If there is one message Facebook has been trying to send to the world in 2018, it's that the company understands it needs to rethink the way it operates. Facebook says it understands that it must better police the content that appears on its platforms. And as a result of the Cambridge Analytica scandal early this year, Facebook says it must be more effective in how it protects user data, more transparent about all the data it collects, and more clear about who has access to the data. CEO and cofounder Mark Zuckerberg said fixing Facebook was his project for 2018, and he said earlier this year that he was dedicating enough resources to the problem that we should expect to see tangible progress as we approached 2019.

Facts have proven to be inconvenient things for Facebook in 2018. Every month this year—and in some months, every week—new information has come out that makes it seem as if Facebook's big rethink is in big trouble. The billions the company is spending to fix itself, along with slowing advertising growth in Europe and North America, have stalled revenues. Its once high-flying stock price is down 35 percent. Well-known and well-regarded executives, like the founders of Facebook-owned Instagram, Oculus, and WhatsApp, have left abruptly. And more current and former employees are beginning to question whether Facebook's management team, which has been together for most of the last decade, is up to the task.

Technically, Zuckerberg controls enough voting power to resist and reject any moves to remove him as CEO. But the number of times that he and his number two, Sheryl Sandberg, have overpromised and underdelivered since the 2016 election would doom any other management team. And so for the first time in Facebook's storied history as a public company, employees, investors, and users are beginning to wonder if the only way to solve Facebook's current spate of problems is to replace the two of them.

Just since the end of September, Facebook announced the biggest security breach in its history, affecting more than 30 million accounts. Meanwhile, investigations in November revealed that, among other things, the company had hired a Washington firm to spread its own brand of misinformation on other platforms, including borderline anti-Semitic stories about financier George Soros. Just two weeks ago, a cache of internal emails dating back to 2012 revealed that at times Facebook thought a lot more about how to make money off users' data than about how to protect it.

Now, according to a New York Times investigation into Facebook's data practices published Tuesday, long after Facebook said it had taken steps to protect user data from the kinds of leakages that made Cambridge Analytica possible, the company continued to sustain special, undisclosed data-sharing arrangements with more than 150 companies—some into this year. Unlike with Cambridge Analytica, the Times says, Facebook provided access to its users’ data knowingly and on a greater scale.

Some companies, like Microsoft and its Bing search engine, had access to all of a Facebook user's friends without consent. Apple devices had access to the contact numbers and calendar entries of people who had changed their account settings to disable all sharing. Spotify and Netflix had the ability to read users' private messages. The search engine Yandex was one of the companies with special access, even though it has long been suspected of having special ties to the Kremlin. The Times had access to users’ friend lists for an article-sharing application it had discontinued in 2011---access that lasted into 2017. (The company told its reporters that it was not obtaining any data.) Apple, Spotify, and Yandex told the Times they were unaware that Facebook granted them such broad access. A Netflix spokesperson told WIRED on Thursday that the company used the access to allow users to recommend movies and TV shows to Facebook friends via Messenger. “Beyond these recommendations, we never accessed anyone’s personal messages and would never do that,” she said.1

SIGN UP TODAY Sign up for the Daily newsletter and never miss the best of WIRED.

There have been murmurings all year over whether Congress might pass new data protection laws, akin to the GDPR in Europe, or whether the FTC would fine Facebook for violating its 2011 consent decree with the agency. Now it would not be a stretch to wonder if both those things aren't imminent when the new Congress convenes in January. Already—earlier Wednesday—the attorney general for the District of Columbia decided to sue Facebook for alleged data misuse stemming from Cambridge Analytica. It’s likely to have company in that effort.