Summary

  • The Cambridge Analytica record is not only a privacy scandal record; it is a platform-control record about who could grant access, who could verify deletion, who could notify users, and who could detect political-data misuse before journalists, regulators, and legislatures forced a public accounting.
  • Public sources from the FTC, SEC, ICO, UK Parliament, Canadian privacy authorities, Facebook, and court records support a clear distinction between confirmed findings, evidence-supported governance inference, and matters that remain unknown from public evidence.
  • The strongest accountability lesson is that app-platform rules are weak if enforcement depends mainly on developer promises after data has already moved beyond the platform's technical boundary.
  • The public record does not prove every downstream use of every profile record, every campaign decision, every internal Facebook deliberation, or every individual harm; it does prove that platform permission design and enforcement became a civic-risk control surface.

The case began inside a permission system

Facebook made Cambridge Analytica a platform-data accountability test because the central control was not a stolen password, a broken firewall, or a mysterious outside intrusion. The public record describes a developer-platform pathway. A personality quiz app associated with Aleksandr Kogan collected data from people who installed it and, under Facebook's platform design at the time, could also receive data related to those users' friends. The FTC later described the broader Facebook privacy matter and settlement at https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook, while the FTC's filed complaint at https://www.ftc.gov/system/files/documents/cases/182_3109_facebook_complaint_filed_7-24-19.pdf and order at https://www.ftc.gov/system/files/documents/cases/182_3109_facebook_order_filed_7-24-19.pdf made the enforcement record durable. The accountability question is therefore practical: who controlled the permission architecture, who monitored developer compliance, who verified that data had not been passed onward, and who told users when the boundary failed?

Facebook's own March 2018 statement at https://about.fb.com/news/2018/03/suspending-cambridge-analytica/ said the company suspended Cambridge Analytica and others after learning that data obtained through Kogan's app had not been deleted as certified. That statement is important because it confirms several control facts without requiring speculation. First, Facebook had a developer policy boundary. Second, Facebook relied on a certification or attestation that data had been deleted. Third, the company later treated the certification as limited public evidence. Fourth, the public suspension came years after the app-data collection period and after the company had already been told about the onward transfer. The issue was not only whether a rule existed. It was whether the rule was enforceable when data had already left the platform.

The scale became public in Facebook's April 2018 product and privacy update at https://about.fb.com/news/2018/04/restricting-data-access/, which said information from up to 87 million people may have been improperly shared with Cambridge Analytica. That statement should be read carefully. It is not a proof that every one of those people suffered the same consequence, that every field was used in a campaign, or that a complete voter-behavior causal chain is publicly provable. It is, however, a platform-scale admission that the permission system created a population-level exposure. A user who never installed the quiz could still be part of the data path because a friend did. That is why the event sits in a different category from ordinary app consent disputes.

The developer boundary matters because consent and control were misaligned. The person installing an app might make a choice, however imperfect. The friends whose data became reachable through that app did not make the same app-specific choice. Facebook controlled the product architecture that allowed that data flow, the app terms that constrained developers, and the enforcement tools that could detect or punish misuse. Users controlled neither the downstream developer's business choices nor the political-data market that later made the data valuable.

When control and exposure sit in different places, accountability should follow the party that designed and operated the permission surface.

This does not mean every political use claim made in public debate was proven. The record is stronger and narrower. It shows that Facebook's platform enabled large-scale collection, that data reached Cambridge Analytica or related parties, that deletion promises were not enough, that regulators later found major privacy and disclosure failures, and that legislatures treated the case as a democratic-governance issue. The accountability task is to keep those proven points separate from unsupported claims while still recognizing the seriousness of a platform rule that did not prevent onward political-data exploitation.

Regulatory records turned apology into evidence

The FTC settlement is one of the central public accountability records because it tied the Cambridge Analytica episode to Facebook's broader privacy obligations under a previous FTC order. The FTC press release said Facebook would pay a 5 billion dollar penalty and accept new privacy restrictions. The order did more than impose a payment. It required a privacy program, certification duties, board-level structures, independent assessor reviews, and controls that moved privacy governance away from informal product discretion. A penalty alone can be treated as a cost of doing business.

A governance order is an attempt to alter who must see, certify, and own the risk.

