Facebook privacy changes - a missed opportunity?

October 07, 2010 Sophos Press Release

Facebook announced yesterday that changes are coming soon to the Facebook interface, in particular to the 'Groups' system. According to CEO Mark Zuckerberg, Facebook will, for the first time, make it easier to share information with smaller and more intimate groups of "friends".

Among the changes announced, Mark Zuckerberg revealed tighter control over 'Groups' and a dashboard within the Facebook privacy interface that shows which Facebook applications have access to users' data.

Computer security experts at Sophos, however, are concerned that although these changes suggest a step in the right direction towards protecting personal information online, they may add complexity, rather than improving online safety.

Paul Ducklin, Sophos's Head of Technology, Asia Pacific, argues that the latest changes implemented by Facebook may well simply be another missed opportunity to get the fundamentals right.

"Adding more security-related dashboards, buttons and knobs is a start, I guess," says Ducklin. "But I, and many others, think that Facebook would do better to make a real grassroots change to its security."

Ducklin wants to see Facebook adopt a completely opt-in model, in which you can sign up as easily as you can today, but can't do much at all on the site until you have decided to open up each feature. In a poll conducted by Sophos earlier this year*, 93% of those asked said that they would prefer to "opt-in" rather than "opt-out" of sharing their information with others.

"No doubt Facebook shareholders looking forward to the IPO will want to maximise the number of users and the openness and availability of the information posted," continued Ducklin. "But Facebook is influential enough now, I reckon, to make bigger long-term gains by getting ahead of the regulatory curve than by waiting until legislators force them to change their opt- in/opt-out attitudes."

More information can be found on Paul Ducklin's blog.

* Poll source: Sophos, May 2010.