Date: 2020-08-27

Andrew Hoyle/CNET

Facebook filed a lawsuit on Thursday against MobiBurn, alleging that apps using code written by the data monetization company harvested information about the social network's users without permission.

Last November, Facebook and Twitter launched investigations into two third-party software development kits (SDKs) that security researchers found were collecting data without consent.

SDKs are code embedded into apps, which can be built by third parties. Making an app from scratch takes a lot of time, and SDKs are building blocks that developers can use instead. They often come at a price: SDKs can be free in exchange for data, essentially allowing you to be tracked by companies you've never heard of.

That's why when you download an app that finds cheap gas, your location data may be actively sold to data brokers. The practice is widespread across the data industry, and companies say it is transparent because it's disclosed in their privacy policies. Studies have found that the majority of people don't read privacy policies, casting doubt on these claims of transparency.

In its lawsuit, Facebook argues that MobiBurn wasn't transparent about its actions, accusing the company of siphoning data from people's devices without consent. The SDK would grab a digital key for the "Log In with Facebook" feature, and use it to make requests for data from Facebook every 24 hours.

If your device had an app that was built with MobiBurn's SDK on it, and that app was also linked to your Facebook account, it would siphon data such as your name, time zone, email address and gender from your profile, the social network said.



Facebook sent a cease-and-desist order to the UK-based company last November.

The lawsuit stated that MobiBurn had its SDK in about 400 apps for gaming, security and utility. In addition to grabbing data from Facebook accounts, the SDK would also take your device's call logs, location data, contacts, browser type, email and other apps installed on your phone, according to court documents.

MobiBurn did not immediately respond to a request for comment.

In a November statement, MobiBurn denied the accusations, saying "no data from Facebook is collected, shared or monetized by MobiBurn."

Facebook accused MobiBurn of paying developers to install its SDK in their apps, where the code remained hidden. The code harvested data until the social network disabled app access last November. MobiBurn has also since disabled its SDK.

The social network said that MobiBurn isn't cooperating with Facebook's request for an audit. The lawsuit marks the first time Facebook has sued a UK app developer. The social network says it wants an injunction to reinforce its ban against MobiBurn using Facebook's platform. It's still seeking an audit.

"Today's actions are the latest in our efforts to protect people who use our services, hold those who abuse our platform accountable, and advance the state of the law around data misuse and privacy," Jessica Romero, Facebook's director of platform enforcement and litigation, said in a statement.

This isn't the first time that Facebook has turned to legal action against alleged data abuse. In February, the social network sued data analytics firm OneAudience for a similar practice, alleging the company paid developers to install its SDK in shopping and gaming apps so it could harvest data.

Facebook has also sued developers over alleged data scraping abuse, ad fraud and hacking campaigns.

Along with Thursday's lawsuit against MobiBurn, Facebook also announced litigation against Nakrutka, a service it accused of using bots to generate fake likes, comments, views and followers on Instagram.

The service's website, which is entirely in Russian, openly markets fake engagement from bots.

Nakrutka did not immediately respond to a request for comment.