More than a year after Edward Snowden first blew the whistle on indiscriminate government spying on Internet users, most countries are still dragging their feet on policy reforms, whilst some – like the UK – are regressing. But political stalling is no excuse for the private sector to sit back. There is plenty that tech companies can and must do themselves to protect our privacy – as Snowden himself recognised when he argued that companies could make mass surveillance “impossible” by implementing end-to-end encryption..
So what is the significance the recent announcement by Google that it will begin to prioritise secure sites (those using HTTPS/TLS) in search results?
In short, Google will begin to use HTTPS/TLS as a ranking ‘signal’. That means that if all other factors are equal, a site using HTTPS will rank higher in results than a site that just uses HTTP. At first this signal will be weak “affecting fewer than 1% of global queries” according to Google – but they add: “over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
This is an important step forward, especially considering Google’s overwhelming dominance of global search. Following previous steps to beef up Gmail encryption, it’s a further sign that the company is serious about tackling the gaping holes in user security exposed by Snowden. We urge other search providers to follow Google’s lead immediately.
But tweaking search rankings to reward HTTPS compliance is not enough. Making HTTPS a success has significant financial and practical costs, and tech companies must take concerted action to make sure these costs won’t discourage or penalise smaller Web users, especially in the developing world.
HTTPS certificates cost money. The costs are negligible for large companies or wealthy individuals in the Global North, but for smaller businesses or individuals in developing countries, the $30 – $100 in annual costs typically required could be prohibitive. In India, 68% of the population are estimated to live on less than $2 per day (World Bank, 2010). Is it realistic to expect the average blogger or NGO in this country (and many others) to pay for a certificate? And if not, should their voice be less powerful in search rankings?
Getting certified can be a hassle. Again, this is going to hit marginalised voices hardest of all. A major Western organisation will have the staff and expertise to comply, but we need to ensure everyone, everywhere can get certified as easily as possible, or we will just end up magnifying dominant voices on the Web. This is a good opportunity for small ethical startups to walk the extra mile for their users all over the World and take both the business and the social opportunity to help their users in a decentralized way.
HTTPS can slow sites down. Granted, the effect is relatively minor when connections are fast. Yet in many countries where connection speeds remain slow, this could have a significant impact on access to information and drive users away from HTTPS sites. Commentators have also raised other various technical issues, including those around static IP addresses.
Luckily, tackling these barriers should not be hard, especially for well-resourced companies like Google (whose earnings last quarter amounted to almost $16bn). The following steps will go a long way to make the Web safer for everyone, without marginalising smaller voices and developing world innovators. We’re calling on major Web businesses to
1. Follow Google’s lead and incentivise HTTPS adoption by customers and suppliers – as well as adopting HTTPs and enhanced encryption for all of their own services, websites and applications.
2. Create a mechanism to dramatically reduce or eliminate the costs of obtaining SSL certification for qualifying non-profits, micro users and SMEs. This could include offering free or heavily discounted certificates (as software companies have been doing for years now through TechSoup) or supporting start-ups that provide low-cost certification.
3. Establish a multi-lingual training portal to provide simple, user-friendly ‘how to’ guidance for those who want to adopt HTTPS for their sites.
4. Invest more in technical efforts to improve HTTPS, tackle latency issues and tackle its security flaws, while also accelerating development of new and better security solutions. This could include the establishment of a collaborative expert group, investment in research and subsidies for small actors and a commitment to transparency and due diligence when there are breaches in the security architecture. We learned from the OpenSSL "heartbleed" saga that this is essential – vital security components we rely upon are either fragile in their trust (see Diginotar case), underfunded or both.
The Web We Want promotes the protection of personal user information and the right to communicate in private. This progressive move by Google is a significant step towards making this the rule, rather than the exception. Now, it is time to step up efforts to fix the architecture and make it really easy for small actors to adopt.
What do you think? Let us know in the comments below or on Twitter via @webwewant.
(Note: Our sites are largely set to HTTPS by default – both webwewant.org and webfoundation.org are fully HTTPS. However, on our sites a4ai.org and thewebindex.org, content and data rich pages are sluggish to load on slow connections if we force HTTPS on all pages. Since these sites contain vital information for those fighting for a free and open web in the developing world, we’ve decided to set only the sensitive pages of those sites – such as contact forms – to HTTPS to enhance access to information. We’re a real life case study of the tough decisions facing those who want to balance user security with access to information.)