Throughout its history, Facebook has adamantly argued that it treats our data, and who has access to it, as a sort of sacred trust, with Zuckerberg & Company being the trustees. Yet at the same time, Facebook has continued to undermine privacy by making it cumbersome to opt out of sharing, trying to convince users that we actually do want to share all of our personal information (and some people actually do) and by leaving the door unlocked for its partners and clients to come in and help themselves. Those partners have included 60 device makers that used application programming interfaces, also known as A.P.I.s, so Facebook could run on their gadgets.

In Facebook’s view those partners functioned as extensions of the Facebook app itself and offered similar privacy protections. And the company said that most of this intrusive behavior happened a decade ago, when mobile apps barely existed and Facebook had to program its way onto those devices. “We controlled them tightly from the get-go,” said Facebook’s Ime Archibong, vice president for product partnerships, in a response to The Times’s article. Yet a Times reporter was able to retrieve information on 295,000 Facebook users using a five-year-old BlackBerry.

A consortium of consumer and privacy organizations, including the Center for Digital Democracy, has already asked the Federal Trade Commission to investigate whether Facebook violated the consent order after the Cambridge Analytica disclosures. Facebook’s failure to protect users’ basic information from outdated devices is only more evidence that the company either can’t manage its data or can’t manage to care, despite Mr. Zuckerberg’s congressional testimony to the contrary. “I say this gently,” said Senator John Kennedy, a Republican from Louisiana, to Mr. Zuckerberg during his testimony. “Your user agreement sucks.”

Mr. Zuckerberg told Mr. Kennedy that he should have “complete control” over his data. The senator is willing to turn that into law. He and his colleague Amy Klobuchar, a Democrat from Minnesota, have proposed rules to codify the right of consumers to opt out and keep their information private while giving them more control over it. More important, the senators’ bill would require “plain language” so there’s no confusion — not a big request, since the insurance industry did so years ago without any apparent harm.

The European Union has passed such legislation, called the General Data Protection Regulation, or G.D.P.R., which forces companies such as Facebook to do a better job shielding individual data. Facebook says it is willing to extend the G.D.P.R. to anyone who asks for it. Though why should we have to ask for what ought to be ours to begin with?