If you use Facebook but don't want your personal information leaked all over the Web, you had better make sure you don't use any of Facebook's most popular apps. According to an investigation by the Wall Street Journal, "tens of millions" of apps on Facebook transmit varying amounts of identifying information to their own personal ad servers, even in cases when users' profiles were set to completely private.
On the most benign level, many Facebook apps gather a user's Facebook ID if that user installs the app on his or her profile. The ID itself doesn't necessarily give anyone access to a user's protected profile, though if the person in question has a public profile, then all of that information could be (and undoubtedly is being) scraped.
For other apps, however, the data collection apparently doesn't stop at a user's ID. The WSJ claims that all of the 10 most popular apps collect some form of user data, and three of them—yes, Farmville included—also transmit personal information about a user's friends to outside servers. One company, RapLeaf Inc., was found to be linking Facebook ID information with its own database of users that it cross-checks from other parts of the Internet. The company collects this information through several of its apps, including those made by LOLapps and the Family Tree application, then sells the information to at least 12 other ad firms.