Facebook sues analytics firm over alleged data harvesting

Facebook dark mode
(Image credit: Shutterstock)

Facebook has filed a federal lawsuit in California against the New Jersey-based data analytics firm OneAudience claiming it allegedly harvested data from the social network.

The social networking giant claims that the firm paid app developers to install its Software Development Kit (SDK) in their apps which was used to collect data on Facebook users without their knowledge.

According to court documents obtained by ZDNet, the SDK was embedded in a wide variety of apps and some were even made available through the official Google Play Store. In its complaint, Facebook provided more details on the kind of information OneAudience allegedly harvested, saying:

"After a user installed one of these apps on their device, the malicious SDK enabled OneAudience to collect information about the user from their device and their Facebook, Google, or Twitter accounts, in instances where the user logged into the app using those accounts. With respect to Facebook, OneAudience used the malicious SDK – without authorization from Facebook – to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender."

Data harvesting

Twitter was the first to discover that OneAudience was secretly harvesting data in November of last year and in a blog post, the social network confirmed that the company was also targeting Facebook, Apple and Google users.

Facebook's lawsuit against the company comes after its investigation into the matter has been closed. The company also revealed to ZDNet that it first learned about the suspicious behavior of the OneAudience SDK from a bug report submitted to its Data Abuse Bounty program which it created after the Cambridge Analytica scandal.

In response to the accusations that its SDK was harvesting user data, OneAudience published a statement on its website claiming that the company never intended to collect any user data at all, which reads:

“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used. We proactively updated our SDK to make sure that this information could not be collected on November 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version. We believe that consumers should have the opportunity to choose who they share their data with and in what context. Today, we are shutting down the OneAudience SDK.”

Facebook responded to OneAudience's behavior by sending the company a cease and desist letter and it also requested that the firm participate in an audit. However, OneAudience refused to cooperate according to Facebook and now the social network is asking a judge to order the data analytics firm to comply with its audit request.

  • We've also highlighted the best VPN services

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.