In 2013, the National Security Agency was accused of monitoring the metadata of Americans - telephone logs, for example - in search of patterns that would help identify terrorists. And - just imagine! - that was a major scandal.
Even at the time, I thought it odd that we were so worried about the NSA - which is bound by ethics and privacy rules and, at least in principle, is answerable to Congress - whereas we weren't at all concerned about Facebook, which had far more of our data, was bound by no rules and was answerable to no one.
But now we are.
Thanks mostly to the work of a single reporter, Carole Cadwalladr of the Observer, we have learned that Facebook not only had our data but also was giving it to people who knowingly sought to manipulate it for political purposes. As a result, the chief executive of Facebook has finally agreed to testify before Congress.
But Mark Zuckerberg's appearance in Washington this week is a voluntary, one-off reaction to a scandal. It should be the start of the conversation, not the end: Facebook, like every company that collects and stores personal data, must be made permanently accountable to American political and regulatory institutions.
This needn't be draconian - regulation doesn't have to mean "censorship" - and it isn't impossible. After all, we regulate capital markets, an industry that involves billions of dollars moving at great speed around the world, transferred between people who are constantly inventing new ways to cheat. Compared to that, social media is a soft target.
Nor will it be unwelcome.
Perhaps because they feel much less sentimental about Silicon Valley, the European Union has been way ahead of the United States in debating and now implementing regulation.
Next month, the E.U. general data protection regulation will go into effect, a set of rules that require transparency for all online companies around the use of data, greater control for individuals over their data, as well as penalties for abuse. Far from expressing outrage at this major new imposition, Zuckerberg appears to be relieved. Last week, he said he intends to implement European standards around the world.
As is always the case with these data privacy contracts, let's read the fine print on that promise. Even better, let's write it ourselves. The European initiative on data privacy is a start, but why don't Americans start thinking more creatively about what we really want from the tech companies?
We could, for example, demand more public inquiry and oversight over the algorithms they use to determine what people see. We could ask them to reinvest some of their profits in the independent media whose business model they've destroyed, particularly to the detriment of smaller communities which have lost their local newspapers.
Certainly we need to create some space for research into their social, political and economic impact; Facebook has just announced that it will, together with a group of foundations, begin working closely with academics. The other platforms also need to think about how to work with researchers, and maybe with the government, so that we begin to understand better what is happening.
These discussions are long overdue.
Electronic media, social media and other innovations have created new challenges for law enforcement and national security; they have also helped to increase polarization and undermine trust in public institutions, in America and everywhere else. Zuckerberg, by himself, is not going to come up with a solution to any of these problems.
We are Facebook's customers, but we are also citizens of a democracy.
We have the right to decide how we want this technology to impact our lives and our politics, and it's time to say so.