An open letter to Facebook about safety and privacy

Filed Under: Data loss, Facebook, Malware, Privacy, Rogue applications, Social networks, Spam

Facebook and padlockDear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:


No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.


It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.


We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?


Naked Security

, , , , , , , ,

You might like

71 Responses to An open letter to Facebook about safety and privacy

  1. caledoniadreamn · 1598 days ago

    they could do more to protect our pictures from being copied too :(

    • No, they really couldn't. In order to view a picture, your computer has to download a copy of it from Facebook. At that point, there isn't anything Facebook can do to prevent you from keeping that copy on your computer or uploading it again to a different account. Sorry.

      • WRONG
        it is easy to disable right click with javascript.
        another option is to put transparent gif over a table cell where the background is the image

        • Matt Andrews · 1598 days ago

          If a user can see an image on the screen, they can save a copy of it. Those methods might deter basic web users but anyone with half an ounce of determination can quite easily get around them.

        • Still winds up on your computer though, any chump can open Chrome's developer tools and get the url directly. Also, any API requests will need the picture URL.

          My suggestion is, that will help you find the photo out there. Better still, adjust your privacy settings.

          • JBucky · 1597 days ago

            Alt, Print Screen will always get someone a copy if they really want it. There's no editing but a pic can easily be enlarged.

        • Mark · 1597 days ago

          You can also just hit Print Screen if you're running Windows then Paste into any graphics package.

    • What, you expect THAT to stop picture copying? Are you serious??

    • Rebecca · 1597 days ago

      There are free watermarking programs out there, including piccsa watermark your pictures, harder for them being passed off as someone elses

  2. Item 2 is more than just a little funny and item 3 is almost pure comedy. How many sites do you browse that use https all across their site other than your bank's site? Stop reading the newspaper or any legitimate news source because they're not https and teh h4ck3rz will attack everyone who just clicks on the conservative blogs!!!

    Amazon's not https till I'm ordering. CNN is not https. Blogspot, WordPress, Toys R freakin' US are not https.

    • Lateral · 1598 days ago

      I look forward to stealing your cookies with Firesheep and then logging into Facebook as you next time we're in the same Starbucks.


      • He's right. A single request to without HTTPS can cause anyone snooping on your connection (which is not difficult) to forge a request and impersonate you, thereby literally achieving anything they want on your facebook account.

    • As soon as you log on to amazon they do use https. CNN, blogspot and wordpress do not need https because you're not transferring any private data. Nonetheless everything on the web should be https. You don't want everyone to know what you do right ?

  3. Totally agree regarding number 3, 2 would be nice as well, but I'd imaging unlikely. Not so sure about 1 though.

    It would be great from a users perspective, except that all the features that facebook users enjoy are funded by their ability to share and monetise user data. If users had to opt in to new ways of FB sharing data, they never would (if most don't opt out at the moment, nobody will be opting in!). This disables facebook from every being able to evolve their monetisation strategy, so long term leaves things wide open to competitors. Users have to understand that anything they enter into facebook (even clicks) is fair game for them to make money off. Either that, or don't use facebook!

    • anon · 1597 days ago

      Their monetisation relies solely on adverts and those don't depend upon sharing of information. If their revenue depended upon sharing and monetisation of my information that would mean they are selling my information to advertisers and other third parties breaching their privacy policy. I would agree with sharing with friends by default but past that it should be disabled by default.

    • Dan · 1596 days ago

      If Opt-In is unrealistic, at least users should be asked. Have have a pop-up question, Do you want this new feature? Facebook would get a lot of people saying yes but the (possibly insecure or not private) feature wouldn't slip in under the radar.

  4. 2 out of 3 · 1598 days ago

    I agree with all but one: "2) VETTED APP DEVELOPERS" if they do this they will become as closed and as useless as Apple IMO. People like myslef that have a FB application would no longer be able to (easily) develop for FB.

    • Mrs. W · 1598 days ago

      Ok. How 'bout not being in cahoots with known unscrupulous app developers like Zynga?

      How about checking to make sure that the top ten most commonly used apps are not doing things that are against your ToS?

      In other words, how about trying at all?

    • appman · 1596 days ago

      LOL....that's quite an opinion....that the largest most diverse app store in the world(Apple's) is closed and useless....I assume they wouldn't accept your app. ;)

  5. Robin · 1598 days ago

    I quite agree but would add: Facebook's user interface is riddled with usability issues. Where this has greatest impact is in the account and privacy settings. I would like to press facebook to provide a privacy console which even my 77-year-old mother could use, instead of burying life-altering choices in the depths of a bewildering labyrinth of poorly-labelled checkboxes and submenus. It's your duty to user-test when you have an audience of 600 million.

