But one worth revisiting today, in the context of the scandal over Facebook’s sanctioning of user-data exfiltration via its application platform. It’s not just that abusing the Facebook platform for deliberately nefarious ends was easy to do (it was). But worse, in those days, it was hard to avoid extracting private data, for years even, without even trying. I did it with a silly cow game.

Cow Clicker is not an impressive work of software. After all, it was a game whose sole activity was clicking on cows. I wrote the principal code in three days, much of it hunched on a friend’s couch in Greenpoint, Brooklyn. I had no idea anyone would play it, although over 180,000 people did, eventually. I made a little money from the whole affair, but I never optimized it for revenue generation. I certainly never pondered using the app as a lure for a data-extraction con. I was just a strange man making a strange game on a lark.

And yet, if you played Cow Clicker, even just once, I got enough of your personal data that, for years, I could have assembled a reasonably sophisticated profile of your interests and behavior. I might still be able to; all the data is still there, stored on my private server, where Cow Clicker is still running, allowing players to keep clicking where a cow once stood, before my caprice raptured them into the digital void.

To understand why withdrawing data was the default behavior in Facebook apps, you have to know something about how apps get made and published on Facebook. In 2007, the company turned its social-network service into an application platform. The idea was that Facebook could grow its number of users and the time they spent engaged by allowing people and organizations to build services overtop of it. And those people and organizations would benefit by plugging into a large network of users, whose network of friends could easily be made a part of the service, both for social interaction and viral spread.

When you access an app on Facebook’s website, be it a personality-quiz, a game, a horoscope, or a sports community, the service presents you with an authorization dialog, where the specific data an app says it needs is displayed for the user’s consideration. That could be anything from your name, friend list, and email address, to your photos, likes, direct messages and more.

The information shared with an app by default has changed over time, and even a savvy user might never have known what comprised it. When I launched Cow Clicker in 2010, it was easier to acquire both “basic” information (name, gender, networks, and profile picture) and “extended” user information (location, relationship status, likes, posts, and more). In 2014, Facebook began an app review process for information beyond that which a user shared publicly, but for years before that, the decision was left to the user alone. This is consistent with Facebook’s longstanding, official policy on privacy, which revolves around user control rather than procedural verification.