Facebook’s bombshell admission that it shared customer data with Cambridge Analytica’s political data-mining firm isn’t just a watershed moment for the world’s largest social network. It’s also a disturbing reminder that Facebook has, in many ways, become a major risk for American and UK elections in 2020.

So far, it seems that the U.S. government may have been the biggest loser in all of this. It’s easy to believe that, in a fight between America’s in-house social networks and an enterprising firm like Cambridge Analytica, the most secure social network wins. Why? In a matter of seconds, Facebook data can be compiled and re-purposed into a myriad of digital tools that can run ads on its servers, track people who visit social network pages and use questionable tactics like target voters with politically charged ads.

Cambridge Analytica, it’s worth noting, doesn’t appear to have been particularly interested in using Facebook data to skew elections in the U.S. and UK – at least not yet. Still, if Facebook’s security system for elections and political advertising really is as locked down as it’s claimed to be, how come the U.S. government paid Cambridge Analytica $9 million to build a sophisticated political targeting system? It seems so much of the data relied on by Cambridge Analytica wasn’t actually Facebook data. For example, according to a U.K. investigation by the Financial Times, Cambridge Analytica used access to Facebook data only for its own social network – not for any political online ads.

The data also appears to have been used for Cambridge Analytica’s marketing platform but that was under the agency’s own name and was kept outside of Facebook. There is evidence that Facebook not only sold its data to Cambridge Analytica but that it also promoted the company’s data services to potential clients. But there’s no evidence to suggest Facebook broke its own regulations.

What we know for sure is that Cambridge Analytica and Facebook at least were sharing information with each other, but we don’t know how many users were involved. The information gleaned from the data was allegedly used to predict voters’ choices and to target them with more personalized messages through Facebook. That in itself isn’t illegal, and Facebook is unlikely to be too upset about how its data was used. What is questionable, however, is the fact that Cambridge Analytica would have received so much insight into the user profiles it had no say over.

In a letter to the UK parliament, Mark Zuckerberg assured lawmakers that the company will investigate whether any of the data that was released by Cambridge Analytica was used in U.S. elections. “We want to work with the committee and other authorities on this important matter,” he said in the letter, adding that Facebook won’t create a separate verification system to test companies’ claims of ownership of information and keep it separate from data it shares with others. (For its part, the U.S. government isn’t yet making an official investigation into Cambridge Analytica’s role in the U.S. election.)

With the 2020 election just three years away, the scrutiny of Facebook’s effect on elections should become a top priority for both Congress and the U.S. election integrity office. An independent review of Facebook and Cambridge Analytica’s relationship is also required. The U.S. government should bar any companies that have not been found to be in compliance with the law before having access to voter information. On a sidenote, reports in the UK media suggest that Cambridge Analytica didn’t acquire Facebook data for itself, but worked with an outside group that purchased it. By this point, we should know what Cambridge Analytica’s reach is, if it knows which legislators to target with political messages. At the very least, Cambridge Analytica should be forced to give full disclosure about its role in our elections to the American public.