Sophos to Facebook: Make Secure Settings the Default
Modernizing Authentication — What It Takes to Transform Secure Access
Web security firm Sophos has posted an open letter to Facebook taking the social networking giant to task for its ongoing safety and privacy issues.
Sophos security experts outlined three steps Facebook should take to better protect its users and improve overall data security in a post on the company's Naked Security blog. Facebook needs to enable privacy and HTTPS by default and start vetting applications that appear on the site, wrote Graham Cluley, a Sophos senior technology consultant, on April 18.
Several Sophos security researchers regularly address the latest malicious Facebook apps and privacy missteps on Naked Security. Many of the scams are reported by the victims themselves, according to Cluley.
Users frequently ask, "Why doesn't Facebook do more to protect us?" said Cluley in the letter.
Privacy needs to be enabled by default, and Facebook has to stop sharing information without users' express agreement, Cluley wrote. If users want to take advantage of the latest feature or get the partner information, they should be encouraged to opt in, instead of having to manually opt out, according to the letter.
Back in January, Facebook announced that developers would be able to collect users' addresses and mobile phone numbers if users added the developers' application. After a storm of protest, the company backed down and "temporarily" suspended the policy.
"Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on," Cluley said.
When Facebook rolled out HTTPS for users, many security experts, including Cluley, approved the move, However, Facebook should have turned it on by default so that all the users are automatically protected, Cluley said. Without the data being encrypted by default, users are at risk of losing personal information to cyber-attackers.
"Worse, you only commit to provide a secure connection 'whenever possible,'" Cluley said, noting that Facebook should enforce a secure connection all the time for all users by default.
For more, read the eWEEK article: Sophos Demands Facebook Make Security, Privacy Default Settings.