In a prying world, news organizations are struggling to encrypt their online products

The old-fashioned newspaper, long maligned for its stodginess and sagging profits, has one advantage over high-tech alternatives: You read it. It never reads you.

The digital sources that increasingly dominate our news consumption, by contrast, transmit information across the fundamentally public sphere of the Internet, leaving trails visible to anyone with the right monitoring tools — be it your employer, your Internet provider, your government or even the scruffy hacker sitting next to you at the coffee shop, sharing the WiFi signal.

This is why privacy advocates have begun pushing news organizations, including The Washington Post, the New York Times and the Guardian, to encrypt their Web sites, as many technology companies increasingly do for e-mails, video chats and search queries.

The growing use of encryption — signaled by the little lock icon in your browser’s address box — has emerged as perhaps the most concrete response to Edward Snowden’s revelations about the ability of the National Security Agency to collect almost anything that exists in digital form, including the locations, communications and online activities of people worldwide.

It’s only fair, say privacy advocates, that The Post and other news organizations that broke these stories heed their key lesson: Online surveillance is pervasive and voracious, especially when data is unprotected.


(Richard Borge/For The Washington Post)

Among the issues potentially illuminated by what you choose to read, advocates say, are your health concerns, financial anxieties, sexual orientation and political leanings. A single article might mean little, but Big Data companies constantly collect and crunch a broad range of personal information to produce profiles of each of us.

“You could paint a pretty detailed picture of a person — their likes and dislikes — if you could see the articles they’re reading,” said Trevor Timm, executive director of the Freedom of the Press Foundation, one of several groups pushing for wider use of encryption.

Encryption may seem a stretch as a press freedom issue, far from what concerned the Founding Fathers when they enshrined the First Amendment in the Bill of Rights. Yet a free press operates best when the public can make reading decisions without fear that their government — or anyone capable of doing them harm — is looking over their shoulder.

Encrypting something as complex as a news site is enormously difficult, according to technical experts within the industry. Several major news organizations offered encryption for some elements of their sites in recent years but largely stopped when problems arose in displaying content quickly and cleanly to readers, said Peter Eckersley, technology projects director for the Electronic Frontier Foundation, which tracks the use of the technology.

In an era when news zings across the globe at the speed of light, making encryption work properly across an entire site is a challenge worth undertaking, advocates say. “No one has done it for real,” Eckersley said.

When a Chinese Internet user, for example, tries to follow international coverage of the looming 25th anniversary of the Tiananmen Square protests, that government’s Internet surveillance and censorship system, known as the Great Firewall, will know. Closer to home, British intelligence reportedly has monitored visits to a Web site for WikiLeaks, which while not a traditional news site shares enough similarities to illustrate risks to reader privacy.

Our stuff didn’t always spy on us. But much of it now can: phones, computers, cable boxes, Internet-ready cars and, soon enough, glasses, watches and even household appliances that continually track use over a “smart” electrical grid.

Whenever that information is transmitted over the Internet without encryption, it’s possible for others to see it, collect it and analyze it. The monitoring tools used by employers and universities can see every Web address accessed by a user. Hackers, using free software, can see the sites viewed by anyone sharing an unsecured WiFi signal. Government intelligence agencies such as NSA monitor Web traffic on a massive scale using equipment wired directly into the fiber-optic cables that form the essential arteries of the Internet.

Journalists have been slow to understand the role we have been playing in the surveillance rising all around us. But the moment newspapers put their work online — as this paper first announced plans to do in 1993, under the now-quaint headline, “Post to Launch Computerized Version of Paper; Service Will Send Information, Ads and Sound Effects to PCs Beginning Next Summer” — readers’ choices became exposed to potential collection and analysis.

It’s clear now that anything that’s potentially useful to anyone is vulnerable on the Internet. And while encryption is not perfect, routine deployment of this technology makes it far more difficult to conduct mass surveillance.

It also complicates the work of censors in China, Vietnam, Iran, Saudi Arabia and elsewhere because requests for articles, when encrypted, appear to anyone monitoring the Internet as a jumble of numbers and letters. Governments can block all the content flowing from encrypted Web sites but can’t choose to allow stories, for example, about President Obama’s latest political drama but not the travels of the Dalai Lama.

“All news Web sites should encrypt their content,” said Martin Johnson, a founder of GreatFire.org, which tracks China’s Great Firewall. (Like others with the group, he uses a pseudonym to evade detection by the government there.) “Not encrypting your content is like saying, ‘We are happy to allow censors around the world to selectively filter our content.’ ”

The prospect of outright censorship is not a small concern for news organizations. The Chinese government has blocked, to varying degrees and for various lengths of time, some of the largest Western news organizations after the publication of unflattering stories about that nation’s leaders and their families. The New York Times and Bloomberg News have been unavailable to online readers in China since 2012 and the Guardian since January, according to GreatFire.org. The Wall Street Journal’s Chinese-language site has been intermittently blocked there as well.

The Times, the Journal, Bloomberg and the Guardian all declined to comment about Web-site encryption.

It’s not just China that seeks to control the spigot of digital news and information. Several nations blocked YouTube in 2012 to keep a controversial film, “Innocence of Muslims,” from being downloaded. Turkey last month blocked YouTube and Twitter to damp the spread of an embarrassing audio recording that seemed to capture leaders discussing possible war with Syria.

There is no way to predict how such nations would respond to a major new move toward encryption. Yet as news organizations battle censorship, privacy issues run on a separate, parallel track. One concerns the ability of people — potential readers — to gain access to journalism. The other concerns the rights of those with access — actual readers — to enjoy whatever they please, privately.

