Internet security firm Sophos has written an open letter to Facebook, asking the company to address some of the ongoing safety and privacy issues on the social network. The message is titled "An open letter to Facebook about safety and privacy" and is brief but to the point. It outlines three steps that Sophos believes Facebook should take to better protect its users:
- Privacy by default: no more sharing of information without your users' express agreement (opt-in). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.
- Vetted app developers: it is far too easy to become a developer on Facebook. With over 1 million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.
- HTTPS for everything: we welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection "whenever possible." Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.
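As an added example, not part of the article or of Sophos' letter, the following Python check spells out what "a secure connection all the time" means in practice: a plaintext request is redirected to an https:// URL rather than served, the secure response carries an HSTS header so the browser stops trying http:// on later visits, and session cookies are marked Secure so they are never sent over plaintext. The response headers are constructed sample data, and the six-month HSTS threshold is an assumption rather than a standard.

```python
import re

# Constructed sample responses (not real captures of any site).
# "before" mirrors the situation the letter describes: the plaintext
# request is answered directly, nothing tells the browser to stay on HTTPS,
# and the session cookie would also travel over http://.
BEFORE_HTTP = (200, {"Content-Type": "text/html"})
BEFORE_HTTPS = {"Set-Cookie": ["sid=abc123; Path=/; HttpOnly"]}

# "after" is the enforced configuration the letter asks for.
AFTER_HTTP = (301, {"Location": "https://www.example.com/"})
AFTER_HTTPS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["sid=abc123; Path=/; Secure; HttpOnly"],
}

# Assumed threshold: anything shorter than six months is treated as too weak.
MIN_HSTS_AGE = 180 * 24 * 3600


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security header; None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def cookie_is_secure(set_cookie):
    """True if a Set-Cookie value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "secure" in attrs


def check_https_enforced(http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means HTTPS is enforced."""
    findings = []

    # 1. The plaintext request must be redirected to https://, never served.
    location = http_headers.get("Location", "")
    redirected = http_status in (301, 302, 307, 308)
    if not redirected or not location.lower().startswith("https://"):
        findings.append("plaintext request is served rather than redirected to https://")

    # 2. HSTS so the browser upgrades future http:// requests on its own.
    age = hsts_max_age(https_headers.get("Strict-Transport-Security", ""))
    if age is None:
        findings.append("no Strict-Transport-Security header; browser may try http:// next visit")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age={age} is shorter than {MIN_HSTS_AGE} seconds")

    # 3. Session cookies without Secure leak over any plaintext request.
    for set_cookie in https_headers.get("Set-Cookie", []):
        if not cookie_is_secure(set_cookie):
            name = set_cookie.split("=", 1)[0]
            findings.append(f"cookie {name!r} lacks the Secure attribute")

    return findings


def main():
    for label, http, https in (("before", BEFORE_HTTP, BEFORE_HTTPS),
                               ("after", AFTER_HTTP, AFTER_HTTPS)):
        findings = check_https_enforced(http[0], http[1], https)
        print(label, "OK" if not findings else findings)


if __name__ == "__main__":
    main()
```

The check only covers the transport side of the letter's third point: it says nothing about phishing pages or rogue apps, which sit above the TLS layer and are untouched by any of these headers.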
The first and third suggestions are critical and really need to be implemented as soon as possible. As for the second suggestion, while I agree there definitely needs to be more oversight added to the app approval process, the sheer number of Facebook developers and apps makes the implementation of such a change much more difficult.
Toward the end of the letter, Sophos suggests that it's only a matter of time before Facebook will be legally accountable for protecting its users. As such, it urges the company to act sooner rather than later.
Sophos frequently posts about scams propagating on Facebook, some of which I've also written about in order to warn readers. It looks like the security company has concluded that enough is enough. Facebook's servers and login system have a solid track record when it comes to security, and so the real security threats are from phishing scams and rogue Facebook apps.
There is no way that spam, malware, and phishing will ever be eliminated from Facebook: the social network is far too large, which makes the practice far too profitable to abandon. Scammers will always come up with a new set of tricks, as they do on other platforms.
That being said, Sophos' three suggestions would certainly make it harder for the bad guys, and would likely reduce the overall quantity of crap, for lack of a better word, on the website. The end result would be a better experience for Facebook users, and who can argue with that?