It's 2007 and a well funded company like Facebook can't implement secure RSS feeds (RSS feeds served over SSL and protected by HTTP Basic Authentication). Aaargh how many years have we been blogging about the need for secure RSS feeds and that security by obscurity doesn't work? (Answer: since at least 2004) (And I am not impressed by the Facebook Chief Privacy Officer's apologia; sorry the technology exists, 37 signals does it for example with Basecamp so implement it !). If RSS feeds over SSL with HTTP basic authentication are too much of a technological challenge :-), allow the feed URLs to be revoked like flickr does for its guest pass URLs.
So where’s the data leak? Here’s where. These feeds are public. All one needs in order to view and use them is the feed’s URI. There’s no requirement that a reader or user of the feed be the “friend” of individuals whose data is in the feed, or even that the person be logged into Facebook. Are you following me?