Skip to main content

Facebook’s Free Basics: More Open, Better Security, but Still a Walled Garden

DEEPLINKS BLOG
September 30, 2015

Facebook’s Free Basics: More Open, Better Security, but Still a Walled Garden

Last Thursday, Facebook announced changes and clarifications to its zero-rating program formerly known as Internet.org. It’s re-branded the service “Free Basics,” but the overall idea remains the same: mobile users in developing nations can access certain websites without having to pay for the data, by accessing those websites via Facebook’s system. While the changes Facebook has made are positive, we still have some concerns—especially about the dangers posed by Facebook’s central role. But let’s start with the positive.

For one thing, Facebook has made progress in securing the privacy and security of Free Basics’ users. When Internet.org was announced, we noted that the program prohibited users on feature phones from accessing websites over encrypted HTTPS connections. Facebook has now partially addressed this problem, by enabling encryption (for feature phones that support it) from the user’s phone to Facebook’s proxy server, where the data is then decrypted and re-encrypted before being transmitted to the destination website. Even better, Facebook is also enabling encryption between the end user’s phone and its proxy even when the website itself doesn’t support HTTPS—adding a little more security to what would otherwise be an unencrypted connection. While this isn’t true end-to-end encryption, it does make it harder for government agencies to perform bulk surveillance of Free Basics users. Further, Facebook has committed not to inspect the traffic passing through its proxy server while it’s temporarily decrypted, and to log only data that could be seen even if the traffic truly were end-to-end encrypted: namely the domain (but not the rest of the URL) and the amount of data transferred.

Additionally, Facebook has revised the application criteria for websites that want to participate in Free Basics. Sites no longer have to comply with Facebook’s Statement of Rights and Responsibilities, which Facebook could have used to censor services that provide controversial content (e.g., sexual health resources, religious commentary, or even art). In fact, at this point Facebook hasn't rejected any websites from participating for non-technical reasons. And Facebook has made those technical requirements (which are necessary for websites to work properly on low-end feature phones) much more specific. This constrains Facebook from using ambiguous technical criteria to artificially limit which services it allows into the program.  In other words, Facebook seems to be making a good faith effort to base its decisions about who gets into the program on only technical criteria necessary for websites to operate correctly on feature phones—thus increasing the chances that the websites available via Free Basics won't represent a censored, cherry-picked web.

Still a Walled Garden

These are good and important changes, and we applaud Facebook for making them.  But Free Basics still has one unavoidable, inherent flaw: Facebook’s central role, which puts it in a privileged position to monitor its users traffic, and allows it to act as gatekeeper (or, depending on the situation, censor).

Let’s tackle things from the privacy angle first. Given Facebook’s central role, there is no technical restriction that prevents the company from monitoring and recording the traffic of Free Basics users. Unfortunately, this means there is no guarantee that the good faith promise Facebook has made today to protect Free Basics users’ privacy will be permanent. All we have is Facebook's word that it won't decide at some point in the future to go back on this privacy promise, and start analyzing or mining the traffic passing through its Free Basics proxy server. Unfortunately, given Facebook’s recent actions, that word isn’t completely reliable. After all, this is the company that recently decided to feed tracking data from its Like buttons into its advertising system, despite widespread objection, and still refuses to honor Do Not Track (“DNT”) headers.

Even if we gave Facebook the benefit of the doubt and assumed that the champions of privacy within the company will continue to be influential, Facebook’s central role as gatekeeper creates other problems. As we explained before, by inserting itself in between users and the websites they want to access, “Facebook and its partners have issued an open invitation for governments and special interest groups to lobby, cajole or threaten them to withhold particular content from their service.” While censorship on Free Basics of this sort hasn't occurred yet, it’s still true that Free Basics would be much easier to censor than the real global Internet.

Facebook could address this by encouraging the carriers with which it partners to zero-rate all mobile-accessible websites, thus further limiting Facebook's involvement in vetting the content that is available through the platform. Although we understand why carriers might be reluctant to do that, they could still impose a data cap on the amount of zero-rated data, as an incentive for users to upgrade to a paid service. Such a system would solve all of the pro-access goals that Facebook espouses, with a significantly less distorting effect on the end-user's experience of the Internet than the Free Basics service that exists now.

We’re glad Facebook is taking steps to open Free Basics to as many websites as possible and increase its users’ security.  But Free Basics is still a walled garden run by a single gatekeeper, with all the associated privacy and censorship dangers such a system entails. Just as Internet.org wasn’t the Internet, Free Basics isn’t really “free.” We hope that this new service isn’t treated as a substitute for what we really need: good, fast access to the entire Internet for all. 

Related Issues

Back to top

JavaScript license information