Something I've been trying to push, quite hard, is HTTPS. There used to be three problems with it: 1) it was expensive to get a certificate. But that was only if you wanted the certificate to prove your identity: for mere encryption, you could just self sign. That's all in the past now anyway, since comodo, cacert and others give out free trusted certs. 2) you could only have one cert per IP. Since "Server Name Indication" is now in all major browsers and has been for some time (since FF2.0, Opera8, Mozi1.8, IE7), this is no longer the case. (http://en.wikipedia.org/wiki/Server_Name_Indication) 3) It used to be heavy on the CPU. This is still true for ridiculous-bandwidth sites, but other than that shouldn't be an issue. Browsers could be user-configured to attempt to connect to domains over https by default (regardless of whether the link began http or https), and fail back to http only if the site didn't offer https. Then, if a majority of sites offered https as standard, browsing from the UK would become semi-safe again (and from the US, and anywhere with a government or ISPs that spy on people, ie every single country in the world). Sure, snoops would still be able to tell which server you connected to, but not to retrieve your username, password, all blog posts and forum posts you make, who you talk to, what you say... they couldn't even tell which site you went to, for those sites on shared hosts (ie the majority of the smaller sites out there). SSL (or TLS, its successor) should be the *default* nowadays, not the exception. All of us with websites owe it to our readers to do so, just as we owe it to them to opt out of Phorm. If we don't do this, we're tacitly permitting our sites to be used as profiling tools to snoop on our visitors: an idea so abhorrent, it'd be enough to make me take all my sites down, if HTTPS weren't available. [Speaking of Phorm, to opt out, you apparently need to email: website-exclusion@phorm.com with something like: "Please exclude the following domains from the WebWise service, and any similar services run or controlled by your organisation: *.example.com *.example.org ..."]