Mobile app developers accused by Facebook of deploying “malicious” SDKs to scrape users’ data from the social network have hit back, telling London’s High Court that nearly all their apps were “not capable” of harvesting data from Facebook itself.
Late last year Facebook issued a press release, and this year it began civil legal proceedings, targeting two small British companies and their director.
The US social networking site called the companies "two bad actors" and accused them of "paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores." It filed detailed allegations of wrongdoing against Mobiburn, Oak Smart Technology and the two British firms’ director, Fatih Haltas, in August.
Yet Haltas has now hit back, claiming that all but three of his apps couldn't possibly scrape data from Facebook because they didn't use the Login with Facebook feature.
Detailed particulars of claim [PDF] served on 27 August and obtained by The Register show that Facebook alleged:
In particular, both the MobiBurn SDK and the OneAudience SDK, included in the app that the user would install, were programmed to collect the digital key that Facebook assigned exclusively to that app for a single user in order to make automated requests for data from Facebook. This digital key was associated with the ability to log in to a third-party app using one’s Facebook login information. Mr Haltas and MobiBurn caused the MobiBurn SDK to misrepresent the source of those requests as the third-party app authorised to use the digital key. In fact, it was the malicious MobiBurn SDK that made the requests on behalf of Mr Haltas and MobiBurn.
Facebook’s court filing also included the line: “Facebook’s technical restrictions prevented MobiBurn from accessing any user data that the user had not authorised the app to obtain.”
OneAudience is an American company that is being sued by Facebook in a separate US case.
We didn’t know about this, didn’t do it and didn’t intend it either
Mobiburn, claimed Facebook, advertised itself to other app devs as a potential monetiser, harvesting user data and passing it to “data marketing partners” for onward sale. That data allegedly included name, location, time zone, email address, Facebook ID number and gender.
In filings made to the High Court on 29 October, both Haltas and Mobiburn denied having “knowingly developed an SDK bundle designed to obtain data from Facebook,” adding: “Neither Mr Haltas nor Mobiburn at any time had any intention of collecting data from Facebook, and they did not do so.”
Whatever data was slurped from users came from their devices and not from Facebook, said Haltas, further saying in court filings: “The MobiBurn servers were not developed to collect Facebook data and were not capable of doing so,” though he did admit that three Android apps could “theoretically” have slurped data through the Login with Facebook feature combined with the Mobiburn SDKs.
In his defence [PDF] Haltas said the SDKs were written by “third party developers” and that he “was not aware of the precise details of the work done by the third-party contractors”. He added: “However, a primary function of the MobiBurn SDK Bundle was to ensure that no data was collected by any sub-SDK without the user’s express consent,” describing it as a “mere wrapper”.
Oak Smart, which described itself as a publisher of Facebook games, said Facebook had sued it by mistake, because it had “no involvement in the Mobiburn business or any of the matters that form the basis of Facebook’s claim”. It also said “only 68” of its games contained Mobiburn’s SDKs.
Mobiburn, a micro-entity as defined in English company law, recorded net assets of £7,000 in its latest (unaudited) accounts, filed in August 2019. Oak Smart Technology had net assets of £82,000 on 31 March 2019.
The three defendants deny all wrongdoing and intend to contest the case at trial.