Facebook sues developers who violated terms to collect user data, sell fake ‘likes’

Facebook announced today it’s suing multiple developers in the U.S. and, for the first time, in the U.K., for violations of its policies. In the U.K., both Facebook Inc. and Facebook Ireland are suing MobiBurn, parent company OakSmart Technologies and its founder Fatih Haltas, in the High Court of Justice for failing to comply with Facebook’s audit request, after security researchers flagged the company’s technology for collecting data from Facebook users through its malicious software. Separately, Facebook Inc. and Instagram Inc. sued Nikolay Holper in federal court in San Francisco for operating a fake engagement service.

Facebook has been cracking down on malicious developers following the Cambridge Analytica scandal, which saw the personal data of 87 million Facebook users compromised. Since then, Facebook introduced more protections over how app developers could access data, as well as punitive actions. Earlier this year, Facebook also introduced new Platform Terms and Developer Policies that gave it permission to audit third-party apps by requesting either remote or physical access to developers’ systems, if need be, to ensure compliance.

According to Facebook’s announcement, MobiBurn failed to “fully comply” with Facebook’s audit request, through which Facebook was attempting to investigate the company’s use of a malicious Software Development Kit (SDK) to harvest user data.

News of MobiBurn’s activities first circulated in security research circles in late 2019. In November, both Facebook and Twitter announced that the personal data of hundreds of users may have been improperly accessed after they used their social accounts to log in to certain third-party apps that had malicious SDKs installed by MobiBurn and another company, One Audience. Facebook said it had issued cease and desist letters to those companies.

In MobiBurn’s case, Facebook also took enforcement action, disabled the company’s apps and requested its participation in an audit, as Facebook’s policies now allow. MobiBurn “failed to fully cooperate,” Facebook says.

MobiBurn, in November, had responded that it didn’t collect, share or monetize data from Facebook. The company hasn’t yet responded to a request for comment today.

Facebook’s lawsuit alleges that MobiBurn paid third-party app developers to install its SDK into their apps. Once installed, MobiBurn collected information from the devices and requested data from Facebook, including the person’s name, time zone, email address and gender, explains Facebook, in its announcement of the lawsuit.

The suit is looking for an injunction against MobiBurn; the ability to audit the company’s systems; an account of the data it accessed, payments made to developers, and payments received; damages and other relief.

Meanwhile, in the U.S. lawsuit, Facebook is taking on developer Nikolay Holper, who operated a fake engagement service. Facebook alleges Holper used a network of bots and automation software to “distribute fake likes, comments, views and followers on Instagram.” Several different websites were used to sell the fake engagement service to Instagram users, the suit says.

This is not the first time Facebook has cracked down on fake engagement services. Last year, it filed a U.S. lawsuit to shut down a follower-buying service in New Zealand. Instagram in 2019 also shut down the accounts of 17 fake engagement services that promise more followers to Instagram users.

Facebook had previously shut down the engagement service and formally warned the developer he was in violation, and sent a cease and desist letter.

While Facebook attempts to crack down on developers violating its terms of service, users have found other ways to inauthentically grow their follower base. Many Instagram users, for example, participate in “pods” where they systematically coordinate liking and commenting on each other’s posts as a way to game Instagram algorithms.

“Today’s actions are the latest in our efforts to protect people who use our services, hold those who abuse our platform accountable, and advance the state of the law around data misuse and privacy,” said Facebook, in a statement.

Update, 8/28/20, 4 PM ET: MobiBurn provided its statement:

We can confirm that MobiBurn has been served with a claim issued by Facebook in the English courts. We would not ordinarily choose to make a public statement while proceedings are ongoing, however, we feel that we have no choice but to do so as a result of the inaccurate articles about the case in the public domain.

MobiBurn first received a cease-and-desist letter in relation to this matter from Facebook in November 2019. Since then Mobiburn has tried to cooperate with Facebook to show that no Facebook user data was subject to unauthorised access or misuse or otherwise improperly handled. In particular, Mobiburn has sought to explain that none of the apps developed or published by the Defendants in the case incorporated the Facebook Login Feature and therefore were technically unable to collect Facebook user data.

MobiBurn and the other Defendants respect Facebook’s genuine but in this case unwarranted privacy concerns and were, and remain, prepared to give undertakings to the English courts to remove these concerns. It has been reported that Mobiburn refused to cooperate with an audit requested by Facebook. Those reports are not accurate. The undertakings offered by the Defendants enabled Facebook to appoint a third-party cyber-security firm, at the Defendants’ expense, to perform a forensic data audit of their activities. The Defendants remain willing to engage in such an audit.

Mobiburn and the other Defendants regret that their offer of undertakings was not accepted and have therefore been left with no choice but to instruct their legal team to prepare a response to Facebook’s claim. Mobiburn and the other Defendants are nevertheless committed to seeking to resolve this unnecessary dispute amicably.