The FTC complaint's value is not that it answers every historical question. It provides a regulator-authored description of alleged misrepresentations, privacy-control failures, and the way developer access interacted with user settings. It also sits alongside the FTC's Cambridge Analytica-specific enforcement record, including the FTC's December 2019 action and opinion page at https://www.ftc.gov/news-events/news/press-releases/2019/12/ftc-issues-opinion-order-against-cambridge-analytica-app-developer-aleksandr-kogan and the administrative docket at https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter. Those sources help separate platform responsibility from downstream actor responsibility. Facebook controlled the platform boundary. Kogan and Cambridge Analytica faced their own allegations and orders related to how the data was collected, represented, or used.

The SEC record adds a different accountability layer. The SEC announced charges against Facebook at https://www.sec.gov/news/press-release/2019-140, stating that the company had agreed to pay 100 million dollars to settle charges that its public disclosures presented misuse of user data as a hypothetical risk after the company knew about the Cambridge Analytica misuse. The SEC order at https://www.sec.gov/files/litigation/admin/2019/34-86457.pdf is not a privacy order in the same sense as the FTC case. It is a securities-disclosure record. Its importance is that platform-data governance became investor-risk disclosure. Once a company knows a risk has occurred, a public filing that treats that risk as merely possible can become an accountability issue for shareholders as well as users.

The UK Information Commissioner's Office provided another public enforcement record. Its October 2018 announcement at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2018/10/facebook-issued-with-maximum-500-000-fine/ said the ICO issued the maximum 500,000 pound penalty available under the older UK law then applicable. The ICO's monetary penalty notice at https://ico.org.uk/media/action-weve-taken/mpns/2260051/facebook-mpn-20181024.pdf described failures to protect users' personal information and to be transparent about how data was harvested by others. The number was small by later global-platform standards because of the legal regime then in force, but the finding was important: Facebook's developer ecosystem had become a data-protection enforcement matter outside the United States.

UK Parliament treated the case as a political and democratic-accountability problem. The House of Commons Digital, Culture, Media and Sport Committee final report at https://publications.parliament.uk/pa/cm201719/cmselect/cmcumeds/1791/1791.pdf placed Cambridge Analytica inside a wider inquiry into disinformation, data-driven campaigning, platform power, and electoral integrity. Parliamentary reports are not criminal verdicts. They are public oversight records. Their value here is to show why the affected population was not limited to app users or advertisers. The event touched questions about political persuasion, campaign transparency, platform governance, and how democratic institutions can inspect private data systems that shape public debate.

Canada's privacy authorities reached a related conclusion. The Office of the Privacy Commissioner of Canada's joint findings at https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-002/ found that Facebook had serious privacy shortcomings in the Cambridge Analytica matter and did not adequately safeguard user information. Again, the public value is not that it provides a complete internal engineering timeline. It shows that multiple regulators, in different legal systems, converged on the same control problem: a platform cannot outsource privacy protection to app developers' promises and then treat large-scale misuse as if it occurred outside its accountability perimeter.

User notice was delayed by design and by evidence gaps

The user-notice problem is central. Facebook said in 2018 that it had learned in 2015 from journalists that Kogan had shared data with Cambridge Analytica and that it demanded certifications that the data had been destroyed. The public scandal broke widely in 2018 after reporting by The Guardian at https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election and The New York Times at https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html. Those reports are not primary enforcement documents, but they are part of the public chronology because they forced the dormant control question into public view. Users then learned that a data event known inside the platform's trust boundary had not generated a broad contemporaneous user notice.

Delay matters because privacy remedies decay. A user notified in 2015 might have changed app settings, reviewed connected apps, warned friends, changed political-data expectations, or demanded deletion evidence sooner. A user notified in 2018 received information after the data had already traveled, after the certification dispute had aged, and after political-data use had become a public controversy. Notice is not only a courtesy. It is a recovery control. It lets affected people decide what to do when the platform no longer has sole control over the risk.

Facebook's April 2018 update said the company would show people if their information might have been improperly shared with Cambridge Analytica and described broader restrictions on developer access. That is a remedial step, but it does not erase the accountability question. A platform that waits until public crisis to notify users creates an evidence gap. Users cannot reconstruct what data was accessed, how it was used, whether it was copied again, or whether it was combined with other political or commercial datasets. The later notice can identify potential exposure, but it cannot make the user whole in terms of lost control.

The strongest public evidence supports a limited conclusion: Facebook had earlier knowledge of an onward-transfer problem, relied on deletion certifications, and later notified users only after the issue became public. The record does not let an outside reader prove every internal reason for the timing. It does not prove that every relevant Facebook employee held the same understanding. It does not prove every downstream use. But it is enough to judge the control design.

