Facebook Takes Legal Action Against OneAudience for Harvesting User Data

Facebook filed a lawsuit against OneAudience, a mobile data analytics company, in the Northern District of California Thursday for allegedly harvesting data from users who logged in to other apps using their Facebook accounts. Facebook is represented in the case by Hunton Andrews Kurth. 

Facebook alleges that OneAudience paid third-party app developers to include a software development kit (SDK) inside the app which would allow OneAudience to collect information from a person’s Facebook, Google or Twitter accounts if they logged into the app with one of those accounts. “With respect to Facebook, OneAudience used the malicious SDK – without authorization from Facebook – to access and obtain a user’s name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender,” the complaint stated.

“Security researchers first flagged OneAudience’s behavior to us as part of our data abuse bounty program. Facebook, and other affected companies, then took enforcement measures against OneAudience,” said Jessica Romero, director of platform enforcement and litigation on Facebook in a blog post.

In November 2019 when Facebook became aware of this issue it took steps to stop the issue including disabling accounts, notifying users and requesting an audit, and sending a cease and desist letter. “This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users. Through these lawsuits, we will continue sending a message to people trying to abuse our services that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation, and advance the state of the law when it comes to data misuse and privacy,” said Romero.

In the complaint, Facebook alleges that OneAudience, as well as the apps that included their SDK, had agreed to Facebook’s terms of service in order to make Facebook accounts and to register a development account to allow the option for users to log in through Facebook.

Facebook further alleges that OneAudience “provided limited responses to Facebook’s requests for information” between November 26, 2019 and January 31, 2020. They also dispute a claim by OneAudience that they inadvertently engaged in unauthorized activity and the SDK was designed my AppJolt and not disclosed to it. “This claim is inconsistent with publicly available information about AppJolt and OneAudience. Specifically, AppJolt was acquired by OneAudience’s parent company, Bridge Marketing, and the founder of AppJolt became the founder of OneAudience,” Facebook’s complaint says.

OneAudience released a privacy statement in November announcing that they updated the SDK to ensure that the information would not be collected. OneAudience claimed it did not intend to collect the data or add it to their database. “We believe that consumers should have the opportunity to choose who they share their data with and in what context,” the statement says.