Back in 2010, the video-game designer and scholar Ian Bogost created Cow Clicker, a withering satire of Farmville and other clicker games that were, at the time, wildly popular on Facebook. (Wired wrote an excellent story about it, worth reading.)
As he developed Cow Clicker, Bogost quickly discovered something: Facebook gave app developers a lot of data about users. He was able to get each user's unique Facebook ID (Zuckerberg's is"4", as it turns out); and without even him asking for it, Facebook sent him "affiliation" info about users' schools, workplaces, and other organizations they belonged to.
In essence, Facebook at that time outgassed info so readily that it was almost hard to avoid building profiles of people. But of course, it made it insanely easy for something like Cambridge Analytica to happen, as Bogost notes.
He wrote an engrossing piece for the Atlantic about the experience, and it's the best thing I've yet read that walks you through how Cambridge Analytica got its hands on so much data. You hear phrases like "50 million Facebook profiles", but it can seem awfully abstract. When Bogost describes precisely what Facebook offered him as he developed his Facebook game, you understand much more deeply what's at stake.
And of course, as he notes, a) there were oodles of people developing apps and games at that point for Facebook, and b) they probably all still have that data, as he does:
But because I stored the numerical identifiers for user affiliations, I still have them. Until 2016, I could use a database-query tool called FQL, Facebook Query Language, to retrieve the details of those networks, and correlate them back to my users. Had I wanted to, I could have recombined that information with other data and used it for retargeting.
Cow Clicker's example is so modest, it might not even seem like a problem. What does it matter if a simple diversion has your Facebook ID, education, and work affiliations? Especially since its solo creator (that's me) was too dumb or too lazy to exploit that data toward pernicious ends. But even if I hadn't thought about it at the time, I could have done so years later, long after the cows vanished, and once Cow Clicker players forgot that they'd ever installed my app.
This is also why Zuckerberg's response to the present controversy feels so toothless. Facebook has vowed to audit companies that have collected, shared, or sold large volumes of data in violation of its policy, but the company cannot close the Pandora's box it opened a decade ago, when it first allowed external apps to collect Facebook user data. That information is now in the hands of thousands, maybe millions of people.