[JimmyAustin]

From https://www.facebook.com/terms.php, item 2.3

When you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)

You gave access to your friends, who then authorised access to the application.

[rhizome]

Let's see what the readability of the FB TOS is, using a random Googled analyzer, in this case https://readable.io:

Readability Grade Levels

A grade level (based on the USA education system) is equivalent to the number of years of education a person has had. A score of around 10-12 is roughly the reading level on completion of high school. Text to be read by the general public should aim for a grade level of around 8.

    Flesch-Kincaid Grade Level  12.6
    Gunning Fog Index           13.9
    Coleman-Liau Index          11.8
    SMOG Index                  14.9
    Automated Readability Index 12.4
    Average Grade Level	        13.1

Text Quality:

    Sentences > 30 Syllables  80  53%
    Sentences > 20 Syllables 115  77%
    Words > 4 Syllables       37   1%
    Words > 12 Letters         2   0%
    Passive Voice Count       17   1%
    Adverb Count             116   4%
    Cliché Count               0   0%

[Xylakant]

The whole point is that you cannot meaningfully consent to give out information about your friend since they’d have to consent to that. Even acknowledging they exist and are your friends is already information. To make matters worse, the v1 API would happily hand out information about your friends, such as their likes without _their_ consent. Not your privacy is breached - theirs is. And there’s no way user A can meaningfully consent to have user B’s information exposed.

[downandout]

It was yours to share because it was shared with you.

[Xylakant]

That's just not how it works. Apps could for example request access to all messages. Let's make that a physical world example: I write you a letter that contains private details. Are you free to share this letter with third parties? The established legal precedent is clearly "no, not at all." Another example: I allow you to peek into my diary. I shared my private thoughts with you. Are you now allowed to go out and trumpet those out in the world? No, not by any standard. So the default assumption is that things shared privately are private, not public. There are cases where a higher good allows to breach that assumption, but "financial gain" has never been accepted as a higher good in such cases.

Failing to honor that assumption is facebooks fault here.

[downandout]

That's just not how it works

Actually, that is how it works. Unless there is an NDA in place between you and I, I can share anything you choose to share with me, especially in the context of a social network where we both agreed to and are bound by the same TOS where we authorized exactly this kind of sharing.

[icebraining]

In what jurisdiction? That's not true in the EU (even pre-GDPR), where Facebook also operates.

[rhizome]

My heuristic is that if they don't make it clear what jurisdiction they're talking about, they're talking about the US.

[pjc50]

Not in GDPR land.