people are going to as well," Soghoian says. And that can have serious implications for democracy.
"There are media sites that are associated with particular ends of the political spectrum, and knowing which media sites you visit or which articles you read can tell you a lot about someone," Soghoian explains. "It can tell you about their political beliefs, and that's truly protected First Amendment activity. But [without encryption] the information is just sitting there for governments to obtain, for snoops at Starbucks to obtain, for employers to monitor what employees are doing on corporate networks."
Who might be watching
If the federal government wants to listen in on your phone calls or open your mail, it needs a warrant. But the rules aren't as clear when it comes to information about what Web pages you visit.
In a 1979 opinion, the Supreme Court ruled that phone dialing records are not protected by the Fourth Amendment. The government has argued that this logic applies to other types of "non-content" information about communications.
"Unfortunately, there's a lack of clarity right now under the law about whether URLs are protected as content or non-content under the law," says Soghoian. "If there's no warrant protection, there's not really much standing between your viewing habits and the government. So, technology needs to come in and fill that gap."
The electronic surveillance section of the Department of Justice's Criminal Resource Manual says that due to privacy concerns over URLs user browser histories should not be obtained without "prior consultation with the Computer Crime and Intellectual Property section." That suggests there may be cases where the government believes it can obtain a user's Web browsing history without a warrant.
Experts say SSL encryption has other privacy benefits, as well. Implementing HTTPS could be an obstacle to governments that try to censor their citizens' Internet access using keyword filtering, Halderman says. "If all that the government can see on the network is that you're trying to access The Washington Post and not the content of what that story is, then keyword blocking doesn't work any more," he explains. "All they can do is make an all-or-nothing decision about whether that Web site will be reachable."
Commercial entities may also have reasons to spy on users' Web browsing habits. Soghoian suggests that broadband providers might be interested in users' reading habits to create more complex profiles of subscribers to sell for advertising purposes. Given the multitude of privacy implications, Soghoian believes, "it's outrageous that the New York Times and The Washington Post don't encrypt their subscribers' viewing habits." The Washington Post and the New York Times both declined to comment on this report.
Why news sites don't have encryption by default
Despite his privacy arguments, Soghoian hasn't had much luck persuading news organizations to enable encryption, although a few media sites appear to be preparing to make the shift, including Ars Technica and security news sites run by cybersecurity company Kaspersky Lab.
Soghoian attributes news organizations' reticence to consider encryption by default to two main factors: inertia and and the dependence of media sites on third-party advertising plug-ins. "News organizations have very small IT budgets, and it just hasn't been a priority for them," Soghoian says. "News sites that rely on third-party banner ads are going to need their third-party advertisers to come along and do it, too."
Many news sites, including www.washingtonpost.com, rely on third parties to serve advertisements and countless other plugins for everything from social sharing to traffic counting. Many also use third-party content delivery networks (CDNs), which are large, distributed server systems with data centers connected across the Internet, to help display content to consumers. And all these external connections can make it harder for sites to consider implementing SSL. "From a technical perspective, there's a bit more work the sysadmins need to go to through in order enable HTTPS, and that includes making sure that third-party services they rely on also supply it," explains Halderman.
The tech teams at news sites may be put off by this added workload, concerned about costs, worried that it will degrade the experience of consumers by increasing page load times and concerned that a switch to SSL might reduce the site's reach by excluding it from Google News. But "as far as the overhead of the protocol -- the added server horsepower and so forth -- that's actually much less significant today than it was five or 10 years ago," says Halderman, because the servers powering large sites have become much faster and the way that browsers implement SSL has evolved.
Jason Marlin, the technology director at Ars Technica, says the site is "actively pursuing" using SSL by default but that convincing the third-party tracking and analytics companies to make the leap has been a hold up. "We do have an SSL-capable CDN," Marlin says. In fact, subscribers who pay a yearly fee for an ad-free version of Ars Technica can use SSL right now. "What remains problematic is that when you're a media site that relies on advertising as your primary source of revenue, you really have to really be able to lock down and encrypt or have SSL sources for all of these different scripts and ad platforms you run."
While Ars Technica is talking to those third parties, Marlin says, "to be honest, some of them have no plans in the works." And using SSL to protect Ars Technica's own content, but not those scripts and plugins, could cause confusion among readers because many browsers display a warning if some elements of a page are SSL-enabled, but others aren't. "For a lot of readers, that browser warning is more ominous than not encrypting," Marlin says.
Marlin says Ars Technica doesn't have a firm timeline for when they might be able to implement SSL for all readers by default, but he says commenters have been calling for stronger privacy protections over the past year, "especially with the NSA revelations."
But he also doesn't think that having SSL is a cure-all. "It is a nice and easy way to mitigate some of the more obvious hacking possibilities," he says, but doesn't fix all possible vectors of attack and might lull users into thinking just because there's a locked icon up top, they are completely secure.
And Marlin is not sure how viable such a move is for all media sites right now. "I know that we have to support our business model first and foremost," he says. "People have to be realistic about what we can expect on privacy from media companies because there's always going to be a certain amount of tracking of user information either on ad networks or other means for just usage statistics."