Facebook Announces Encryption For Internet.Org Websites, But Caveats Remain

Earlier this year, Facebook said that it can't let participating websites in its Internet.org project use encryption, because that would prevent the company from doing the necessary optimizations to lower the data consumption of those websites.

Now, Facebook announced that it will allow HTTPS encryption for Internet.org websites, but the websites' own encryption will only be valid, up to Facebook's own servers. There, the data gets decrypted, Facebook applies its compression algorithms to it, and then it encrypts the sites with its own certificate and sends it along to the user.

In a way, Facebook becomes the "man in the middle" between the website and the user. This could present certain privacy issues, but Facebook said the data it gathers is limited:

“We preserve the privacy of that information while it's decrypted by only storing the domain name of the service you visit and the amount of data being used—the same information that would be visible using end-to-end encryption—as well as cookies that are stored in an encrypted and unreadable format," said the company in the announcement.

Poor Privacy Record

Although this collection of information may be limited for now, Facebook doesn't have the best track record in regards to keeping its privacy promises. For instance, soon after the company launched the "Like" button in 2010, a Dutch researcher discovered that Facebook was using it to track everyone, even when they don't click on the button. Facebook initially said that it was only a "bug." It said the same thing a year later when another researcher found out Facebook was still tracking users after they log out of the service.

Recently, Facebook changed its mind on having the Like button track users, as well. Therefore, who is to say that if or when Internet.org starts to see use by potentially tens of millions or hundreds of millions of people, Facebook won't do the same thing because it would find mining that data irresistible?

Security Risk

What Facebook didn't mention in its announcement is that for websites that require user logins, those login credentials would also have to go through Facebook's servers, in unencrypted form, before they get encrypted again. Therefore, Facebook's solution presents a security issue, as well.

Facebook said that it would delete any sensitive data, but with the Indian government recently suggesting that it would require companies to store data for at least 90 days, Facebook could be forced to intercept those logins and hand them over to the government.

The Indian government later retracted its initial draft policy after strong online backlash, but whether this policy, or one similar to it, comes back in a different form now or in a few years, it still means Facebook is putting itself in a position where it could be forced to hand out data that normally it wouldn't be able to give if users would just login directly to websites, rather than through Facebook.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.