Facebook Sues oneAudience for Improperly Accessing and Collecting User Data

The social network said the analytics company used a malicious software development kit

oneAudience said it shut down its SDK last Nov. 25 oneAudience
Headshot of David Cohen

Facebook filed a lawsuit Thursday accusing New Jersey-based data analytics company oneAudience of improperly accessing and collecting user data.

The suit (embedded below) was filed in the U.S. District Court, Northern District of California, San Francisco Division.

Facebook alleged that oneAudience paid application developers to install a malicious software-development kit in their apps, which harvested user data including names, email addresses, time zones, Facebook IDs, call logs, cell tower and other location information, contacts, browser information and information about other apps installed on their devices.

oneAudience had not responded to a request for comment at the time of this post.

According to Facebook, this data harvesting began last September and ended last November, after Facebook disabled oneAudience’s accounts and sent a cease-and-desist letter to the company.

Kate Rooney and Salvador Rodriguez of CNBC reported last November that people who used their credentials from Facebook or Twitter to login to and access third-party apps including Giant Square and Photofy may have been impacted, and the malicious SDKs were traced to oneAudience and app monetization provider MobiBurn.

A Facebook spokesperson said at the time, “Security researchers recently notified us about two bad actors, oneAudience and MobiBurn, who were paying developers to use malicious SDKs in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease-and-desist letters against oneAudience and MobiBurn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”

oneAudience said on its website that its SDK was shut down last Nov. 25, posting on that date, “Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our oneAudience platform. This data was never intended to be collected, never added to our database and never used. We proactively updated our SDK to make sure that this information could not be collected on Nov. 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version … Today, we are shutting down the oneAudience SDK.”

The company’s Facebook, Twitter and LinkedIn accounts have all been shuttered.

Facebook alleged in the lawsuit that oneAudience told Facebook the data-harvesting code was developed by AppJolt, and AppJolt had not disclosed the code to oneAudience. The social network added that both oneAudience and AppJolt are owned by Bridge Marketing.

Facebook also said in the suit that oneAudience and Bridge Marketing falsely represented themselves as Facebook partners.

The social network filed a similar lawsuit against South Korean data analytics provider Rankwave last September for using Facebook user data for advertising and failing to cooperate with its investigation.

Facebook director of platform enforcement and litigation Jessica Romero said in a Newsroom post, “This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users. Through these lawsuits, we will continue sending a message to people trying to abuse our services that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation, and advance the state of the law when it comes to data misuse and privacy.”


david.cohen@adweek.com David Cohen is editor of Adweek's Social Pro Daily.