It’s been a really, really bad few weeks for Facebook.

We learned recently that the personal data of 87 million user accounts was accessed by Cambridge Analytica, a data analytics firm that specializes in targeted digital advertising. The data was acquired via a third-party app, and the company behind the app harvested information not just from the users of that app but also from the Facebook friends of users.

The fallout for Facebook has been rough. As my colleague Emily Stewart pointed out, the company is “under siege from lawmakers, regulators, users, shareholders, and even its own employees.” Its stock plummeted by 13 percent in a single week in late March, wiping away $35 billion of shareholder value.

Facebook founder and CEO, Mark Zuckerberg, testified before a Senate hearing on Tuesday, apologizing, yet again, for Facebook’s bad behavior.

Much of the coverage has focused on what happened and how it could have been prevented, but the question now is whether Facebook — and other big tech companies — will have to be regulated by the government in a way we never imagined before.

To answer this question, I reached out to Sally Hubbard, an expert in tech law and antitrust enforcement at the Capitol Forum, a nonpartisan legal investigative company that offers analysis to policymakers. I asked her if Facebook should have seen this coming and if antitrust laws are needed to regulate companies like Facebook and Google.

A lightly edited transcript of our conversation follows.

Sean Illing

Were you surprised by the Facebook-Cambridge Analytica story?

Sally Hubbard

Not at all. There are no data protection rules governing Facebook. There are rules that are going into effect later this year in Europe that might help prevent a problem like this, but in the US, it’s pretty much the Wild West when it comes to the so-called “surveillance economy.” And make no mistake about it: The business model of a company like Facebook is surveillance; they’re harvesting data, and that data can and will be misused.

Sean Illing

What makes this story so problematic?

Sally Hubbard

The biggest problem about this is not just that people were deceived about apps they were downloading; that is, they didn’t fully understand how much of their private data they were exposing. The really egregious part of it is that the Facebook friends of these app users had their data accessed as well, and they never consented to any of it.

It’s surprising what’s been permitted in terms of privacy regulations, especially in this country. Whether it’s a third-party app that’s harvesting the data or it’s Facebook itself, I don’t think people have any understanding of the various ways in which their data is being collected. And they almost certainly have no idea how much Facebook knows about them and how their private data can be used in nefarious ways.

Sean Illing

Is there any way to use a platform like Facebook and not expose yourself to this sort of data breach?

Sally Hubbard

No.

Sean Illing

Should Facebook have seen this coming? Are they negligent in not taking steps to prevent this?

Sally Hubbard

Facebook definitely should’ve seen this coming; they’ve known about it for years. They have a very Silicon Valley libertarian stance on all this, which is to say they just want to create a platform and take no responsibility for what happens on it. I don’t know what they will do next, but they cannot claim to be surprised by what has happened. They understood that their data was being harvested in this way.

Sean Illing

Is this the result of Facebook prioritizing growth over security and privacy at all costs?

Sally Hubbard

Well, security and privacy directly contradict Facebook’s business model. Their business model is a digital advertising business model, and the reason why Facebook and Google had more than a 90 percent share of growth in the digital advertising space last year is that they can target advertising in a way that no other site can because they have a 360-degree view of user activity, meaning they’re tracking users across the web and therefore know much more about their users than anyone else. So protecting private data is contrary to Facebook’s whole reason for being.

Sean Illing

Should we consider using antitrust laws to break up or at least heavily regulate Facebook?

Sally Hubbard

You hear a lot of calls for breaking up big tech companies like Facebook, and while that’s certainly an option, it’s done very rarely. There are other tools that enforcers can use. In the Microsoft case, for example, they didn’t actually break up the company but instead put in place certain constraints on their ability to leverage their monopoly.

I’ve written about the ways that Facebook prioritizes the content that keeps users on its platform and pushes content that doesn’t keep users on its platform to the bottom. These engagement algorithms are causing immense polarization in our society, and I think there’s an antitrust case to be made that they should be forced to change this approach for the health of our society. This wouldn’t break up Facebook, but it would force them to adapt their business model.

Sean Illing

Can we trust Facebook to self-regulate?

Sally Hubbard

I don’t think Facebook is going to do anything meaningful on a voluntary basis. Again, their entire business model depends upon access to and distribution of private personal data. So why would they take steps to undercut this? They’re a corporation, after all, and their profits are tied to being able to gather this data.

Sean Illing

A final point worth making is that although I called this a “data breach” earlier, it’s not really a breach at all. Facebook wasn’t hacked by Cambridge Analytica or anyone else. They happily gave this data away and trusted that it wouldn’t be used for malign purposes.

Sally Hubbard

That’s right. Although I’m not sure I’d say they gave it away or sold it. Instead, they just allowed the free flow of data in this ecosystem, knowing that something like this could happen.