Thanks to Facebook's Open Graph API (which simplifies the development of third-party applications that interoperate with the social networking site) and social plug-ins (which essentially splash Facebook's "Like" button all over the Internet), people who are interested in your data are getting a chance at a much choicer cut of it. (For more, read "How Facebook Plans to Dominate the Web.")

Additionally, Facebook's Instant Personalization Pilot Program, which the social network introduced this spring, was the wake-up call for many users who had been ignoring the concerns of privacy watchdogs. In response, Facebook updated its privacy settings in late May, to some praise--and confusion.

Read on to see who's getting a look at what you do on Facebook. You're sharing more than you think--and you might be surprised at what your data is worth.

Facebook itself
It goes without saying that Facebook has unrestricted access to everything you do relating to its site, and its growing collection of profile data, preferences, and connections is prompting some experts to estimate the value of the site beyond the GDP of some countries.

For instance, a Mashable article reported that SharesPost, a marketplace for shares in privately owned companies, suggested an $11.5 billion value for Facebook, versus a $1.4 billion value for Twitter and a $1.3 billion value for LinkedIn.

"You've filled out the biggest survey in the world for Facebook, and you didn't even know it," says Cappy Popp, founder and principal of Thought Labs, whose Doorbell application is one of the top 100 most-used apps on Facebook. "You can't put a price on it because there's never been anything like it," Popp says of the user data that Facebook could accumulate over the next few years.

Everyone else
A quick look through the Website Openbook, which allows users to search for embarrassing Facebook status updates that anyone can view, shows the volume of people whose accounts are set to broadcast status updates to everyone. Some Facebook status updates reveal far too much.

For instance, a search for "cocaine" or "drunk" in Openbook's search field yields status updates such as "Cocaine is a man's best friend" and "I'm so drunk right now need to go to bed." (Note: Despite its resemblance, Openbook is not part of Facebook.)

Are these updates just jokes? Are they statements taken out of context? They could be either. But slapped next to a name, gender, and profile picture (information that Facebook requires to be public), they create an impression. And it could cost you.

Facebook's Instant Personalization partners
One day in April, registered users of Pandora and Facebook launched their favorite online radio station on Pandora's site and discovered that they could now see which of their Facebook friends liked the artists and songs they were hearing.

For that to happen, the users either purposely or accidentally passed by the opt-out bar for Facebook's Instant Personalization Pilot Program, for which Pandora, Yelp, and Microsoft were launch partners. The same thing happened to readers of MSNBC, who were surprised to find information on stories recommended by their Facebook friends pop up on the news Website.

Instant Personalization allows selected Facebook partner Websites to access your data and tailor content to your tastes. With Instant Personalization activated, your Facebook information is available for access the moment you arrive on partner sites. When the program launched in April, Facebook automatically activated it for all users. However, a privacy uproar forced the company to revise its policy, and Instant Personalization is now optional for users.

"A number of people have reported to me that this feels a little weird to them," says Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation, about Pandora's Instant Personalization implementation. Pandora declined to be interviewed for this story.

How Instant Personalization works
The implications of Instant Personalization are more serious than your discovering your boss's love for '80s boy bands. Partner sites can work with Facebook to learn a whole more about you than what you may have told them directly.

Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation, says the Instant Personalization partner sites use JavaScript code and Ajax calls to get personally identifying information about you from Facebook. So if you already had an account on the Instant Personalization partner site, that site can now see your Facebook information and your existing account information at the same time.

"[The Facebook partner sites] would see the usual cookie that they set in your browser, and the one that Facebook's API constructs using Ajax, simultaneously," says Eckersley. "The design of the Facebook API clearly anticipates that the Website will do this."

Next: Why playing FarmVille may not be in your best interests.

Application developers
Facebook applications are fun. According to All Facebook, which calls itself the "Unofficial Facebook Resource," the site's Facebook Application Leaderboard of applications with the highest monthly users shows that a variety of games--including Zynga's FarmVille, Texas HoldEm Poker, and Café World--make up more than half of the top 20 applications.

