NPR gets failing grade for website security in survey of HTTPS encryption

Print More

(Photo: Santeri Viinamäki/Wikimedia Commons)

NPR is among numerous media websites that received low marks in a study of website security.

A report from the Freedom of the Press Foundation released Thursday gave nearly half of 105 media outlets surveyed a failing grade for a relative lack of HTTPS encryption on their websites. Nonprofit news outlet ProPublica received one of the highest grades.

According to FPF, news sites should use HTTPS encryption because it “protects the privacy and security of both its readers and journalists from a variety of malicious actors. HTTPS can also act [as] an important anti-censorship tool against authoritarian regimes.” When a web user visits an HTTPS-secured site, their web browser will show a lock next to the website’s URL.

On sites using only HTTP, “attackers can potentially see the search terms or articles you are reading, spy on your username and password, or spoof a website to steal your personal information,” the report said. “Unencrypted HTTP traffic is also easier to filter and block, allowing for selective censorship of articles, subjects, specific reporters or outlets by authoritarian governments.”

The report will continue to update grades for outlets as they improve their sites. Patrick Cooper, NPR’s director of web and engagement, told Current the network plans to “jump up this list in 2017.”

“We’ve long handled user data securely, such as with registration and login, and we’ve now expanded that mission to all data we serve,” Cooper said in an email. “That data includes podcast feeds, NPR.org, NPR One, our APIs and news apps, and more.”

NPR added HTTPS to all of its podcasts earlier this fall and is in the process of serving audio, images and scripts through HTTPS. “We’re narrowing down the pieces we need in place to throw the bigger switches,” he said.

NPR was the only public broadcaster on the report. Of more than 60 websites of public radio news stations that Current visited, only five were using HTTPS in a way that was evident from visiting the home page: WBEZ in Chicago, WABE in Atlanta, Arizona Public Media, Nevada Public Radio and Houston Public Media.

Cooper said NPR Digital Services has been “sending key information to Member Stations so they can move in similar directions” and plans to similarly secure member station podcasts and streams early next year.

“As the Washington Post, Wired and the Guardian have documented publicly, upgrading a sprawling news site to HTTPS is a major effort,” he said. “The required staff time is significant, and serving costs have only become affordable for many publishers in the last year or two.”

ProPublica, which received an “A-” in the report, began experimenting with HTTPS on portions of its site in 2013, according to Mike Tigas, news applications developer. Among the first uses was the encryption of projects such as Dollars for Docs, a database that tracks what pharmaceutical and medical-device companies pay to doctors and teaching hospitals.

“If you’re looking up personal information, you’re looking up your doctor, we thought … you should feel safe performing these actions on our website,” Tigas said.

A year ago, ProPublica went all-in on using HTTPS for the bulk of its site, including all articles.

Making the switch isn’t necessarily difficult, he said, but for news sites, dealing with archived content can be a challenge.

“If you’re a news site and you have years and years of old content and you have an article that has an embed from somebody else’s website, that embed has to support HTTPS also,” he said. “If you’re running advertisements on your site, the ad network you use has to support it also.”