Facebook is now end-to-end encrypting its Internet.org website and issuing dual certificates for its Free Basics mobile browser.
Internet.org is a Facebook-led initiative to make the internet and its information available to every person on Earth. In step with that, Free Basics is the company's free mobile offering for markets “where internet access may be less affordable,” according to the company's project page. These services include allowing people to browse selected “health, employment and local information websites without data charges.”
While the social media company partners with other technology groups to bring every country and citizen online, it also admitted that the countries it serves often don't have internet infrastructure equipped for strong security.
“Networks are more constrained, devices are generally older, and modern security protocols sometimes aren't supported at all,” Facebook wrote in a press release. “While we're coming up with solutions to bring more people online, we also need to think about how to connect them securely.”
In response, Facebook is encrypting information “wherever possible,” even if a developer only supports HTTP. On mobile devices, the dual certification model allows for traffic encryption between a user's device and Facebook's servers, as well as between Facebook's servers and the developer's.
That said, even when people search for potentially sensitive health data or controversial information on their mobile devices, data will be briefly decrypted on Facebook's servers.
This step is to “ensure proper functionality” and to “avoid unexpected charges,” Facebook wrote.
Ebba Blitz, president of Alertsec, wrote in an emailed response to SCMagazine.com that she's skeptical of this decryption step, which is outside the norm for encrypted communications.
“If Facebook sits as a middle man and stores information, then developers can't control which information will be stored,” Blitz wrote. “I think that this raises privacy concerns. They say that they only store snippets of data, but how can this be trusted? This gives me chills and a sense that Big Brother is watching us.”
The company stated that it only stores the domain name of the service visitors access, the amount of data being used and stored cookies.
Although this encryption move might initially spur developers to use Internet.org's platform, Blitz argued the purpose of encryption “gets lost if it's decrypted in the process.”