Once you accept an application on Facebook, it gets an all-access pass to your profile data. The application runs through an iframe (inline frame), a widely used HTML element that lets a site embed its content onto Facebook's site.

As a result, you're sending data directly to the third-party application's servers. Previously that server was required to refresh its Facebook data every 24 hours, but as of the April F8 conference, Facebook did away with that requirement. As a result, the outside parties can store user data for longer periods before refreshing it.

"You've authorized that application to do whatever it wants to do," says Thought Labs' Popp.

And even if you don't use Facebook applications, your friends do.

Unless you've gone into the 'info accessible though your friends' portion of Facebook's Applications, Games, and Websites privacy settings, your friends are taking your profile information with them on their farming and gambling adventures--without your knowledge, but in most cases with your tacit consent. (For some advice, read "Facebook's Social Web: How to Protect Your Privacy.")

Game applications are big business. For instance, FarmVille maker Zynga is reportedly valued at as much as $4 billion. Plus, Facebook just revamped its Insights dashboard, which page owners and application developers can use to obtain data and graphic visualizations about social plug-ins and integrated site content to better understand their return on investment for using Facebook.

Hackers and worms
Right now it's hard to know the worth of user data shared through Facebook's Instant Personalization since the program is so new, but in the wrong hands such information could represent a large chunk of change.

A May article on TechCrunch reported a proof-of-concept exploit on Yelp that took advantage of cross-site scripting to grab Facebook addresses and other information. The exploit's author was a security consultant looking to prove a point. Yelp, which declined to be interviewed for this story, patched the vulnerability. No user data was stolen.

But other, genuine security threats are thriving on Facebook. The Koobface worm has been lurking on Facebook since 2008, growing more sophisticated with its ability to create an account, friend strangers, and join groups.

And on Memorial Day weekend, hundreds of thousands of Facebook users encountered a clickjacking worm that duped them into "liking" pages that led to the installation of malware for perpetuating the worm's spread.

"The biggest danger that I can see is that they get your log-in credentials," says Beth Jones, senior threat researcher at Sophos Labs. The intruders can gain access to information such as mobile phone numbers, partial credit card numbers, and billing addresses stored in the Payments section of Facebook's account settings.

Unless you've gone into the 'info accessible though your friends' portion of Facebook's Applications, Games, and Websites privacy settings, your friends are taking your profile information with them on their farming and gambling adventures--without your knowledge, but in most cases with your tacit consent. (For some advice, read "Facebook's Social Web: How to Protect Your Privacy.")

Game applications are big business. For instance, FarmVille maker Zynga is reportedly valued at as much as $4 billion. Plus, Facebook just revamped its Insights dashboard, which page owners and application developers can use to obtain data and graphic visualizations about social plug-ins and integrated site content to better understand their return on investment for using Facebook.

Hackers and worms
Right now it's hard to know the worth of user data shared through Facebook's Instant Personalization since the program is so new, but in the wrong hands such information could represent a large chunk of change.

A May article on TechCrunch reported a proof-of-concept exploit on Yelp that took advantage of cross-site scripting to grab Facebook addresses and other information. The exploit's author was a security consultant looking to prove a point. Yelp, which declined to be interviewed for this story, patched the vulnerability. No user data was stolen.

But other, genuine security threats are thriving on Facebook. The Koobface worm has been lurking on Facebook since 2008, growing more sophisticated with its ability to create an account, friend strangers, and join groups.

And on Memorial Day weekend, hundreds of thousands of Facebook users encountered a clickjacking worm that duped them into "liking" pages that led to the installation of malware for perpetuating the worm's spread.

"The biggest danger that I can see is that they get your log-in credentials," says Beth Jones, senior threat researcher at Sophos Labs. The intruders can gain access to information such as mobile phone numbers, partial credit card numbers, and billing addresses stored in the Payments section of Facebook's account settings.

Despite waves of privacy backlash, Facebook continues to thrive and to look for new ways to make money for itself and its partners. To do that, Facebook will continue to leverage its biggest asset: you.

"Facebook is a business. I don't think they have any ill will toward anyone, but they're going to do anything they can as a corporation to be successful," says Popp. "The onus of privacy is on the person using the Web."