
Facebook Sues oneAudience Over Secret Data Harvesting SDK

Court document and code overlay showing Facebook login button and data streams targeted by oneAudience SDK

Facebook on 27 February 2020 asked a federal court in San Francisco to stop New Jersey marketing company oneAudience from harvesting user data, alleging the firm secretly paid mobile developers to embed a malicious software kit that siphoned names, genders, email addresses and other identifiers each time someone logged in through the social network’s single-sign-on button.

How the scheme worked

According to the complaint, oneAudience supplied Android and iOS developers with a custom software development kit, or SDK, that appeared to offer ordinary analytics. Once installed, the kit quietly read data supplied by Facebook’s OAuth mechanism and also scraped information available from Twitter and Google login sessions. Facebook says the SDK even harvested a phone’s advertising identifier, letting marketers follow the same person across multiple apps and websites. The practice continued from at least late 2018 until November 2019, when security researchers tipped Facebook through its data-abuse bounty programme.

Jessica Romero, Facebook’s director of platform enforcement and litigation, said the company immediately disabled the offending apps and demanded an audit. “OneAudience refused to cooperate, so we moved to court,” Romero wrote in a blog post accompanying the suit. The filing seeks a permanent injunction and unspecified damages under the federal Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act.

Earlier warnings and platform responses

Twitter and Facebook separately warned users about oneAudience on 25 November 2019. In its alert, Twitter said it had “evidence that oneAudience paid mobile apps to embed their SDK and that the SDK used malicious techniques to collect data.” The company urged people to review and revoke access tokens for any unfamiliar applications. Google also confirmed that data from Google-sign-in sessions had been exposed, but it stopped short of issuing a public notification, saying it had found “no evidence that the SDK accessed sensitive Google account data.”

Facebook’s lawsuit is the first public legal action against oneAudience. Court documents list the defendants as oneAudience Inc., based in Red Bank, New Jersey, and two affiliated companies, Adience Ltd. and MobiStream Media. None of the firms responded to repeated requests for comment this week, and phone calls to the New Jersey office went unanswered.

Scope of the data grab

Although Facebook has not quantified the total number of affected accounts, it says “hundreds of thousands” of users are likely to have had at least basic profile fields copied. The complaint notes that oneAudience marketed the resulting database to advertisers as “verified, opted-in consumer records,” charging up to 12 cents per user profile. A cached version of the company’s pitch deck, reviewed by InfoPulseToday, promises “real-time mobile app behaviour linked to individual identity.”

Security researchers say the episode illustrates how SDKs can become a weak link. “Developers routinely drop third-party code into their apps without reading the fine print,” said Alex Stamos, director of the Stanford Internet Observatory and former Facebook security chief. “When that code runs inside another app, it inherits the same privileges, so a seemingly harmless analytics library can end up with access to every permission the host app holds.”
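The privilege-inheritance point Stamos makes can be shown directly in code. The Python sketch below is an added example, not code from the article, from Facebook or from oneAudience: the AnalyticsSDK class, the LoginResult fields, the APP_SALT value and the sample login are all constructed stand-ins. It contrasts a host app that forwards the whole social-login result to an embedded third-party library with one that puts an allow-list gate at the SDK boundary and pseudonymises the user id before anything crosses it; the audit helper then reports which sensitive fields each pattern let the library keep.

```python
import hashlib
import hmac
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class LoginResult:
    """Constructed stand-in for what a social-login callback hands the host app."""
    user_id: str
    name: str
    email: str
    gender: str
    access_token: str
    advertising_id: str


class AnalyticsSDK:
    """Constructed third-party library. From the host's side it only exposes
    track(); nothing in the API surface reveals that it keeps every field it is given."""

    def __init__(self) -> None:
        self.collected: list[dict] = []

    def track(self, payload: dict) -> None:
        # Same process, same privileges: whatever the host passes in is now the SDK's.
        self.collected.append(dict(payload))


SENSITIVE = frozenset({"name", "email", "gender", "access_token", "advertising_id"})


def leaked_fields(sdk: AnalyticsSDK) -> list[str]:
    """Audit helper: which sensitive fields ended up inside the SDK's store."""
    leaked: set[str] = set()
    for record in sdk.collected:
        leaked |= SENSITIVE & record.keys()
    return sorted(leaked)


# --- Vulnerable pattern: the host forwards the entire login result to the SDK ---
def host_login_overshared(sdk: AnalyticsSDK, login: LoginResult) -> None:
    sdk.track(asdict(login))


# --- Hardened pattern: allow-list and pseudonymise at the SDK boundary ---
APP_SALT = b"constructed-per-install-secret"  # in a real app: random, generated per install
ALLOWED_EVENT_FIELDS = frozenset({"event", "pseudo_user"})


def pseudonymise(value: str) -> str:
    """Keyed hash: a stable per-app id for the SDK that cannot be joined across apps."""
    return hmac.new(APP_SALT, value.encode(), hashlib.sha256).hexdigest()[:16]


class SdkGate:
    """Wraps the third-party SDK so only allow-listed keys can cross into it."""

    def __init__(self, sdk: AnalyticsSDK, allowed: frozenset) -> None:
        self._sdk = sdk
        self._allowed = allowed

    def track(self, payload: dict) -> None:
        extra = set(payload) - self._allowed
        if extra:
            raise ValueError(f"refusing to pass fields to SDK: {sorted(extra)}")
        self._sdk.track(payload)


def host_login_minimised(gate: SdkGate, login: LoginResult) -> None:
    gate.track({"event": "login", "pseudo_user": pseudonymise(login.user_id)})


def demo() -> dict:
    """Run both patterns on the same constructed login and report what leaked."""
    login = LoginResult(
        user_id="1234567890", name="Example User", email="user@example.com",
        gender="unspecified", access_token="constructed-access-token",
        advertising_id="00000000-0000-0000-0000-000000000000",
    )
    leaky_sdk = AnalyticsSDK()
    host_login_overshared(leaky_sdk, login)

    gated_sdk = AnalyticsSDK()
    host_login_minimised(SdkGate(gated_sdk, ALLOWED_EVENT_FIELDS), login)

    return {"overshared": leaked_fields(leaky_sdk), "minimised": leaked_fields(gated_sdk)}


if __name__ == "__main__":
    print(demo())
```

The gate is deliberately a host-side object: it works because the host controls what it builds before calling the library, which is the only place a developer can enforce minimisation once third-party code is already inside the process. A real SDK may still read storage, tokens or the advertising identifier through platform APIs on its own, so the allow-list limits what the host hands over; it does not substitute for reviewing what the library itself does.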

Stamos argued that the case strengthens the argument for federal privacy legislation. “For me, the end result of all of these cases is the need for a federal privacy law. If the US had privacy laws, then individuals could go after companies that misuse their data more directly and effectively,” he said.

What users can do now

Facebook says it has revoked the social-login tokens associated with the implicated apps, meaning affected users will have to re-authorise any legitimate connections. The company also mailed notices to people whose information it believes was transferred. Users can check for themselves by opening Facebook Settings > Apps and Websites, then removing any entry they no longer recognise. Twitter offers a similar dashboard under Settings and privacy > Apps and sessions.

Beyond spring-cleaning, security professionals recommend switching to password managers instead of the convenient “log in with” buttons whenever possible. “Single sign-on is great for reducing password clutter, but each new connection is another potential exit point for your data,” said Allison Nixon, director of research at cyber-security firm Unit 221B. Nixon added that consumers should assume any free app supported by advertising is at least collecting the advertising identifier, if not more.

Broader fallout for the ad-tech sector

The lawsuit lands amid mounting scrutiny of real-time bidding and other programmatic advertising tools that share device identifiers widely. California’s new privacy law, the CCPA, took effect on 1 January 2020 and allows residents to demand deletion of personal data; New York and several other states are weighing similar bills. Federal Trade Commissioner Rohit Chopra praised Facebook’s move on Twitter, writing, “Platforms must crack down on data intermediaries that break the rules, especially when they refuse audits.”

Industry groups worry the case could spur stricter SDK regulation. The Interactive Advertising Bureau warned members last December that “any SDK collecting data beyond the scope disclosed to users risks triggering state privacy statutes and platform suspensions.” Apple and Google have already announced tighter review policies for SDKs in their respective app stores, though neither has revealed implementation dates.

The court has not yet set a hearing for Facebook’s request for an injunction. OneAudience has 21 days to file a response or risk a default judgment. Whatever the outcome, the episode keeps the spotlight on the hidden data brokers that profit from the mobile advertising pipeline and on the continuing absence of a unified US privacy standard.