The Washington PostDemocracy Dies in Darkness

Washington Post starts to automatically encrypt part of Web site for visitors

June 30, 2015 at 12:01 a.m. EDT
A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris in this April 15, 2014 file photo.  (REUTERS/Mal Langsdon/Files)

The Washington Post will begin encrypting parts of its Web site Tuesday, making it more difficult for hackers, government agencies and others to track the reading habits of people who visit the site.

The added security will immediately apply to The Post's homepage as well as stories on the site's national security page and the technology policy blog The Switch. The encryption will roll out to the rest of the site over the coming months.

"The biggest gain is letting users feel secure," said Shailesh Prakash, the company's chief information officer.

Most browsers will note the added security with a display icon, a small lock, in the Web address bar. Secure sites also start with the letters "https" rather than "http." (The S is for secure.)

Encrypted traffic is standard for many sites, including online banking and Web-based e-mail services, and is becoming increasingly common across the Internet. The Obama administration has made encrypting traffic a priority: Earlier this month, the White House ordered all public federal Web sites to start using https technology by the end of 2016.

But the news media has lagged. Last year, the New York Times published a blog post challenging news organizations to begin automatically encrypting their sites' traffic by the end of 2015. But the Times has yet to make the security feature automatic for its readers.

Although some smaller online-only outlets, including the Intercept and TechDirt, use https technology by default, The Post is the first major general news organization to roll out the added security measures to all of its readers.

Almost everything a user does on the Web leaves a trail of digital bread crumbs. And a person's news habits can be especially revealing, privacy advocates say.

"The articles you read paint a picture of your life. They can reveal your political interests, suggest your sexuality, your interest in medical issues and other sensitive topics that are really no one else's business but your own," said Christopher Soghoian, a privacy researcher and technologist with the American Civil Liberties Union, who has long urged news organizations and other groups to encrypt their Web sites.

The type of encryption being rolled out by The Post, known as https or SSL, establishes a private connection between the Web site and the user, making spying or hijacking Web traffic much more difficult.

The technology also has the potential to make online censorship more difficult for government regimes: When visitors go to a site using the technology, someone monitoring their traffic can only see the domain they are visiting - not the specific page. So a country won't have the option to filter only some content; it would be forced to block an entire site.

The Post expects there to be some drop-off in online advertising revenue in response to the change, although it is unclear how much, said Jeff Burkett, the company's senior director for sales operations and product strategy. The new security measures will require advertisers to make sure their content is also secure, an extra step that may drive some away, he said.

The Post will monitor the site to make sure ads are secure.

"Every third party we use on the site needs to be https-compliant, or it either stops working or the browser will warn about it being insecure," said Greg Franczyk, chief digital architect of The Post's Web site. That will include content from advertising partners, but also content that reporters embed in their stories, such as videos or social media posts.