Privacy advocates are calling on all social media platforms to more responsibly handle and restrict improper access to data in the wake of Facebook’s latest controversy where it acknowledged users’ personal information had leaked through a third-party app.

“People are shocked this happened, but I’m shocked it didn’t happen sooner… it’s so easy to penetrate this kind of thing with social media providers,” said Joseph Steinberg, founder of social media security company SecureMySocial, in an interview with Threatpost. “The real issue here is Facebook… not the people who collected the data or those who used it. Facebook knew it happened and didn’t say anything to the public.”

Facebook is in hot water after stating that Cambridge Analytica – a consulting group that has worked on several high-profile political campaigns, including President Donald Trump’s – used the social media company’s platform to harvest the data of 50 million users.

Facebook’s troubles trace back to 2015, when app developer Aleksandr Kogan requested access to information from users who downloaded his third-party Facebook app, “thisisyourdigitallife,” which billed itself as “a research app used by psychologists.” In reality, that data was being given to Cambridge Analytica, a U.K.-based company that helps political parties target voters with specific messages.

The social media platform has defended itself, saying the incident wasn’t a breach because users consented to giving their data to a third-party app. While security experts agree no systems were breached, they say the Facebook debacle points to worrying overarching issues around security, privacy and personal data harvested by social media companies.

“In a technical sense this wasn’t a breach. This is how the business model is supposed to work. But for end users, if it was a breach in any sense of the word, it was a breach of trust,” said Gennie Gebhart, researcher with the Electronic Frontier Foundation, in an interview with Threatpost.

Up to 270,000 Facebook users downloaded the app – giving Kogan consent to access data such as the city they live in or content they “Liked” on Facebook. However, in 2015 Facebook also allowed developers to collect data on users’ Facebook Friend networks – meaning that when users agreed to share their data with Kogan, he could also access data about their Friends, catapulting the number of users impacted to up to 50 million.

Facebook, for its part, adamantly says that users were knowingly providing their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked: “The claim that this is a data breach is completely false,” the company said in a statement. “Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent.”

Facebook said Monday it has hired independent forensic auditors from Stroz Friedberg to investigate whether Cambridge Analytica actually destroyed the end users’ data. Cambridge Analytica on Tuesday announced that it has suspended CEO Alexander Nix on the heels of both the Facebook fiasco and videos from a Channel 4 News reporter who filmed the executive making inappropriate remarks.

Despite these steps, the company has faced a wave of backlash – including politicians calling on Facebook to enforce privacy policies that protect user data, and reports that the U.S. Federal Trade Commission is probing whether Facebook violated the terms of a 2011 consent decree over its use of personal data.

Making matters worse for the social media platform, in the midst of all this Facebook’s security chief, Alex Stamos, is reportedly planning to step down from the company in August, after meeting resistance when he advocated for more disclosure around Russian manipulation of the platform and for restructuring to better address related issues.

The disruption on Facebook comes at a time when data runs rampant on social media platforms – including where users live, birthdates, political affiliations, photos and likes and dislikes. This data also exists on other platforms, such as LinkedIn and Twitter – and Facebook’s issues have lasting impacts for the social media industry as a whole when it comes to privacy.

“This situation has been laser-focused on Facebook’s policies and mistakes, but many if not all social media platforms have the same business model… they are the advertisers and the end users are the product,” Gebhart told Threatpost. “As people start raising these new questions about Facebook, they will begin also questioning other social media platforms.”

What Data Privacy Regulations Exist On Social Media?

Facebook outlines clear policies around data for third-party developers, including that developers must provide a publicly available policy that explains what data they are collecting and how they will use that data.

One rule mandates that developers must “obtain adequate consent from people before using any Facebook technology that allows us to collect and process data about them, including for example, our SDKs and browser pixels,” according to the company’s developer policy.

However, the Cambridge Analytica incident shows that third-party app developers such as Kogan can easily lie about their intentions for collecting data – raising questions about Facebook’s ability to enforce its data protection policies. “Facebook needs to do a better job ascertaining how data is used, but it’s almost impossible to control where data goes,” SecureMySocial’s Steinberg said.

For instance, Steinberg said, other companies could be buying data from third-party app developers in the same way – and then using that data for malicious ends, such as mining users’ Facebook data for likely password-reset answers (e.g., a mother’s maiden name). “[Facebook is] saying it’s not a breach, but what if instead of Cambridge Analytica that data had been sold to criminals?”

Another issue is that the company’s default privacy settings automatically share users’ data – including their email address and public profile – with the apps they interact with.

While users can protect themselves by checking their app settings and customizing what they share with apps, many are unaware that this is the case, said Gebhart.

“Users shouldn’t have to do this, they shouldn’t be settings experts and they deserve so much better,” said Gebhart. “It’s ludicrous – the defaults are terrible, and they serve the business, but not the end users. As long as the defaults are confusing and complex, you can’t say that users were informed.”

Some regulations exist that attempt to limit social media providers’ control over end-user data, including a 2011 consent decree that mandates users be notified and give explicit consent before their data is shared beyond the privacy settings they established. According to reports, the U.S. Federal Trade Commission is currently investigating whether Facebook broke these rules.

However, many social media platforms are still new enough that the government, end users, and the platforms themselves lack an adequate understanding of how to protect data privacy – and of what counts as ethical practice when it comes to data security.

“In our era we now have a new model that is unprecedented in human history,” said Steinberg. “When social media is this new, it’s a problem, because it’s hard to educate people about the risks and what they can do.”