Google now encrypts almost all the traffic flowing from YouTube, the company said in a Monday blog post.
In the post, Google (GOOG) software engineer Sean Watson and product manager Jon Levine said 97% of YouTube’s traffic is now accessible with the “https” web address prefix that denotes extra security.
In effect, this stops others from being able to spy on a YouTube user’s detailed activities on the video site. Unencrypted video streams can also be hijacked by criminals or intelligence agencies to deliver malware onto the viewer’s computer.
Get Data Sheet, Fortune’s technology newsletter.
Why isn’t YouTube entirely encrypted now? “In short, some devices do not fully support modern HTTPS,” Watson and Levine wrote. “Over time, to keep YouTube users as safe as possible, we will gradually phase out insecure connections.”
The range of devices people use to access YouTube was one of the factors that the team had to deal with, as it rolled out encryption over the past two years.
As the post noted, people use the service on everything from flip-phones to smart TVs, and all those devices needed to be tested to make sure that switching from old-school HTTP to the safer HTTPS didn’t break things.
Another factor was the sheer amount of video that needed to be migrated to the safer standard on Google’s content delivery networks.
For more on Google watch our video.
“In the real world, we know that any non-secure HTTP traffic could be vulnerable to attackers. All websites and apps should be protected with HTTPS,” Watson and Levine wrote.
Now that YouTube is almost all encrypted, Google has added the service to its HTTPS transparency report, which keeps track of the company’s progress in boosting the security of its various services.