



This post describes a checkbox to hide or show the list on your profile page. It goes on to say that regardless of the setting, the friends list is now public information. That means that even if you choose to "hide" it, anyone can hack a URL to insert your Facebook ID and see your friends list. It's a confirmation that privacy regarding friend lists is gone, which is really unfortunate.


My impression is that this change was actually driven by implementation feasibility - for reasons I'm not completely clear on, search indexing and the interface could not unambiguously respect privacy for friend lists (since so much of the indexing depends on what paths are reachable). The choice, then, was to be upfront about the lack of privacy in this respect, or to just hide it from profile and pretend it was private. Facebook chose the former.


I'm sorry, but there could be no "implementation feasibility"-based justification to make this data public. The same check to determine whether to grant access to a single status update could be used to determine whether to grant access to a friend list.

It's true that someone could figure out a partial list of who you were friends with by spidering the friends lists of others who had chosen to share their list, but that is no justification for removing privacy.


I don't know the actual details here, so I can't really comment.

Re your second point though: I think it's much more important that people understand where they really stand in terms of what is private, even if that isn't everything they'd like - as opposed to discovering later that something they thought was private could be accessed via a workaround.


That's like saying "Well, since it's possible for someone to social engineer the password of my server, I might as well remove the firewall, switch to telnet and chmod everything to 777."

It's important to tell people to know where they really stand in terms of privacy, and then continue to do your best to protect it. The fact is that privacy - like security - is not a binary. It's something that you protect with various overlapping strategies that reduce the risk as much as possible. Few people expect Facebook to provide them with total protection of their data; instead, they expected them to do the best they can. And that's what Facebook has done for the past five years; they went far beyond anyone else in terms of protecting privacy, and even after they were miles ahead of the competition, they continued to improve it. Now they've destroyed all of that progress in the scope of a few days.


It's a question of how difficult the workaround is. In this case, I think it maybe had to do with showing mutual friends in search results - not showing them made the results very difficult to pick through, and showing them was a privacy flaw. This isn't a very effective protection. I believe that the basic idea of protecting privacy as far as possible has not changed, but of course I'm going to say that :)


[deleted]


Yeah, I think it's clear that friend lists are public information (unless that's not what you're getting at). The discussion was whether this should be the case.



