I think the number you want is the "Illicit Drug Use in Lifetime" for people 18 and over. This table (part of a much larger report) gives the number as 49.3% in 2009, so not quite 50% (although if you scroll up to Table 1.11B, you can see that people 60 and above are pulling the average below 50%).
I am not really sure where to look for data on ill effects or even exactly how you would quantify them, but the same study does make some attempt to do so. For example this table shows (past year, not lifetime) rates of dependence and abuse for both illicit drugs and alcohol.
Since Facebook users volunteer up the information, that pretty much makes it public information.
Okay, so if I post information on Facebook (either editing my profile or posting a status) then I am voluntarily giving that information to Facebook, so that makes it public information? Even though I expect only people I have marked as friends to see such information by my privacy settings? What if I send a Facebook message? It has a clear "To" header like an e-mail; should that information be considered public? For that matter what about GMail? I am inputting information into a textbox on a website with the intent that (specific) other people will read that text. Should I therefore treat that text as public knowledge? For a physical analogue, suppose I write my text on paper (perhaps multiple copies) and put those pieces of paper into envelopes and send them to my friends via snail mail. I, once again, have written text and tendered it to a third-party for delivery to a specific set of private individuals. Should I still expect this text to be public?
The United States has laws about privacy and due process. New technology should not make it so the government no longer has to follow due process in collecting private information on its citizens. Unfortunately, due to the nature of network effects, a lot of information gets concentrated in the hands of a few entities (in this case, Facebook) who do not necessarily have much interest in dealing with the government, so they simply freely hand over the information. I suppose privacy laws could be written to make it illegal for Facebook to hand over information about its users to the government, but it is not clear what such laws would even look like nor who would be supporting them.
Seriously, I don't care if you know that I'm at the book store buying a coffee. If I don't want this information to be public I don't post it. Problem solved.
You are right that a lot of this information actually is not that important. At the same time, I do not like the idea that law enforcement personnel can peer into my private life as recorded by various services I use without even having to justify the invasion of my privacy to a judge.
Of course, see my sig: I dislike the idea of monolithic services that are able to collect such information and would prefer that social networking (and other) services be made up of collections of smaller separately administered nodes, each of which would have far less information. How to do that while still having a usable service is, unfortunately, an open problem.
The reasoning is that the vast majority of the time, no one is doing a man-in-the-middle attack and furthermore that doing a man-in-the-middle attack on any significant proportion of the connections on the internet is assumed to be above the capabilities of any known attacker, so it means that you are probably talking to the owner of the DNS entry and normal passive sniffing attacks (e.g. Firesheep) won't work. Also, the attacker may not be able to tell which connections are verified and which ones aren't (especially if the browser assumes self-signed sites will always use the same certificate until it expires), so even man-in-the-middle attacks on self-signed certs are non-trivial.
Also, the information being protected is generally assumed to be relatively low value, so protecting it with a relatively easy-to-break security layer is not a large problem: after all, it is currently being sent unencrypted.
Of course, hopefully verifying certificates via DNSSEC will be supported soon, which will make the entire self-signed certificates argument moot. (Err... well, eventually, once it is widely deployed.)
To thine own self be true. (If not that, at least make some money.)
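The "remember the self-signed certificate until it expires" behaviour from the post above, written out as a small trust-on-first-use pin check. This is an added example, not code from the original thread or from any browser; the pin store, the fake DER blobs and the host name are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed trust-on-first-use (TOFU) pin store for self-signed certificates:
# host -> (SHA-256 fingerprint of the DER certificate, certificate notAfter).
# Assumption: a self-signed certificate, once seen, is expected to stay the same
# until it expires; a change before then is treated as a possible MITM.

def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def check_self_signed(store: dict, host: str, cert_der: bytes,
                      not_after: datetime, now: datetime) -> str:
    """Return 'first-use', 'match', 'rotated' or 'MISMATCH'.

    first-use : no pin yet; remember this certificate (the unavoidable leap of faith)
    match     : same certificate as before; passive sniffing is ruled out
    rotated   : pinned certificate has expired, so a new one is accepted and pinned
    MISMATCH  : certificate changed before the pin expired; do not silently continue
    """
    fp = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = (fp, not_after)
        return "first-use"
    pinned_fp, pinned_expiry = pinned
    if fp == pinned_fp:
        return "match"
    if now >= pinned_expiry:
        store[host] = (fp, not_after)
        return "rotated"
    return "MISMATCH"

def demo() -> list:
    """Walk the four outcomes with constructed (fake) certificate bytes."""
    store = {}
    t0 = datetime(2011, 1, 1, tzinfo=timezone.utc)
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    expiry_a = datetime(2012, 1, 1, tzinfo=timezone.utc)
    expiry_b = datetime(2013, 1, 1, tzinfo=timezone.utc)
    return [
        check_self_signed(store, "example.test", cert_a, expiry_a, t0),        # first-use
        check_self_signed(store, "example.test", cert_a, expiry_a, t0),        # match
        check_self_signed(store, "example.test", cert_b, expiry_b, t0),        # MISMATCH
        check_self_signed(store, "example.test", cert_b, expiry_b, expiry_a),  # rotated
    ]
```

The MISMATCH branch is the detection point: an interposed certificate on a host the client has already seen is visible to the client, which is why the post argues a MITM on a pinned self-signed connection is non-trivial.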