Many of my friends were surprised when I signed up for Facebook. "Why would a privacy advocate put personal information online?" they asked.

"For the same reason that people use the Internet for e-mail or pick up a telephone to make a call," I explained. "It's very useful. Of course, there are real privacy issues. We should understand them and fix them."

Today Facebook is both very useful and a genuine privacy threat. At No. 5 on the Alexa list of most popular Web sites in the United States, it is closing in quickly on its rival MySpace. And, as the commercial use of the network has increased, so too have the privacy problems.

The network has grown quickly from 2004 when it started at Harvard and a few other schools as an online version of a college yearbook. In early 2006, high school students signed on and then so did employees with many companies. By the end of that year, just about anyone could sign on to Facebook, and network effects took hold. People were sharing photos and videos, posting updates about their personal lives, and creating causes and groups across the social networking platform.

You could visit a friend's page and check their interests and their friends. It was like a constantly changing yearbook page, mostly written for friends but with the understanding that others could see what was posted.

Of course, parents grew concerned that their kids were revealing too much personal information. A few schools sanctioned students for posting unflattering comments about teachers. Others warned that potential employers might be turned off by photos of beer-soaked T-shirts. State attorneys general investigated cyberstalking and urged Facebook to crack down on predators.

But the big privacy issues with Facebook are always in the defaults. When Facebook creates a new service or changes a privacy setting from opt-in to opt-out, it has an enormous impact on millions of Internet users.

That's what happened in 2006 when Facebook unrolled "News Feed," a feature that turned every user's postings on their own page into a news item on the pages of all their friends. Everything, from adding a few vacation photos to changes in relationship status, i.e. breakups, scrolled across the screens of others like a modern version of the old teletype machines. Facebook turned on News Feed one day, and users couldn't turn it off.

Facebook users objected. The problem was not so much that Facebook users had no expectation of privacy. It was the opposite. They knew what they were posting and how others could find out. The problem was that Facebook took control away and decided to broadcast personal facts that most people assumed would take a little digging to find.

The protests mounted. One campaign, "Students Against Facebook News Feed (Official Petition to Facebook)," drew several hundred thousand supporters on Facebook. (Note to privacy advocates: Facebook has great tools for online organizing.)

Facebook eventually made some changes and allowed users to opt out of the mini-feed and news feed postings, although the change was not ideal since users had to opt out of each application instead of throwing one master privacy switch to the "off" position.

Privacy problems have continued to plague the service. In May 2007, Facebook opened up the network for software developers to create applications such as Scrabulous that appear on Facebook pages. Some of these programs are very cool, but that doesn't answer the privacy problem. Application developers were given access to the detailed personal information of the user as well as the friends of the user. And that means just about everything in your profile, from relationship status and education history to copies of photos and favorite movies. And amazingly, the data of your friends, who did not sign up to install the program, have their data gathered up by Facebook and sent to the developers.

Earlier this year, researchers at the University of Virginia found that Facebook was providing access to far more personal information than was necessary; in fact, information that the developers were not even seeking. As lead researcher Adrienne Felt pointed out, this was a dangerous security practice because it created unnecessary risks for Internet users.

Marc Rotenberg is executive director of the Electronic Privacy Information Center in Washington, D.C., and a Facebook user.