throbber
Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 1 of 37
`
`
`Ann Marie Mortimer (State Bar No. 169077)
`amortimer@HuntonAK.com
`Jason J. Kim (State Bar No. 221476)
`kimj@HuntonAK.com
`Jeff R. R. Nelson (State Bar No. 301546)
`jnelson@HuntonAK.com
`HUNTON ANDREWS KURTH LLP
`550 South Hope Street, Suite 2000
`Los Angeles, California 90071-2627
`Telephone: (213) 532-2000
`Facsimile: (213) 532-2020
` Attorneys for Plaintiff
`FACEBOOK, INC.
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN FRANCISCO DIVISION
`
`
`
` CASE NO.: 3:20-cv-01461
`FACEBOOK, INC., a Delaware
`corporation,
` COMPLAINT; DEMAND FOR
`
`Plaintiff,
`JURY TRIAL
`
`v.
` ONEAUDIENCE LLC,
`
`Defendant.
`
`
`
`
`
`
`
`
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`3:20-cv-01461
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 2 of 37
`
`
`INTRODUCTION
`1.
`Beginning no later than September 2019, Defendant OneAudience LLC
`(“OneAudience”) controlled a software development kit (“SDK”) designed to
`improperly obtain user data from Facebook, Google, and Twitter (“the malicious
`SDK”). OneAudience promoted the malicious SDK to third-party application (“app”)
`developers, who – in exchange for payment from OneAudience – bundled the malicious
`SDK with other software components within their apps. These apps were distributed
`online to app users on various app stores, including the Google Play Store, and included
`shopping, gaming, and utility-type apps. After a user installed one of these apps on
`their device, the malicious SDK enabled OneAudience to collect information about the
`user from their device and their Facebook, Google, or Twitter accounts, in instances
`where the user logged into the app using those accounts. With respect to Facebook,
`OneAudience used the malicious SDK – without authorization from Facebook – to
`access and obtain a user’s name, email address, locale (i.e. the country that the user
`logged in from), time zone, Facebook ID, and, in limited instances, gender.
`2.
`In November 2019, Facebook took technical and legal enforcement
`measures against OneAudience, including disabling accounts, sending a cease and
`desist letter, notifying users, and requesting an audit, pursuant to Facebook Platform
`Policy 7.9. OneAudience has refused to fully cooperate with Facebook’s audit request,
`therefore Facebook brings this action to protect its users and hold OneAudience
`accountable for violations of Facebook’s Terms of Service and Policies, as well as
`federal and California law.
`PARTIES
`3.
`Facebook is a Delaware corporation with its principal place of business in
`Menlo Park, San Mateo County, California.
`Defendant OneAudience is a New Jersey company that purports to provide
`4.
`marketing and data analytics solutions. Ex. 1 & 2. OneAudience collected user data in
`order to provide services to advertisers and other marketing companies. Ex. 2.
`
`1
`
` 3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 3 of 37
`
`
` OneAudience has an office located at 222 Bridge Plaza South, Fort Lee,
`5.
`New Jersey. Ex. 1. Between at least 2017 to 2019, one or more OneAudience
`employees created and administered at least one Facebook Page and app on behalf of
`OneAudience.
`JURISDICTION AND VENUE
`6.
`The Court has federal question jurisdiction over the federal causes of
`action alleged in this Complaint pursuant to 28 U.S.C. § 1331.
`7.
`The Court has supplemental jurisdiction under 28 U.S.C. § 1367 over the
`state law causes of action alleged in this Complaint because they arise out of the same
`nucleus of operative fact as Facebook’s federal claims.
`8.
`In addition, the Court has jurisdiction under 28 U.S.C. § 1332 over all
`causes of action alleged in this Complaint because complete diversity exists and the
`amount in controversy exceeds $75,000.
`9.
`The Court has personal jurisdiction over OneAudience because it
`knowingly directed and targeted its scheme at Facebook, which has its principal place
`of business in California. Defendants also used Facebook’s developer and advertising
`platforms, and transacted business using Facebook, and otherwise engaged in
`commerce in California.
`10. The Court also has personal jurisdiction over OneAudience because
`OneAudience used the Facebook Platform and thereby agreed to Facebook’s Terms of
`Service (“TOS”). By agreeing to the TOS, OneAudience, in relevant part, agreed to
`submit to the personal jurisdiction of this Court for litigating claims, causes of action,
`or disputes with Facebook.
`11. Venue is proper in this District under 28 U.S.C. § 1391(b) because a
`substantial part of the events giving rise to the claims asserted in this lawsuit occurred
`here. 12. Pursuant to Civil L.R. 3-2(c), this case may be assigned to either the San
`Francisco or Oakland division because Facebook is located in San Mateo County.
