Who is ultimately responsible for privacy?

Who is ultimately responsible for privacy if that privacy is violated through the use of an API? The user of the API? The owner of the API?

I was recently using a photo website that connected to various social networks to display my photos. I found a security issue where if you change the id variable in the URL, you can view another person’s pictures. I’ll address this in a separate post. This isn’t even a hack – it’s just changing one number in the URL.

So who is responsible for protecting my data?
Is it Facebook? I uploaded my photos to Facebook and Facebook is the source of the third-party photo app. Should Facebook be responsible for checking the apps that connect through its API?
Is it the third-party photo app? They’re the one with the security flaw that is exposing my photos.
Is it me, the user? Should I not be posting my photos knowing someone, somewhere, somehow can view them?

I’m leaning towards the third-party application, but it’s not going to look good for Facebook either.
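The flaw described above is a missing ownership check on the id taken from the URL. The sketch below is an added example, not the photo site's code: it sets a handler that trusts the id beside one that compares the album's owner to the logged-in user, with a small regression check the app's developers could run. All names and the sample data are hypothetical and constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Album:
    album_id: int
    owner: str      # account that connected its social network
    photos: tuple

# Constructed sample store standing in for the photo app's database.
ALBUMS = {
    101: Album(101, "alice", ("alice_beach.jpg", "alice_dog.jpg")),
    102: Album(102, "bob", ("bob_wedding.jpg",)),
}

class Forbidden(Exception):
    """Would map to an HTTP 404/403 response in a real handler."""

def view_album_vulnerable(session_user, album_id):
    # Mirrors the flaw: the id from the URL is trusted as-is and
    # session_user is never consulted.
    album = ALBUMS.get(album_id)
    if album is None:
        raise Forbidden("not found")
    return list(album.photos)

def view_album_checked(session_user, album_id):
    # Same lookup plus an ownership check. A missing album and someone
    # else's album fail identically, so ids cannot be probed.
    album = ALBUMS.get(album_id)
    if album is None or album.owner != session_user:
        raise Forbidden("not found")
    return list(album.photos)

def cross_account_leaks(session_user, handler, id_range):
    """Regression check: ids the handler serves that session_user does not own."""
    leaked = []
    for album_id in id_range:
        try:
            handler(session_user, album_id)
        except Forbidden:
            continue
        if ALBUMS[album_id].owner != session_user:
            leaked.append(album_id)
    return leaked

if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable:", cross_account_leaks("alice", view_album_vulnerable, ids))
    print("checked:   ", cross_account_leaks("alice", view_album_checked, ids))
```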