Sophos asks Facebook to start thinking about protecting its users by enabling default privacy and security features and not requiring them to opt out of information sharing.
Web security firm Sophos has posted an open letter to Facebook
taking the social networking giant to task for its ongoing safety and privacy
Sophos security experts outlined three steps Facebook should
take to better protect its users and improve overall data security in a post on
the company's Naked Security blog
. Facebook needs to enable privacy and HTTPS
by default and start vetting applications that appear on the site, wrote Graham
Cluley, a Sophos senior technology consultant, on April 18.
Several Sophos security researchers regularly address the
latest malicious Facebook apps and privacy missteps on Naked Security. Many of
the scams are reported by the victims themselves, according to Cluley.
Users frequently ask, "Why doesn't Facebook do more to
protect us?" said Cluley in
Privacy needs to be enabled by default, and Facebook has to
stop sharing information without users' express agreement, Cluley wrote. If
users want to take advantage of the latest feature or get the partner
information, they should be encouraged to opt in, instead of having to manually
opt out, according to the letter.
Back in January, Facebook announced that developers would be
able to collect users' addresses and mobile phone numbers
if users added the developers'
application. After a storm of protest, the company backed down and
"temporarily" suspended the policy.
"Whenever you add a new feature to share additional
information about your users, you should not assume that they want this feature
turned on," Cluley said.
When Facebook rolled out HTTPS
for users, many security
experts, including Cluley, approved the move, However, Facebook should have
turned it on by default so that all the users are automatically protected,
Cluley said. Without the data being encrypted by default, users are at risk of
losing personal information to cyber-attackers.
"Worse, you only commit to provide a secure connection
-whenever possible,'" Cluley said, noting that Facebook should enforce a secure
connection all the time for all users by default.
Some users had their network traffic rerouted through Korea
before hitting Facebook servers in March. It's still unclear why that
happened, but that's a lot of unencrypted user data passing through unknown and
potentially malicious servers. Users with HTTPS enabled on their accounts had less
cause for worry, as their traffic was encrypted.
Facebook should also start vetting developers and
applications before allowing them on Facebook, according to the letter. "It is
far too easy to become a developer on Facebook," Cluley said. Facebook should
be setting up a way to vet and approve third-party developers before they
publish applications designed to be accessed from Facebook, he said.
Considering there are more than 1 million developers registered
on the platform, it is "hardly surprising" that the site is "riddled" with
rogue applications and viral scams, according to Cluley.
The majority of the security threats facing Facebook users
come from phishing scams and rogue Facebook apps and not attackers trying to
breach Facebook servers or hijack the log-in system. The scams range from the
oft-requested "dislike" button to an application that promises to show users who is
viewing their profile. Instead of the promised app, users are shown a survey
scam and are directed to a site that downloads malware onto the computer, or to a
phishing page asking for sensitive
"Why wait until regulators force your hand on privacy?"
Cluley asked, noting that users are saying they want these issues
On Twitter, many users agreed with the letter and added
other suggestions, such as actually removing
when an account is deleted.