Of roughly 1,600 people surveyed, 60 percent said it is either "highly likely" or "possible" that they will leave Facebook due to concerns over privacy. Just 24 percent said they either wouldn't leave or it is "not likely." The remaining 16 percent of the respondents had already left the site.
Sophos acknowledged that the poll isn't scientific, but if it is taken at face value, Facebook has its work cut out for it. In response to user complaints, the social networking site has already announced plans to simplify its privacy settings, possibly as early as the week of May 24.
"I'm sure users are concerned but I doubt 60 percent would leave Facebook at this point because of their concerns," Gartner analyst Avivah Litan said. "Nonetheless, this survey clearly indicates that Facebook has a major PR problem that is well-deserved. If they don't move quickly and more proactively to improve their privacy practices, they will start seeing users depart and their customer base erode."
While a Facebook version of the Great Migration seems unlikely, Cluley noted that "delete Facebook account" has become a "hot search term on Google" and campaigns such as "Quit Facebook Day" have surfaced.
"Users are steadily becoming more aware of the lack of privacy Facebook provides and this last round of changes has only made matters worse," said Sophos Senior Security Analyst Mike Haro.
Earlier in 2010, Sophos conducted a survey of businesses that rated Facebook ahead of Twitter, LinkedIn and MySpace as the riskiest social networking site. While 33 percent of respondents said their companies were blocking Facebook for productivity reasons, there was also a 3 percent increase in respondents worried about malware on Facebook.
"Businesses are concerned over employee use of social networks that can result in reputation damage, leakage of sensitive information, nondisclosure violations, brand degradation, physical harm to employees and lower employee productivity," Litan said. "They are also worried about 'social media squatting' where fraudsters and other malicious users pose as the CEO or another employee of the company, and can thus cause significant damage to the brand."
Part of avoiding all that means establishing policies that allow employees to take advantage of social networks safely.
"First they need to designate an enterprise owner for policies that govern employee use of social networks," Litan said. "They need to designate 'authorized' users, i.e. those who are empowered to use social networks to represent and speak for the company. They need to establish and communicate social networking policies to their employees."
"Enterprises then need to educate and train their employees on the resulting policies, and finally they need to monitor employee use to ensure policies are being followed," she added.