  6. Steve · 1598 days ago

    user approval of picture tags (in the same way you approve friend requests) should also be added.

    • Jimbo · 1597 days ago

      How is that in any way a security concern?

      • Steve · 1597 days ago

        Privacy concern

        • SecBoy · 1596 days ago

          There was a recent clickjacking/likejacking scam where an app was tagging friends in photos of semi naked girls saying "check out what this girl does" the user then had to install the same app to "view the content" but not before having to fill in a few surveys thus giving away personal info. Similar one here:

    • theopeneye · 1472 days ago

      Oh, and don't share s*** with people who have send me a request that I haven't accepted yet, I haven't cause of good reasons and I do not wish to share anything with these people.

      It has happened to me, many times that I added someone to my fb and I could directly see their updates in my newsfeed. I don't think any of them realised cause I wasn't able to comment on their updates. I could even read the private updates of a famous dutch actress by just sending a friend request.

      Someone knows how this happened and what to do about it?

  7. johnsweeney09 · 1598 days ago

    I agree they need to do more. I have been telling them this for months & even said so in my blogs as well and even gave them some ideas on things they could do but no response. The big thing is Vetting the Apps, if they did this they would eliminate 80 % of the spam issues across the site.

    I hope they learn before it is too late.

  8. Lateral · 1598 days ago

    How about if users could delegate the decision about what to trust and what not to trust to a 3rd party app produced by a trustworthy vendor?

    By specialising in this way that 3rd party vendor could afford to invest significant resources into a database of known bad apps with perhaps a bit of heuristic matching to help detect previously unseen hostile apps that look bad.

    I suppose then though you'd have the problem of the bad guys offering something bad that masquerades as a trustworthy security app.

    So you'd need a vendor who's already known and trusted. Probably one in the computer security space already.

    I suppose if they weren't well known then they could draw attention to themselves by dressing in an orange wet suit and staring in a series of YouTube videos.


    • hooloovoo42 · 1598 days ago

      Anytime someone sends me something that I click on and get a screen saying "this app will access all your data and come round and snoop in all your drawers and cupboards at home, do you want to continue?", I click the "No, bugger off!" button and don't need to worry about it. Why do we need to develop an app for that, other than people are stupid?

      • liviya · 1597 days ago

        it's such a shame common sense and the ability to think for one's self is completely dead

    • -kg- · 1597 days ago

      And how is the developer of such an app going to be paid for its development and, even more importantly, its continual maintenance, including continually updating its database of "bad apps"? You know that's going to have to be done, and maintenance of the database would be time- and man hour-intensive.

  9. There needs to be a browser or OS setting for HTTPS-only on specified domains. That way, all requests would be sent over HTTPS, and we wouldn't risk someone accidentally linking us to an insecure version.

  10. t.j. · 1598 days ago

    when you're business plan involves scamming people into clicking on ads and selling their data, i'd have to say thats flawed! the bubble is going to burst soon as a new decentralized network is going to show up and everyone but your parents will be using it, once they get there it will be onto something new...3 years ago myspace was huge, where are they now?

  11. sharp_azn · 1598 days ago

    I agree, you have my vote!

  12. Matt · 1598 days ago

    Can't agree with HTTPS everywhere, the overhead of putting all traffic through HTTPS would be too high.

    Yes, it has been proven (firesheep) that you need https on an insecure network, but for anything not open to casual interception, it's a waste putting all traffic through the overhead.

    As for apps, FB apps have been proven time and time again to be a cesspit.
    Vetting of apps or app developers is sorely needed. If we really don't want to lose developers who cannot afford (as it would invitably have some cost) the vetting, then there should be a setting, that defaults to using/seeing verified apps only, and which can be changed, subject to DIRE warnings, to see all apps. And the app permissions dialogue should show if the app is verified, or warn that unverified apps may be harmful.

    Alternatively, automated sandbox testing and maybe a pool of volunteers to check apps before they go live.

