Facebook has introduced a number of security improvements aimed at better safeguarding users’ privacy. These enhancements came a day after Sophos published an open letter asking the site to tighten up its security.
By all accounts, Sophos, which did not return TechNewsWorld’s call, was not impressed. Not that Facebook hastily revamped its controls because of Sophos — as it said in a blog post, it announced these tools were coming during President Obama’s White House Conference on Bullying Prevention last month.
Before considering whether Sophos is being too hard — or not hard enough — on Facebook, a look at the changes is in order.
Security Upgrades
For starters, Facebook has revamped its Family Safety Center, seeding it with more in-depth articles for parents and teens, videos on safety and privacy, and other resources. Soon to be unveiled is a free guide for teachers, written by safety experts Linda Fogg Phillips, B.J. Fogg and Derek Baird.
Facebook also unveiled a new social reporting tool that allows people to notify members of their community about items they consider dangerous or otherwise don’t like. This tool will be available for its Profiles, Pages and Group sections.
It is also introducing two-factor authentication to prevent unauthorized access to an account. If the feature is activated, Facebook will ask for a code anytime a user tries to log on from a new device.
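The mechanism described above, a login that is waved through from an already-approved device but challenged for a one-time code from a new one, can be sketched in a few lines. The following is an added illustration written for this page, not Facebook’s code; the in-memory stores, the cookie-plus-user-agent device fingerprint and the HMAC-derived five-minute code are all assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed in-memory stores standing in for a real user/device database.
USER_SECRETS = {"alice": b"constructed-per-user-secret"}
KNOWN_DEVICES = {"alice": set()}  # user -> set of device ids already approved


def device_id(user_agent, device_cookie):
    """Fingerprint a device from a browser-held cookie plus its user agent.
    Simplified assumption; a real service would use a stronger device signal."""
    return hashlib.sha256(f"{device_cookie}|{user_agent}".encode()).hexdigest()


def one_time_code(user, t=None, step=300):
    """Derive a 6-digit code from the user's secret and the current 5-minute window.
    This is an assumed, TOTP-style construction chosen for illustration."""
    now = int(time.time()) if t is None else t
    counter = now // step
    mac = hmac.new(USER_SECRETS[user], counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


def login(user, password_ok, user_agent, device_cookie, submitted_code=None, t=None):
    """Return 'denied', 'code_required' or 'ok'.

    A correct password from a known device logs in directly. From an unknown
    device the caller must supply the current one-time code; once it verifies,
    the device is remembered so the next login from it is not challenged.
    """
    if not password_ok:
        return "denied"
    did = device_id(user_agent, device_cookie)
    if did in KNOWN_DEVICES[user]:
        return "ok"
    if submitted_code is None:
        return "code_required"
    # Constant-time comparison so a wrong code is not distinguishable by timing.
    if not hmac.compare_digest(submitted_code, one_time_code(user, t)):
        return "denied"
    KNOWN_DEVICES[user].add(did)
    return "ok"


if __name__ == "__main__":
    ua, cookie = "ConstructedBrowser/1.0", "constructed-device-cookie"
    print(login("alice", True, ua, cookie))                       # code_required
    code = one_time_code("alice")
    print(login("alice", True, ua, cookie, submitted_code=code))  # ok
    print(login("alice", True, ua, cookie))                       # ok, device now known
```

The device set is only updated after the code verifies, so an attacker holding just the password is stopped at the challenge, and a wrong code never registers the device.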
Facebook is also enhancing its HTTPS security option, so that after a member is finished using a non-HTTPS application on the site, the session will automatically revert to HTTPS.
Sophos found the improvements lacking, according to news accounts, which is understandable from its perspective: Facebook didn’t touch the company’s main complaint, which is that most users don’t even realize HTTPS is an option. Sophos called for it to be turned on by default.
Sophos also asked that Facebook cease sharing information without users’ express agreement and not assume that whenever a new feature is added that users want it automatically turned on.
Furthermore, it asked that only vetted and approved third-party developers be allowed to publish apps on the Facebook platform.
“With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams,” it said in its open letter.
Easy to Be Hard
One issue Sophos didn’t mention was the complexity of Facebook’s privacy controls. The site did a major overhaul of these after one of the periodic outcries over its privacy policies. Apparently, though, the system of controls is still very complex — judging from a recent glitch.
Facebook reportedly sent email notifications to several users who had opted not to receive them. The event raises a worrisome question: If even Facebook can punch the wrong button on user settings, how many consumers are doing so?
A look at the average end-user is imperative for any security initiative, especially one on a site that is as widely used as Facebook, said Eloqua Chief Privacy and Security Officer Dennis Dayman.
“The end-user typically is not smart enough — nor should be — to act as a trained security or privacy person to understand the multiple controls Facebook is giving them,” he told TechNewsWorld. “Many of the users within Facebook are young go-getters who just want to share their lives with their friends and don’t give a second thought as to how they are using the system.”
This attempt at providing security controls for customers is still not what’s needed to be in line with many other SaaS products when it comes to default settings for the end-user, maintained Dayman.
Essentially, users are required to know that the HTTPS setting exists — or that HTTPS exists, for that matter — as well as how it works and what effects it will have on them, he said. “To make matters worse, in my opinion, this is just putting a band-aid on a more serious problem that will continue to [grow] if the true fix is not implemented — proper privacy controls.”
It is good to see Facebook moving toward giving end-users additional security controls, Dayman allowed. However, hijacking of accounts — which is what one of its improvements focuses on — is not the biggest security problem facing Facebook.
“In many cases over the past year, the biggest issue is how end-user data is used by Facebook, their partners, and other third parties — either with permission or without permission,” he said. “It’s important that there be an industry privacy default standard that works to protect the average Facebook user, as they typically don’t know much about privacy controls.”
Also, it’s important to ensure that Facebook itself is adhering to users’ wishes in the first place, added Dayman, and not altering the privacy settings without their knowledge.
What I Had for Lunch
On the other hand, the security industry needs to take Facebook and what it offers in perspective, Robert Siciliano, CEO of IDTheftSecurity.com, told TechNewsWorld.
“Facebook isn’t a bank. It’s a place where people disclose they ate tuna for lunch.”
All of the concerns addressed in Facebook’s security update are valid, he said, suggesting that many of its users are not as fundamentalist in their approach to privacy.
“While Facebook’s security and privacy issues may not be up to others’ standards, they are working for its users,” said Siciliano. “I don’t see a mass exodus because a worm makes its way onto the site.”