The whole point is that you cannot meaningfully consent to give out information about your friend since they’d have to consent to that. Even acknowledging they exist and are your friends is already information. To make matters worse, the v1 API would happily hand out information about your friends, such as their likes without _their_ consent. Not your privacy is breached - theirs is. And there’s no way user A can meaningfully consent to have user B’s information exposed.
That's just not how it works. Apps could for example request access to all messages. Let's make that a physical world example: I write you a letter that contains private details. Are you free to share this letter with third parties? The established legal precedent is clearly "no, not at all." Another example: I allow you to peek into my diary. I shared my private thoughts with you. Are you now allowed to go out and trumpet those out in the world? No, not by any standard. So the default assumption is that things shared privately are private, not public. There are cases where a higher good allows to breach that assumption, but "financial gain" has never been accepted as a higher good in such cases.
Failing to honor that assumption is facebooks fault here.
Actually, that is how it works. Unless there is an NDA in place between you and I, I can share anything you choose to share with me, especially in the context of a social network where we both agreed to and are bound by the same TOS where we authorized exactly this kind of sharing.
