A client pointed me to this great post, with which I couldn't agree more.
After discovering that, by default, friends of friends who comment on Facebook-posted pictures get access to the full album of photos, the author writes:
apophenia: Putting Privacy Settings in the Context of Use (in Facebook and elsewhere)
... Tech developers... I implore you... put privacy information into the context of the content itself. When I post a photo in my album, let me see a list of EVERYONE who can view that photo. When I look at a photo on someone's profile, let me see everyone else who can view that photo before I go to write a comment. You don't get people to understand the scale of visibility by tweetling a few privacy settings every few months and having no idea what "Friends of Friends" actually means. If you have that setting on and you go to post a photo and realize that it will be visible to 5,000 people including 10 ex-lovers, you're going to think twice. Or you're going to change your privacy settings....
Making people think? Good idea.
Privacy has been characterized as minimizing surprises; if you make sure people fully understand what they're doing (particularly when the consequences sit behind the veil of not-well-understood technology), you're doing your job.
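The "show me everyone who can view this photo" list the quoted post asks for is a reachability question over the friendship graph. The following is an added example, not code from the quoted post or from Facebook: it builds a small constructed friendship graph and computes the viewer set for each privacy setting, so the audience size and the viewers who are not the owner's direct friends can be shown beside the content. All names and the setting labels are assumed.

```python
# Added example (not from the quoted post or from Facebook): compute the
# audience of a photo for each privacy setting over a constructed graph,
# so the "scale of visibility" can be shown next to the content itself.
from collections import deque

# Constructed, undirected friendship graph: who is friends with whom.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave", "erin"},
    "carol": {"alice", "frank"},
    "dave": {"bob"},
    "erin": {"bob", "grace"},
    "frank": {"carol"},
    "grace": {"erin"},
    "heidi": set(),   # no friends: reachable only under "everyone"
}

SETTINGS = ("only_me", "friends", "friends_of_friends", "everyone")

def audience(owner, setting, graph=FRIENDS):
    """Return the set of users who can view content owned by `owner`
    under `setting`. The owner is always included."""
    if setting == "everyone":
        return set(graph)
    if setting == "only_me":
        return {owner}
    depth = {"friends": 1, "friends_of_friends": 2}[setting]
    # Bounded breadth-first search: depth 1 = friends, depth 2 = friends of friends.
    seen = {owner}
    frontier = deque([(owner, 0)])
    while frontier:
        user, d = frontier.popleft()
        if d == depth:
            continue
        for nxt in graph.get(user, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, d + 1))
    return seen

def visibility_summary(owner, setting, graph=FRIENDS):
    """What the post asks the UI to show beside a photo: the full viewer
    list, its size, and which viewers are not the owner's direct friends."""
    viewers = audience(owner, setting, graph)
    strangers = viewers - graph[owner] - {owner}
    return {"count": len(viewers), "viewers": sorted(viewers),
            "not_direct_friends": sorted(strangers)}

if __name__ == "__main__":
    for s in SETTINGS:
        print(s, visibility_summary("alice", s))
```

For "alice" the jump from "friends" (3 viewers) to "friends_of_friends" (6 viewers, half of them people she never friended) is the surprise the post wants surfaced before the photo goes up.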