(CNN) -- Facebook is, by its nature, a social experience.
But as the undisputed king of social networking expands ways for its users to interact, it's raising more questions about how much of their information is made available to people they don't know.
In some cases, users may not even realize it's happening.
One example is the hundreds of thousands of developers approved by Facebook to create games, quizzes and other applications. Some of those developers are able to access basic information about users after a Facebook friend has started using their application.
Facebook provides pages of instructions on how people can tighten up their privacy settings to hide their personal information from other users and outside applications.
But some observers say that too many of the site's estimated 400 million users don't know how to do so.
Microsoft researcher and social-media analyst Danah Boyd, speaking at last month's South by Southwest Interactive festival, said none of the "non-techy" users she talked to about their privacy settings knew how they were configured.
"I ask them what they think their settings are and then ask them to look at their settings with me. I have yet to find someone whose belief matched up with their reality," said Boyd, a keynote speaker at the Austin, Texas festival. "That is not good news."
In January, Facebook announced that 35 percent of its users had tweaked their privacy settings after a December change that made more information public.
To be sure, that represents millions of users. But Boyd said that can't possibly be all the people who want at least some of the privacy features that Facebook's new default settings changed.
"Are there Facebook users who want their content to be publicly accessible? Of course," she said. "But 65 percent of all Facebook users? No way."
For Facebook, it's a balancing act. The site wants to give users the privacy they've come to expect, but at the same time make information available to create experiences that will compete with other emerging applications such as Foursquare and Twitter.
Twitter, as well as photo sharing sites such as Picasa, default to open access, making them more accessible by outside applications and search engines. Facebook's material that is public can also be searched -- for example, by Google's new social search feature -- while private material cannot.
"The experience that we're trying to provide through the Facebook platform is fundamentally a social one," said Simon Axten, a manager on Facebook's public policy team. "There are some really interesting and useful applications that have come out of that development that really allow people to have a social experience that involves the people that they are friends with."
Axten said the rules of the road for developers are pretty strict. Basically, developers are instructed to collect only the data they need for their application. Anything else could land them in trouble, he said.
For example, an application that lets users send friends an electronic greeting card might need to know their birthday or anniversary. Games that require players to work together must know which other friends play the game so it can send them alerts when they need to act.
Axten said Facebook can take "a spectrum of actions" when it discovers inappropriate use of people's information -- from warning developers who may not realize they're misusing the data to disabling a developer's access to the site.
No application can access a user's most sensitive data, such as contact information, according to Facebook. And the site announced late last year that they're working on a new approval process that will require an application to more specifically state what information it wants to access.
Mike Rasmussen is president of Republic of Fun, a game company with a crowdsourcing app on Facebook that lets users give feedback and advice on current games and, in the near future, to suggest new ones. He said Facebook's list of rules for developers is a strict one.
"Developers, if they were creative, could certainly abuse it," he said. "But with Facebook, it's almost not worth it. They make it so easy to get what you really need, unless you're being malicious."
Rasmussen said his application stores a single identifier for users and does not even keep their names. He said he's only heard "second- or third-hand" about developers getting into trouble for pushing the boundaries.
Evan Brown, a Chicago technology and intellectual-property attorney, said he's not familiar with any legal cases involving private information gathered by a Facebook developer.
He said Facebook's rules governing outside developers are designed so the site may legally expel a developer easily.
"They have the sole discretion to determine what the crime is, and they have the sole discretion to determine the punishment," said Brown, who blogs about Internet legal issues.
Facebook's Axten said a team monitors complaints, which users can file simply by clicking a link that's on every Facebook application. The team also regularly monitors popular and fast-growing applications and conducts random checks, he said.
And of course there are personal settings. A user can click the "Account" tab at the top right of their Facebook home page, then scroll down to "Application Settings" and "Privacy Settings" to make changes.
Increasing awareness about that ability is what Facebook and other social-networking sites need to work harder on, Boyd said.
"While you want your services to go viral, help users walk through the value proposition first," she said. "Not through a video, but through an experience."