A New Harvard Study Found a Decrease In Censorship Following HTTPS Migration in 2015
Wikipedia, which is one of the most popular sites in the world and the largest free encyclopedia, has been a frequent target for partial or complete censorship by certain governments.
In June 2015, Wikipedia became HTTPS-only, in an effort to make browsing more secure and provide privacy to its users around the world.
While we can all agree that HTTPS is A Great Thing, it’s privacy benefits can actually pose a problem when a government is committed to censorship. “HTTPS prevents censors from seeing which page a user is viewing, which means censors must choose between blocking the entire site [or] allowing access to all articles.”
A main goal of Wikipedia’s mission is to make information freely accessible to the world. Wikipedia was taking a gamble when they moved to HTTPS-only. Would the change increase accessibility to their millions of pages of free knowledge? Or would it lead to harsh crackdowns, cutting some countries off from the site entirely?
A new study from Harvard University’s Internet Monitor answers the question.
Measuring internet activity in 15 countries known to have human rights issues, the study looked at all 292 of Wikipedia’s localized language sites and measured traffic from Wikipedia’s server and client computers located in the countries. This gave them visibilities on both sides of the connection and gave them a better understanding of how access to Wikipedia was handled.
The comprehensive study found that Wikipedia’s HTTPS-only transition has not lead to wide-spread censorship. In fact, the use of HTTPS has actually decreased the observed amount of censorship activity.
HTTPS, Privacy, and Censorship
HTTPS encrypts the URLs you are accessing. It’s still possible to know the hostname you are connecting to – such as “Wikipedia.org” or “WebMD.com.” But anything after the “/” is only known between you and the server.
For general purpose sites – like Wikipedia or Google – this provides you with a good amount of privacy as internet monitors can’t tell if you are looking at an article on censorship in China or a new species of gecko. When the hostname reveals the site’s purpose – like “WebMD.com” does – you have less protection because they know it’s something related to medicine or health.
This is one of the major privacy benefits of HTTPS. It gives internet monitors – such as governments and ISPs aggregating your search history for advertising – a lot less information about your specific activity. However, it also raises concerns when it comes to censorship because it could lead to a ‘blanket ban’ approach.
For example, one of the methods used for internet censorship in Iran involves keyword-filtering URLs. This allows them to block any URL with an undesired word in it without blocking other URLs on the same site. When Wikipedia was available over HTTP, this allowed them to selectively block pages while leaving the rest of the site accessible.
So when Wikipedia restricted their site to HTTPS only in 2015, there were concerns that this would increase censorship because governments only had two choices: block all of Wikipedia, or block none.
The Internet Monitor’s study has found that for the most part, these fears were unfounded. Overall, “there was less censorship in June 2016 than before Wikipedia’s transition to HTTPS-only content delivery in June 2015.”
They found that there was no evidence of censorship in 11 of the 15 countries. In Uzbekistan and Thailand there appeared to be intermittent censorship of Wikipedia. A lack of data and access in Syria and Saudi Arabia was not conclusive, but there was suspicion of censorship/interference.
In many of the studied countries – including Saudi Arabia, Indonesia, Vietnam, and Iran – there had been evidence that a handful of pages were being blocked before Wikipedia’s HTTPS transition. Those countries have now opted not to block the entire site over a handful of ‘offensive’ pages.
Unfortunately, some countries are now taking a more aggressive stance on internet censorship. Since the conclusion of the study, Turkey has blocked Wikipedia in its entirety.
China – who already has The Great Firewall, the most sophisticated internet censorship tool – is developing their own competitor to Wikipedia. Some have speculated this will allow them to put more restrictive blocks on Wikipedia. China has censored “zh.wikipedia.org” – the native Chinese version of Wikipedia – for years. Since 2015 (slightly before Wikipedia became HTTPS-only) they have blocked that version entirely, but the 291 other language versions are accessible.
Kazakhstan proposed their citizens install a “national security certificate” – a root certificate owned by the government that would allow them to man-in-the-middle their connections (though its unclear if they ever enforced the law). They later tried, unsuccessfully, to have the root certificate trusted by Firefox. In this scenario, the privacy protections of HTTPS are defeated because the “middle” party can decrypt and read the data – essentially turning the connection back to HTTP.
Internet censorship has in no way been defeated, but this study gives us concrete evidence that HTTPS can be an effective tool in combating censorship and monitoring.