Websites that are not encrypted will receive a lower ranking on Google’s search engine, in a move designed to push site owners towards adopting technology that protects users’ data against hackers.
The step is the latest in a series that Google has taken to improve the security of the web – something it has focused on since Edward Snowden's allegations of National Security Agency (NSA) spying broke last year, detailing mass government surveillance by the US and some of its allies, including the UK.
All major websites use encryption when a person submits their login details, but some sites then downgrade to an unencrypted connection.
“We hope to see more websites using HTTPS in the future,” Google said in a blog post.
Christopher Soghoian, a principal technologist from the American Civil Liberties Union, told the Washington Post that “this is a huge deal” and “the ultimate carrot for websites” to use encryption.
Kevin Mahaffey, chief technology officer and co-founder of mobile-security company Lookout Inc., said that users effectively put their data into a more secure envelope when they deal with encrypted websites.
“If you were sending a letter with your credit card information and Social Security number, would you send it in a secure envelope or a clear envelope?” he asked.
Google already uses a number of practices which directly relate to a website's performance and affect its rankings – including penalizing sites that load slowly.
“This is a lot like Consumer Reports saying that the overall rating of a car is higher because it has airbags,” said
Until now, the issue of whether a site was encrypted or unencrypted affected less than one percent of Google searches.
In the past, websites have avoided encryption because of cost concerns and a slower response time, but now the cost of encryption has declined and the experiences of Google and Facebook – which do use encryption – suggest that it doesn’t necessarily have to slow a website down.
Google already encrypts user searches, as well as all emails sent by Gmail. In June, Google published a new report disclosing information about email providers that don’t encrypt emails.
Google and other major web companies have faced allegations that they have been complicit with the NSA in its surveillance and information gathering, and earlier this year they set up the “Reform Government Surveillance” coalition in an effort to maintain credibility.
But LinkedIn said in June that it was still upgrading to HTTPS as opposed to HTTP – which is unencrypted – and people using LinkedIn in some regions found they were being flipped to an unencrypted connection after logging in.