  13. meh · 1598 days ago

    saving images is easy use print screen, no protection can stop it, i the fuss of using java messages right click is disabled is useless, print screen, paste works everytime use simple editing software to crop the image out,
    if they make everything https, are they going to include the useless games and apps in https, i like the fact that the uneeded is not available on https, keep the two seperate, plus it has to be aknowledged that facebook is not responsible for idiots, if you are playing bejeweled or farmville and going on apps to see which star you are or answer a question about someone they wont be able to see the answer for you deseve all you get,
    switch to https, stop using the useless crap that comes with facebook or stop whining when it goes wrong, and really how much information can you get from facebook that you can get from the public domain anyway, if your full details are on there again thats your fault not the responsibility of facebook to hold you hand and spoon feed you weetabix.

  14. Dan · 1598 days ago

    My biggest beef with the https argument is that I switched to it, but then as soon as I use any third party application it requires me to turn it off and then I have to go all the way back through my privacy settings to turn it back on. That's annoying.

    And for the people whining about their pictures and being tagged in photos. Here's 2 things to keep in mind:

    1) Get over yourself, the rest of the world doesn't really cares about what you look like.

    2) Get rid of all your lame friends that don't have the common sense to know when a picture is inappropriate to not only put on Facebook but to tag you in it as well.

  15. Mrs. W · 1597 days ago

    Graham, can you add #4 (perhaps to your next open letter)?

    4. Clearly mark the Exit.

    So many people are under the illusion that there is no way to delete their Facebook account, and that they can only deactivate it. They probably figure, "Well, the bastards already have all my information anyway, and I can't ever leave, so I might as well stay."

    If Facebook is as awesome as they keep telling us it is, then the trickle of people out the door will have only a negligible effect on their business. I think they're scared, though, that if they are honest and open with people that they can leave, their users will do so in droves.

    As far as I know, the option is only available by searching the Help. Interestingly, the permalink to the FAQ on how to delete is broken, but for anyone who wishes to do so, this'll get you there:

    • Miss C · 1597 days ago

      Thank you so much for you're post. It has been very helpful to me.

  16. mike · 1597 days ago

    Facebook has no interest in 'privacy by default'. That would almost certainly lead to users not sharing anything except with their 'friends' and would kill their abilty to help you find your "friends" through Google, which then entices you to sign up for Facebook. They fear a privacy by-default system....

    • Jonas Frost · 1597 days ago

      The real value of facebook is that you can find, casually browse other people, not only your friends - this should be obvious to Mr. Cluley. To change this is to fundamentally change the business of the big F... I don't think so..

  17. James · 1597 days ago

    I use the Sophos feed to forward all current scam info to my friends on FB. You go to FB's Security page and they just say "watch out for likejacking attacks...etc" Why can they not even publish known threats on the walls of the people that at least "like" their security page? Hats off to Sophos for keeping the imminent threats in the crosshairs.

  18. George Passantino · 1597 days ago

    The only time they'll make a move on any of these things is when there is some sort of negative impact to their revenue stream. When companies stand to lose money is when they listen best.

  19. 'John Caldwell' · 1597 days ago

    Tagging as a true Option.

    As it stands now, Facebook will not allow users
    to shut themselves off from Tagging, instead the
    burden is placed upon the User to 'modify' their
    involvement in the process.

  20. One problem with forcing HTTP by default is I suspect that the majority of APPS won't work. Most apps don't have HTTPS versions and are not recruited too.

    I have 5+ small apps on Facebook myself and only recently added support for HTTPS. It was bit of a hassle. Most hosting is done on shared IPs, so I had to PAY for a new IP so I could run my apps from HTTPS . There was also the hassle of buying an SSL certificate and changing a bunch of my code to work. Some of the older facebook markup also doesn't seem to work in HTTPS, like the fb:dashboard FBML tag. My apps wouldn't load at all until I removed that.

    So because of the extra costs and hassle I can see lots of apps not being ported to https and because people still use these apps, they leave the Facebook https option off.

  21. Catrachito · 1597 days ago

    Well, if Facebook provides all the above features to their users, they would like it, but what would they really learn here? They are completing those surveys as they're noobs. Noobs do it. Its their profile, its their responsibility. Facebook shouldn't take any action against this.

  22. Martin Heckel · 1597 days ago

    I assume, the answer to your question is as simple as it is disappointing: they will not do it voluntarily. fb-users are no customers, but products. We get sold better if it stays as it is.

  23. Ok, so what happened to the old saying "you get what you pay for"? What do people expect? Facebook is free!!!! I would bet if it was a paid for service, it would be a little more PRIVATE!!! People always want something for free!!

  24. Paul · 1597 days ago

    Check out this other open letter to facebook I saw a few months ago... I think it provides some relevant points too...

  25. Sprawl · 1597 days ago

    Wow the author of this article needs to get his head out of his ass. People should protect their own data and stop blaming facebook for their stupid drunken posts.

