Internet.org Is Not Neutral, Not Secure, and Not the Internet
Facebook’s Internet.org project, which offers people from developing countries free mobile access to selected websites, has been pitched as a philanthropic initiative to connect two thirds of the world who don’t yet have Internet access. We completely agree that the global digital divide should be closed. However, we question whether this is the right way to do it. As we and others have noted, there’s a real risk that the few websites that Facebook and its partners select for Internet.org (including, of course, Facebook itself) could end up becoming a ghetto for poor users instead of a stepping stone to the larger Internet.
Mark Zuckerberg’s announcement of the expansion of the Internet.org platform earlier this month was aimed to address some of these criticisms. In a nutshell, the changes would allow any website operator to submit their site for inclusion in Internet.org, provided that it meets the program’s guidelines. Those guidelines are neutral as to the subject matter of the site, but do impose certain technical limitations intended to ensure that sites do not overly burden the carrier’s network, and that they will work on both inexpensive feature phones and modern smartphones.
We agree that some Internet access is better than none, and if that is what Internet.org actually provided—for example, through a uniformly rate-limited or data-capped free service—then it would have our full support. But it doesn’t. Instead, it continues to impose conditions and restraints that not only make it something less than a true Internet service, but also endanger people’s privacy and security.
That’s because the technical structure of Internet.org prevents some users from accessing services over encrypted HTTPS connections. As we mentioned above, a critical component of Internet.org is its proxy server, which traffic must pass through for the zero-rating and the interstitial warning to work correctly. Some devices, like Android phones running Internet.org’s app, have the technical ability to make encrypted HTTPS connections through the proxy server without becoming vulnerable to man-in-the-middle attacks or exposing any data (beyond the domain being requested) to Facebook. Internet.org’s Android app can also automatically bring up the interstitial warning directly on the phone by using the app to analyze links (as opposed to Facebook serving the warning via its proxy server).
But most inexpensive feature phones that can’t run an Android app don’t support phone-based warnings or this sort of proxying of HTTPS connections. For these phones, traffic must pass through Internet.org’s proxy unencrypted, which means that any information users send or receive from Internet.org’s services could be read by local police or national intelligence agencies and expose its users to harm. While Facebook is working to solve this problem, it’s extremely difficult from a technical perspective, with no obvious solution.
Even if Facebook were able to figure out a way to support HTTPS proxying on feature phones, its position as Internet gatekeepers remains more broadly troublesome. By setting themselves up as gatekeepers for free access to (portions of) the global Internet, Facebook and its partners have issued an open invitation for governments and special interest groups to lobby, cajole or threaten them to withhold particular content from their service. In other words, Internet.org would be much easier to censor than a true global Internet.
While we applaud Facebook’s efforts to encourage more websites to provide support for low-end feature phones by stripping out “heavy” content, we would like to see Internet.org try harder to achieve its very worthy objective of connecting the remaining two thirds of the world to the Internet. We have confidence that it would be possible to provide a limited free Internet access service that is secure, and that doesn’t rely on Facebook and its partners to maintain a central list of approved sites. Until then, Internet.org will not be living up to its promise, or its name.