Since reports surfaced that controversial political data firm Cambridge Analytica collected data from 50 million Facebook users, the social media giant has found itself in the line of fire, trying to answer for the many concerns of its users.

Facebook has mostly remained quiet throughout the controversy, particularly at the executive level. Meanwhile, the company’s shares have taken a significant hit as Wall Street weighs the long-term implications.

Facebook relationship with Cambridge Analytica is complicated and requires some untangling to understand exactly what each party’s role is and their responsibilities.

What Did Cambridge Analytica Do?

Cambridge Analytica, a United Kingdom-based political data analytics firm, used personal data collected from Facebook users to create political profiles to help launch digital advertising campaigns for political candidates and organizations. The firm, which is in part backed by hedge fund billionaire and Republican donor Robert Mercer, was brought in during the 2016 presidential election to help the Donald Trump campaign.

However, the data believed to be used by Cambridge Analytica was not collected directly by the organization. It came from a third-party, Global Science Research (GSR).

Global Science Research created a quiz app on Facebook in 2013. The app was a personality test that was allegedly designed for academic research. It has been reported that about 270,000 people participated in the quiz. Andrew Bosworth, Facebook’s former vice president of ads and current vice president of AR/VR, reported the platform allowed for a maximum of 270,000 users to provide data to an app at the time.

In addition to the 270,000 users who participated in the quiz itself, the application was also able to gather data about the friends of those users—something that was allowed by Facebook’s application program interface (API) at the time. As a result, the quiz application collected data on more than 50 million Facebook users, most of whom did not consent to provide that data.

After collecting the Facebook data, GSR reportedly sold it to Cambridge Analytica. According to a statement from Cambridge Analytica, it was contracted with GSR in 2014 for “a large scale research project in the United States.”

Cambridge Analytica said GSR “was contractually committed by us to only obtain data in accordance with the U.K. Data Protection Act and to seek the informed consent of each respondent," but did not follow those requirements.

"When it subsequently became clear that the data had not been obtained by GSR in line with Facebook's terms of service, Cambridge Analytica deleted all data received from GSR," Cambridge said.

What Action Did Facebook Take?

Facebook’s timeline, at least as laid out by Bosworth, is slightly different. The company acknowledged that GSR launched an app in 2013 and it was used by many Facebook users, but the company claims that it learned in 2015 that GSR was selling the data from the Facebook app to Cambridge Analytica — not that it was part of a contracted project.

Once Facebook learned of the sale of the data, it “took legal action.” According to Bosworth, Cambridge Analytica agreed to comply with the request to delete all Facebook data when approached by the social networking company in 2015 — just as Cambridge Analytica claimed in its own statement.

Facebook at the time didn’t take further action against the data analytics firm because Cambridge Analytica was supposedly deleting the acquired data.

“They certified in a legal document that they had deleted the data," Bosworth said. “In light of further reports that data might still exist, we are asking [Cambridge Analytica] to undertake a full audit to prove that the data was actually deleted.”

While Facebook can explain its reasoning for not suspending Cambridge Analytica back in 2015, it’s harder for Facebook to explain the many other instances of applications and organizations accessing its huge wealth of user data.

Facebook has yet to inform users who may have had their data taken by the GSR app and provided to Cambridge Analytica. Facebook also has not made it clear if it will eventually do so.

It’s worth noting that Cambridge Analytica wasn’t even the first politically motivated organization to make use of Facebook user data. As the Washington Post reported, the Obama for America political action group “built a database of every American voter using the same Facebook developer tool...known as the social graph API.”

Carol Davidsen, director of data integration and media analytics for Obama for America, said in an interview that the organization “ingested the entire U.S. social graph.” Davidsen said that the organization "would ask permission to basically scrape your profile, and also scrape your friends, basically anything that was available to scrape. We scraped it all."

What Does It All Mean For Facebook Users?

While some outlets have reported that Facebook suffered a data breach, that is not the case. A breach occurs when data is taken from a company without permission. Facebook allowed the user data to be collected.

The GSR app isn’t the only guilty party, either. Any developer in 2014 could create an app that would be able to collect information about a user’s friends without that friend ever giving permission to the app.

“We thought that every app could be social. Your calendar should have your events and your friends birthdays, your maps should know where your friends live, your address book should show their pictures,” Bosworth explained. “It was a reasonable vision but it didn't materialize the way we had hoped.”

Facebook has since made changes to the way its platform operates to restrict developer access to detailed data about a user’s friends. It has also implemented more controls for users to manage how their data can be accessed and used by advertisers, third-party app developers and others.

Essentially, what was done with the GSR personality app in 2014 is no longer possible today.

That doesn’t mean that a Facebook user’s information is currently safe. Users can visit their security settings in their Facebook profile and limit the amount of information that can be shared, but it will only do so much— the company still has a strong hold on user information.

Facebook also uses what are called Pixels to track a user’s activity around the web, even when they aren’t logged into Facebook. That information is used to build detailed profiles about the user to help target advertising and content that might interest them.

Facebook’s massive amount of data on every user gives it strong advertising power. It can run heavily targeted ads that produce better results than generic advertising, its algorithms can surface content that keeps users on the platform for hours.

For many years, the social network seemed to shun responsibility for how it wielded that power but now finds itself in the crosshairs.

The New York Times editorial board has called for regulators to investigate Facebook’s response to the Cambridge Analytica incident.

“For starters, they need to take a close look at whether the company is in violation of a 2011 consent decree with the Federal Trade Commission, which had accused it of deceiving users by telling them their information would be kept private and then allowing it to be shared and made public,” the Times wrote.

There will likely be additional calls for increased scrutiny. Lawmakers in the U.S. and U.K. are already lining up questions for Facebook and are starting to call for stricter privacy rules. It seems probable that the social media giant won't escape the round of inquiry without some sort of new regulation.