`
`2
`
` 3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 4 of 37
`
`
`FACTUAL ALLEGATIONS
`A. Background
`13. Facebook is a social networking website and mobile application that
`enables its users to create their own personal profiles and connect with each other on
`mobile devices and personal computers. As of October 2019, Facebook daily active
`users averaged 1.62 billion and monthly active users averaged 2.44 billion.
`14. Facebook also operates a developer platform referred to as the “Facebook
`Platform.” This platform enables app developers (“Developers”) to run apps that
`interact with Facebook and Facebook users.
`15. Facebook permits Developers to access and interact with the Facebook
`Platform, subject to and restricted by Facebook’s TOS and Platform Policies.1
`B. Facebook’s TOS
`16. All Facebook users, including Developers and Page administrators, agree
`to comply with Facebook’s TOS when they create a Facebook account. Everyone who
`Facebook must
`agree
`to
`Facebook’s
`TOS
`(available
`at
`uses
`https://www.facebook.com/terms.php), and other rules that govern different types of
`access to, and use of, Facebook. These other rules include Facebook’s Community
`Standards (available at https://www.facebook.com/communitystandards/), Platform
`Policies (available at https://developers.facebook.com/policy/), and Facebook’s
`Commercial Terms (available at https://www.facebook.com/legal/commercial_terms).
`17. Section 2.3 of the TOS prohibits accessing or collecting data using
`automated means (without Facebook’s prior permission) or attempting to access data
`without permission.
`
`Over the years, the “Platform Policies” have been called the “Developer Principles and
`1
`Policies,” the “Platform Guidelines,” or the “Developer Terms of Service.” For simplicity, this
`Complaint uses the term “Platform Policies” to refer to these policies.
`
`3
`
` 3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 5 of 37
`
`
`18. Section 3.2 of the TOS prohibits using Facebook to do anything that
`“violates these Terms, and other terms and policies,” and that “is unlawful, misleading,
`discriminatory or fraudulent.”
`C. Platform Policies
`19. All Developers operating on the Facebook Platform agree to the Platform
`Policies. 20. The Platform Policies impose obligations and restrictions on Developers,
`including that Developers must obtain consent from the users of their apps before they
`can access their users’ data on Facebook. The Platform Policies largely restrict
`Developers from using Facebook data outside of the environment of the app, for any
`purpose other than enhancing the app users’ experience on the app.
`21. Through the Policies, Developers agree that Facebook can audit their apps
`to ensure compliance with the Platform Policies and other Facebook policies. Further,
`Developers agree to provide proof of such compliance if Facebook so requests.
`Developers agree to the Platform Policies at the time they first sign up to the Platform,
`and continue to agree to the Platform Policies as a condition of using the Facebook
`Platform. Over time, these Platform Policies have imposed substantially the same
`restrictions on the use and collection of Facebook data.
`22. The relevant Platform Policies include:
` “Don’t sell, license, or purchase any data obtained from us or our services.”
`Facebook Section 2.9.
` “Don’t directly or indirectly transfer any data that you receive from us
`(including anonymous, aggregate, or derived data) to any ad network, data
`broker or other advertising or monetization-related service.” Section 2.10.
` “[Facebook] or an independent auditor acting on our behalf may audit your
`app, systems, and records to ensure your use of Platform and data you receive
`from us is safe and complies with our Terms, and that you've complied with
`our requests and requests from people who use Facebook to delete user data
`
`4
`
`3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 6 of 37
`
`obtained through our Platform. If requested, you must provide proof that your
`app complies with our terms.” Section 7.9.
` “Comply with all applicable laws and regulations.” Section 5.8.
`D. OneAudience Agreed to Facebook’s TOS and Platform Policies.
`23. OneAudience created two public Facebook Pages—a profile on Facebook
`used to promote a business or other commercial, political, or charitable organization or
`endeavor—on or about March 31, 2016 and January 5, 2017. OneAudience also created
`a Facebook business account on or about July 13, 2016. At all relevant times,
`OneAudience was a Facebook user that agreed to and was bound by the TOS.
`24. Between approximately 2017 and 2019, OneAudience’s employees and
`agents created and operated at least two apps on behalf of OneAudience on the
