Facebook fires sueball at 'malicious' app SDK makers, accuses them of gobbling up people's personal information

Facebook on Thursday said it had filed two separate lawsuits in the US and UK to prevent unsanctioned snarfing of people's personal data and the inflation of likes on posts.

Over in the UK, the ad giant, in conjunction with Facebook Ireland, filed a claim in the London High Court against developer Fatih Haltas and his two marketing operations MobiBurn and Oak Smart Technologies. It's claimed that since April 2018 the British biz used its malicious SDKs to harvest not only data from the social network, but also from other websites where Facebook was used to login.

The legal broadside may evoke a sense of deja vu, given that Facebook took similar action in February against New Jersey-based analytics biz OneAudience for the same sort of SDK shenanigans.

Haltas, Facebook claims, refused to comply with the ad network's audit request. The targeted marketing operation is said to have paid developers to install its SDK in their apps to display advertising and collect information, including details on people's Facebook profile pages.

Jessica Romero, director of platform enforcement and litigation at Facebook, made clear in a statement that the MobiBurn SDK's alleged unauthorized data looting was not the result of any unforeseen technical security failure at Facebook.

"When people installed those apps on their devices, MobiBurn collected information from the devices and requested data from Facebook, including the person’s name, time zone, email address and gender," said Romero. "MobiBurn did not compromise Facebook, instead they used the malicious SDK on the users’ devices to collect information."

What happened, Facebook contends, is apps with the MobiBurn SDK "self-compromised," as described in the High Court filing [PDF]: "After a user installed one of these apps on their device and essentially 'self-compromised,' the SDK contained in the app would collect information about the user from their device and their social media accounts where the user logged into the app using those accounts."

The suggestion is that Facebook being compromised and the app "self-compromising" are different things. The situation recalls the 2018 Cambridge Analytica scandal, which likewise was not the result of anyone compromising the social network's security systems.

Meanwhile in US District Court in San Francisco, Facebook and its Instagram arm sued Nikolay Holper, a resident of Minsk, Belarus, for running a service called Nakrutka that provided fake interactions – likes, followers, post views, and comments.

"[Holper] used a network of bots and Instagram accounts that he controlled to deliver millions of automated likes to his customers," the US complaint [PDF] says. "Some of the Instagram accounts used by [Holper] were responsible for over 8 million likes over the course of just two days."

In its legal filing, Facebook says that it disabled Holper's Facebook account in January and in February sent him a cease-and-desist letter to which he has not yet responded.

"Today’s actions are the latest in our efforts to protect people who use our services, hold those who abuse our platform accountable, and advance the state of the law around data misuse and privacy," said Romero, perhaps forgetting about Facebook's lobbying against privacy laws.

The US has no formal extradition treaty with Belarus, but Facebook's legal salvo will do... something. ®