August 28, 2015 | By Parker Higgins

Russia's Wikipedia Ban Buckles Under HTTPS Encryption

Dueling forces of encryption and government censorship came to a head in Russia this week in the form of an order to block Wikipedia. One Wikipedia article in particular (about charas hashish) was deemed to run afoul of the country's restrictions on content related to drugs. This is just the latest in a deeply troubling campaign of censorship—but because the Wikimedia Foundation uses HTTPS-encrypted connections for all of its sites, the government was left with only the option of ordering the entire site blocked, or leaving the offending page accessible.

The Russian Wikipedia article on charas hashish.

That's because HTTPS encryption protects not just the contents of the communications between browsers and the web sites they're visiting, but also the specific pages on those sites—in other words, everything "after the slash" in a URL.

Contrast that to when you visit an unencrypted site, like a New York Times article: that connection can be monitored by your ISP, the network operator (like your employer, if you're on a work network), or even others on the same wireless connection. There are obvious privacy implications here—after all, that's a lot of people who can look over your shoulder—but also, if you combine that eavesdropping ability with a governmental power to mandate blocks, the result is censorship that can be very granular. Visits to a particular page can be identified and blocked; even keywords in the text of a web page can trigger censorship.
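What an on-path observer can recover in each case, as an added example that is not part of the original article: a plaintext HTTP request exposes the page path, while for HTTPS the only name on the wire is the hostname the client sends unencrypted in the TLS handshake (Server Name Indication), which is why a filter is left with a whole-site decision. The hostnames and path are placeholders, and the ClientHello is generated locally by Python's `ssl` module and never sent.

```python
import ssl
import struct

def client_hello(hostname):
    """Real TLS ClientHello bytes from the stdlib ssl module; nothing is sent."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for a ServerHello
    return outgoing.read()

def sni_from_client_hello(data):
    """Walk the ClientHello and return the server_name extension value, if any."""
    pos = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]                                # session id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
    pos += 1 + data[pos]                                # compression methods
    end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        pos += 4
        if ext_type == 0:                               # server_name extension
            # layout: list length (2), name type (1), name length (2), name
            name_len = struct.unpack_from("!H", data, pos + 3)[0]
            return data[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def observer_view(first_bytes):
    """What a passive on-path observer learns from the client's first bytes."""
    if first_bytes[:1] == b"\x16":                      # TLS handshake record
        return {"scheme": "https", "host": sni_from_client_hello(first_bytes), "path": None}
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    _method, path, _version = head[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in head[1:])
    return {"scheme": "http", "host": headers.get("Host"), "path": path}

# Constructed sample: a plaintext request for a hypothetical article path.
HTTP_REQUEST = b"GET /wiki/Example_article HTTP/1.1\r\nHost: news.example\r\n\r\n"

if __name__ == "__main__":
    print(observer_view(HTTP_REQUEST))                  # host and path both visible
    print(observer_view(client_hello("wiki.example")))  # host only; path is encrypted later
```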

That leads to the argument that granular censorship is preferable in certain cases, because more material is allowed to stay up and accessible. A major counter-argument to that point has long been that blocking large chunks of the Internet is more disruptive, and not as easily enforced, and so less likely to happen at all. Extreme censorship measures are more visible: they encourage residents in those countries to note the existence of censorship, and to learn about and adopt censorship circumvention technologies, which are in many cases also more secure against government snooping. That visibility also nudges governments away from blocking altogether.

These two arguments were both set forward when the Wikimedia Foundation was considering implementing HTTPS across all its sites. Ultimately, the policy preferred by supporters of the second argument prevailed, and Wikimedia adopted full HTTPS. This week's example of Wikipedia in Russia is one of the first few test cases of governments forced into an all-or-nothing blocking choice; fortunately, it provides at least anecdotal evidence that the theory works. After just a few hours of blocks, Russia reverted its policy, claiming the material had been taken down. (It hadn't, according to Wikipedia editors, though the title and URL of the page had been changed.)

This isn't the first time censorship efforts have been dialed back in the face of HTTPS leading to governments conspicuously overblocking. The government of China briefly suspended access to GitHub over a handful of software repositories, but relented in the face of public pushback. Similarly, the government of Iran has only occasionally blocked Google services, despite its now-discontinued Reader serving as a proxy for unfiltered news from the open web.

The case for news sites to adopt this kind of encryption, then, is obvious. Unfortunately, for a handful of reasons, the major outlets have been slow to do so. Independent publications like Techdirt and The Intercept were early adopters; The Washington Post became the first major general news organization to do so earlier this summer.

Of course, while HTTPS encryption and other censorship-resistant technologies can help, it would be an oversimplification to boil these issues down to purely technical questions. Countries can block foreign sites en masse, and encourage self-censoring domestic alternatives to emerge. Local sites are much more vulnerable not only to government demands to remove data, but more insidious forms of control. For instance, Russia has also instituted a data retention mandate for sites, set to go into effect on September 1, which includes provisions that will oblige foreign sites to store their logs on local servers, or risk blocking.

Encrypting traffic on the wire is important, but it matters far less if law enforcement can demand you keep—and hand over—access records. That's one reason we oppose data retention mandates where they're proposed—including, recently, in Paraguay and Peru. It's also an important reminder to encourage more users to learn how to use anonymity software, like Tor, to better protect themselves from data collection. But the same calculus may well operate with Russia's data retention bill. Will Russia consistently enforce compliance, or will the economic and popular cost of blocking major websites stay their hand? Will foreign companies, out of fear of being locked out of Russia's market, decide to hand over their users' data to the Russian authorities? Or will they stand firm as Wikipedia did with HTTPS, and see the authorities blink?

Online censorship and surveillance are just one element in a pattern of human rights abuses. Web site operators and members of the online community bear an important responsibility to encourage the kinds of security measures that can protect people—and when facing off against invasive measures, may have more power than they realize.