`Facebook Platform. OneAudience’s employees and agents accepted and agreed to be
`bound by the Platform Policies on behalf of OneAudience. These apps did not contain
`the malicious SDK.
`E. The “Facebook Login” Feature.
`25. “Facebook Login” is a feature available to Facebook users, which lets them
`log into third-party mobile and desktop apps using their Facebook login credentials.
`Facebook Login allows users to customize and optimize their online experiences and to
`create accounts with third-party apps without having to set multiple usernames and
`passwords. In turn, these third-party web apps can use the Facebook Login feature for
`user authentication and to enhance a user’s experience on the app.
`26. Third-party app developers create independent web-based mobile and
`desktop apps. In order to use the Facebook Login feature on their apps, third-party apps
`developers must have a Facebook account and register a developer account with
`Facebook. In doing so, they must agree to Facebook’s TOS and Platform Policies.
`27. The Facebook Login feature protects Facebook users’ credentials and
`information in several ways. First, when users provide their credentials for the purpose
`of logging into the third-party app using the Facebook Login feature, those credentials
`
`5
`3:20­cv­01461
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 7 of 37
`
`
`are communicated only to Facebook’s servers, not to the servers of the app. When a
`user logs into an app using Facebook Login, the user is assigned a unique identifying
`digital key or token for the specific app, which authenticates the user to Facebook
`computers (the digital key). The digital key allowed the user to access the app without
`having to enter his or her credentials on every occasion and, in turn, allowed the app to
`access the user’s data on Facebook with the user’s consent.
`28. Second, before any user’s public Facebook profile information is sent to
`the app for verification purposes, the user must first provide consent through a custom
`dialogue box that asks whether the user wants to share the information that the app has
`requested. F. OneAudience Used the Malicious SDK to Obtain Facebook User Data
`Without Facebook’s Authorization.
`29. OneAudience used the malicious SDK in order to access and obtain user
`data from Facebook, without Facebook’s authorization.
`30. The malicious SDK was programmed to collect the digital key that
`Facebook assigned exclusively to a third-party app for a single user. OneAudience used
`the misappropriated digital key to make automated requests for data from Facebook.
`OneAudience misrepresented the source of those requests as the third-party app
`authorized to use the digital key. In fact, it was the malicious SDK that made the
`requests on behalf of OneAudience.
`31. OneAudience caused the malicious SDK to send requests for the users’
`name, locale (i.e., the country that the user logged in from), time zone, email address,
`Facebook ID, and gender. Ex. 3. Facebook’s technical restrictions prevented
`OneAudience from accessing any user data that the user had not authorized the app to
`obtain. For example, if a user had not authorized the app to access gender information,
`Facebook computers denied the malicious SDK’s request for the app user’s gender.
`32. OneAudience caused the malicious SDK to send unauthorized requests (or
`API calls) for user data to Facebook computers in approximately 24-hour intervals. In
`
`6
`
`3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 8 of 37
`
`
`instances where the malicious SDK was able to fraudulently obtain Facebook data, it
`was programmed to send that data to a remote server controlled by OneAudience using
`the domain api.oneaudience.com/api/devices. Ex. 4 & 5.
`33. OneAudience also caused the malicious SDK to collect data from the
`user’s device. The collection of that information was unrelated to Facebook.
`OneAudience collected call logs, cell tower and other location information, contacts,
`browser information, email, and information about apps installed on the device. Ex. 6
`– 11. 34. On information and belief, OneAudience compiled the data they harvested
`from the user’s device and Facebook (and other services) in order to provide marketing
`services to their customers.
`35. On its website, OneAudience falsely represented that OneAudience and its
`parent company, Bridge Company, were partners with Facebook. OneAudience’s
`website also falsely represented that it was “committed to the transparency of [their]
`mobile driven audiences and relationships” and sourced “data responsibly.” In fact,
`OneAudience did not obtain data through any partnerships with Facebook and instead
`obtained data through the malicious SDK.
`G. Facebook’s Enforcement and Request for an Audit Pursuant to the
`Platform Policies.
