I never realised I could have had a scoop
In a former life, I did some facebook app coding, mainly just for 'fun', about 7 or 8 years ago.
What data you could grab (including "friend of friend"...) was never hidden in any way. It was the norm. No special handshake, no secret societies.
I wrote one 'fun' app that gathered stats for a user on all their friends, and collated it - nothing they couldn't do manually, and I never kept copies of the data (though obviously I could have)
Very few users (less than 1%) had 'friend of friend' disabled... I think the setting may have been called 'allow friends third party apps access to the same data as your friend has'... well, something more catchy, less descriptive, and more hidden.
Basically, if a user was savvy enough to disable this access, when a friend of theirs used my app, the only info I could received was the friends name and id - not the full information the user could retrieve directly.
So, you sorta needed 'friend of friend' capability to be able to write apps with a similar access ability to native facebook functions. But even so, it was bound to be abused in the way that has now been revealed. It was staggeringly obvious immediately, and should have never existed.
So now they are saying "we expected the data to be used for the users experience and not mined" - really? Bollox.
Basically, if they cut off that access, they'd severly restrict what profile-related things legitimate apps could do, and they knew it, so whilst they didn't want the things that cambridge analytica did (after all, why would they want to give away millions of user data for free?) I guess they thought it was a risk worth taking, or a price worth paying.
But to claim that they didn't think people would do it because it's against their AUP... What next? Facebook exec. fall for 419 scams, phising emails, or forward junk emails to 1000's of people because for every one, Bill Gates will donate a kidney? Get real.