To gather that data, the Times reports, Kogan hired workers through Amazon’s Mechanical Turk to install a Facebook app in their accounts. The app, built by Global Science Research, requested an unusual (but not unheard-of) amount of data about users themselves and their friends. That’s how 270,000 Turkers ended up yielding 30 million profiles of American Facebook users that could be matched with other data sets.

From the current reporting, it seems that Kogan violated Facebook’s terms of service in saying he was using the data for academic research, but then selling it to Strategic Communications Laboratories. That’s what got Cambridge Analytica and Kogan in trouble. (Cambridge Analytica told The Guardian that they do not have possession of the data nor did they use any of this data in the 2016 election. An anonymous source in the Times story disputes this.)

There’s a lot about Cambridge Analytica that doesn’t quite add up. Are they data geniuses who swung the Brexit vote and got Trump elected, or pretenders bluffing their way to fat marketing contracts? Right after the election, several stories pointed to their psychological profiles of voters as a crucial piece of the Trump digital machine. As time has gone on, their role has come to be seen as less important, more in line with the tiny slice of the Trump campaign treasury that they got, roughly $6 million.

While the specifics of this particular violation are important to understand, the story reveals deeper truths about the online world that operates through and within Facebook.

First, some of Facebook’s growth has been driven by apps, which the company found extended the amount of time that people spent on the platform, as retired users of FarmVille could attest. To draw developers, Facebook had quite lax (or, as one might say, “developer-friendly”) data policies for years.

Academic researchers began publishing warnings that third-party Facebook apps represented a major possible source of privacy leakage in the early 2010s. Some noted that the privacy risks inherent in sharing data with apps were not at all clear to users. One group termed our new reality “interdependent privacy,” because your Facebook friends, in part, determine your own level of privacy.

For as long as apps have existed, they have asked for a lot of data and people have been prone to give it to them. Back in 2010, Penn State researchers systematically recorded what data the top 1,800 apps on Facebook were asking for. They presented their results in 2011 with the paper “Third-Party Apps on Facebook: Privacy and the Illusion of Control.” The table below shows that 148 apps were asking for permission to access friends’ information.

Pennsylvania State University

But that’s not the only way that friends leak their friends’ data. Take the example of letting an app see your photos. As the Penn State researchers show, all kinds of data can be harvested: who’s tagged in photos, who liked any of the pictures, who commented on them, and what they said.