With today’s passage into U.K. law of the Investigatory Powers Bill — which requires British ISPs to retain the web browsing activity of their customers for a full year, and allows access to that history to government organizations from the GCHQ to the Food Standards Agency — I thought it would be helpful to highlight a simple strategy for Britons to protect their right to privacy: HTTPS.
Eric Mill, writing last year for Vice:
“In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.
“What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.”
It’s simple, but it’s not easy — Mariot Chauvin and Huma Islam of the Guardian explain some of the hurdles they encountered when transitioning their massive web property to HTTPS. Even for my relatively tiny site, ensuring that HTTPS works really well took a little bit of effort.
I believe it’s worth the effort for all websites to implement HTTPS. While national security concerns are very real, the logical conclusion to solving investigational gaps is not bulk surveillance for entire countries.
Update: Bruce Schmoetzer reminded me that Let’s Encrypt allows users to create HTTPS certificates for free. However, maintaining the certs can be a pain in the ass if you do it yourself. Some web hosts now support Let’s Encrypt within their administrative panels, and it’s typically all managed for you; that’s probably the most straightforward route to take.