Over the course of last week, issues with both Facebook's service and Google's Apps service were highlighted by users.
What Google did wrong
Microsoft must have been reveling in Google's tears as their competitor to Live@edu glitched, allowing other users and students to view, in some cases, the entire contents of another student's inbox.
The issue was caused by an unknown bug which occurred during the switchover process from self-hosted accounts to Google-hosted accounts. According to one report, Google took between 3-5 days to isolate the issue and close the accounts before fixing the problem.
"In the case of the Google Apps glitch, which began on Friday, September 11th, a couple of students notified Brown's Computing and Information Services department (CIS) that they were able to read emails belonging to other students.
The CIS department contacted Google on the following day and sent out an email to the 200 students whose mailboxes were in transition, asking them whether or not they were experiencing the same problem. Some were. The affected students could either see entire inboxes belonging to another classmate or, in other cases, saw less than 100 messages that did not belong to them."
What Facebook did wrong
On a similar note, Facebook took a relatively quiet step in the anti-privacy route by allowing application to access inbox messages.
This appears to be a effort to open up the Facebook experience outside of the desktop by allowing the API to connect with offline applications, but arguably the system is susceptible to abuse.
"On August 11th, Facebook started giving whitelisted apps access to inbox messages. User permission is required, but the potential for abuse is enormous - a malicious or hacked app could post private messages on the web for anyone to read.
Even if you block or avoid applications, messages you send to less careful friends (who do use inbox apps) could be compromised."
"The Inbox API allows you to access your users' messages, once they grant your application the new read_mailbox extended permission. This lets your applications provide an interface for users to view their messages. For example, your application could pop up an alert when the user receives a new message."
Ironically those supporting the cause (via) Facebook itself, although the petition application you use doesn't collect any personal information. However, Facebook and security has never seemed very tight with applications in mind; there is very little stopping an application being a spam-engine and causing more hassle than good.
While no company is perfect and it is becoming increasingly difficult to fix and plug holes in complicated code, both Facebook and Google should take something away from all this: Sometimes doing what you consider good causes more issues, and the customer has the final say.