The problem with the Facebook Platform
The Facebook Platform lets Facebook users add gadgets to their profiles and play with third-party applications without leaving the Facebook site. It's been a wild success: the most popular Facebook applications have around 24 million users, and competing social networking sites have moved to create their own imitation platforms. However, although these open platforms enable cool features, they also pose serious privacy risks.

When Jane installs a Facebook application, the application is given the ability to see anything that Jane can see. This means that the application can request information about Jane, her friends, and her fellow network members. The owner of the application is free to collect, look at, and potentially misuse this information. The Facebook Terms of Use agreement tells application developers not to do this, but Facebook has no way of finding out or stopping them.

Users view their profiles on social networking sites as a form of self-expression, but these profiles also have commercial value to marketing companies, competing networking sites, and identity thieves. Data mining through the development platform can potentially affect more people than screen scraping, because it exposes information that might otherwise be hidden (i.e., users with "private" profiles may still install applications).

The problem with the Facebook Platform
If a user wants to install an application, she must grant that application full privileges. Privacy settings can be applied to friends' applications, but one standard is set for all applications. There's no way to say, "X gets my hometown but Y only gets my favorite music." The principle of least authority, a security design principle, states that an actor should only be given the privileges needed to perform a job. In other words, an application that doesn't need private information shouldn't be given any.

We (with the help of Andrew Spisak) performed a systematic review of the top 150 Facebook applications in October 2007 and examined their information needs.
information needs of 150 top Facebook applications

We found that 8.7% didn't need any information; 82% used public data (name, network, list of friends); and only 9.3% needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7% of applications are being given more privileges than they need.