If a platform receives notice that data has been transferred against policy, a deletion promise should not be the end of the case unless the platform can independently verify deletion or disclose why it cannot.

This is where abuse-contact economics enters the case. A developer platform has to decide how much it invests in suspicious-app review, user complaints, journalist reports, developer enforcement, legal escalation, and post-termination monitoring. If enforcement is cheap for the platform but expensive for users to challenge, the platform may under-detect misuse until outside pressure accumulates. A user cannot audit Kogan, Cambridge Analytica, a campaign vendor, or a brokered data chain. Facebook could create developer terms, suspend apps, restrict API access, demand certifications, commission audits, and notify users.

Those are not perfect tools, but they are tools the platform had and users did not.

App review failed as a civic-risk control

The Cambridge Analytica record shows why app review cannot be treated only as a consumer-product function. On a social platform, app permissions can expose social graphs, demographic signals, likes, friend connections, and behavioral categories that may be valuable for advertising, psychographic modeling, voter targeting, or influence operations. That does not mean every app is political, every developer is abusive, or every dataset changes an election. It means the platform has to classify certain data flows as civic-risk flows before a scandal proves the point.

Facebook's Graph API changes after the scandal are part of the evidence. The April 2018 update described restrictions on events, groups, pages, login, Instagram, search, call and text history, and app permissions. The fact that Facebook could narrow access after the event demonstrates that the earlier system was a design choice, not a natural law. A platform often defends broad API access as developer innovation. That argument has weight: useful apps depend on access. But a platform that grants broad access must also fund enforcement, revocation, review, and meaningful user notice.

Innovation does not remove the duty to keep permission boundaries enforceable.

The FTC's Kogan and Cambridge Analytica matter is relevant because it shows that downstream actors also had duties. The FTC alleged deceptive practices around the app and data collection. That matters for fairness. Facebook was not the only actor in the chain. Kogan, Cambridge Analytica, political campaigns, data brokers, and other service providers each had potential control over their own conduct. But platform accountability is not eliminated by downstream misconduct. A bridge operator is not absolved of guardrails merely because a driver also behaves badly. The platform built the lane through which data moved.

Confirmed facts show that app review and policy enforcement did not prevent the data path. Evidence-supported inference goes further: Facebook's governance model treated developer compliance as sufficiently manageable until public events showed it was not. That inference is supported by the later restrictions, regulator findings, and Facebook's own suspension and notice chronology. Unknowns remain: how every app-review decision was made, what internal warnings were raised, how risk was prioritized across teams, and which private audits found which facts at which time.

Those unknowns matter because they prevent a public article from assigning unsupported individual blame.

The practical control map is still clear. Facebook controlled the APIs, review rules, developer access, enforcement escalation, suspension decisions, user-facing settings, and public notice. Developers controlled their applications and promises. Campaign clients controlled how they procured and used analytics services. Regulators controlled after-the-fact enforcement and rulemaking. Users controlled only limited settings and their own app choices, and friend exposure meant even those choices could be bypassed by another person's installation. That asymmetry is why platform design is the primary accountability surface.

Consent did not travel with the data

The Cambridge Analytica case is often described as a consent failure, but that phrase is too narrow. Consent failed because it was not portable, visible, or enforceable after data left Facebook. A platform prompt can ask a user to allow an app to access certain information. It cannot by itself ensure that the app later keeps the data segregated, does not sell it, does not combine it with voter files, and deletes it when asked. Once data crosses a boundary, technical enforcement becomes harder. That is why platform rules must include prevention, verification, and durable audit, not only click-through acceptance.

Friend-data access made the weakness sharper. Affected people could include those who never interacted with the app. The consent chain was therefore not merely thin; it was socially delegated. One user's app action could carry consequences for another user's data. That structure sits at the heart of data sovereignty and locality as a practical issue. People often assume their data remains governed by the platform and jurisdictional expectations attached to their account.

In reality, platform APIs can export data into developer systems, analytics firms, campaign operations, cloud storage, legal entities, and jurisdictions that the user never sees.

The ICO's enforcement record framed the issue in data-protection terms, while the FTC framed it through privacy promises and order violations, and the SEC framed it through investor disclosure. These are different legal vocabularies for the same operational problem. Data governance cannot be reduced to a privacy policy if the actual permission system allows third parties to extract large quantities of social data and the platform cannot verify compliance. A promise about control is only as strong as the mechanism that keeps control from evaporating.

