Tech companies are taking more and more heat over other people’s software. An alarming story in The Wall Street Journal this week dove into the world of Gmail plugins, many of which have the power to scan through users’ entire inboxes. Some of that scanning is automated, but in other cases developers have combed through emails by hand, raising obvious privacy issues.

It was an ugly story for Google, not just for its immediate impact but for the difficult assumptions underneath. For decades, platforms have trusted users to make their own decisions about what programs to install and accept the consequences if they choose to install something scammy. After the Cambridge Analytica scandal, that trust is starting to look irresponsible. Facebook and Google are adjusting to the idea that, if they let something bad happen on their networks, they are going to catch the blame for it. After years of light-touch moderation, that means taking an entirely new look at third-party ecosystems -- and facing the hard question of whether it’s worth having them at all.

Under the old expectations, there’s nothing obviously scandalous about the Journal story. User emails were definitely exposed, but it all happened with the user’s permission. Apps need email access to work as a client, and Google is clear about the permissions when the app is installed, even if most people click through without thinking about it. Google didn’t make the apps or even promote them, and while it could be more strict about weeding out scammy plugins, it’s not clear what rules the offending apps had even broken. As one reporter put it: “if you give something access to your Gmail, it has access to your Gmail.”

But that may not be good enough anymore. Whether permissions were granted or not, Gmail users gave up incredibly sensitive information, sometimes without realizing what they were doing. In a post on Tuesday night, Google defended itself, reminding users of exactly what the permissions they clicked through looked like. “We review non-Google applications to make sure they continue to meet our policies, and suspend them when we are aware they do not,” the company said.

If the stakes seem higher than usual for an API dispute, it’s because of this episode’s similarities to the Cambridge Analytica scandal, which has been hounding Facebook for months. Cambridge got its data from a third-party plugin, willfully installed by users and nominally transparent about the data it was collecting. Facebook did more to implicate itself, failing to ban Cambridge as an advertiser even after it became clear they had violated platform rules. But the broader similarities are hard to ignore: A scammy plugin duped users and ended up making problems for the entire platform. You can try to blame the app-maker or the users who installed it, but in the end, it’s the platform that’s responsible.

It’s a new reality for tech companies, and it’s still not clear how Google and Facebook will adjust. In its post, Google emphasized the value provided by third-party plugins, saying, “a vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email.” The implicit message was that plugins were still valuable, still worth the risk posed by a few bad actors. But for the average user, the Gmail experience is more homogeneous than ever, and it’s hard to argue plugins are a central part of the experience. It raises an inconvenient question: is it time for platforms to ditch third-party apps altogether?

The business case for third-party ecosystems has never been weaker. Apple set the model ten years ago with the iOS app store, a well-manicured software ecosystem that’s far-reaching enough to draw in developers and controlled enough to keep out junk. With Apple taking anywhere from a fifteen to thirty percent cut, it’s been wildly profitable for the company, monopoly allegations aside. For a time, it was easy to imagine Facebook playing the same game — particularly around 2012, when Farmville and Draw Something were at their peak. As popular products like Instagram looked for a way to monetize, the app store model seemed like the easiest path to profitability.

Now, that model is mostly out of reach. Draw Something flamed out, alongside countless Twitter clients and Instagram apps. Developers had a hard time keeping up with platform rules, and platforms grew more ambivalent about developer demands. Above all, developers realized that it’s hard to build a sustainable business on someone else’s turf. Programming talent slowly moved on, and would-be app ecosystems like Snapchat and Instagram decided to focus on targeted advertising instead. Google doesn’t sell more ads because of Gmail plugins, and Facebook is gradually tightening the rules on its APIs, incrementally closing off the platform. The APIs for many of these platforms are still there, but the economic drive that created them has largely disappeared.

Now, those same apps have become an active liability. Leaving the door open for third-party developers has done real damage to Facebook, and now possibly to Gmail as well. As big tech companies take on more responsibility for their products, they’ll have to either clean up those ecosystems or shut them down. It will be a slow choice, but given the challenges of moderation, shutting the platforms down or at least paring them back seems almost inevitable. There’s just not enough benefit to keeping them open, and the cost is growing larger by the day.