Zuck'ed up: Facebook opens up free internet in India – but bans HTTPS

Encryption not allowed through Internet.org's service

Facebook's Internet.org has loosened the stranglehold on its free internet service in India and other countries.

Now potentially any website can be accessed for free via the service as long as the site ditches HTTPS, JavaScript, and other things.

The social network offers free mobile internet access to people in India, Tanzania, Kenya, Colombia, Ghana, and Zambia – provided they have a phone that can run the Opera web browser, it can connect to a mobile data network, and they stick to 38 selected websites – which range from Facebook and Wikipedia to health-information sites and a Reuters feed of farm prices. People visiting sites via Internet.org will not be billed for their mobile data use.

It sounds nice, but as many have complained, it is a touch anticompetitive, and runs roughshod over the principle of net neutrality – a principle Facebook fully backed last May.

A web startup in India that isn't on the Internet.org list will have little to no hope of getting off the ground against a rival that is, for example.

Last month, while defending Internet.org to net neutrality supporters, Facebook CEO Mark Zuckerberg said offering a little bit of the internet for free was better than none. He also defended the walled garden approach, claiming it was necessary for technical reasons.

Today, Zuck U-turned and announced that any website can apply to join the Internet.org list, provided it complies with the rules. (The exodus of businesses from the Internet.org program over the net neutrality principle may well have helped change Zuckerberg's mind.)

Among those rules: no encrypted connections. Facebook explained that because all the on-the-house web traffic has to go through Internet.org's proxy servers, it cannot support HTTPS (SSL/TLS). Sites will either have the encryption stripped, or will be flat out rejected from the program. (So much for "a continued commitment to security.")

Other banned content types include JavaScript, SVG images and WOFF fonts, iframes, video and large images, Flash files, and Java applets. Any VoIP, file transfer, or high-volume photo sites will also be rejected.

The social network reckons this is needed to squeeze web traffic over slow mobile links in rural, under-developed areas.

Facebook has posted a full set of technical guidelines for web developers to follow if they want their sites added to the program. Under the more general guidelines, Internet.org says it prefers sites capable of running efficiently over 2G. To sign up, skip over to this webpage, here. ®

Updated to add

Zuckerberg has since posted on Facebook to say HTTPS via Internet.org is going to "happen soon."

Other stories you might like

  • US lawsuit alleges tool used by hospitals shares patient data with Meta
    Booking appointments and other interactions with hospital portals can lead to some medical details being shared for advertising, class action claims

    Social media megacorp Meta is the target of a class action suit which claims potentially thousands of medical details of hospital patients were shared with its Facebook brand.

    The proposed class action [PDF], filed on Friday, centers on the use of Facebook Pixel, a tool for website marketing and analytics.

    An anonymous hospital patient, named John Doe in court papers, is bringing the case — filed in the Northern District of California — alleging Facebook has received patient data from at least 664 hospital systems or medical providers, per the suit.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Indian government issues confidential infosec guidance to staff – who leak it
    Bans VPNs, Dropbox, and more

    India's government last week issued confidential information security guidelines that calls on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.

    The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.

    "The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.

    Continue reading

Biting the hand that feeds IT © 1998–2022