The plot was made for front-page headlines and cable-news chyrons: A scientist-turned-political-operative reportedly hoodwinked Facebook users into giving up personal data on both themselves and all their friends for research purposes, then used it to develop “psychographic” profiles on tens of millions of voters—which in turn may have helped the Trump campaign manipulate its way to a historic victory.

No wonder Facebook is in deep trouble, right? Investigations are being opened; calls for regulation are mounting; Facebook’s stock plunged 7 percent Monday.

Sensational as it sounds, however, the Cambridge Analytica scandal doesn’t indict Facebook in quite the way it might seem. It reveals almost nothing about the social network or its data policies that wasn’t already widely known, and there’s little evidence of blatant wrongdoing by Facebook or its employees. It’s also far from clear what impact, if any, the ill-gotten personal data had on the election’s outcome.

In short, the outrage now directed at Facebook feels disproportionate to the company’s culpability in this specific episode. But that doesn’t mean people are wrong to be outraged. For Facebook, the larger scandal here is not what shadowy misdeeds it allowed Cambridge Analytica to do. It’s what Facebook allowed anyone to do, in plain sight—and, more broadly, it’s the data-fueled online business model that Facebook helped to pioneer.

The Facebook tools and policies that allowed researcher Aleksandr Kogan in 2014 to obtain information for the political-data firm Cambridge Analytica—via an app called Thisismydigitallife—were public and well-known. They were also quite permissive, allowing developers to collect data not only on users who signed up for their app, but also on those users’ Facebook friends. (Facebook has since changed that policy.) As the Washington Post points out, entities ranging from Tinder to FarmVille to Barack Obama’s 2012 presidential campaign used the same tool to collect many of the same kinds of information. As late as 2015, this was simply how Facebook worked.

The people who used Kogan’s app explicitly granted it access to that data, albeit for academic, not commercial, purposes. (There’s a strong case to be made, of course, that Facebook should never have allowed users to sign away their friends’ privacy in that way.) For what it’s worth, Facebook’s policies did not permit the sort of misrepresentation that Kogan appears to have engaged in. And by Facebook’s own account, when the company found out that he had used the data for unauthorized purposes, it required both him and Cambridge Analytica to delete it and to certify to the company that they had done so. It now appears that they may have lied. But it’s not clear that Facebook had any way of knowing that.

As for what Cambridge Analytica did with that information, you could argue that has been overblown, too. Sinister as it sounds, “psychographic” targeting—advertising to people based on information about their attitudes, interests, and personality traits—is an imprecise science at best and “snake oil” at worst. Distilled to its essence, the Cambridge Analytica scandal is a case of campaign consultants using some shady tactics to try to get their message out to the most receptive audience in the most effective way they can. That is, in a word, politics.

From Facebook’s perspective, then, the company is on the ropes mostly because an unscrupulous developer abused a permissive data policy that it has since tightened. (There’s also the fact that it apparently kept the 2015 leak of user data quiet for years and that it hired and continues to employ a researcher who was connected to it. Facebook has not commented on either of those reports.) It’s possible to imagine rogue app developers exploiting other platforms, such as Twitter, Android, or Apple’s iOS, in an analogous fashion.

That helps to explain why Facebook executives mounted a tone-deaf defense of their company on Twitter this past weekend, even as the outcry kept growing: They really don’t think they did much wrong here. The company’s chief security officer, among others, pushed back on the March 17 Guardian story that broke the scandal for referring to it as a “data breach.” (That executive, Alex Stamos, has since deleted his tweets, and he confirmed reports Monday that he is no longer Facebook’s CSO and is planning to leave the company in August.) As Tiffany C. Li pointed out in Slate, the semantic point matters because a data breach could expose Facebook to legal action from state governments and the Federal Trade Commission, including fines and other remedies.

But if there was no data breach, and Facebook’s security wasn’t compromised, then why isn’t it just Cambridge Analytica that’s in the barrel this week?

But if there was no data breach, and Facebook’s security wasn’t compromised, then why isn’t it just Cambridge Analytica that’s in the barrel this week?

It’s partly because the stakes in this particular data scandal are so high. Had the same data been used to sell people refrigerators or send them email spam, the story would not be playing out on such a big stage. In other words: Almost any significant role Facebook played in the success of the Donald Trump would be a momentous one, because his victory altered the course of history. Many of those who opposed Trump are still furious and still searching for people to blame. And we already know Facebook was a key part of his strategy, as it was for the U.K.’s Brexit campaign, in which Cambridge Analytica was also involved.

But there’s another reason Facebook is getting pilloried over this in a way that another technology company—say, Apple or Microsoft—might not. It isn’t just that Facebook was careless with its users’ data in this instance or that its policy of allowing third-party apps access to information on users’ friends was cavalier and misguided (though it certainly was both of those). It’s that Facebook is the chief architect of the entire socio-commercial arrangement by which people around the world routinely offer up their personal information in exchange for the free use of online services.

Facebook isn’t just the source of the data that Cambridge Analytica used. It’s the reason this sort of data—organized in this way—exists in the first place. Sure, Google and Twitter and plenty of other companies employ similar business models. And the idea of supporting a website by showing people ads has been around longer still. But it was Facebook, more than any of these, that taught people around the world to freely give themselves online and to accept the use of their personal data in targeted advertisements as the price of admission to the modern internet.

If you think of that data, and the ads, as a relatively small price to pay for the privilege of seamless connection to everyone you know and care about, then Facebook looks like the wildly successful, path-breaking company that made it all possible. But if you start to think of the bargain as Faustian—with hidden long-term costs that overshadow the obvious benefits—then that would make Facebook the devil.

This scandal has made the grand bargain of the social web look a little more Faustian than it did before.

What this scandal did, then, was make the grand bargain of the social web look a little more Faustian than it did before.

From that perspective, the real scandal is that this wasn’t a data breach or some egregious isolated error on Facebook’s part. What Cambridge Analytica did was, in many ways, what Facebook was optimized for—collating personal information about vast numbers of people in handy packets that could then be used to try to sell them something.

Yes, the rules were supposed to prohibit these specific packets from being used in this specific way. But with high enough stakes, it was probable, if not inevitable, that those rules would be broken. Facebook appears to have given little thought to how to enforce them, beyond shaking hands and hoping for the best. All indications are that it simply cared more about growth in 2014 than it did about users’ privacy. That the company has evidently matured in recent years doesn’t excuse the way it was built.

TechCrunch’s Josh Constine has followed Facebook as closely as anyone in the media over the past five years, and he’s been known to defend the company when it seems just about everyone else is attacking it. Not this time. In a piece headlined, “Facebook and the Endless String of Worst-Case Scenarios,” he catalogues nearly a dozen instances over the years in which the company has launched products without the safeguards needed to prevent abuse, then ignored or downplayed the consequences.

That habit may be catching up to it at last: Facebook is not getting the benefit of many doubts when it comes to Cambridge Analytica, and it’s hard to feel much sympathy for it. The time for Facebook to self-regulate its way out of the hot seat has probably passed. Now it’s up to the public, legislators, and regulators to rework the terms of that agreement by which people sign away their personal data—and one another’s—for the benefit of tech platforms, their advertising clients, and whoever else might be sneaky enough to get their hands on it.

Read more from Slate on Cambridge Analytica.