Political action committees may be the least of worries for Facebook users. While plenty of attention has fallen on Cambridge Analytica’s use of the platform’s user data, that turns out to have been a drop in the bucket compared to the activity of other “malicious actors,” to use Facebook’s nomenclature. Yesterday, Facebook admitted that most of its two billion users had their personal data vacuumed by operators on the so-called “dark web” over the last several years, and that they never knew it until now:

The revelation came amid rising acknowledgement by Facebook about its struggles to control the data it gathers on users. Among the announcements Wednesday was that Cambridge Analytica, a political consultancy hired by President Trump and other Republicans, had improperly gathered detailed Facebook information on 87 million people, of whom 71 million were Americans.

But the abuse of Facebook’s search tools — now disabled — happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged.

The scam started when malicious hackers harvested email addresses and phone numbers on the so-called “Dark Web,” where criminals post information stolen from data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometown.

Mark Zuckerberg got pushed a bit into this admission in a press conference yesterday:

Josh Constine, TechCrunch: Thank you. During today’s disclosure and announcement, Facebook explained that the account recovery and search tools using email and phone number could have been used to scrape information about all of Facebook’s users. When did Facebook find out about this scraping operation, and, if that was before a month ago, why didn’t Facebook inform the public about it immediately?

Mark: We looked into this and understood it more over the last few days as part of the audit of our overall system. Everyone has a setting on Facebook, that controls — it’s right in your privacy settings — whether people can look you up by your contact information. Most people have that turned on, and that’s the default, but a lot of people have also turned it off. So it’s not quite everyone, but certainly the potential here would be that over the period of time that this feature has been around, people have been able to scrape public information. The information—that if you have someone’s phone number, you can put that in, and get a link to their profile which pulls their public information. So, I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way.

The problem with this explanation is that Facebook makes its money on scraping data from its users. Granted, it’s data that users willingly upload, and they should understand that their “free” use of the platform depends on that willingness, but it’s still the draw for developers and advertisers. The “malicious actors” who want access to this could just as easily have set themselves up as app developers to get to the same data, and the only difference is that Facebook would have gained the benefits directly. All they’re doing, in effect, is to ensure that “actors” of any stripe have to pay Facebook’s tolls to get to its product — you.

To claim that users aren’t a product which Facebook monetizes for its own purposes is to be deliberately obtuse. And yet that’s what Zuckerberg attempted to argue yesterday, emphasis mine:

Carlos Hernandez, Expansion: Hi Mark. You mentioned one of the main important things about Facebook is people… and users’ understanding of the platform. Do you have any plans to let users know how their data is being used? Not just on Facebook but also on Instagram and other platforms that you are responsible for?

Mark: I think we need to do a better job of explaining principles that the service operates under, but the main principles are, you have control over everything you put on the service, and most of the content Facebook knows about you it’s because you chose to share that content with your friends and put it on your profile. And we’re going to use data to make those services better, whether that’s ranking News Feed, or ads, or search, or helping you connect with people through people you may know, but we’re never going to sell your information. And I think if we can get to a place where we can communicate that in a way that people can understand it, then I think we have a shot of distilling this down to something, to a simpler thing, but that’s certainly not something we have succeeded at doing historically.

It’s true that Facebook doesn’t “sell your information,” but only in the strictest literal sense. They make money by granting access to user data to app developers and advertisers, which might make the process different but the result is still the same. They will monetize user data to make money, and while they now will create long-overdue improvements to privacy settings, Facebook isn’t about to kill the goose laying the golden eggs.

Still, caveat emptor applies in large part here too. If you’re getting anything for free, you’re not the customer — you’re the product. If you don’t like it, don’t use Facebook, or at least learn enough about privacy settings and data usage to only allow access to information you’re comfortable sharing. The bigger problem here is that Facebook has been a sieve in other ways, allowing other more “malicious actors” access to data for purposes much more nefarious than just GOTV efforts. Cambridge Analytica is just a sideshow.