Once again, we realize that we have little control over how information we share on social media is ultimately used. The recent revelation that a data analytics firm retained by Trump’s presidential campaign used the Facebook data of more than 50 million people to target them with political ads is both shocking and unsurprising at the same time. Facebook’s business model is built on collecting and monetizing our data, and Facebook has previously been less than forthright about its privacy policies. But I bet few people anticipated that their “likes” would be used by Trump’s political consultants to sway their vote.

While details are still emerging, it appears the basic facts are as follows. In 2015, Dr. Aleksandr Kogan, a psychology professor at the University of Cambridge, offered a personality quiz on Facebook. Approximately 270,000 users downloaded an app to take the quiz. In doing so, they gave permission for Kogan to access their Facebook profile as well as their friends’ profiles. In other words, if your friend took the quiz, your information was also shared with Kogan without you knowing.

While Kogan claimed that his app was for academic purposes, in actuality, Kogan was harvesting data for a company called Cambridge Analytica. Cambridge Analytica is a firm that does political, government and military work around the globe, including for Ted Cruz’s and Donald Trump’s election campaigns.

By getting a few hundred thousand Facebook users to take his quiz, Kogan was able to access 50 million user profiles, and he turned all this information over to Cambridge Analytica. Of those profiles, roughly 30 million contained enough information, including places of residence, that the company could match users to other records and build psychographic profiles. Those profiles were then used by the Trump campaign to try to influence voters.

What is especially noteworthy is that Kogan’s harvesting of user data and their friends’ data was permitted under Facebook’s developer application programming interface at the time. Facebook confirmed that the information was legitimately obtained in accordance with Facebook’s rules. In other words, this was not a “breach” in the sense that information was stolen or hacked. In fact, Facebook’s initial responses to reports were quite nonchalant. Facebook claimed that everyone “knowingly” provided their information and “gave their consent”. However, based on people’s reactions, it is clear that many users feel violated and had no idea their information would be shared in this manner.

The Cambridge Analytica revelations raise many questions, including whether Facebook broke any laws.  Lawsuits have started to roll in, including a proposed class action of Facebook members and a lawsuit on behalf of Facebook investors.  The FTC is apparently looking into this matter, as well as into whether this incident violates Facebook’s 2011 settlement with the FTC over privacy complaints. And Congress has begun demanding answers.

Investigators will likely look at whether Facebook adequately disclosed its information sharing practices to users and whether it took adequate steps to protect user data. Even if Facebook believes it was completely upfront with members (and based on people’s surprise that their information could be shared through friends, arguably this information sharing practice was not clearly and conspicuously disclosed), the scandal is not going away overnight and Facebook will need to justify its past behavior. The ultimate question may be whether users will be more circumspect about sharing information on the social media site going forward.

If you never appreciated it before, this scandal should drive home that every “click” you make on Facebook is saved and analyzed and every “harmless” survey you take is likely used to micro-target ads to you.  And if you haven’t done so already, I encourage you to go to “Settings” and then “Apps” to see what apps you have authorized to interact with your Facebook account.