
Facebook Brings Suit against Mobile Marketing Firm for Siphoning User Data without Authorization

By Jeffrey Neuburger
March 8, 2020

In continuing its push to enforce its terms and policies against developers that engage in unauthorized collection or scraping of user data, Facebook brought suit last month against mobile marketing and data analytics firm OneAudience LLC. (Facebook, Inc. v. OneAudience LLC, No. 20-01461 (N.D. Cal. Complaint filed Feb. 27, 2020)). Facebook alleges that OneAudience harvested Facebook users’ profile data and device data in contravention of Facebook’s terms and developer policies. OneAudience purportedly gathered this data by paying app developers to bundle OneAudience’s software development kit (SDK) into their apps and then harvesting data for those users that logged into those apps via Facebook credentials.

Facebook users, including developers and page administrators, are required to assent to Facebook’s terms and various platform policies when a Facebook account is created. According to Facebook’s Complaint, OneAudience created two public Facebook pages and a business account, and its employees/agents operated at least two apps on OneAudience’s behalf on the Facebook platform – actions which, Facebook asserts, bound OneAudience to its terms and platform policies for developers. Since 2019, Facebook has filed multiple suits against various app developers, software makers and social media analytics firms that Facebook has determined to have violated some or all of these terms. These cases generally assert that the defendants have engaged in off-limits scraping or collection of user data for marketing and other purposes (Facebook’s website details its approach in these actions, see “Taking Action against Platform Abuse”).

The instant dispute involves claims for breach of contract and violations of the Computer Fraud and Abuse Act (CFAA), which are particularly important as they may bring clarity on the availability of these claims in other types of scraping suits as well. In all, it appears Facebook is asserting what it has previously called “platform enforcement authority” or the right of an online service to combat unauthorized data scraping and misuse that violates its terms.

In its Complaint, Facebook alleged that around September 2019, OneAudience offered to pay app developers to bundle its SDK into their apps. The SDK allegedly allowed OneAudience to collect data about users’ devices and their Facebook (and some other social media) accounts in instances where the user logged into the particular app using their Facebook credentials (e.g., the “Sign in with Facebook” option). The data included user names, email addresses, country, time zone, Facebook ID, and, in limited instances, gender, all of which were allegedly used by OneAudience for targeted marketing services. OneAudience also allegedly collected device data such as call logs, cell tower and other geolocation data, contacts, browser information, email, and information about installed apps.

In bringing this suit, Facebook advanced breach of contract and Computer Fraud and Abuse Act (CFAA) claims (including claims under California’s state computer trespass law).

With regard to the CFAA “unauthorized access” claims, Facebook asserted that OneAudience directed software commands to Facebook’s network to obtain user data without authorization and “used the malicious SDK to infect the app users’ devices and obtain a digital key, without Facebook’s authorization, to make API calls to Facebook protected computers…” Concerning the breach of contract claims, Facebook pointed to several provisions from the Facebook terms of service and its developer platform policies, which, among other things, grant Facebook certain audit rights and generally place certain restrictions on automated data scraping and developers’ data use outside the app.

While OneAudience has not filed an Answer, it posted a statement on its website in November 2019, stating that its SDK may have inadvertently collected personal information, but that it had initially disabled such functionality and then shut down the SDK.

Beyond the instant litigation, the OneAudience dispute has an additional wrinkle for any company that acquires anonymized market data or social media analytics from third-party vendors. In its Complaint, Facebook alleged that OneAudience falsely represented that it was a partner of Facebook and had also stated that it was “committed to the transparency of [their] mobile driven audiences and relationships” and sourced “data responsibly.” In one of the Exhibits to the Complaint, Facebook also appended screenshots of OneAudience’s explanation of its data collection practices, which indicated that: “All of our data is permission based and fully-compliant, meaning it’s been confirmed by the user to access and collect his or her personal data.” As we’ve previously stated – and regardless of the outcome of this litigation – it is important for downstream recipients of anonymized web or user data, or of analytic reports crunching such data, to understand how such data is collected and processed and whether such data collection is done according to applicable law or contractual requirements.

Jeffrey Neuburger is a partner, co-head of the Technology, Media & Telecommunications Group, a member of the Privacy & Cybersecurity Group and editor of the firm’s New Media and Technology Law blog.

Jeff’s practice focuses on technology, media and advertising-related business transactions and counseling, including the utilization of emerging technology and distribution methods in business. For example, Jeff represents clients in online strategies associated with advertising, products, services and content commercialized on the Internet through broadband channels, mobile platforms, broadcast and cable television distribution and print publishing. He also represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements.

Serving as a collaborative business partner through our clients’ biggest challenges, Jeff is part of the Firm’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team helping to shape the guidance and next steps for clients impacted by the pandemic.

  • Posted in:
    Communications, Media & Entertainment, Featured Posts
  • Blog:
    New Media and Technology Law Blog
  • Organization:
    Proskauer Rose LLP
