HideTechdirt is off for the long weekend! Looking for something to read instead? Check out our new Working Futures anthology »
HideTechdirt is off for the long weekend! Looking for something to read instead? Check out our new Working Futures anthology »

Should Wikipedia Force All Users To Use HTTPS?

from the politics-of-encryption dept

It would be something of an understatement to say that encryption is a hot topic at the moment. But leaving aside deeper issues like the extent to which the Internet's cryptographic systems are compromised, there is a more general question about whether Web sites should be pushing users to connect using HTTPS in the hope that this might improve their security. That might seem a no-brainer, but for the Wikimedia Foundation (WMF), the organization that runs Wikipedia and related projects, it's a more complex issue.

The problem is that HTTPS access is disabled in some countries precisely to prevent users from being able to access sites securely. So when Wikimedia introduced its HTTPS-by-default policy on August 28, it made a couple of exceptions:

Some users live in areas where HTTPS is not an easy option, most times because of explicit blocking by a government. At the request of these communities, we have made an explicit exclusion for users from those affected countries. Simply put, users from China and Iran will not be required to use HTTPS for logging in, nor for viewing any Wikimedia project site.
An interesting post by Erik Möller, the WMF's Deputy Director, raises the question whether such exceptions help or hinder freedom in those countries:
In the long term, the Wikimedia movement is faced with a choice, which is inherently political: Should we indefinitely sustain security exceptions for regions that prevent the use of encryption, or should we shift to an alternative strategy?
Here are some of the considerations he mentions:
If we accommodate [China]'s or Iran's censorship practices, we are complicit in their attempts to monitor and control their citizenry. If a privileged user's credentials (e.g. Checkuser) are misused by the government through monitoring of unencrypted traffic, for example, this is an action that would not have been possible without our exemption. This could potentially expose even users not in the affected country to risks.
Möller goes on to suggest the following:
It could be argued that it's time to draw a line in the sand -- if you're prohibiting the use of encryption, you're effectively not part of the web. You're subverting basic web technologies.

Drawing this hard line clearly has negative near term effects on the citizenry of affected countries. But the more the rest of the world comes together in saying "What you are doing is wrong. Stop it." -- the harder it will be for outlier countries to continue doing it.
That may have been a defensible position last week, when he wrote those words, but it certainly isn't now. Snowden's information about efforts by the NSA and GCHQ to undermine every form of online encryption shows how they are "subverting basic web technologies" in a profound way; it is therefore no longer possible for the West to wag a finger at countries like China that are doing the same. However, Möller also points out:
There _are_ effective tools that can be used to circumvent attempts to censor and control the Internet. Perhaps it is time for WMF to ally with the organizations that develop and promote such tools, rather than looking for ways to guarantee basic site operation in hostile environments even at the expense of user privacy.
This is surely a better strategy. It would allow Wikimedia users in countries where HTTPS is blocked to access Wikipedia and related projects in a discreet way. Such circumvention tools could also be useful for many other sites that face the same problem, and so would be a force for combating censorship and control in general. Finally, if the privacy situation in the West continues to deteriorate, the software might even come in handy there, too.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: challenges, filtering, https, security, wikipedia
Companies: wikimedia foundation, wikipedia


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  1. icon
    AdamBv1 (profile), 11 Sep 2013 @ 9:15am

    Re: Re:

    This right here. We have a chance to effectively put them back to the time when even collecting this information on this scale was impossible. Suddenly collecting it all won't do them any good as they can't read it all.

    Plus once we get in the habit of of using encryption for everything then switching out current encryption for stronger types should be easier because its no longer an afterthought only some people worry about.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.