Great. So far so good. Where was the part where I agreed they could harvest my profile information because a friend filled out a quiz/questionnaire/etc.?
When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)
You gave access to your friends, who then authorised access to the application.
Let's see what the readability of the FB TOS is, using a random Googled analyzer, in this case https://readable.io:
Readability Grade Levels
A grade level (based on the USA education system) is equivalent to the number of years of education a person has had. A score of around 10-12 is roughly the reading level on completion of high school. Text to be read by the general public should aim for a grade level of around 8.
Flesch-Kincaid Grade Level 12.6
Gunning Fog Index 13.9
Coleman-Liau Index 11.8
SMOG Index 14.9
Automated Readability Index 12.4
Average Grade Level 13.1
The whole point is that you cannot meaningfully consent to give out information about your friend since they’d have to consent to that. Even acknowledging they exist and are your friends is already information. To make matters worse, the v1 API would happily hand out information about your friends, such as their likes without _their_ consent. Not your privacy is breached - theirs is. And there’s no way user A can meaningfully consent to have user B’s information exposed.
That's just not how it works. Apps could for example request access to all messages. Let's make that a physical world example: I write you a letter that contains private details. Are you free to share this letter with third parties? The established legal precedent is clearly "no, not at all." Another example: I allow you to peek into my diary. I shared my private thoughts with you. Are you now allowed to go out and trumpet those out in the world? No, not by any standard. So the default assumption is that things shared privately are private, not public. There are cases where a higher good allows to breach that assumption, but "financial gain" has never been accepted as a higher good in such cases.
Failing to honor that assumption is facebooks fault here.
Actually, that is how it works. Unless there is an NDA in place between you and I, I can share anything you choose to share with me, especially in the context of a social network where we both agreed to and are bound by the same TOS where we authorized exactly this kind of sharing.
There is a setting to globally disable and enable all apps. If you disable it, no apps can see you, even if your friends use the app. Facebook actually has tons of settings - discoverability is a big problem
And they change all the time, often resetting defaults. And without notice. Playing “respect
my privacy” whack a mole with a billion dollar company grows old quickly.
When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)
You gave access to your friends, who then authorised access to the application.