When you access an app on Facebook’s website, be it a personality-quiz, a game, a horoscope, or a sports community, the service presents you with an authorization dialog, where the specific data an app says it needs is displayed for the user’s consideration. That could be anything from your name, friend list, and email address, to your photos, likes, direct messages and more.
The information shared with an app by default has changed over time, and even a savvy user might never have known what comprised it. When I launched Cow Clicker in 2010, it was easier to acquire both “basic” information (name, gender, networks, and profile picture) and “extended” user information (location, relationship status, likes, posts, and more). In 2014, Facebook began an app review process for information beyond that which a user shared publicly, but for years before that, the decision was left to the user alone. This is consistent with Facebook’s longstanding, official policy on privacy, which revolves around user control rather than procedural verification.