Five years of Secure The News
Harris Lapiroff
December 22, 2021
At the end of 2016, Freedom of the Press Foundation launched Secure The News to track and grade HTTPS adoption by news organizations, with the goal of motivating more news organizations to offer this critical security and privacy feature to their readers. Today, five years later, we’re happy to say that this goal has been largely achieved, and we are retiring the project while archiving and preserving its historical data.
HTTPS is a foundational building block of the secure web. It’s the protocol that ensures the connection between a reader and a website is encrypted such that information about their activity — articles they’re reading, quizzes they’re taking and more — is safe from prying eyes. HTTPS protects web users from eavesdroppers, be they criminals sniffing packets on public Wi-Fi or governments with access to raw traffic logs.
When Secure The News launched in 2016, HTTPS had been increasingly adopted by tech giants and e-commerce sites, but only 53% of the news sites we were tracking supported HTTPS at all — and only 13% made it the default way for readers to connect. As Wired reported on the project at its launch: “For now, it's a grim report card: 75 of the 104 sites received a D or F, and only 4 received an A for their encryption efforts.”
Threats to press freedom around the world are at an all-time high. Sign up to stay up to date and take action to protect journalists and whistleblowers everywhere.
Thanks for signing up for our newsletter. You are not yet subscribed! Please check your email for a message asking you to confirm your subscription.
Wired continued:
The goal of that harsh grading, says FPF engineer Garrett Robinson, is to pressure the majority of news sites that haven't considered implementing encryption to add it, and to incentivize those who do use it to make security tweaks that won't ever be visible to most visitors. "We're trying to promote the adoption of best practices for digital security by news organizations with the intention of protecting the security and privacy of their readers, their sources, and their employees," says Robinson. "This ought to be the standard for the web and for the news industry."
Almost immediately, after journalists saw their employer was getting a ‘D’ or ‘F’ score on Secure The News, things began to change. Many news outlets, including the New York Times, started citing Secure The News in their announcements about switching their sites to HTTPS.
We thought some sites would be miffed at us for all the low grades, but the opposite was true: IT staff at major outlets would email us thanking us because they were able to use the Secure The News scoreboard to convince their bosses they needed to make the switch. In the most notable example, a sysadmin at a large news outlet emailed us to point out an error: his outlet’s Secure The News score was actually too high. He wanted to make sure his outlet was getting a failing grade, so he could then show his bosses they needed to invest in HTTPS.
As of our final scans this month, 99% of the 135 news sites in our database supported HTTPS and 98% of them made it the default way for readers to connect. There are, of course, many reasons why so many news websites are now encrypted by default, and Secure The News was only one factor. It is thanks to a massive combined effort of news organizations and the larger open web community, but the results are clear: a huge privacy and security win for news readers.
A site is considered passing if it passes a test more often than it fails in a given month. Code
We also tracked more detailed security measures. Fifty percent of news sites have added the HTTP Strict Transport Security header, or HSTS, that instructs modern browsers to only connect using HTTPS. In 2020 we also added tracking of news websites that had an “Onion service,” a technology that allows users to access websites with a high degree of anonymity using Tor. While the number of news sites providing Onion services remains small — it grew from 3% to 4% over the course of our tracking — we hope to see this number continue to rise as news organizations take more measures to protect their readers.
This project has officially sunset, but you can view a copy of it through the Internet Archive. We’re also making available the results of every scan we’ve run since the project launched as a bundle of JSON files: Download the data archive.
We continue to fight for privacy, security, and press freedom through SecureDrop, The U.S. Press Freedom Tracker, digital security trainings and resources for journalists and organizations, and more. If you have ideas for ways you'd like to see Freedom of the Press Foundation advocate privacy and security in the news in the future, please let us know!