“On a scale of one to ten, this breach of trust with users,” Savannah Guthrie asks Facebook COO Sheryl Sandberg, “where would you put it?” When Sandberg offers an anodyne non-answer, Guthrie fills in the correct answer, or at least the one she hoped to get: “It’s a ten.” Sandberg, like her boss Mark Zuckerberg, still seems oddly resistant to fully committing to a mea maxima culpa, despite admitting in this interview on NBC’s Today that they knew about the Cambridge Analytica issue more than two years ago.

“This first came to Facebook’s attention in December 2015, that’s two and a half years ago,” Guthrie points out in a series of tough questions for Sandberg, “and only now is Facebook taking serious steps that you’ve announced this week. What is the reason it took so long? You could’ve done all of this two and a half years ago.”

Because, Sandberg explains, they trusted in assurances from, ah … the same people who had cheated to get the data in the first place:

SANDBERG: Because we thought the data had been deleted and we should have checked. You are right about that.

GUTHRIE: Why didn’t you check?

SANDBERG: We thought had been deleted because they gave us assurances and it wasn’t until other people told us it wasn’t true but…

GUTHRIE: But why go on faith with someone who’s already violated you in spirit if not in the letter of Facebook’s principles?

SANDBERG: We had legal assurances from them that they deleted, what we didn’t do is the next step of an audit and we’re trying to do that now.

Ahem. They did it only after having gotten caught at sloughing it off in the first place. And they weren’t too eager to let people know about it, either:

GUTHRIE: But many have asked why Facebook didn’t tell users their data was taken since they found out back in 2015?

SANDBERG: We thought the data had been deleted, that’s why.

GUTHRIE: But that doesn’t mean you don’t tell the users – hey this was stolen from you-

SANDBERG: Yes, you’re right and we should’ve done that, we should’ve done that as well.

Apparently their strategy was to keep users in the dark about the breach for as long as possible, which isn’t exactly a confidence-builder for users in the future. Forget about the future for the moment, however. Users will likely need to prepare themselves for news about other past breaches:

GUTHRIE: Do you think there could be other breaches like the one we saw in Cambridge Analytica where tens of millions of people’s data was accessed improperly?

SANDBERG: We’re doing an investigation, we’re going to do audits and yes we think it’s possible, that’s why we’re doing the audit.

It’s not just possible, it’s highly likely. Sandberg goes on to tell Guthrie that they can’t allow Facebook users to just opt out entirely from data sharing, because it would then become “a paid product,” which Facebook is not contemplating at this time. At the same time, Sandberg insists that users aren’t the product:

GUTHRIE: People say that we’re product. Our data, that’s the product you’re selling.

SANDBERG: And that’s not true. So here’s how our business works. We don’t sell data ever, we do not give personal data to advertisers. People come onto Facebook, they want to do targeted ads and that’s really important for small business but people want to show ads, we take those ads, we show them, and then we don’t pass any individual information back to the advertiser.

GUTHRIE: You don’t have to pass it because you collect all the information and then you target the ads for the advertisers. That’s the service that you charge the advertisers for.

SANDBERG: That’s right. That’s a very good service that’s a privacy protected good service.

That’s nonsense on several levels. Whether they’re selling the data or selling the users, the users are still being sold. Facebook is merely the broker, and they make tons of revenue on that exchange. The mitigating factor is that this data is voluntarily given to Facebook by its users, who should have known the purpose of its use by the platform, but Facebook should have been a lot more forthcoming about that too. And the measure of its data privacy protections has already been revealed in the broad access to that data Facebook allowed its app developers.

Sandberg and Zuckerberg took a lot of flak over their reluctance to speak publicly after the Cambridge Analytica breach became known. Their public statements since then explain why they kept quiet in the first place. They don’t have a good explanation, and the longer they talk, the worse they look. Kudos to Guthrie for making that as painfully obvious as it was this morning on Today.

Addendum: If people are interested in the future of Facebook, Jeremy Ashkenas provided a look at their recent patent applications on Twitter. Be sure to read the whole thread, complete with links to the USPTO filings, about eye tracking control, information gathering from outside platforms, and more. Brave new world, eh?

Update: I mistakenly used “CEO” as Sandberg’s title in the first paragraph; it should be COO (Chief Operating Officer), which was correct in the headline. I’ve corrected it above.