    • -kg- · 1597 days ago

      There's only one problem with your statement. May I blame Facebook for my Friend's "stupid drunken posts" that violate my privacy? Once they've made them, there's not a heck of a lot I can do about it, now is there?

      • John · 1593 days ago

        How about blaming yourself for having idiot friends? That is certainly not facebook's fault.

  26. securelover · 1597 days ago

    i agree on this
    we have to fight against these intruders
    we support facebook team and we expectiing this soon and recover soon

  27. moon · 1597 days ago

    ... "What part of "it's public" don't you understand?"

    ... "Don't put on the Internet what you wouldn't want to hear in court."

  28. securelover · 1597 days ago

    i agree on this

  29. vangvoo · 1597 days ago

    Dude really does make a LOT of sense.

  30. TTT · 1597 days ago

    I am totally agreed, but I think it is peoples fault, too.
    because they trust too much to facebook, which does not deserve it.

  31. Anyone who's read my blog much will know that I've often been a critic of Facebook over privacy and security issues. But I think it's also important to recognize that Facebook has done quite a bit the last few years to improve the situation - they've addressed several concerns I expressed in a similar list of issues from 2009. Also, Facebook is managing a range of interests at a massive scale, so even seemingly simple changes may conflict with other priorities, impact other features, and require significant time to test and implement.

    I say all that not because I think you'd disagree with me, Graham, simply to add some balance to the perspective of "Why doesn't Facebook do more?" On your specific recommendations...

    1) I've often argued more of Facebook's features should be opt-in, and I agree that it's wrong to assume users want a feature turned on. Of course, Facebook often has business reasons for enabling features by default, and if every feature were optional, users might miss out on useful functionality. Also, the whole concept of "sharing information" can get complicated on social networking sites - and while Facebook has often pushed public sharing, they've also helped pioneer privacy controls. I support the notion of "privacy by default," but how that looks in practice can be difficult to figure out.

    2) Your first sentence in this paragraph would be considered by many to be a great feature. There's certainly a tension between ease of development and security, but I don't think developer approval is the only solution, and it could raise all sorts of other problems - just look at the Apple App Store. Ultimately, this becomes a philosophical question: Is it better to make social features easily implemented, allow innovation to thrive in a more open environment, and allow smaller players easy access to a big market, or is it better to focus on user trust in the platform, police development for potential security issues, and ensure a consistent experience? Facebook has made it clear they favor the latter for a variety of reasons, and changing to more of an App Store model at this point would be very difficult given the ecosystem that's grown around the Facebook Platform - not to mention how it would actually stunt the Platform's growth.

    3) I agree that ideally, HTTPS should always be enabled. But Facebook does have to consider other issues, such as performance and compatibility - it's certainly not a huge hurdle, but also not entirely trivial. And Facebook applications add more complexity, since they'll soon all be hosted on sites external to Facebook. Even if Facebook required every developer to use HTTPS, you still have problems of mixed contexts, different CAs, and varying levels of crypto. Finally, while Facebook could do more in this regard, they've already done much more than many sites by providing the level of HTTPS availability currently offered.

  32. Rob Harmer · 1588 days ago

    Given what Sony has just revealed about data leakage (after a week's delay) then Facebook should be paying very careful attention to the legal implications of prompt disclosure when breaches occur.

    They would be wise to pay attention, and they probably are circling behind closed doors with their own legal counsel.

    On a side note given that News Ltd wants to sell off Myspace, what rights do Myspace users have over security over their data/contact/content details.

    The buyer/s of MySpace will undoubtedly want to access the inherent database details, but what rights do existing MySpace users have.
    None is probably the answer.

  33. Tito · 1587 days ago

    Definitively, this letter is the major bilge that I have read in a lot of time. Ho can a company as Sophos allow that someone writes stupid things!! And of course, nothing to comment about the point 3!! To force Facebook to use always https!!!

    Please, STOP being ridiculous and send a formal excuse!!

  34. I am visually-impaired and cannot see pictures anyway, so I have never posted one on Facebook. However, as a screen reader user I will say that FB is pretty easy for me. But I have had some issues. I posted a blog entry over at about how FB used to be rather inaccessible to screen readers. The main site still is, as it refreshes all the time and screen readers just can't keep up with it. This applies to the more advanced ones also, such as the two screen readers I use on an almost daily basis. I use , and it works pretty well for me although I have had some issues such as links not being found at times when I click on them. Having said all that, I do think the powers-that-be need to take a serious look at their security.

