"We are glad to see that Facebook has taken steps in the past weeks to address some of its outstanding privacy problems," the letter said. "However, we are writing to urge you to continue to demonstrate your commitment to the principle of giving users control over how and with whom they share by taking these additional steps."
Participating groups included the ACLU of Northern California; the Center for Democracy and Technology; the Center for Digital Democracy; Consumer Action; Consumer Watchdog; Electronic Frontier Foundation; Electronic Privacy Information Center; Privacy Activism; Privacy Lives; and the Privacy Rights Clearinghouse.
The recommendations include allowing users to decide which applications access their personal data; making instant personalization opt-in by default, instead of using its current opt-out format; and giving users control over all the information they can share over Facebook, including name, profile picture, network affiliations, and gender. Today, Facebook users must make this information public and users cannot choose to hide their profile photo or gender, for example.
"One issue that must be resolved is the 'app gap': the fact that applications and web sites that use the Facebook Platform can access a user's information if that user's friend -- and not the user herself -- runs the app or connects with the site," the letter said. "Facebook's latest changes allow users a 'nuclear option' to opt out of applications entirely. While this is an important setting, it is not adequate for meaningful control. Facebook users should also have the option to choose to share information only with specific applications."
The recommendations also returned to a familiar theme: That of third-party sites and privacy. Facebook should not keep information about specific visitors to third-party sites that use social plug-ins or Facebook's like button unless users specifically opt to interact with those tools, the letter stated.
"What has gone largely unannounced is that these plug-ins provide Facebook with information about every visit to the site by anyone who is logged in to Facebook, whether or not the visitor ever interacts with the plug-ins or clicks on the 'like' button at all," the group wrote.
In a year that already has seen several widely publicized attacks on Facebook users -- including an adware infection in May -- the advocacy groups recommend that Facebook use an HTTPS connection, by default, for all interactions to protect Facebook users from other threats. And users who become disenchanted with the site should be given simple tools that enable them to remove their information from Facebook, the letter said.
"Facebook users communicate a wealth of private information -- from personal messages and photos to the content they share with just a few friends -- on the service. However, by default, this information is sent over the Internet in unencrypted fashion, potentially allowing it to be intercepted by other parties," the letter said.