The better part of 2018 has been an exercise in self-flagellation for Mark Zuckerberg. In January, he promised to fix Facebook, calling the year ahead “a serious year of self-improvement.” After the Cambridge Analytica data-privacy scandal earlier this year, Facebook took out full-page newspaper ads to apologize. And in prepared remarks for congressional testimony in April, Zuckerberg apologized again. “It was my mistake, and I’m sorry,” he said. “There’s more we can do here to limit the information developers can access and put more safeguards in place to prevent abuse.” And yet, it’s always been difficult to square this repentant Zuckerberg with the impish Harvard student high on his own genius. As he bragged to a friend in an undergraduate IM exchange, the people who gave him access to their their e-mail accounts, home addresses, and personal photos, were “dumb fucks” for trusting him. “People just submitted it,” he marveled. “I don’t know why.”

Zuckerberg has apologized for that scandal, too. And yet, as a new investigation from The New York Times reveals, the Zuckerberg of the past might not be so different from contrite Zuck today:

For years, Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules, according to internal records and interviews.

The special arrangements are detailed in hundreds of pages of Facebook documents obtained by The New York Times. The records, generated in 2017 by the company’s internal system for tracking partnerships, provide the most complete picture yet of the social network’s data-sharing practices. They also underscore how personal data has become the most prized commodity of the digital age, traded on a vast scale by some of the most powerful companies in Silicon Valley and beyond.

The details are damning. Per the Times, Facebook shared its users’ data with a slew of other companies, including Spotify, Netflix, Yahoo, Amazon, and Microsoft’s Bing. Potentially several of these companies could read users’ private messages. Bing could “see the names of virtually all Facebook users’ friends without consent,” according to records reviewed by the Times, and Amazon could see users’ names and contact information through their friends. In total, Facebook maintained such partnerships with more than 150 companies, including Russian Internet company Yandex and Chinese telecom giant Huawei. Sources told the Times that Zuckerberg saw these partnerships as crucial, believing they would “stave off obsolescence and insulate Facebook from competition.” In return, Facebook received data from its partners, as well as an influx of new users, whose presence on the platform drove up ad revenue.

To some extent, Facebook’s data-sharing partnerships are already common knowledge. The company has long defended the practice, with it arguing that because its partners abide by its privacy settings, Facebook is not in violation of a 2011 Federal Trade Commission consent decree, which says it can’t share user data without explicit permission. In a blog post published Tuesday night, Konstantinos Papamiltiadis, the company’s director of Developer Platforms and Programs, specifically addressed the Times report, writing that, “We’ve been public about these features and partnerships over the years . . . But most of these features are now gone. We shut down instant personalization, which powered Bing’s features, in 2014, and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them.” What remains unclear—and what will likely be addressed in the coming days and weeks—is what Facebook did with the vast amounts of data it gathered, and how it was able to audit its partnerships to conclude, as it asserted to the Times, that none of the data was abused.