Facebook has been making their own rules since they came on the scene. Although they’ve taken more and more heat for their almost-constant privacy changes, it seems like we find a new low every few months. Meanwhile, even the courts are beginning to side with Facebook on advertising issues.

Facebook gained a partial victory in the US District court last week in a case on click fraud. Judge Jeremy Fogel decided that advertisers could sue Facebook for charges resulting from “invalid” clicks&madsh;but not “fraudulent” ones. A clause in Facebook’s advertising contract, tentatively upheld by the court, actually protects them from any suits about fraudulent clicks.

A fraudulent click might include a competitor’s click campaign designed to drive up the advertiser’s costs. Click fraud is a felony in California (where the case was decided). This class-action suit was originally filed last July. The decision does mean that advertisers can subpoena click information to look for “invalid” clicks they were charged for, and sue Facebook for those.

The court did not agree with Facebook’s argument on invalid clicks, though it was quite similar to their argument for fraudulent ones:

Facebook argued that the litigation should be dismissed because all cost-per-click advertisers were required to agree to the company’s terms and conditions, which allegedly included the following language: “I understand that third parties may generate impressions, clicks, or other actions affecting the cost of the advertising for fraudulent or improper purposes, and I accept the risk of any such impressions, clicks, or other actions.”

Facebook’s latest new venture, a Like button for the whole Internet, may also bring them some serious grief. Developers have revealed that Facebook’s new Graph API had at least one serious privacy loophole: the API allowed developers to see and display all public events a person has said they’d attend, regardless of whether that person is a friend or not.

Ka-Ping Yee, a software engineer for Google.org (Google’s charitable arm, as the Guardian describes it), discovered the vulnerability. He was especially concerned that there was no way to block or opt-out of this setting, especially since respondents to events have no control over whether the event is listed as private or public.

Although you could see non-friends who have RSVP’ed to a public event on the event’s page, the API loophole allows everyone to see a full list of a single user’s public events, regardless of their connection to you.

This vulnerability may have actually been inherited from an old API. However, late last night, Facebook corrected the vulnerability.

Shades of Google Buzz, anyone?

Ultimately, I think the Graph API will probably face at least a few more privacy challenges, even before the watchdogs, federal government and litigators start in on it. What do you think?