Facebook's later privacy program obligations are relevant because they moved governance toward documented assessment. The FTC order required a more formal program and certifications. Such obligations are not proof that every future risk disappears. They are evidence of the control layer regulators believed was missing or inadequate. A mature platform-data program should identify high-risk permissions, require data-minimization justification, test developer claims, maintain termination and deletion evidence, monitor anomalous extraction, record enforcement decisions, and notify users when the platform cannot verify containment.

The case also shows why public-interest harm differs from ordinary individual privacy harm. A person may not be able to identify a single message, advertisement, or decision caused by the data transfer. Yet the aggregation of millions of profiles can matter for political systems, civil society, and election oversight. Public-sector continuity is relevant here because democratic institutions depend on trust in political communication, campaign transparency, and the fairness of information environments. A platform-data failure can therefore create harm that is diffuse, institutional, and hard to remediate through individual notice alone.

Disclosure failures extended the accountability perimeter

The SEC case widened the accountability perimeter beyond users and regulators. Public companies disclose risks to investors. The SEC alleged that Facebook's risk-factor language described the potential for misuse of user data even though the company already knew that misuse had occurred. The significance is not simply that Facebook paid a settlement. It is that privacy incidents can become disclosure-control incidents. If executives, legal teams, privacy teams, and investor-relations functions hold different pictures of the same event, public accountability breaks.

This matters for all large platforms. A privacy event may begin in a product team, be handled by a policy team, be escalated through legal channels, and then sit outside public securities disclosure until reputational crisis erupts. The SEC record says that is not enough when the event is material to investors. A mature incident program must connect product risk, legal risk, privacy risk, communications risk, and financial disclosure risk. Otherwise a company can know an event occurred while telling the market only that such an event could occur.

The disclosure issue also affects users. If a company publicly frames a known data event as hypothetical, users may underestimate the need to review settings, change behavior, or demand answers. Investors may underestimate the scale of regulatory exposure. Legislators may underestimate the urgency of oversight. Advertisers and developers may underestimate the governance change coming. Disclosure is therefore not a paperwork formality. It is a coordination control across stakeholders who cannot inspect the platform's private systems.

The public record supports this inference without requiring private speculation. The SEC order, FTC order, ICO penalty notice, Canadian findings, parliamentary report, and Facebook's own statements all describe overlapping aspects of the same episode. The details differ, but the direction is consistent: Cambridge Analytica was not a single isolated app mishap. It became a test of whether a platform could identify, govern, disclose, and remediate data misuse that moved through its own permission architecture.

Unknowns remain significant. The public record does not disclose every internal meeting, draft filing, legal assessment, engineering alert, or executive decision. It does not let outsiders reconstruct the exact path from internal knowledge to public disclosure language. But the SEC's public order is enough to support the accountability conclusion that disclosure controls must be integrated into data-governance controls. A privacy team that knows about misuse and a securities filing that treats misuse as hypothetical are not separate risk worlds.

Deletion promises were not containment proof

One of the most important lessons is the difference between deletion promise and containment proof. Facebook's 2018 statement said it had demanded and received certifications that data had been destroyed. Later events showed that this was not a sufficient public-confidence endpoint. If data has been copied into another entity's systems, certification can be a legal control, but it is not the same as technical proof. It may be necessary; it is rarely sufficient.

Containment proof would require stronger evidence: what data was held, where it was stored, who accessed it, whether it was copied into backups, whether derived models were created, whether third parties received it, whether deletion was independently audited, whether logs were preserved, and whether noncompliance would be detected. Some of those questions may be impossible to answer fully after time passes. That is precisely why prevention and timely verification matter. The later a platform tries to contain exported data, the less certain the containment evidence becomes.

The FTC's Cambridge Analytica docket and related orders helped assign responsibility to downstream actors, but they did not restore user control over the historic exposure. The FTC Facebook order addressed platform governance going forward. The ICO penalty imposed the maximum available penalty under the relevant old law. The Canadian report documented serious failures. Civil litigation added another public accountability channel, including the privacy class settlement site at https://www.facebookuserprivacysettlement.com/ and the federal court docket for In re Facebook, Inc. Consumer Privacy User Profile Litigation at https://www.cand.uscourts.gov/judges/chhabria-vince-vc/in-re-facebook-inc-consumer-privacy-user-profile-litigation-mdl-no-2843/. Settlement processes are not the same as findings after trial, but they show how user claims moved into a compensation and release framework.

