The plot was made for front-page headlines and cable-news chyrons: A scientist-turned-political-operative reportedly hoodwinked Facebook users into giving up personal data on both themselves and all their friends for research purposes, then used it to develop "psychographic" profiles on tens of millions of voters — which in turn may have helped the Donald Trump campaign manipulate its way to a historic victory.
Investigations are being opened; calls for regulation are mounting; Facebook's stock plunged. But for Facebook, the larger scandal here is not what shadowy misdeeds it allowed Cambridge Analytica to do. It's what Facebook allowed anyone to do, in plain sight — and, more broadly, it's the data-fueled online business model that Facebook helped to pioneer.
The Facebook tools and policies that allowed researcher Aleksandr Kogan in 2014 to obtain information for the political-data firm Cambridge Analytica — via an app called thisismydigitallife — were public and well-known. They were also quite permissive, allowing developers to collect data not only on users who signed up for their app, but also on those users' Facebook friends. (Facebook has since changed that policy.) As the Washington Post points out, entities ranging from Tinder to FarmVille to Barack Obama's 2012 presidential campaign used the same tool to collect many of the same kinds of information. As late as 2015, this was simply how Facebook worked.
The people who used Kogan's app explicitly granted it access to that data, albeit for academic, not commercial, purposes. (There's a strong case to be made, of course, that Facebook should never have allowed users to sign away their friends' privacy in that way.) For what it's worth, Facebook's policies did not permit the sort of misrepresentation that Kogan appears to have engaged in.
From Facebook's perspective, then, the company is on the ropes mostly because an unscrupulous developer abused a permissive data policy that it has since tightened. (There's also the fact that it apparently kept the 2015 leak of user data quiet for years, and that it hired and continues to employ a researcher who was connected to it.) It's possible to imagine rogue app developers exploiting other platforms, such as Twitter, Android, or Apple's iOS, in an analogous fashion.
The stakes in this particular data scandal are high. Had the same data been used to sell people refrigerators or send them email spam, the story would not be playing out on such a big stage. In other words: Almost any significant role Facebook played in the success of the Trump campaign would be a momentous one, because his victory altered the course of history. Many of those who opposed Trump are still furious, and still searching for people to blame. And we already know Facebook was a key part of his strategy, as it was for Britain's Brexit campaign, in which Cambridge Analytica was also involved.
But there's another reason Facebook is getting pilloried over this in a way that another technology company — say, Apple or Microsoft — might not. It isn't just that Facebook was careless with its users' data in this instance, or that its policy of allowing third-party apps access to information on users' friends was cavalier and misguided (though it certainly was both of those). It's that Facebook is the chief architect of the entire socio-commercial arrangement by which people around the world routinely offer up their personal information in exchange for the free use of online services.
Facebook isn't just the source of the data that Cambridge Analytica used. It's the reason this sort of data — organized in this way — exists in the first place. Sure, Google and Twitter and plenty of other companies employ similar business models. And the idea of supporting a website by showing people ads has been around longer still. But it was Facebook, more than any of these, that taught people to freely give of themselves online, and to accept the use of their personal data in targeted advertisements as the price of admission to the modern Internet.
If you think of that data, and the ads, as a relatively small price to pay for the privilege of seamless connection to everyone you know and care about, then Facebook looks like the wildly successful, path-breaking company that made it all possible. But if you start to think of the bargain as Faustian — with hidden, long-term costs that overshadow the obvious benefits — then that would make Facebook the devil.
What this scandal did, then, was make to the grand bargain of the social web look a little more Faustian than it did before.
From that perspective, the real scandal is that this wasn't a data breach, or some egregious isolated error on Facebook's part. What Cambridge Analytica did was, in many ways, what Facebook was optimized for — collating personal information about vast numbers of people in handy packets that could then be used to try and sell them something.
Yes, the rules were supposed to prohibit these specific packets from being used in this specific way. But with high enough stakes, it was probable if not inevitable that those rules would be broken. Facebook appears to have given little thought to how to enforce them, beyond shaking hands and hoping for the best. All indications are that it simply cared more about growth in 2014 than it did about users' privacy. That the company has evidently matured in recent years doesn't excuse the way it was built.
Techcrunch's Josh Constine has followed Facebook as closely as anyone in the media over the past five years, and he's been known to defend the company when it seems just about everyone else is attacking it. Not this time. In a piece headlined "Facebook and the endless string of worst-case scenarios," he catalogues nearly a dozen instances over the years in which the company has launched products without the safeguards needed to prevent abuse, then ignores or downplays the consequences.
That habit may be catching up to it at last: Facebook is not getting the benefit of many doubts when it comes to Cambridge Analytica, and it's hard to feel much sympathy for it. The time for Facebook to self-regulate its way out of the hot seat has probably passed. Now it's up to the public, legislators and regulators to rework the terms of that agreement by which people sign away their personal data — and one another's — for the benefit of tech platforms, their advertising clients, and whoever else might be sneaky enough to get their hands on it.
Will Oremus is Slate's senior technology writer.
© 2018 Slate