Facebook filed a lawsuit Thursday against MobiBurn, alleging that apps using code written by the data monetization company harvested information about the social network’s users without permission.
Last November, Facebook and Twitter launched investigations into two third-party software development kits (SDKs) that security researchers found were collecting data without consent.
Making an app from scratch takes a lot of time, and SDKs are building blocks developers can use instead. These chunks of code often come at a price to app users, though. SDKs can be free to developers in exchange for user data, which essentially means you can be tracked by companies you’ve never heard of. When you download an app that finds cheap gas, for instance, your location data may be actively sold to data brokers.
The practice is widespread across the data industry, and companies say it’s transparent because it’s disclosed in their privacy policies. But studies have found that the majority of people don’t read privacy policies, casting doubt on these assertions of transparency.
In its lawsuit, Facebook argues that MobiBurn wasn’t transparent about its actions, accusing the company of siphoning data from people’s devices without consent. The SDK would grab a digital key for the “Log In with Facebook” feature, and use it to make requests for data from Facebook every 24 hours.
If your device had an app that was built with MobiBurn’s SDK, and that app was also linked to your Facebook account, the app would siphon data such as your name, time zone, email address and gender from your profile, the social network said.
Facebook sent a cease-and-desist order to the UK-based company last November.
The lawsuit said MobiBurn had its SDK in about 400 apps for gaming, security and utility. In addition to grabbing data from Facebook accounts, the SDK would also take a device’s call logs, location data, contacts, browser type, email and other apps installed on the phone, according to court documents.
In a November statement, MobiBurn denied the accusations, saying “no data from Facebook is collected, shared or monetized by MobiBurn.”
On Friday, MobiBurn doubled down on its defense, stating that it couldn’t have stolen data because none of the apps its SDK was installed on had the “Log In With Facebook” feature.
“MobiBurn and the other Defendants respect Facebook’s genuine but in this case unwarranted privacy concerns and were, and remain, prepared to give undertakings to the English courts to remove these concerns,” the company said in a statement.
Facebook accused MobiBurn of paying developers to install its SDK in their apps, where the code remained hidden. The code harvested data until the social network disabled app access last November. MobiBurn has also since disabled its SDK.
The social network said that MobiBurn isn’t cooperating with Facebook’s request for an audit. The lawsuit marks the first time Facebook has sued a UK app developer. The social network says it wants an injunction to reinforce its ban against MobiBurn using Facebook’s platform. It’s still seeking an audit.
“Today’s actions are the latest in our efforts to protect people who use our services, hold those who abuse our platform accountable, and advance the state of the law around data misuse and privacy,” Jessica Romero, Facebook’s director of platform enforcement and litigation, said in a statement.
MobiBurn said that it complied with Facebook’s request for an audit, to be carried out by a third-party cybersecurity company rather than the social network.
This isn’t the first time Facebook has turned to legal action against alleged data abuse. In February, the social network sued data analytics firm OneAudience for a similar practice, alleging the company paid developers to install its SDK in shopping and gaming apps so it could harvest data.
Along with Thursday’s lawsuit against MobiBurn, Facebook also announced litigation against Nakrutka, a service it accused of using bots to generate fake likes, comments, views and followers on Instagram.
The service’s website, which is entirely in Russian, openly markets fake engagement from bots.
Nakrutka didn’t immediately respond to a request for comment.