Facebook has created a complex system of controls to manage disclosure in an effort to help users address privacy concerns. Do these controls work in practice? What about controls for disclosure to Facebook itself? We explore user relationships with Facebook and its privacy mechanisms using scenario building and explored their reactions. We then confronted them with their actual practices by using Facebook's apps permissions screen. While the majority of respondents felt responsible for their data disclosure, they failed to live up to their own expectations. We argue that the complexity of privacy controls places unrealistic responsibilities on the users, while masking the way Facebook itself collects user data. There is an urgent need to establish clear and explicit basic privacy norms for user relationships with social media companies.