`36.
`In November 2019, Facebook took technical and legal enforcement
`measures against OneAudience, including disabling apps, sending a cease and desist
`letter, notifying users, and requesting an audit, pursuant to Facebook Platform Policy
`7.9. 37. On or about November 21, 2019, Facebook sent OneAudience a cease and
`desist letter (“C&D”). The C&D letter informed OneAudience that it had violated
`Facebook’s TOS and Platform Policies, including selling data obtained from Facebook
`and accessing and collecting information in unauthorized ways, including collecting
`information in an automated way without Facebook’s express permission.
`
`7
`
`3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 9 of 37
`
`38. Among other things, the C&D letter demanded that OneAudience:
`a. Provide a full accounting of any Facebook user data in their possession;
`b. Identify all of the apps that had installed the malicious SDK;
`c. Provide a copy of the software code used to interact with Facebook; and
`d. Delete and destroy all Facebook user data and provide evidence and
`documentation verifying that this had taken place.
`39. Between November 26, 2019, to January 31, 2020, OneAudience provided
`limited responses to Facebook’s requests for information, but maintained that it would
`comply with the requests for information and request for an audit on an ongoing basis.
`40.
`In its correspondence, OneAudience also represented that it had
`“inadvertently” engaged in unauthorized API call activity to acquire data from
`Facebook. OneAudience claimed that the malicious SDK had been developed by a
`company called AppJolt, which did not disclose the existence or functionality of the
`malicious SDK to OneAudience. This claim is inconsistent with publicly available
`information about AppJolt and OneAudience. Specifically, AppJolt was acquired by
`OneAudience’s parent company, Bridge Marketing, and the founder of AppJolt became
`the founder of OneAudience. OneAudience had access to the malicious SDK and its
`developer since at least 2016.
`41.
` OneAudience further claimed that the data collected by the malicious
`SDK had been deleted on a regular basis from OneAudience’s data systems (even
`though it had been purportedly collected without OneAudience’s knowledge).
`42. On January 23, 2020, Facebook requested a telephone interview with
`relevant OneAudience employees to verify OneAudience’s representations. On or about
`January 31, 2020, OneAudience refused Facebook’s request for an interview.
`H. OneAudience’s Unlawful Acts Have Caused Facebook Substantial Harm.
`43. OneAudience’s breaches of Facebook’s Terms and Policies and other
`misconduct described above have harmed Facebook, including by negatively impacting
`Facebook’s service.
`
`8
`
`3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 10 of 37
`
`
`44. OneAudience’s misconduct has caused Facebook to spend resources
`investigating and redressing OneAudience’s wrongful conduct. Facebook has suffered
`damages attributable to the efforts and resources it has used to investigate, address, and
`mitigate the matters set forth in this Complaint.
`45. OneAudience has been unjustly enriched by its activities at the expense of
`Facebook.
`FIRST CAUSE OF ACTION
`(Breach of Contract)
`46. Facebook incorporates all other paragraphs as if fully set forth herein.
`47. OneAudience agreed and became bound by Facebook’s TOS and Platform
`Policies when it created various Facebook Pages and apps.
`48. OneAudience breached these agreements with Facebook by taking the
`actions described above in violation of TOS 2.3, 3.2 and Platform Policies 2.9, 2.10, 5.8
`and 7.9. 49. Facebook has performed all conditions, covenants, and promises required
`of it in accordance with its agreements with OneAudience.
`50. OneAudience’s breaches have caused Facebook to incur damages,
`including the expenditure of resources to investigate and respond to OneAudience’s
`fraudulent scheme and unauthorized access.
`SECOND CAUSE OF ACTION
`(Violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq.)
`51. Facebook incorporates all other paragraphs as if fully set forth herein.
`52. Facebook’s computer network is comprised of protected computers
`involved in interstate and foreign commerce and communication as defined by 18
`U.S.C. § 1030(e)(2).
`53. OneAudience knowingly and with intent to defraud, accessed Facebook’s
`computer network without Facebook’s authorization. Namely, OneAudience used the
`malicious SDK to infect the app users’ devices and obtain a digital key, without
`
`9
`
`3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 11 of 37
`
`
`Facebook’s authorization, to make API calls to Facebook protected computers while
`purporting to be a third-party app.
`54. OneAudience violated 18 U.S.C. § 1030(a)(2) because it intentionally
