What Advice Does a Security Firm Have for Facebook?

Security firm Sophos has penned an open letter to Facebook that minces no words in making its message clear: it is time the world’s most popular social networking site make privacy and security changes. Three changes, to be exact.

“A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’” Senior Technology Consultant Graham Cluley writes to Facebook on the security company’s Naked Security blog, which usually tracks the increasingly frequent scams, privacy breaches and hacks to hit Facebook.

Now the company is using the blog to go directly to Facebook with three recommended changes it says are needed to protect the site’s 600 million users.

1) Make Privacy the Default, Not the ‘Opt-In’

“No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.”

2) Vet and Approve App Developers and Apps

“It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.”

3) Make HTTPS the Default for Everything

“We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.”
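The third recommendation draws a line between “whenever possible” and “all the time, by default.” The following example, added here and not part of Sophos’s letter or any Facebook code, shows what that difference looks like at the web-tier level: one policy serves the page on whatever scheme the client used, the other refuses to serve anything over plaintext, redirects to HTTPS, adds an HSTS header, and forces session cookies to `Secure`. The request dictionaries, the `sample_app`, the hostname `www.example.com` and the cookie values are constructed for the illustration.

```python
from typing import Callable, Dict, List, Tuple

# A minimal WSGI-like shape: an app takes a request dict and returns
# (status line, header list, body). Constructed for this example.
Response = Tuple[str, List[Tuple[str, str]], bytes]
App = Callable[[Dict[str, str]], Response]

# One year of HSTS, covering subdomains, so browsers refuse plaintext on later visits.
HSTS_ONE_YEAR = "max-age=31536000; includeSubDomains"


def harden_cookie(set_cookie: str) -> str:
    """Append Secure and HttpOnly to a Set-Cookie value if they are missing."""
    attrs = [a.strip() for a in set_cookie.split(";") if a.strip()]
    present = {a.lower() for a in attrs[1:]}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def opportunistic_https(app: App) -> App:
    """'Whenever possible' policy: serve on whatever scheme the client used."""
    def wrapped(environ: Dict[str, str]) -> Response:
        return app(environ)
    return wrapped


def enforce_https(app: App) -> App:
    """'All the time, by default' policy: never serve content over plaintext."""
    def wrapped(environ: Dict[str, str]) -> Response:
        if environ.get("wsgi.url_scheme") != "https":
            # Redirect before the application runs, so no page or cookie
            # is ever emitted on the plaintext connection.
            location = "https://" + environ.get("HTTP_HOST", "") + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            return "301 Moved Permanently", [("Location", location)], b""
        status, headers, body = app(environ)
        out: List[Tuple[str, str]] = []
        for name, value in headers:
            if name.lower() == "set-cookie":
                value = harden_cookie(value)  # cookie never leaves over HTTP
            out.append((name, value))
        # HSTS is only honoured by browsers on HTTPS responses, so it is set here, not on the redirect.
        out.append(("Strict-Transport-Security", HSTS_ONE_YEAR))
        return status, out, body
    return wrapped


def sample_app(environ: Dict[str, str]) -> Response:
    """Constructed application that logs a user in and issues a session cookie."""
    return "200 OK", [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")], b"<p>home</p>"


def session_cookie_exposed(policy: Callable[[App], App]) -> bool:
    """Return True if a plaintext request under this policy receives a session cookie without Secure."""
    plaintext_request = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com", "PATH_INFO": "/home"}
    _, headers, _ = policy(sample_app)(plaintext_request)
    for name, value in headers:
        if name.lower() == "set-cookie" and "secure" not in value.lower():
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("whenever possible", opportunistic_https), ("always, by default", enforce_https)):
        print(f"{name:20s} session cookie exposed over HTTP: {session_cookie_exposed(policy)}")
```

The point of the comparison is the first branch of `enforce_https`: the decision is made before the application code runs, so a forgotten `Secure` flag or a page that was not "possible" to serve securely cannot leak anything, because nothing is served on the plaintext connection at all.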

Noting that Facebook is so popular and successful it is “not going away,” Cluley ramps up the pressure on Facebook to adopt the changes of its own accord and “act now for the greater good of all.”

Cluley concludes his appeal to Facebook with what he calls a “simple” question, though it may not be so simple for the social networking giant: “When do you plan to act?”

Do you think the recommendations from Sophos to Facebook are sufficient? Are they accurate? How do you expect the social network to respond to Sophos’s direct approach?