The deletion lesson applies beyond Facebook. Any platform that allows third-party apps to collect personal data must decide what happens when the app loses authorization, violates policy, or changes purpose. Does the platform receive machine-readable deletion proof? Does it audit high-risk developers? Does it inspect data flows before granting broad permissions? Does it monitor extraction volume? Does it have contractual rights to inspect downstream systems? Does it notify users when deletion cannot be verified? Does it distinguish ordinary developer mistakes from civic-risk data transfers?

Cambridge Analytica showed the cost of answering those questions after the fact.

The public evidence supports an evidence-based inference: Facebook's earlier enforcement relied too heavily on representations after data movement and not enough on verifiable data-use controls before or during access. That inference is grounded in the company statements and regulator records. It should not be stretched into claims about every app or every Facebook employee. The point is systemic: platform-data governance fails when policy is treated as a document rather than as an enforceable control loop.

Political-data use made platform risk public-sector risk

Cambridge Analytica mattered because the data path intersected with political campaigning and public debate. A commercial app misuse case can harm consumers; a political-data misuse case can also affect democratic trust. The UK Parliament report treated data-driven campaigning, platform accountability, and disinformation as linked problems. The ICO's broader investigation update at https://ico.org.uk/media/action-weve-taken/2260271/investigation-into-data-analytics-for-political-purposes-update.pdf placed the Facebook matter inside a wider inquiry into data analytics for political purposes. These sources do not prove every public claim about election outcomes. They show that democratic institutions regarded opaque political data flows as an oversight problem.

The distinction is important. It is easy to overstate Cambridge Analytica's proven influence on electoral results. Public evidence does not allow a clean causal claim that the data transfer changed a particular election outcome. The accountability case does not need that claim. A platform-data system can be irresponsible even when downstream persuasion effectiveness is uncertain. The control failure is that political actors could seek advantage through data whose collection, consent, onward transfer, and deletion status were not transparent to the people described by the data.

Political-data risk also changes the harm model. If a user receives a manipulative ad, joins a modeled audience, or is excluded from a campaign message, the user may never know. If a campaign builds a strategy using improperly obtained data, outsiders may not be able to separate the data's effect from messaging, media buys, field operations, voter files, or broader political climate. The opacity itself is part of the accountability problem. Public-sector continuity depends on institutions being able to inspect and challenge the infrastructure that shapes political communication.

Facebook later created more political-ad transparency tools and imposed more restrictions, but the Cambridge Analytica case remains a baseline because it exposed the gap between platform scale and public oversight. Regulators can punish after the fact. Legislatures can hold hearings. Journalists can investigate. Users can sue. But none of those mechanisms works as cleanly as platform controls that prevent high-risk data extraction before it becomes politically useful elsewhere.

The case therefore belongs in public-sector continuity as well as data sovereignty. A global social platform is not a government agency, yet it can shape the information environment in which public institutions operate. When its app rules fail, the consequences can reach civic trust. That does not mean every platform incident is a state failure. It means platform operators should treat certain permissions, especially those involving social graphs and political analytics, as infrastructure-grade risks.

What changed, and what evidence still matters

Facebook's post-scandal changes included restrictions on developer access, user notices, app review changes, privacy program obligations, and public commitments from leadership. Mark Zuckerberg's prepared testimony and hearing transcript page at https://about.fb.com/news/2018/04/transcript-of-zuckerbergs-senate-hearing/ is relevant because it shows the company presenting the case to elected officials as a responsibility failure that required product and governance changes. The FTC order then converted some commitments into enforceable obligations. The difference between voluntary promise and enforceable order is central. Public apology can start accountability, but durable accountability requires audit, reporting, verification, and consequences.

The evidence to watch after Cambridge Analytica is not only whether a similar scandal repeats. It is whether high-risk data flows are governed before scandal. A serious platform should be able to answer: which permissions expose friends or social graphs; which apps receive sensitive combinations of data; which developers have political, broker, analytics, or profiling purposes; which data leaves the platform; what deletion proof exists; what user notice threshold applies; and which senior officials certify that the control system works. These are governance questions, not public-relations questions.

Another watchpoint is whether user settings reflect real control. A privacy dashboard can give people choices, but if those choices cannot prevent third-party onward transfer through another user's app, the dashboard may overstate control. A platform should distinguish settings that control direct visibility from settings that control API movement and from settings that only affect future access. Cambridge Analytica showed that users need plain answers about what the platform can still enforce after data has left.

