Facebook sues SDK maker for secretly harvesting user data

Data analytics firm OneAudience allegedly paid app developers to include its SDK in their code so it could harvest data from Facebook users.


Facebook today filed a federal lawsuit in a California court against OneAudience, a New Jersey-based data analytics firm.

The social networking giant claims that OneAudience paid app developers to install its Software Development Kit (SDK) in their apps, and later used the control it had over the SDK's code to harvest data on Facebook users.

According to court documents obtained by ZDNet, the SDK was embedded in shopping, gaming, and utility-type apps, some of which were made available through the official Google Play Store.

"After a user installed one of these apps on their device, the malicious SDK enabled OneAudience to collect information about the user from their device and their Facebook, Google, or Twitter accounts, in instances where the user logged into the app using those accounts," the complaint reads.

"With respect to Facebook, OneAudience used the malicious SDK – without authorization from Facebook – to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook said.

Twitter was the first to expose OneAudience's secret data harvesting practices, on November 26 last year. Facebook confirmed them on the same day. In a blog post at the time, Twitter also confirmed that, besides itself and Facebook, the data harvesting behavior also targeted the users of other companies, such as Apple and Google.

Today's lawsuit comes as Facebook has finished its investigation into the matter. Facebook told ZDNet today that it actually learned of the OneAudience SDK's suspicious behavior from a bug report received via the Data Abuse Bounty program.

Facebook launched the Data Abuse Bounty program in April 2018, following the Cambridge Analytica data harvesting scandal.

OneAudience refused to cooperate

Reacting to the accusations last year, OneAudience published a statement on its website claiming that it never intended to collect any user data.

"This data was never intended to be collected, never added to our database and never used," OneAudience said, adding that it had updated its SDK to prevent any further data collection.

Facebook, for its part, reacted to OneAudience's behavior by disabling apps that used the SDK from accessing its system, sending OneAudience a cease and desist letter, and requesting that the analytics firm participate in an audit.

Facebook said OneAudience refused to cooperate.

Facebook is now asking a judge to order OneAudience to comply with its audit request so its engineers can check and verify whether the analytics company still stores data on Facebook users. Facebook is also seeking an injunction barring OneAudience from accessing any of Facebook's servers and creating new Facebook accounts.

Fifth lawsuit Facebook files in the past year

"This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users," Jessica Romero, Director of Platform Enforcement and Litigation, said today in a press release.

This marks the fifth lawsuit Facebook has filed against third parties that abused its platform. Previous lawsuits include:

March 2019 - Facebook sues two Ukrainian browser extension makers (Gleb Sluchevsky and Andrey Gorbachov) for allegedly scraping user data.
August 2019 - Facebook sues LionMobi and JediMobi, two Android app developers, on allegations of advertising click fraud.
October 2019 - Facebook sues Israeli surveillance vendor NSO Group for developing and selling a WhatsApp zero-day that was used in May 2019 to attack attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.
December 2019 - Facebook sues ILikeAd and two Chinese nationals for using Facebook ads to trick users into downloading malware.

"Through these lawsuits, we will continue sending a message to people trying to abuse our services that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation, and advance the state of the law when it comes to data misuse and privacy," Facebook said.

A Facebook spokesperson told ZDNet the company is still investigating MobiBurn, a data monetization platform that was caught engaging in similar user data harvesting behavior at the same time as OneAudience. Whether the investigation will result in another lawsuit remains unclear.

OneAudience could not be reached for comment.

Article updated at 11:00am PT with information from Facebook's legal complaint.