Surveying the reactions to the latest revelation that Facebook played fast and loose with user data, it was hard not to harken back to what Scott McNally, the founding CEO of Sun Microsystems, told a group of reporters, including one from WIRED, in 1999: “You have zero privacy anyway. Get over it.” McNealy was widely excoriated for candor, but nearly twenty years later, we appear to be not only fighting the same fight but continually shocked that McNally’s words, so jarring then, remain so true now.

WIRED Opinion About Zachary Karabell is a WIRED contributor and president of River Twice Research.

This past spring, when it was revealed Facebook allowed campaign data-mining firm Cambridge Analytica to target users, it was grandly described as “Facebook’s Privacy Crisis.” When Facebook disclosed in September that hackers accessed the data of 30 million Facebook users, the massive breach that threw the public into a panic, prompting Facebook to assure the masses with messages that “Your privacy and security are important to us.” And then, a few weeks later, when reports found that Facebook allowed select companies to access user posts and contact information without clear consent, commentary after commentary described this as “Yet Another Massive Privacy Scandal.” Instead of expressing surprise for the umpteenth time this year, maybe it might be best to take a step back and ask, is this really so unsettling and shocking? Or have we instead been in a multi-year state of denial about what the nature of Facebook’s business model is, and indeed what the model of many social media and internet companies has always been?

In ways that have long been documented yet are still only partially understood, the internet giants of today have made a substantial amount of their money by monetizing user data. Some, like Facebook and Google and Twitter, sell ads against that data; some, like Amazon and Apple, keep the data to themselves and use it to refine and market more of their products and services to their own users. Others, like Microsoft, do some of both. Free data isn’t the only source of revenue, but for Facebook, it is the lion’s share.

In its first years, that wasn’t necessarily the case, but when Facebook made the move to mobile platforms, it began to entwine its business model with more aggressive ways to monetize data. That also hinged on becoming more of a media and third-party content platform, instead of just relying on user-generated or shared content. But the media strategy was an outgrowth of turning user data into a product, one that could be sold against in the case of advertising.

This reality has hardly been a secret. It has been hiding in plain sight, rarely touted by these companies who preach a message of “bringing the world closer together” and not how they profit the businesses they are in. Investors, of course, focus intently on the financial metrics of data, but the prevailing story for years was about the mission of Facebook and the rest rather than the nitty-gritty of profit.

Over the past few years, the public and the media have become more attuned to just how much data these companies amass and how far they have been willing to go in order to monetize it. Shifting attitudes have led to outcry, and now in the European Union, to significant action. The EU has levied multi-billion dollar fines against Google and Facebook, as well as Apple for how it used Ireland as a tax shelter. It also enacted the General Data Protection Regulation (GDPR), which aimed to shift control of user data away from the internet platforms and providers and advertisers, and into the hands of users themselves.

LEARN MORE The WIRED Guide to Data Breaches

Nonetheless, as Google CEO Sundar Pichai’s recent testimony to Congress showed, the public’s awareness of how these companies approach privacy remains patchy, as does our understanding of how we can or cannot restrict how our data is used. The revelation that Facebook allowed other companies to use the data it collected is indicative that few users read the fine-print of the multiple services they subscribed to for a full picture of just what privacy and data they were ceding.