`accessed and caused to be accessed Facebook protected computers improperly using
`misappropriated digital keys.
`55.
`In violation of 18 U.S.C. § 1030(a)(4), OneAudience knowingly and with
`intent to defraud accessed Facebook’s protected computers, by sending unauthorized
`commands, namely, API calls with stolen digital keys. These API calls purported to
`originate from third-party apps, but in fact originated from OneAudience’s malicious
`SDK. These commands were directed to Facebook’s computer network for the purpose
`of obtaining data from Facebook without authorization and furthering OneAudience’s
`data harvesting scheme, and obtaining anything of value, including revenue, customers,
`and user data.
`56. OneAudience’s conduct has caused a loss to Facebook during a one-year
`period in excess of $5,000.
`57. OneAudience’s actions caused Facebook to incur losses and other
`economic damages, including the expenditure of resources to investigate and respond
`to OneAudience’s fraudulent scheme and unauthorized access.
`58. Facebook suffered damages as a result of these violations.
`THIRD CAUSE OF ACTION
`(California Penal Code § 502)
`59. Facebook incorporates all other paragraphs as if fully set forth herein.
`60. OneAudience knowingly accessed and without permission otherwise used
`Facebook’s data, computers, computer system, and computer network in order to (A)
`devise or execute any scheme or artifice to defraud and deceive, and (B) to wrongfully
`control or obtain money, property, or data, in violation of California Penal Code §
`502(c)(1).
`
`10
`
`3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 12 of 37
`
`
`61. OneAudience knowingly accessed and without permission took data from
`Facebook’s computers, computer systems, and/or computer networks in violation of
`California Penal Code § 502(c)(2).
`62. OneAudience knowingly and without permission used or caused to be used
`Facebook’s computer services in violation of California Penal Code § 502(c)(3).
`63. OneAudience knowingly and without permission accessed or caused to be
`accessed Facebook’s computers, computer systems, and/or computer networks in
`violation of California Penal Code § 502(c)(7).
`64. Because Facebook suffered damages and a loss as a result of
`OneAudience’s actions and continues to suffer damages as result of OneAudience’s
`actions (including those described above), Facebook is entitled to compensatory
`damages, attorney’s fees, and any other amount of damages to be proven at trial, as well
`as injunctive relief under California Penal Code § 502(e)(1) and (2).
`65. Because OneAudience willfully violated Section 502, and there is clear
`and convincing evidence that OneAudience committed “fraud” as defined by Section
`3294 of the Civil Code, Facebook entitled to punitive and exemplary damages under
`California Penal Code § 502(e)(4). PRAYER FOR RELIEF
`Facebook seeks judgment awarding the following relief:
`1.
`That the Court enter judgment against Defendant that Defendant has:
`a. Breached its contract with Facebook, in violation of California law;
`b. Violated the Computer Fraud and Abuse Act, in violation of 18 U.S.C.
`§ 1030;
`c. Violated the California Comprehensive Computer Data Access and
`Fraud Act, in violation of California Penal Code § 502.
`That the Court enter a permanent injunction:
`a. Ordering Defendant to comply with Platform Policy 7.9 and respond,
`fully and accurately, to Facebook’s requests for information and proof
`
`11
`
`3:20­cv­01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`2.
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`of compliance with Facebook’s Policies, including a forensic data
`audit;
`b. Barring Defendant from accessing or attempting to access Facebook’s
`website and computer systems;
`c. Barring Defendant from creating or maintaining any Facebook
`accounts in violation of Facebook’s TOS and Platform Policies;
`d. Barring Defendant from engaging in any activity to defraud Facebook
`or its users; and
`e. Barring Defendant from engaging in any activity, or facilitating others
`to do the same, that violates Facebook’s TOS and Platform Policies, or
`other related policies referenced herein.
`3.
`That Facebook be awarded damages, including, but not limited to,
`compensatory, statutory, and punitive damages, as permitted by law and in such
`amounts to be proven at trial.
`That Facebook be awarded a recovery in restitution equal to any unjust
`4.
`enrichment enjoyed by Defendant.
`5.
`That Facebook be awarded its reasonable costs, including reasonable
`attorneys’ fees.
`6.
`That Facebook be awarded pre- and post-judgment interest as allowed by
`law.
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 13 of 37
`
`
`
`12
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`3:20­cv­01461
`
`

