Love thy reader, securely

“Mass surveillance, interception, and metadata collection is all around the Internet, and HTTPS is the first step we must take to make our readers feel secure.”

Thanks to the Internet, we’re reaching new audiences all over the world, including some places where we’re not exactly welcome.

basile-simonIs there any reason we wouldn’t want to protect our readers? Or worse: Is there any reason why, through our inaction, we would want to endanger them?

Surely we’d give the nay to both these questions, but let’s face it: We’ve been doing nothing more than paying lip service to issues like security, data protection, and censorship. We are not protecting our readers. And we are endangering many of them. In some cases, we even fight them back when they try to protect themselves.

2015 was supposed to be the year we all moved to HTTPS — sadly, it didn’t happen. HTTPS provides a first layer of security for our digital news offerings. It guarantees the authenticity of our content through certificate authorities. Most importantly, because all traffic is encrypted over HTTPS, individual browsing histories are protected from curious eyes. This encryption also helps prevents Man In The Middle (MITM) attacks — where content is altered or even completely removed.

Some governments, though, are exploiting the lack of attention news orgs have given to security to spy on their own cititzens. The Freedom of the Press Foundation’s call to the news industry to switch to HTTPS to “protect the integrity of their content and the privacy of their readers” hasn’t been followed by enough action.

But there’s also a case for delivering our content to people who cannot access it at the moment because of state censorship. Whether this is done by putting us out there on Tor or by pushing on-demand content through encrypted messaging apps, there’s a business opportunity to reach more and more people. However, the technical means to protect them will have to be kept in the minds of editors, executives, project managers, and developers alike.

We didn’t welcome nearly enough the first initiatives in the secure communications space (e.g. Tor, Signal/TextSecure, Telegram), and we might want to pay a little bit more attention to these, as we desperately need more and more innovation in this space to help us.

Mass surveillance, interception, and metadata collection is all around the Internet, and HTTPS is the first step we must take to make our readers “feel secure,” as The Washington Post put it when they made the move to HTTPS in June 2015. So what is the rest of the industry waiting for?

Also in 2016, the industry will understand the rationale behind ad-blocking. We will get that our ads make our web sites dreadfully slow on mobile, costing our readers money downloading all that extra ad-serving data.

We’ll stop giving up valuable screen real estate to dodgy third parties whose ads often contain malicious code and/or trackers. We’ll finally deny them precious access to our audience’s reading habits.

We will explore other ways of generating revenue from our audiences: better, less intrusive, lighter ads; sponsored content; publishing on streamlined platforms such as Apple News, Google AMP, and Facebook Instant Articles. Sure, this will involve some difficult chats with advertisers, But frankly, we’re not making much money off online advertising as it is, and those difficult chats should be happening already.

We already have a blueprint, initial though it may be, for changes we can make to protect our readers. There’s ample opportunity for truly innovative and experimental developments in secure distribution of news.

Some solutions may depend on collaborations between news organizations, publishers, or departments. We all stand against censorships and abuse of any kind. Let’s get together, because we all depend on our readers and audiences, and we even owe them many things — chief among them respect.

Basile Simon is a hacker/journalist at BBC News Labs.