You're assuming the friends gave the information knowingly.
Most people have no idea what modern image recognition and data mining techniques can do, and many don't understand what they are really agreeing to when they let some on-line service scan their address book.
I've never quite figured out how compiling shadow profiles doesn't violate all kinds of data protection laws in at least much of Europe, but our regulators seem to be gunning for Google at the moment rather than Facebook.
It is still personal data and theoretically regulated in Europe at least. It is hard for me to see how the information about non-users is legitimate from my understanding of UK data protection law but maybe they just stay inside the Irish law (which I know even less about).
Maybe so, but does a Facebook app uploading my phone number from a friend's phone to their servers, or turning on my friend's microphone while we are having an otherwise-private conversation, count as "freely posting"?
They've introduced an optional feature that records media around you. Based on their past record of changing defaults, I think it's a reasonable possibility that this feature will be turned on by default in the future.
