Great reporting by the NY Times here on how Cambridge Analytica harvested data and information from more than 50 million Facebook accounts by leveraging an innocuous-seeming personality quiz app they created that 270,000 users installed. It’s a fascinating, yet angering read.

So the firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history.

There’s a couple big things here that really bug me.

The first is how Facebook has yet to truly comment on this story and the apparent abuse of its users information. Yes, there have been a few Facebook employees who made a few tweets on the subject, but they have largely been deflecting blame from Facebook to Cambridge Analytica. That’s not how you handle a situation like this. I’d like to see Zuck make some kind of statement ASAP.

While I would love to see Cambridge Analytica held responsible for their actions, perhaps Facebook should sue them and make an example out of them, there’s still a lot of blame that falls squarely on Facebook. The company designed its API and has encouraged developers to use it and build apps for its users, but with that API they have also made it easy enough for companies like Cambridge Analytica to do exactly what they did with no real way to verify that the data is being used as originally intended by the app/company. In this case Cambridge Analytica had a third-party develop and launch the app (on their behalf) for the sole purpose of eventually the harvesting user data for use in their models–which is not what users of the app agreed to have their data used for when signing up.

I don’t know what the right solution looks like at this point, but Facebook has some serious questions to answer and things to do to ensure this type of abuse doesn’t happen again.