May 18, 2015 | By Jeremy Gillula and Jeremy Malcolm

Internet.org Is Not Neutral, Not Secure, and Not the Internet

Facebook's Internet.org project, which offers people from developing countries free mobile access to selected websites, has been pitched as a philanthropic initiative to connect two thirds of the world who don’t yet have Internet access. We completely agree that the global digital divide should be closed. However, we question whether this is the right way to do it. As we and others have noted, there's a real risk that the few websites that Facebook and its partners select for Internet.org (including, of course, Facebook itself) could end up becoming a ghetto for poor users instead of a stepping stone to the larger Internet.

Mark Zuckerberg's announcement of the expansion of the Internet.org platform earlier this month was aimed to address some of these criticisms. In a nutshell, the changes would allow any website operator to submit their site for inclusion in Internet.org, provided that it meets the program's guidelines. Those guidelines are neutral as to the subject matter of the site, but do impose certain technical limitations intended to ensure that sites do not overly burden the carrier's network, and that they will work on both inexpensive feature phones and modern smartphones.

Compliance with the guidelines will be reviewed by the Internet.org team, which may then make the site available for Internet.org users to access for free, by routing the communication through the Internet.org proxy server. That proxy server allows the sites to be “zero rated” by participating mobile phone operators; allows the automatic stripping out of content that violates the guidelines—such as images greater than 1Mb in size, videos, VoIP calls, Flash and Java applets and even JavaScript; and inserts an interstitial warning if a user attempts to leave Internet.org's zero-rated portion of the Internet, so as to prevent users from accidentally being billed for data charges they may not be able to afford and didn't mean to incur.

We agree that some Internet access is better than none, and if that is what Internet.org actually provided—for example, through a uniformly rate-limited or data-capped free service—then it would have our full support. But it doesn't. Instead, it continues to impose conditions and restraints that not only make it something less than a true Internet service, but also endanger people's privacy and security.

That's because the technical structure of Internet.org prevents some users from accessing services over encrypted HTTPS connections. As we mentioned above, a critical component of Internet.org is its proxy server, which traffic must pass through for the zero-rating and the interstitial warning to work correctly. Some devices, like Android phones running Internet.org's app, have the technical ability to make encrypted HTTPS connections through the proxy server without becoming vulnerable to man-in-the-middle attacks or exposing any data (beyond the domain being requested) to Facebook. Internet.org's Android app can also automatically bring up the interstitial warning directly on the phone by using the app to analyze links (as opposed to Facebook serving the warning via its proxy server).

But most inexpensive feature phones that can't run an Android app don't support phone-based warnings or this sort of proxying of HTTPS connections. For these phones, traffic must pass through Internet.org's proxy unencrypted, which means that any information users send or receive from Internet.org's services could be read by local police or national intelligence agencies and expose its users to harm. While Facebook is working to solve this problem, it's extremely difficult from a technical perspective, with no obvious solution.

Even if Facebook were able to figure out a way to support HTTPS proxying on feature phones, its position as Internet gatekeepers remains more broadly troublesome. By setting themselves up as gatekeepers for free access to (portions of) the global Internet, Facebook and its partners have issued an open invitation for governments and special interest groups to lobby, cajole or threaten them to withhold particular content from their service. In other words, Internet.org would be much easier to censor than a true global Internet.

While we applaud Facebook's efforts to encourage more websites to provide support for low-end feature phones by stripping out “heavy” content, we would like to see Internet.org try harder to achieve its very worthy objective of connecting the remaining two thirds of the world to the Internet. We have confidence that it would be possible to provide a limited free Internet access service that is secure, and that doesn't rely on Facebook and its partners to maintain a central list of approved sites. Until then, Internet.org will not be living up to its promise, or its name.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Thanks to the digital rights heroes around the world powering up EFF—your donations have 2X the impact this week! https://eff.org/powerup

Dec 2 @ 6:20pm

EFF stickers at the Lucas Film campus in San Francisco's Presidio. #EFFintheWild https://eff.org/powerup

Dec 2 @ 5:26pm

Old border rules give federal agents free rein to rifle through our phones without warrant, says EFF's @scopesetic
http://www.nytimes.com/2016/1...

Dec 2 @ 4:55pm
JavaScript license information