“One of the most important things that Facebook can be doing is looking for new threats in real time,” Weinstein says. “You can stay ahead of that by detecting new patterns of malicious activity and stopping them before you’ve determined malware is present.”
A crucial security feature that Facebook has not yet fully implemented, Weinstein points out, is default encryption (as denoted by Web addresses starting with “https” rather than “http”). The older, unencrypted http connection leaves someone logging in via Wi-Fi at a Starbucks, for example, at much greater risk of having his or her information intercepted by anyone else on the same network.
Last year Gmail moved to https as the default setting. But Facebook currently offers it only as an option. This is problematic, says Weinstein, because “the people who are most likely to need the feature are the least likely to know they need to turn it on.”
In an e-mail statement, Facebook said it is “making progress daily” toward default encryption. “We continue to work towards making this setting a default feature as soon as possible,” the statement said, but it noted that this requires ironing out site stability and speed issues. Facebook is also working with app developers so that encryption works across the site.
But Bruce Schneier, a cryptologist and security expert with BT Counterpane, points out that Facebook’s ultimate product is your data, which it uses to sell advertisements. “I think the biggest danger of putting things on Facebook is Facebook,” he says. “Facebook knows all of your stuff, and they sell it. It’s like handing your money to a thief who says ‘Nobody else will get your money.’ If you want Facebook security, don’t be on Facebook.”