Tom — some of this is what I discussed with you previously, but I wanted to formally post it as a comment as well.
You’re right — generally, we’re not clueful about the scope of how information spreads amongst friends, friends of friends and the greater world at large. That said, I don’t think there’s any real service to be had by compartmentalising or defining privacy issues into ‘simple’ or ‘complex’ metrics, or by having different operational levels of privacy depending on whether or not the network is big or small. I actually think privacy can be a little easier than that.
It boils down to education and a little conditioning. Just as most folks had to ‘learn’ about the Internet, online purchases, Facebook, etc. in some way (from friends, family, business acquaintances, the news, etc.), so too, they need to learn how to navigate within the system. Call it the digital version of the ‘don’t talk to strangers’ speech that you likely gave your sons.
FoaF aside, most folks blissfully disclose their personal information for little more than an offer of a T-shirt and a credit card. Why? Because marketers have spent the past 20 years convincing (read: educating) people that it’s no big deal, that the SSN is an acceptable form of identification, and everyone finally started to agree. Want to get them to stop doing that? Make it illegal (for one). Educate. Disincentivize companies from asking (perhaps that’s a little of what Danah was after when she encouraged regulation of social networks).
Or to go back to what Danah said in her first article, explain to people that while radical inclusiveness may work for some (Scoble, Zuckerberg), just like the SSN-as-id example, it doesn’t have to be the default.