"OneAudience controlled a software development kit ( SDK) designed to improperly obtain user data from Facebook, Google, and Twitter."
According to Facebook, OneAudience paid developers to embed the OneAudience SDK into various apps. Once installed, the SDK would collect private user data. On Facebook's Platform, the SDK is alleged to have collected user names, emails, addresses, login locations, time zone, Facebook ID, and sometimes gender.
Facebook disabled OneAudience's account in November 2019, after it claims that OneAudience refused to cooperate in an investigation of its practices and allow an audit. OneAudience's malicious SDK was first uncovered through Facebook's bug bounty program. Twitter and Facebook both exposed OneAudience's SDK practices in November of last year.
According to OneAudience's website, any data disclosure was unintentional. A website post dated November 25, 2019 states:
"Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. That data was never intended to be collected, never added to our database and never used."
The post goes on to say:
"We proactively updated our SDK to make sure that this information could not be collected on November 13, 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version."
Interestingly enough, the last line of the post indicates a change in direction:
"Today, we are shutting down the OneAudience SDK."
Facebook's legal claims against OneAudience include breach of contract (based on Facebook terms of service and policies), violation of the Computer Fraud and Abuse Act (a federal law), and California Penal Code 502 (a California law addressing unauthorized computer access and fraud).