About This Report

In early April, a major security flaw affecting perhaps 500,000 or more websites was announced and fixed. But the patch to the “secure socket” program that is supposed to encrypt and protect user information on secure websites was only made after more than two years of vulnerability on some of the most heavily trafficked sites, including Facebook, Google, YouTube, Yahoo and Wikipedia. Analysts warned that untold numbers of internet users might have had key personal information compromised either in their use of those websites, or their use of email, instant messaging, and even supposedly secure virtual personal networks.

This report covers public response to the revelation of the security code flaw. It was conducted among 1,501 adults between April 23-27 on landline and cell phones and in English and Spanish. It has a margin of error of plus or minus 2.9 percentage points in the overall sample and 3.1 points among the internet users in the sample (N=1,303).

The software bug was named “Heartbleed” and it was accidentally introduced to the OpenSSL encryption program on New Year’s Eve 2011. OpenSSL is an open-source program that is used by many of the sites and email programs that have the “https” prefix and “green lock” icon in their URLs. Some security commentators called Heartbleed “catastrophic”  and said it one of the worst vulnerabilities ever discovered on the web.

The flaw basically allowed people to “break the lock” on sophisticated encryption software, get into the memory of security systems and gather up whatever personal information was there, including usernames, passwords, and the actual content of accounts such as credit card data or other sensitive personal information.

This report is a collaborative effort based on the input and analysis of the following individuals.

Lee Rainie, Director, Internet Project
Maeve Duggan, Research Assistant, Internet Project
Alec Tyson, Research Associate, U.S. Politics Project

Find related reports about privacy, safety, and security at