Not just Facebook. There are many apps that are overstepping in terms of permissions. I turned off auto-update long ago and removed many offenders, but it seems every app these days is now requesting as many privileges as they can get away with. The general population of users aren't reading the list of new permissions on updates and no one is making these co's explain themselves as to why they need listed permissions. I asked an engineer behind an app I wanted to use that paired with a paid service I love why they needed access to my contacts, considering my contact list wasn't part of the core service. I told him read access to my contacts and full network access made me wary; what would keep them from reading and storing all my contacts on their server? His only response was that they promised not to do anything nefarious. I should not have to root my phone to use apps while protecting my personal data. Android User Profiles sounded very promising to keep private away from social, but my experience testing this feature out on the Nexus 7 was terrible.
Apps do not autoupdate from the Play store if there are new permissions. You have to manually update them. I am not sure if this is a recent change or not as I started using Android with the Nexus 5.