  35. trix · 1544 days ago

    Sign me on...we need to take responsibility for our own security, but, we should be able to trust the people we do business with not to sell everything about us to someone else without our permission. The latest face recognition thing is just one more thing that we should not trust them on.
    Go to your security settings and take control

  36. Kevin · 1542 days ago

    I don't use our Facebook account as much as my wife does. However, I find myself periodically having to dig through account settings to make sure that information I regard as private remains so.

    Imho, the difference between rape and consensual sex is the presence of the word "yes". In the absence of "yes", rape is occurring.

    I am having trouble equating Facebook's actions on facial recognition to a consensual act..

  37. niadin h · 1541 days ago

    You make some valid points, but the sad part is that the majority of people don't even know this much about the social media they spend so much time on. The key to safety and security online is knowledge, and most people don't have the slightest clue! I found this resource to be incredibly helpful in learning and understanding social media, and a valuable resource in keeping my privacy safe online!
    Social Media Education Group

  38. Russell · 1490 days ago

    I am outraged by the inclusion of facial recognition software. Just wait until Law Enforcement, the IRS of the FBI get amongst this., who needs a warrant?

  39. devilwriter666 · 1419 days ago

    I think the ser, is too high on here I can't even add people I know on here. The op, for this a horriable idea. Now I have to wait. For this if this doen't let up I'll keep whoever is on my list. Not going to close it, because of the friend and family I have on here.

  40. mindovermartyr · 1392 days ago

    I don't see how you can legally prevent people from tagging you (on any website for that matter) if your pic gets taken in public, whether you're John Travolta or Joe Soap.

  41. It would be great if they added a feature to allow us to report fraud as I've noticed quite a few cases of people cutting off any watermarks on picture's and claiming it's their own work to get more money. That is a crime in any country and there is no excuse for it, not allowing us to report these offence's are pretty lazy and means both the person who technically stole the work and claims it's their own work can be sued along with facebook itself for allowing it. The only advice any facebook staff give is to message the person about such crimes and ask them to remove it, that is heavily insulting and a childish answer. May be a free site but they are meant to offer some security for their members etc along with any reports given to facebook staff they ignore or say it's perfectly fine even though it clearly breaks their so called rules. Facebook needs a serious wake up call.

  42. Jay · 431 days ago

    You people at Facebook have finally lost the plot.
    I travelled overseas with my laptop and tried to log on to Facebook and got the message “you are logging on with a device we do not recognise” and you stopped me from logging on. It’s the same laptop that I have been logging on with now for over 5 years – so I am not sure why you can’t recognise it (or why you feel the need to recognise it – or how the heck you even attempt to recognise a device. – I mean what other website wants to recognise the device that you are logging on with?). Are you guys “Big Brother”?
    So I gave up until I got back home as this issue has always resolved itself before when I am back in my own country (which is strange as I can’t tell friends and family what I am up to overseas because you won’t allow me to log on).
    After getting back home this time, I find I now have to supply a mobile number in order to re-activate my account otherwise you still won’t let me log on. What the heck is this about? I refuse to have my phone mobile entered on to my timeline for all and sundry to see. I also refuse to give my mobile number to Facebook when I do not use the service on a mobile device. You do not need it to deliver your advertised services.
    It’s bad enough that the amount of email and Facebook spam from your service has increased over the last 2 years and now you want to open me up to getting spammed on my mobile number also. I seriously wonder what your company’s guiding principles are. Your guiding principles do not obviously revolve around your duty or care for your users’ experience.
    So now I can’t get into my Facebook account, because you changed the rules on me (without telling me – hmm thanks for that) and I can’t retrieve all my photos, contacts, message etc. Hey wait a minute that is MY data – so why do you all stop me from accessing something that is mine (not yours).
    As I said, you people have lost the plot and if you continue on the path your company is currently on you will lose users (just like previous social networking sites did when you first came along – yes there were others before you and there will be others after you, especially if you do not wise up).
    I really struggle to understand how you can STOP me from accessing my online information.
    I can only assume that your company is now based in a country that does not take personal privacy on the internet seriously, or that you have just become far too big to give a rat’s arse about your users (ie: your client base, aka your customers who may click on your paid spam). Or is it that you are based in the USA where no-one travels interstate (little lone overseas). Think about the rest of the world for a minute and provide a service that works for everyone, taking into account the differences in culture around the world and that make it easy for the rest of world (who are very globally mobile) to use your services.
    This customer experience is very poor.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley