January 28, 2016 | By Parker Higgins

Medium's Sitewide Encryption Confronts Censorship in Malaysia

Blogging platform Medium is now blocked in Malaysia, apparently in an effort to censor an investigative news outlet critical of the government. The Sarawak Report has mirrored its articles on Medium at least since its own site was blocked in mid-2015, when it published allegations of corruption.

Medium's legal team has done an admirable job keeping the relevant post online in the face of government demands. It's published an account saying the company "stand[s] by investigative journalists" and that the post will stay up until it "receive[s] an order from a court of competent jurisdiction." But this story also demonstrates the censorship-resistant properties of online encryption like HTTPS, which Medium has enabled across its entire site.

That's because HTTPS conceals information both about what particular page readers are viewing, as well as the contents of that page, from people snooping on their connection. That's important, because unencrypted connections can face a wide range of eavesdroppers, all the way from other people sitting in the same coffee shop, to members of the same household, to employers providing a computer at work, to Internet service providers, to governments—anybody who can insert themselves between you and the website you're trying to visit.

With an encrypted connection, those eavesdroppers get only the domain of the site—in this case, medium.com—not which particular blogger or article you're reading. That makes for more privacy, in that particular reading habits are not as easily surveilled and analyzed.

Of course, the eavesdroppers also can't read the contents of the pages. In the case of news sites, like the Sarawak Report, that might seem like a moot point. After all, unlike private messages, the contents of the articles are visible for anyone who looks through the site. But taken together, these two properties mean that the government can't analyze individual pages in transit for keywords to trigger blocks.

As a result, governments seeking to block individual pages are forced to make much more conspicuous and disruptive moves against entire domains. On numerous occasions, we've seen those governments back away from wholesale censorship where granular censorship was not an option—in China, it was GitHub; in Iran, it was Google Reader (serving as a proxy for general news sites); and last summer in Russia, it was Wikipedia.

So it's important that sites turn on HTTPS by default. And some—though still far too few—have begun to do so. The Washington Post has started across some sections of its site. The New York Times made an impassioned call for news outlets to implement it by the end of 2015, but still hasn't made the transition. Sites like Techdirt, The Intercept, and EFF's own Deeplinks have long been HTTPS-only. The Freedom of the Press Foundation, which helps develop and fund tools to protect press freedom and reader privacy, has encouraged more news sites to follow suit.

Medium and the Sarawak Report have made a good choice in using infrastructure that is harder for would-be censors to subvert. For people affected by this local block, we recommend reading up on tools like Tor, which can be used to circumvent censorship and anonymize your traffic.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

We're glad to see that adoption of HTTPS encryption has skyrocketed. https://pardonsnowden.org/new... h/t @PardonSnowden

Oct 20 @ 12:42pm

The Student Privacy Pledge stops short of fully protecting students and their information. https://www.eff.org/deeplinks...

Oct 20 @ 10:44am

Snowden's effect on tech? People have adopted better security habits.

Oct 20 @ 10:06am
JavaScript license information