This article is more than 1 year old

Trashing privacy? That's our job! Facebook accuses analytics biz of harvesting people's info from software dev kit sold to app makers

Sueball lobbed at OneAudience

Data-driven ad biz Facebook filed a lawsuit in a San Francisco federal court on Thursday against another info-snarfing company for allegedly breaking the social network's rules for gathering personal details.

The California-based audience seller sued New Jersey-based OneAudience over allegations that it "improperly accessed and collected user data from Facebook and other social media companies by paying app developers to install a malicious software development kit (SDK) in their apps," explained Facebook director of platform enforcement and litigation Jessica Romero in a blog post.

Romero said they were made aware of the issue last year when security researchers, motivated by the Facebook's data abuse bounty program, reported the SDK's bad behavior. The data grab echoes the 2018 Cambridge Analytica scandal, though on a smaller scale.

On November 25, 2019, Facebook and Twitter said that certain third-party apps for Android and iOS may have gathered data improperly using the OneAudience SDK. Twitter attributed the problem to "lack of isolation between SDKs within an application," which allowed third-party apps that used the SDK to collect Twitter data.

That same day, OneAudience said it was discontinuing its SDK.

Facebook sent a cease-and-desist letter to the marketing biz and demanded an audit, a procedure developers agree to under the site's platform policies. According to Romero, OneAudience refused to cooperate. So litigation has begun.


Decent, legal, honest and searchable: C'mon, Ofcom. Let us check up on the ad-slingers ourselves


According to the complaint [PDF], the SDK was coded to gather the digital key Facebook assigns to third-party apps to allow them to access user data. OneAudience's code library used the key, it's claimed, to make requests for Facebook data in the name of the authenticated app.

"OneAudience misrepresented the source of those requests as the third-party app authorized to use the digital key," the complaint says. "In fact, it was the malicious SDK that made the requests on behalf of OneAudience."

Facebook's court filing suggests that OneAudience tried to claim that another company, AppJolt, developed the data-sucking SDK. But the aggrieved ad biz points out that AppJolt was acquired by OneAudience's parent company, Bridge Marketing, and the founder of AppJolt became the founder of OneAudience. OneAudience has controlled the SDK since at least 2016, Facebook claims.

A description of OneAudience on a marketing data biz's directory maintained by Adobe explains that the firm relies on its SDK, installed on hundreds of millions of devices, to collect mobile device characteristics – device fingerprinting – and combines that with its email and postal databases and info from data brokers like Acxiom and Experience to profile individuals for targeted advertising.

Facebook is suing for breach of contract and violations of the federal Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act.After all, building profiles of individuals for targeted advertising is its job.

The Register asked Facebook whether it intends to sue Mobiburn, which also had a mobile analytics SDK that got shut down following the data abuse allegations.

"With respect to Mobiburn the investigation is ongoing," a Facebook spokesperson said in an email. ®

More about


Send us news

Other stories you might like