Facebook is accusing a developer of collecting username and password credentials from thousands of accounts, and it is separately alleging that a European service distributed fake likes and comments throughout Instagram.
In an announcement Thursday, the social media company said it is taking legal action against software developer Mohammad Zaghar and his company, Massroot8, for allegedly operating a service that compelled Facebook users to provide their personal information. Zaghar’s company would ask users for their username and password, then scrape the site for data about their friends, using a bot to sneak past Facebook’s security controls and collect vast amounts of data quickly, according to the suit.
The company also said it has sued MGP25 Cyberint Services for selling automation software that produces fabricated likes and comments on Instagram. The Spanish firm made money by mimicking the Instagram app while using code that connected outsiders to actual Instagram accounts, Facebook said.
Neither defendant could immediately be reached for comment.
Facebook’s suit against Zaghar, filed in federal court in San Francisco, alleges that Massroot8 relied on a network of bots that masqueraded as an Android device connected to Facebook’s mobile app. The service convinced some 5,500 users to input their Facebook username and password into the malicious app, then used a bot to collect personal data from their connections.
Even if Facebook users entered their information into Massroot8 services voluntarily, Facebook says, the company still violated the Computer Fraud and Abuse Act by accessing Facebook information in a way that was not intended.
Both defendants continued their activity after Facebook sent cease and desist letters, Jessica Romero, Facebook’s director of platform enforcement and litigation, said in the blog post.
Personal data scraped from social media profiles represents a valuable commodity to marketing agencies and advertising firms. Researchers frequently uncover troves of personal data stored in unguarded databases, such as one collection of data from more than 14 million Instagram accounts that apparently had been collected without users’ authorization.
Scraping public data from a social media website does not violate the Computer Fraud and Abuse Act, according to a federal court decision in September 2019. In a case unrelated to the latest Facebook maneuvers, LinkedIn had sued a startup that gathered data that was visible on LinkedIn users’ profiles. A judge declared that the startup, hiQ Labs, did not require LinkedIn’s permission to collect that information.
Unlike in Facebook’s case against Massroot8, hiQ Labs did not aim to collect LinkedIn users’ usernames and passwords as part of its strategy.
These suits are the latest examples of Facebook trying to impose its will on accused scammers by using the U.S. court system. The firm has launched suits to stop advertising fraud schemes, improper collection of user data and cybersquatting as part of a strategy to avoid regulation by proving it will mitigate malicious activity on its own, according to a BuzzFeed News report.
Facebook also announced on Thursday that it would remove political advertisements run by the campaign to re-elect President Donald Trump that featured an upside-down triangle that the Anti-Defamation League has said is “practically identical to that used by the Nazi regime to classify political prisoners in concentration camps.”