This was certainly a surprising discovery! Here's the text of a message I sent out to all my Facebook contacts today:
Just thought I'd share something very important with you all. Some of you show your email addresses on your Facebook profiles, some of you don't. Fair enough: that's called privacy, and that's what Facebook's privacy settings are for.
However, I recently started using Facebook on my mobile phone (it's a Windows Mobile handset if you're interested), and discovered something peculiar. If I go to the "contacts" page on Facebook's cut-down mobile version, it displays every single contact's email address, whether or not you had set this information as public. What is more, in some cases it's not the email address that HAS been set as public. In other words, it's the email address you used to set up your Facebook account, whether or not you want that address to remain private.
The implications of this are obvious. It enhances the stalker potential on Facebook, for one thing. Such things could also be mined - albeit with some effort - for spamming purposes. Worst of all, though, is the fact that it is not what you asked Facebook to do, and is in some cases probably the opposite of what you wanted.
What can be done? Who knows. But in the meantime, please forward this message on, just so everyone is aware that their information is in the public domain even if they thought they'd opted out.
I know a few people who will not be pleased to find this out, although some will no doubt not care much. Anyway, this may already be a known security hole, but if so then I'd love to know why Facebook hasn't closed it.