Independently from the fact that using Facebook, especially with your real name, is going to be PRISM-read or NSA acquired anyway, as the info is going to be asked to FB directly... they're using the wrong tool.
If you want to be "safe", you only need to use HTTPS, and it's even an option on Facebook to make it so that your entire session always goes through HTTPS. No need to use "HTTPS Everywhere" or anything like it. Adding that kind of stuff actually makes you more vulnerable, as now your "secure" traffic is going through a third-party. One that probably has PRISM sitting right at the exit point.
Fake security is worse than no security at all!