The problem was technical (due to the way it was initially built, I think it was using facebook domain for zero rating). Currently, encryption is supported: end-to-end on app, for mobile browser facebook apparently still decrypts the traffic.
We encrypt information for Free Basics wherever possible. When people use the Free Basics Android app, their traffic is encrypted end-to-end unless you specify that your service should be HTTP only. For the Free Basics website in a mobile browser, we use a “dual certificate” model to encrypt traffic between a person's device and our servers in both directions. If your server supports HTTPS, we will also encrypt traffic between our servers and yours. Even if your service doesn't yet support HTTPS, where possible we will encrypt that information between our servers and people's devices unless you ask us to not use dual certificate HTTPS. When people use the Free Basics mobile website, information is temporarily decrypted on our secure servers to ensure proper functionality of the services and to avoid unexpected charges to people.
We preserve the privacy of that information while it's decrypted by only storing the domain name of your service and the amount of data being used—the same information that would be visible using end-to-end encryption—as well as cookies that are stored in an encrypted and unreadable format."
https://developers.facebook.com/docs/internet-org/platform-t...
"HTTPS support
We encrypt information for Free Basics wherever possible. When people use the Free Basics Android app, their traffic is encrypted end-to-end unless you specify that your service should be HTTP only. For the Free Basics website in a mobile browser, we use a “dual certificate” model to encrypt traffic between a person's device and our servers in both directions. If your server supports HTTPS, we will also encrypt traffic between our servers and yours. Even if your service doesn't yet support HTTPS, where possible we will encrypt that information between our servers and people's devices unless you ask us to not use dual certificate HTTPS. When people use the Free Basics mobile website, information is temporarily decrypted on our secure servers to ensure proper functionality of the services and to avoid unexpected charges to people.
We preserve the privacy of that information while it's decrypted by only storing the domain name of your service and the amount of data being used—the same information that would be visible using end-to-end encryption—as well as cookies that are stored in an encrypted and unreadable format."