The Intercept, a nonprofit news organization started this year by eBay founder Pierre Omidyar, former Guardian reporter Glenn Greenwald and several other journalists with experience reporting on surveillance, launched its Web site using encryption, providing readers with articles that are much safer from prying eyes. ProPublica, another nonprofit group, offers encryption as an option for readers who know to activate it. Neither relies on ad revenue.

The Post is considering a similar move and has in recent weeks begun experimenting with encryption, said Shailesh Prakash, the company’s chief information officer and vice president for digital product development. If the tests underway are successful and encryption is made easily available throughout the site, The Post could become the first major traditional news organization to protect its users’ privacy in this way.

“I fundamentally believe that this is good for our readers,” Prakash said. “If we can get the experience right for our readers, I feel this is the right thing to do.”

(Disclosure: I advocated this move internally at The Post, with Prakash and others.)

Encryption technology has become less expensive and technically demanding in recent years, in part because computers increasingly have the power to encode and decode Internet traffic rapidly without slowing transmission to a noticeable degree.

Modern browsers can instantly determine, by checking a digital security certificate, the authenticity of a site that offers to make an encrypted connection, typically using a Web address that starts with “https” rather than the more familiar “http.” The “s” is for “secure,” and the Internet traffic that flows on such connections can be read only by the sender and its intended recipient.

Hackers can still break into individual computers, snatching digital communications before the content is encoded or after it’s decoded. But simply reading everything that flows across the Internet becomes very difficult — even for intelligence agencies, criminals and censors.

Encrypting a Web site as elaborate as The Post’s would require substantial resources, as well as time to work out whatever issues arise.

Most Web sites consist of many different elements — for The Post, articles, ads, videos and much more — that your computer’s browser assembles seamlessly and almost instantaneously on the screen. If some of those elements are encrypted and others are not, browsers will balk.

Companies that help sites deliver their Web content often charge substantially higher rates to use encryption, and many ad networks don’t support it at all. Prakash said The Post, in its initial testing, has run into snags with ads not displaying properly when technicians try to encrypt Web pages.

Ars Technica, a site for technology news, has been trying to encrypt its traffic for a year but keeps hitting unexpected problems, such as how to handle links to videos and other outside content that is not encrypted.

The site wants to push ahead but may have to accept that it’s not practical to encrypt everything that’s embedded in its pages. It may resort to erecting signposts for readers warning them when they are moving to an unprotected page, said Jason Marlin, the director of technology for Ars Technica.

“We’d love to lead the way and solve it, and show others how to do it,” Marlin said.

But shifting from an encrypted page to an unencrypted one causes some browsers to issue stark warnings that can alarm readers. And some browsers have begun refusing to display pages that have a mix of encrypted and unencrypted elements — a development that has chilled experimentation by some news sites.

“This is a technically very hard thing to do, and a lot of sites struggle to do it,” said Matthew Prince, chief executive of CloudFlare, a company that delivers encrypted content for Web sites securely and without major new costs. He said that fewer than 3 million of the Web’s 650 million sites use SSL, the most popular form of encryption.

This list of sites that encrypt successfully is weighted toward online retailers and financial institutions, but privacy groups such as the ACLU and Electronic Frontier Foundation have also encrypted their sites. EFF also has developed a tool called HTTPS Everywhere — a reference to the encrypted “https” version of Web addresses — that activates encryption for any site that offers it as an option.

Privacy advocates, however, favor encryption by default, meaning that it’s used automatically whenever a browser capable of supporting it logs on. Only the most antiquated browsers, such as Microsoft’s Internet Explorer 6, struggle with encryption.

Web sites that encrypt their traffic may still track their users to gather valuable information. Google is among the world’s leading companies in adopting encryption by default, but it still analyzes its users’ e-mails, search queries and Web browsing for clues to what ads they might respond to. That’s how Google makes its multibillion-dollar profits.

Pretty much any company that gives away content for free, including The Post, analyzes readers’ choices to target ads more effectively and make more money. But for anyone else tempted to look at what you’re reading, encryption provides a rare measure of privacy in our relentlessly wired, surveilled world.

Craig Timberg is a national technology reporter for The Post.
SECTION: {section=business, subsection=technology}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, includevoteofftopic=false, allow_videos=false, childrenitemsperpage=3, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, includesorts=true, includeheader=true, defaulttab=all, includeverifiedcommenters=true, includerecommend=true, maxitemstop=3, includereport=true, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: {allow_comments=true, allow_photos=false, allow_videos=false, comments_period=14, comments_source=washpost.com, default_sort=, default_tab=, display_comments=true, is_ugc_gallery=false, max_items_to_display=15, max_items_to_display_top=3, moderation_required=false, stream_id=}!!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, includevoteofftopic=false, allow_videos=false, childrenitemsperpage=3, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, includesorts=true, includeheader=true, defaulttab=all, includeverifiedcommenters=true, includerecommend=true, maxitemstop=3, includereport=true, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Comments
SECTION: {section=business, subsection=technology}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, includevoteofftopic=false, allow_videos=false, childrenitemsperpage=3, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, includesorts=true, includeheader=true, defaulttab=all, includeverifiedcommenters=true, includerecommend=true, maxitemstop=3, includereport=true, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: {allow_comments=true, allow_photos=false, allow_videos=false, comments_period=14, comments_source=washpost.com, default_sort=, default_tab=, display_comments=true, is_ugc_gallery=false, max_items_to_display=15, max_items_to_display_top=3, moderation_required=false, stream_id=}!!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, includevoteofftopic=false, allow_videos=false, childrenitemsperpage=3, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, includesorts=true, includeheader=true, defaulttab=all, includeverifiedcommenters=true, includerecommend=true, maxitemstop=3, includereport=true, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Show Comments
Most Read Business