The security firm Sophos issued an open letter to Facebook zeroing in on three steps it says the social network can take to better protect its users: make privacy the default option, vet its app developers and offer secure browsing across the site.

Those three moves would address a lot of the privacy concerns Facebook users have expressed. Default privacy would have avoided problems with the site’s Beacon advertising feature, which shared users’ online purchases with their network; Facebook was sued over the feature and discontinued Beacon in 2009. Facebook apps are probably the prime source for spam on the site, posting unwanted messages and “likes” on user profiles.

And while Facebook does offer secure browsing — a feature that is turned off by default — Sophos said it only offers the secure option “whenever possible.” The firm said that https encryption should always be an option for users.

Those playing devil’s advocate could easily say that it’s not up to Facebook to take care of any of this. It’s a free service and a business, after all, and what you put on the site is completely up to you. No one should be in doubt that the site is looking to monetize your personal information, and it’s a bit naive in this day and age to think that anything you put on the Web is truly private.

Regardless of what you think Facebook’s responsibilities to its users may be, it’s best to always operate under a set of ground rules: If you don’t want everyone to know about it, don’t post it. And if you don’t completely trust something, don’t click on it.
