That 'list of friends' meant 'oh, and all of these for all of your friends as well, and by accepting this, you tell us they know about this and they accepted it as well' - in which case, your friends, of course, are not even aware of this.
Please don’t post blatantly incorrect statements like this.
An app that gets a friend list of a user does not get the same access to each friend as to the authorizing user. This should be obvious; if I agree to allow an app to post on my wall and access my friends list, it doesn’t mean the app can post on my friends’ walls from my friends’ identities.
The only information the FB API returns about the authorizing user’s friends is data those friends have made publicly available. In fact, the friends even have the option to configure their privacy settings to exclude them from any “friend lists” given to apps.
Honestly it’s ridiculous... nothing was breached in the CA scandal. Users authorized access to their data, and any data of other people was publicly available and authorized by TOS or (admittedly opt-out) privacy settings.
If you want to stay private online, maybe don’t use a service with the singular business model of monetizing your data.
