[pluma]

Sure, it was seen as a social faux pas at the time but mostly because the web was much more personal: companies had no need to do anything nefarious with your data, so they wouldn't have cared, but a lone individual running a random website could potentially know you and ridicule you in front of your friends (especially when it's some random kid at the same university).

What Facebook did was prove that you could make a business out of exploiting those users' personal data without needing to cause obvious harm to them directly (i.e. in ways that were still potentially unethical but 100% legal).

The reason I'm saying he was being unethical at the time is that he saw their misplaced trust as an opportunity to exploit them (initially by snooping for fun, later by exploiting their data for profit). The ethical response would have been to either reject the responsibility (as you describe) or acknowledge it and start thinking about how to protect that data for the users.