Facebook announced today it’s suing multiple developers in the U.S. and, for the first time, in the U.K., for violations of its policies. In the U.K., both Facebook Inc. and Facebook Ireland are suing MobiBurn, parent company OakSmart Technologies, and its founder Faith Haltas, in the High Court of Justice for failing to comply with Facebook’s audit request, after security researchers flagged the company’s technology had been collecting data from Facebook users through its malicious software. Separately, Facebook Inc. and Instagram Inc. sued Nikolay Holper in federal court in San Francisco for operating a fake engagement service.
Facebook has been cracking down on malicious developers following the Cambridge Analytica scandal which saw the personal data of 87 million Facebook users compromised. Since then, Facebook introduced more protections over how app developers could access data and punitive actions. Earlier this year, Facebook also introduced new Platform Terms and Developer Policies that gave it permission to audit third-party apps by requesting either remote or physical access to developers’ systems, if need be, to ensure compliance.
According to Facebook’s announcement, MobiBurn failed to “fully comply” with Facebook’s audit request, where it was attempting to investigate the company’s use of a malicious Software Development Kit (SDK) to harvest user data.
News of MobiBurn’s activities first circulated in security research circles in late 2019. In November, both Facebook and Twitter announced that the personal data of hundreds of users may have been improperly accessed after they used their social accounts to log in to certain third-party apps that had malicious SDKs installed by MobiBurn and another company, One Audience. Facebook said it had issued cease and desist letters to those companies.
In MobiBurn’s case, it also took enforcement action, disabled its apps, and requested its participation in an audit, as its policies now allow for. MobiBurn “failed to fully cooperate,” Facebook says.
MobiBurn, in November, had responded that it didn’t collect, share or monetize data from Facebook. The company hasn’t yet responded to a request for comment today.
Facebook’s lawsuit alleges that MobiBurn paid third-party app developers to install its SDK into their apps. Once installed, MobiBurn collected information from the devices and requested data from Facebook, including the person’s name, time zone, email address and gender, explains Facebook, in its announcement of the lawsuit.
The suit is looking for an injunction against MobiBurn; the ability to audit the company’s systems; an account of the data it accessed, payments made to developers, and payments received; damages and other relief.
Meanwhile, in the U.S. lawsuit, Facebook is taking on developer Nikolay Holper, who operated a fake engagement service. Facebook alleges Holoper used a network of bots and automation software to “distribute fake likes, comments, views and followers on Instagram.” Several different websites were used to sell the fake engagement service to Instagram users, the suit says.
This is not the first time Facebook has cracked down on fake engagement services. Last year, it filed a U.S. lawsuit to shut down a follower-buying service in New Zealand. Instagram in 2019 also shut down the accounts of 17 fake engagement services that promises more followers to Instagram users.
Facebook had previously shut down the engagement service and formally warned the developer he was in violation, and sent a cease and desist letter.
While Facebook’s attempts to crack down developers violating its terms of service, users have found other ways to inauthentically grow their follower base. Many Instagram users, for example, participate in “pods” where they systematically coordinate liking and commenting on each others’ posts as a way to game Instagram algorithms.
“Today’s actions are the latest in our efforts to protect people who use our services, hold those who abuse our platform accountable, and advance the state of the law around data misuse and privacy,” said Facebook, in a statement.