Naked Security

Facebook sues app developer Rankwave over data misuse

The suit says Rankwave used Facebook user data for targeted marketing and ignored its cease-and-desist letter.

It sounds a lot like Facebook has gotten itself into (or encouraged and is now pretending it’s aghast about it all) another Cambridge Analytica-ish data privacy fiasco.

Facebook announced on Friday that it’s filed a lawsuit against a South Korean social media analytics firm called Rankwave, alleging that the company abused Facebook’s developer platform’s data and that Rankwave has refused to cooperate with the platform’s mandatory compliance audit and Facebook’s request that it delete data.

Facebook already suspended Rankwave’s apps and any accounts associated with the company. Now it’s asking the court to make Rankwave comply with a data audit and delete whatever Facebook data it has, as well as to cough up the $9.8m USD it made off selling data it never should have, as Facebook tells it.

From its announcement:

By filing the lawsuit, we are sending a message to developers that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation.

The suit, filed in California Superior Court for the County of San Mateo, says that beginning around 2010, Rankwave started developing apps on Facebook’s platform in order to sell advertising and marketing analytics and models, in violation of Facebook’s policies and terms. It operated at least 30 apps on the Facebook platform, according to the complaint.

Those apps included both business-to-business (B2B) and consumer apps. Businesses, including a South Korean department store, a tourism organization and a baseball team, used the B2B apps to track and analyze activity such as Likes or comments on their Facebook pages.

As far as the consumer apps for Facebook users go, this is where it starts to sound like Cambridge Analytica (et al.), which vacuumed up users’ data without permission via what came off as innocent online quizzes.

Facebook detailed one such app from Rankwave, called the Rankwave App. For six years, up until March 2018, the app offered to analyze a Facebook user’s popularity on the platform by crunching data about the interactions they got on their posts. The analytics company claimed that the app calculated users’ “social influence score” by “evaluating your social activities” and receiving “responses from your friends.”

In other words, another seemingly fun, innocent Facebook app that was quite serious about sucking up user data for profit. The app could pull data about users’ Facebook activity that included such things as location check-ins – handy to determine that you’ve just checked in to a given place and then to target you with appropriate ads. Targeted marketing doesn’t sound as sinister as the political ads that were targeted at users with the help of Cambridge Analytica’s thisisyourdigitallife personality quiz, but it’s in the same ballpark with regard to tempting users to fork over data.

Rankwave’s site has apparently been taken down, but the Android version is still available on Google’s Play store.

Serious, or sloooooooow?

In spite of Facebook’s push to get across the notion that it’s “serious about enforcing our policies,” this lawsuit instead highlights how fast and loose it’s played with user privacy and user data.

Facebook says that it got antsy about Rankwave in June 2018, after the company had been purchased by a Korean entertainment company in May 2017 for about US $9,800,000 (11b South Korean won). For whatever reason, however, it didn’t reach out to Rankwave until January 2019.

Facebook says that as far as it can tell, starting at least as early as 2014, Rankwave allegedly stopped complying with the company’s policies about only using user data in order to enhance its app and instead started using it to line its pockets, by providing consulting to advertisers and marketers: a use that’s prohibited by Facebook Policy 6.1 on data collection and use. Some clauses from that policy:

Only use an entity’s data on behalf of the entity (i.e., only to provide services to that entity and not for your own business purposes or another entity’s purposes).

Don’t let people other than those acting on an entity’s behalf (ex: its employees) access the entity’s data.

But as TechCrunch points out, there was nothing furtive about what Rankwave was up to. It openly promoted services that blatantly flouted Facebook policies, casting doubt on how well Facebook has been policing its developers and the apps they run on Facebook Platform. Many critics are suggesting that Facebook buried the news with a late-Friday announcement of the lawsuit in order to avoid calling attention to its failures to protect user data.

One excuse after another

Facebook says it started to ask Rankwave for proof that it was in compliance with its policies starting in January 2019. We want to hear back by 31 January, it said.

Facebook to Rankwave on January 29: “Hellooooooo? Your response is due in two days.” Response: the sound of silence.

On 13 February, Facebook sent a cease and desist letter, telling Rankwave that it was then in violation of Policy 7.9, since the company had allegedly failed to prove it was in compliance with Facebook’s policies. Tell us who got at that data, by purchase or by other means, and send us your access logs to boot, Facebook demanded. Give us the data back, delete and destroy it, and give us access to your storage devices so we can confirm it’s really erased.

On 17 February, Rankwave finally poked its head out of its shell, Facebook says. It said its CTO had resigned and that the company needed more time to respond. OK, fine, you’ve got until the 21st, Facebook said.

Rankwave’s next response, on 20 February: we didn’t violate your policies. Rankwave allegedly ignored the audit request and claimed that it hadn’t had access to any of its Facebook apps since 2018.

Wrong-o, Facebook claims: one of Rankwave’s B2B apps was chugging along until at least last month. More letters flew back and forth, and then on 25 February, Rankwave said sorry, we need nine more days: our bosses are all visiting Spain right now.

Fine, you’ve got until 9 March, Facebook responded, but that’s it, no more extensions. Well, it’s two months later, and Facebook still hasn’t received anything, it said in the suit.

Can’t fix this with (just) a fine

Facebook says that monetary damages aren’t enough to fix this. Rankwave’s “misconduct” has tarnished its reputation, public trust and goodwill. It’s also had to spend time investigating and redressing this mischief, it says.

Facebook is seeking an injunction to keep Rankwave from accessing its platform, to get Rankwave to respond to Facebook’s requests for proof of compliance (including a forensic data audit), and to force Rankwave “to delete any and all Facebook data as appropriate after Rankwave complies with” the audit requirement.

1 Comment

My faith in Facebook has been restored. Now I know they are truly serious about privacy. This undoes the damage of all their mistakes to date.

Deep down I knew they must have been motivated by more than just money, and that they always had our best interests at heart.

(Said nobody, ever.)

