Facebook might have another Cambridge Analytica on its hands. In a late Friday news dump, Facebook revealed that today it filed a lawsuit alleging South Korean analytics firm Rankwave abused its developer platform’s data, and has refused to cooperate with a mandatory compliance audit and request to delete the data.

Facebook’s lawsuit centers around Rankwave offering to help businesses build a Facebook authorization step into their apps so they can pass all the user data to Rankwave, which then analyzes biographic and behavioral traits to supply user contact info and ad targeting assistance to the business. Rankwave also apparently misused data sucked in by its own consumer app for checking your social media “influencer score”. That app could pull data about your Facebook activity such as location checkins, determine that you’ve checked into a baseball stadium, and then Rankwave could help its clients target you with ads for baseball tickets.

The use of a seemingly fun app to slurp up user data and repurpose it for other business goals is strikingly similar to how Cambridge Analytica’s personality quiz app tempted millions of users to provide data about themselves and their friends.

TechCrunch has attained a copy of the lawsuit that alleges that Rankwave misused Facebook data outside of the apps where it was collected, purposefully delayed responding to a cease-and-desist order, claimed it didn’t violate Facebook policy, lied about not using its apps since 2018 when they were accessed in April 2019, and then refused to comply with a mandatory audit of its data practices. Facebook Platform data is not supposed to be repurposed for other business goals, only for the developer to improve their app’s user experience.

“By filing the lawsuit, we are sending a message to developers that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation” Facebook’s director of platform enforcement and litigation Jessica Romero wrote. Facebook tells TechCrunch that “To date Rankwave has not participated in our investigation and we are trying to get more info from them to determine if there was any misuse of Pages data.” We’ve reached out to Rankwave for its response.

Cambridge Analytic-ish

Facebook’s lawsuit details that “Rankwave used the Facebook data associated with Rankwave’s apps to create and sell advertising and marketing analytics and models — which violated Facebook’s policies and terms” and that it “failed to comply with Facebook’s requests for proof of Rankwave’s compliance with Facebook policies, including an audit.” Rankwave apparently accessed data from over thirty apps, including those created by its clients.

Specifically, Facebook cites that its “Platform Policies largely restrict Developers from using Facebook data outside of the environment of the app, for any purpose other than enhancing the app users’ experience on the app.” But Rankwave allegedly used Facebook data outside those apps.

Facebook’s suit claims that “Rankwave’s B2B apps were installed and used by businesses to track and analyze activity on their Facebook Pages . . . Rankwave operated a consumer app called the ‘Rankwave App.’ This consumer app was designed to measure the app user’s popularity on Facebook by analyzing the level of interaction that other users had with the app user’s Facebook posts. On its website, Rankwave claimed that this app calculated a user’s ‘Social influence score’ by ‘evaluating your social activities’ and receiving ‘responses from your friends.'”

TechCrunch has found that Rankwave still offers an Android app that asks for you to login with Facebook so it can assess the popularity of your posts and give you a “Social Influencer Score”. Until 2015 when Facebook tightened its policies, this kind of app could ingest not only a user’s own data but that about their Facebook friends. As with Cambridge Analytica, this likely massively compounded Rankwave’s total data access.

Facebook Delays Coming After Rankwave

Founded in 2012 by Sungwha Shim, Rankwave came into Facebook’s crosshairs in June 2018 after it was sold to a Korean entertainment company in May 2017. Facebook assesses that the value of its data at the time of the buyout was $9.8 million.

Worryingly, Facebook didn’t reach out to Rankwave until January 2019 for information proving it complied with the social network’s policies. After receiving no response, Facebook issued a cease-and-desist order in February, which Rankwave replied to seeking more time because it’s CTO had resigned, which Facebook calls “false representations”. Later that month, Rankwave denied violating Facebook’s policies but refused to provide proof. Facebook gave it more time to provide proof, but Rankwave didn’t respond. Facebook has now shut down Rankwave’s apps.

Now Facebook is seeking money to cover the $9.8 million value of the data, additional monetary damages and legal fees, plus injunctive relief restraining Rankwave from accessing the Facebook Platform, requiring it to comply with Facebook’s audit, requiring that it delete all Facebook data.

The fact that Rankwave was openly promoting these services that blatantly violate Facebook’s policies casts further doubt on how the social network was policing its platform. And the six month delay between Facebook identifying a potential issue with Rankwave and it even reaching out for information, plus another several months before it blocked Rankwave’s app shows a failure to move swiftly to enforce its policies. These blunders might explain why Facebook buried the news by announcing it on a Friday afternoon when many reporters and readers have already signed off for the weekend.

For now there’s no evidence of wholesale transfer of Rankwave’s data to other parties or its misuse for especially nefarious purposes like influencing an election as with Cambridge Analytica. The lawsuit merely alleges data was wrongly harnessed to make money, which may not spur the same level of backlash. But the case further proves that Facebook was too busy growing itself thanks to the platform to properly safeguard it against abuse.

You can learn more about Rankwave’s analytics practices from this 2014 presentation.