This is apparently all because HTTP has a referer field (unless the user turns it off in the browser), so clickthroughs on ads have the url you were on when you clicked. FB has lots of urls with user id's in them, which lead to pages with the user's public information, friends, etc. Researchers have already crawled most of these urls without much trouble, but the definition of "giving away private information" seems to have changed a bit under the influence of lawyers.
Nowadays it looks like FB puts ad clickthroughs through a redirect that hides the referer. I suppose the WSJ will discover next that clickthroughs reveal the user's IP address and blame FB for it.