Yes but there's a gap between "can be audited" and "is being audited". If they got caught doing anything malign they can just pull the "oooops we didn't mean to" defence as they've done before[1] - their track record here says "if we can find a way, we're at least going to experiment with it"
Also consider this in the light of recent EU rulings on Facebooks tracking of non-users via the Like button on websites being an illegal violation of privacy[2]. As usual the law lags the technology by many years - was the EU even aware of the Facebook mobile SDK being wisely installed in many 3rd party apps when they made this ruling? (edit: reading the report from the University of Leuven it seems they were at least aware of the implications of things like Facebooks Mobile Advertiser network)
