After testifying to lawmakers in the US House of Representatives and the Senate for more than ten hours on April 10 and 11, Facebook Chief Executive Officer Mark Zuckerberg appears to have weathered the worst of storm over news that consulting firm Cambridge Analytica harvested data of 87 million Facebook users.

Here are some issues that came up in Zuckerberg’s testimony—and some that did not.

1.              “What is Facebook doing to prevent foreign actors from interfering in US elections?” (Sen. Dianne Feinstein, D-CA)

According to Zuckerberg, “one of [his] top priorities in 2018… is to get this right”—a sharp break from the dismissiveness he displayed barely a year and a half ago. Now, though, Facebook has “deployed new AI tools” to identify and proactively remove fake accounts, as well as over 20,000 people to work on security and content review. Whether these measures are enough to harden Facebook against the “arms race” with Russia remains to be seen—and we will likely know before the year is out.

2.               “Where does privacy rank as a corporate value for Facebook?” (Rep. Marsha Blackburn, R-TN)

In Zuckerberg’s words, privacy is “foundational to the whole service,” not just “an add-on feature.” Those are comforting words—even if it is unclear how they will be put into practice. Blackburn chairs the House Communications and Technology Subcommittee and is currently sponsoring a bipartisan bill (the BROWSER Act) on consumer privacy. We know that Facebook is taking the value of privacy seriously, at least—but Zuckerberg’s reticence about the BROWSER Act speaks to his uncertainty around translating that value into policy.

3.              “What do we tell our constituents, given what’s happened here, why we should let you self-regulate?” (Sen. Lindsey Graham, R-SC)

The answer: they shouldn’t self-regulate. (Well, not totally.) Asked point blank by Graham in a zinging exchange whether “you, as a company, welcome regulation,” Zuckerberg replied with the tepid but affirmative response of “if it’s the right regulation, then yes.” Despite a lack of details, the need for regulation is now a common point of agreement. As many others in the chamber made clear, the heady days of Facebook’s “started-in-a-dorm-room” adolescence are most likely over.

4.              “[Will Facebook] make the same protections available to Americans that they will the Europeans?” (Rep. Gene Green, D-TX)

Green’s question referenced the General Data Protection Regulation (GDPR), which will enter into effect in May throughout the European Union. Facebook apparently will give European and American users the same protections, including a new tool that will walk users through their privacy settings, and the ability to view and download all personal information drawn for advertising purposes. The details, as elsewhere, are still in the works.

5.              “What sorts of legislative changes would help to solve the problems the Cambridge Analytica story has revealed? And what sorts of legislative changes would not help to solve this issue?” (Sen. Orrin Hatch, R-UT)

Zuckerberg’s answer focused on three principles. First, “simple and practical” privacy policies that consumers can understand. Second, “complete control”—people should be able to remove content at any time. Third, enabling innovation: in his example of face recognition, “a balance that’s extremely important to strike” demands special consent, but also global competitiveness.

These answers were telling—not just for what Zuckerberg said, but what he didn’t say. Broadly, they seemed to show Facebook headed in the right direction—but one exchange stood out, and showed just how far Facebook had to go:

Rep. Frank Pallone (D-NJ): Will you make the commitment to changing all the user default settings to minimize to the greatest extent possible the collection and use of users’ data?

Zuckerberg: Congressman, this is a complex issue that I think deserves more than a one-word answer.

On April 8, we drafted some questions that we thought Zuckerberg should be asked. One of them was: “Is Facebook rethinking its core business model of monetizing personal data?” The answer, apparently, is: probably not.

Data collection is at the heart of Facebook’s business strategy, even if it does not outright sell that data (as many lawmakers seemed to think). Zuckerberg’s rejection of an opt-in model, as above, is testament to that. It may be too much to ask for Facebook to discard that wholesale, but as long as that is so, Facebook will always be in tension with its “foundational” value of privacy—and the hearings, with Zuckerberg or not, will go on.

Shaun Ee is a project assistant in the Asia Security Initiative and Cyber Statecraft Initiative of the Atlantic Council’s Scowcroft Center for Strategy and Security.

Image: Facebook Chief Executive Officer Mark Zuckerberg (back to camera) is surrounded by members of the media as he prepared to testify before a joint hearing of the Senate Judiciary and Commerce Committees in Washington on April 10 on his company’s use and protection of user data. (Reuters/Leah Millis)