Facebook's Latest Privacy Improvements Fail to Impress Sophos

Facebook rolled out some modifications to its privacy controls, but critics say they still don't do what's needed to secure user privacy.

A day after security firm Sophos penned an open letter asking Facebook to improve its privacy and security features, Facebook introduced a suite of security tools aimed at helping users stay safe online.

The social networking giant improved its social reporting tools for flagging wall posts and photos as spam, improved its secure browsing options via HTTPS, and added more content explaining privacy and security, according to a post by Arturo Bejar, a Facebook safety engineer, on the Facebook Blog on April 19. Bejar also hinted at a new two-factor authentication mechanism to come soon to make the log-in process even more secure.

While Bejar described the changes as "social solutions to safety," a security researcher remained dissatisfied.

"It's not enough. Facebook has got a longer road ahead of it if it's really serious about protecting its users," Graham Cluley, senior technology consultant at Sophos, said in an email statement.

Cluley had posted an open letter to Facebook on the Naked Security blog on April 18, criticizing Facebook for not pushing out strong privacy and security protections for users. The letter outlined three basic steps Facebook needed to implement.

Facebook is also "improving HTTPS." At this time, if the user wants to use an app that doesn't support encrypted connections, the user has to first disable HTTPS. With the new changes, the site will automatically switch back to the secure HTTPS protocol after the user finishes using that app.

The improvements did not address Cluley's main complaint about HTTPS, which is that it isn't enabled by default. Users first have to know about the option to have their Facebook traffic encrypted, and then have to turn it on manually. Cluley also noted that users don't have the option to enable HTTPS when browsing Facebook over mobile devices.

Facebook will be rolling out two-factor authentication to allow users to enter a one-time password generated on a separate device, such as a token or a mobile phone, in order to log in to Facebook, according to Bejar. Cluley said it is not possible to determine whether it will be effective without more information.

Facebook users can use the social reporting tool to flag wall posts and photos as spam to their friends as well as to Facebook. Flagging the item would help users warn their network of friends when they "see something they don't like," Bejar said. Users can report bullying incidents, imposter profiles, abusive content and other issues simultaneously to Facebook, the person who posted it and a "trusted adult" who may be able to help address the issue.

The tool is also now available in other areas of Facebook, including profiles, pages and groups.

A recent study found that even when Facebook users recognized something as a scam on Facebook, they rarely told their friends. With this tool, the users would automatically be notifying their friends whenever they tell Facebook.

Facebook also redesigned the Family Safety Center to add more content to educate parents, teens and children about safety and privacy on the site. In addition, Facebook will be creating a guide for educators to answer common questions about Facebook.