Trashing privacy? That's our job! Facebook accuses analytics biz of harvesting people's info from software dev kit sold to app makers

Sueball lobbed at OneAudience

Data-driven ad biz Facebook filed a lawsuit in a San Francisco federal court on Thursday against another info-snarfing company for allegedly breaking the social network's rules for gathering personal details.

The California-based audience seller sued New Jersey-based OneAudience over allegations that it "improperly accessed and collected user data from Facebook and other social media companies by paying app developers to install a malicious software development kit (SDK) in their apps," explained Facebook director of platform enforcement and litigation Jessica Romero in a blog post.

Romero said they were made aware of the issue last year when security researchers, motivated by the Facebook's data abuse bounty program, reported the SDK's bad behavior. The data grab echoes the 2018 Cambridge Analytica scandal, though on a smaller scale.

On November 25, 2019, Facebook and Twitter said that certain third-party apps for Android and iOS may have gathered data improperly using the OneAudience SDK. Twitter attributed the problem to "lack of isolation between SDKs within an application," which allowed third-party apps that used the SDK to collect Twitter data.

That same day, OneAudience said it was discontinuing its SDK.

Facebook sent a cease-and-desist letter to the marketing biz and demanded an audit, a procedure developers agree to under the site's platform policies. According to Romero, OneAudience refused to cooperate. So litigation has begun.


Decent, legal, honest and searchable: C'mon, Ofcom. Let us check up on the ad-slingers ourselves


According to the complaint [PDF], the SDK was coded to gather the digital key Facebook assigns to third-party apps to allow them to access user data. OneAudience's code library used the key, it's claimed, to make requests for Facebook data in the name of the authenticated app.

"OneAudience misrepresented the source of those requests as the third-party app authorized to use the digital key," the complaint says. "In fact, it was the malicious SDK that made the requests on behalf of OneAudience."

Facebook's court filing suggests that OneAudience tried to claim that another company, AppJolt, developed the data-sucking SDK. But the aggrieved ad biz points out that AppJolt was acquired by OneAudience's parent company, Bridge Marketing, and the founder of AppJolt became the founder of OneAudience. OneAudience has controlled the SDK since at least 2016, Facebook claims.

A description of OneAudience on a marketing data biz's directory maintained by Adobe explains that the firm relies on its SDK, installed on hundreds of millions of devices, to collect mobile device characteristics – device fingerprinting – and combines that with its email and postal databases and info from data brokers like Acxiom and Experience to profile individuals for targeted advertising.

Facebook is suing for breach of contract and violations of the federal Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act.After all, building profiles of individuals for targeted advertising is its job.

The Register asked Facebook whether it intends to sue Mobiburn, which also had a mobile analytics SDK that got shut down following the data abuse allegations.

"With respect to Mobiburn the investigation is ongoing," a Facebook spokesperson said in an email. ®

Similar topics

Other stories you might like

  • UK Home Secretary delays Autonomy founder extradition decision to mid-December

    Could be a Christmas surprise in store from Priti Patel

    Autonomy Trial Autonomy founder Mike Lynch's pending extradition to the US has been kicked into the long grass again by the UK Home Office.

    Lynch is wanted in the US to stand trial on 17 charges of fraud and false accounting. He is alleged to have defrauded Hewlett Packard investors over the sale of British software firm Autonomy in 2011.

    Continue reading
  • Want to buy your own piece of the Pi? No 'urgency' says Upton of the listing rumours

    A British success story... what happens next?

    Industry talk is continuing to circulate regarding a possible public listing of the UK makers of the diminutive Raspberry Pi computer.

    Over the weekend, The Telegraph reported that a spring listing could be in the offing, with a valuation of more than £370m.

    Pi boss, Eben Upton, described the newspaper's article as "interesting" in an email to The Register today, before repeating that "we're always looking at ways to fund the future growth of the business, but the $45m we raised in September has taken some of the urgency out of that."

    Continue reading
  • All change at JetBrains: Remote development now, new IDE previewed

    Security, collaboration, flexible working: Fleet does it all apparently

    JetBrains has introduced remote development for its range of IDEs as well as previewing a new IDE called Fleet, which will form the basis for fresh tools covering all major programming languages.

    JetBrains has a core IDE used for the IntelliJ IDEA Java tool as well other IDEs such as Android Studio, the official programming environment for Google Android, PyCharm for Python, Rider for C#, and so on. The IDEs run on the Java virtual machine (JVM) and are coded using Java and Kotlin, the latter being primarily a JVM language but with options for compiling to JavaScript or native code.

    Fleet is "both an IDE and a lightweight code editor," said the company in its product announcement, suggesting perhaps that it is feeling some pressure from the success of Microsoft's Visual Studio Code, which is an extensible code editor. Initial language support is for Java, Kotlin, Go, Python, Rust, and JavaScript, though other languages such as C# will follow. Again like VS Code, Fleet can run on a local machine or on a remote server. The new IDE uses technology developed for IntelliJ such as its code-processing engine for features such as code completion and refactoring.

    Continue reading

Biting the hand that feeds IT © 1998–2021