The Canadian Privacy Commissioner recently completed an in-depth review of Facebook after receiving a wide-ranging complaint about the privacy practices and policies of Facebook.
I won't go into the details here, I suggest you read the report yourself. It is a good read and has stirred discussion both here in Canada, the US, and around the world.
Not discussed, but I think equally important is the lack of identity "proofing" in these systems. There have been all sorts of reports of celebrity impersonations and now instances of kids creating profiles of their friends or teachers (for good or bad purposes). Since there is no identity-proofing in these systems, there is nothing to stop one person from spoofing another person - except for maybe a use agreement. Nothing procedurally or technically, except the general honesty of users, protects the rights of the people being spoofed. After all, if imitating people is not allowed in the agreement, that should be enough right?
At first look,social networking sites seem benign and have huge curiosity and networking value for us as individuals. As a society, we've been tending to minimize the privacy issues, saying "social sites don't make much money, let's give them a break." But as we are learning now, social networking sites are subject to the same kinds of criminal activities as the real-world. The possibility for fraud and identity-theft remains huge. Social networking sites need to step up their game and ensure that they know who their customers really are before they can begin to get the privacy of their customers (and those who aren't customers) under control.