Regulatory coordination also matters. The FTC, SEC, ICO, Canadian authorities, UK Parliament, and courts each touched different parts of the episode. Fragmentation can create gaps if privacy, securities disclosure, election oversight, consumer protection, and civil litigation proceed in isolation. The case shows why large platform incidents need cross-domain accountability. A data event can be simultaneously a consumer-protection issue, a data-protection issue, a securities-disclosure issue, a political-transparency issue, and a private litigation issue.

The public record still leaves open questions. It does not fully show how all affected data was used, whether all derived material was deleted, how every downstream recipient handled the data, what internal risk signals existed before 2015, or how every team understood the issue before 2018. Those unknowns should not be filled with unsupported certainty. They should be treated as reasons for stronger evidence duties. When a platform cannot show containment, the burden should not fall on users to prove where their data went.

There is also a procurement lesson for institutions that use social platforms for outreach, advertising, constituent communication, or research. Public agencies, universities, charities, media organizations, and campaigns often treat platform tools as audience infrastructure. They may buy ads, run pages, authorize apps, embed sharing tools, or use analytics without holding direct power over platform enforcement.

Cambridge Analytica showed that institutional users should ask whether the platform can document high-risk data access, political-segment safeguards, app-review escalation, audit rights, deletion verification, and user-notice thresholds. Those questions are not only for privacy officers. They belong in procurement, campaign compliance, information security, public communications, and board oversight.

The same lesson applies to developers. A healthy app ecosystem needs useful access, but useful access should be tiered by risk. Low-risk integrations can follow lighter review. Apps requesting social graph, friend, profile, political, demographic, or behavioral data need stronger purpose limitation, logging, and revocation duties. Developers should know that access is conditional and that later misuse can trigger evidence demands, not only account suspension. Platforms should publish enough about those duties that legitimate developers understand the rules and users understand why a permission request is sensitive.

Secrecy around the enforcement model can protect attackers, but total opacity can also weaken public confidence.

For users, the case is a reminder that interface control and data control are not the same. A user can remove an app, change a setting, or close an account, but those actions may not retrieve data already exported to another system. That does not make user action pointless. It means user-facing controls must be paired with platform-side guarantees about future access, historical export, deletion, and notice. A privacy setting should say what it can prevent, what it cannot reverse, and when the platform will inform people that a third-party boundary has failed.

The accountability standard is enforceable consent

The final accountability standard is enforceable consent. Consent is not enforceable if users do not know what is leaving, if friends can expose them without app-specific choice, if developers can repurpose or transfer data without timely detection, if deletion promises substitute for verification, if known misuse is not clearly disclosed, and if political-data use is only inspected after journalism and regulatory action. Enforceable consent requires a permission system that can be audited, narrowed, revoked, and explained.

Confirmed facts support that standard. Public records confirm the app-data pathway, Facebook's suspension statement, the up to 87 million exposure estimate, the FTC penalty and order, the SEC disclosure settlement, the ICO penalty, the Canadian privacy findings, parliamentary scrutiny, and civil litigation settlement processes. Evidence-supported inference supports a broader governance conclusion: Facebook's platform controls did not match the civic and privacy stakes of the data flows the platform enabled. Unknowns remain around complete downstream use, internal deliberations, and individual-level harm.

Responsibility should follow practical control. Facebook controlled the platform architecture and enforcement model. Developers controlled their apps and compliance with terms. Political data firms and campaigns controlled their procurement and use of analytics services. Regulators controlled after-the-fact enforcement. Users controlled only narrow choices, and sometimes not even those when friend-data access was involved. That map is the reason Cambridge Analytica remains a live accountability case even years after the first headlines.

The broader lesson for cloud and platform governance is simple but demanding: data-access rules must be built as operational controls, not reputational language. A platform should assume that once data leaves its boundary, recovery becomes uncertain and public trust becomes harder to restore. The safer control is prevention through minimization, purpose review, narrow permissions, developer verification, anomalous-access monitoring, rapid suspension, verified deletion, and user notice when containment is uncertain.

Facebook's Cambridge Analytica record therefore belongs in a risk file not because it answers every political question, but because it asks the right infrastructure question. When a private platform becomes a gatekeeper for identity, social graphs, advertising, political communication, and third-party developer access, its permission system is no longer just a product feature. It is a public accountability surface. The test is whether the platform can prove that consent, enforcement, deletion, disclosure, and remediation work before outsiders force the record open.