`

`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 14 of 37
`
`
`That the Court grant all such other and further relief as the Court may deem
`7.
`just and proper.
`
`Dated: February 27, 2020
`HUNTON ANDREWS KURTH LLP
`
`By: /s/ Ann Marie Mortimer
`
`
`Ann Marie Mortimer
`Jason J. Kim
`Jeff R. R. Nelson
`Attorneys for Plaintiff
`FACEBOOK, INC.
`Platform Enforcement and
`Litigation
`Facebook, Inc.
`Jessica Romero
`Michael Chmelar
`Olivia Gonzalez
`
`
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`
`
`
`
`
`
`13
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`
`
`3:20-cv-01461
`
`

`

`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 15 of 37
`
`
`DEMAND FOR JURY TRIAL
`Plaintiff hereby demands a trial by jury on all issues triable to a jury.
`
`Dated: February 27, 2020
`HUNTON ANDREWS KURTH LLP
`
`By: /s/ Ann Marie Mortimer
`
`
`Ann Marie Mortimer
`Jason J. Kim
`Jeff R. R. Nelson
`Attorneys for Plaintiff
`FACEBOOK, INC.
`Platform Enforcement and
`Litigation
`Facebook, Inc.
`Jessica Romero
`Michael Chmelar
`Olivia Gonzalez
`
`
`
`
`
`
`099900.12852 EMF_US 77547286v1
`
`14
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`
`
`3:20-cv-01461
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`

`

`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 16 of 37
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 16 of 37
`
`EXHIBIT 1
`
`EXHIBIT 1
`
`15
`
`15
`
`

`

`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 17 of 37
`EN
`02/19/2020 - oneaudience.com/privacy as on 2019-08-23 via archive.org
`
`• 0 •
`
`(3 Privacy Policy - oneAudience
`
`X
`
`C
`
`a web.archive.org/web/20190823024606/http://www.oneaudience.com/privacy/
`
`http://www.oneaudience.com/privacy/
`
`43 captures
`
`5 Feb 2017 - 23 Aug 2019
`
`a* ono
`
`Go
`
`JUL AUG SEP
`23
`
`2018 2019 202
`
`61 11
`
`IIIi
`0 0 01
`111
`
`About this capture
`
`oneAud ience
`
`DEVELOPERS INSIGHTS
`
`GET STARTED
`
`LOGIN
`
`BACK] [ EULA
`
`OPT-OUT
`
`12. Contacting Us About Privacy Questions or
`Concerns
`
`If you have any questions regarding our Privacy
`
`Policy, or in the event that you wish to verify which
`
`of your Personal Information we have collected,
`
`please contact us at privacy@oneaudience.com or
`by mailing us at:
`
`oneAudience
`
`222 Bridge Plaza South
`
`=art Lee, NJ 07024
`
`
`
`
`
`16
`
`

`

`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 18 of 37
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 18 of 37
`
`EXHIBIT 2
`
`EXHIBIT 2
`
`17
`
`17
`
`

`

`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 19 of 37
`What We Collect
`As detailed in our permission screen, our SDK collects the following PII if user permits:
`
`• Advertising ID:(cid:3)(cid:48)(cid:82)(cid:69)(cid:76)(cid:79)(cid:72)(cid:3)(cid:36)(cid:71)(cid:89)(cid:72)(cid:85)(cid:87)(cid:76)(cid:86)(cid:76)(cid:81)(cid:74)(cid:3)(cid:918)(cid:71)(cid:72)(cid:81)(cid:87)(cid:76)(cid:564)(cid:70)(cid:68)(cid:87)(cid:76)(cid:82)(cid:81)
`• Carrier: The devices carrier
`• Device Language: Language preference on the user’s device
`• Device Manufacturer: The manufacturer of the device such as samsung, sony, HTC
`• Device Model: The model of the device such as Samsung 8, iPhone 6S
`• Location: The latitude and longitude of the device
`• Hashed Email: The hashed email to identify a real device and prevent mobile fraud
`• User Platform: User’s device platform such as Android, iOS, Blackberry, Windows, other
`
`How the Data is Used
`
`SOK
`
`Embed SDK into 3rd
`party mobile apps.
`
`O
`
`(cid:56)(cid:86)(cid:72)(cid:85)(cid:3)(cid:70)(cid:82)(cid:81)(cid:564)(cid:85)(cid:80)(cid:86)(cid:3)(cid:40)(cid:81)(cid:71)(cid:3)(cid:56)(cid:86)(cid:72)(cid:85)(cid:3)(cid:47)(cid:76)(cid:70)(cid:72)(cid:81)(cid:86)(cid:72)(cid:3)
`(cid:36)(cid:74)(cid:85)(cid:72)(cid:72)(cid:80)(cid:72)(cid:81)(cid:87)(cid:3)(cid:68)(cid:81)(cid:71)(cid:3)(cid:54)(cid:39)(cid:46)(cid:3)(cid:76)(cid:71)(cid:72)(cid:81)(cid:87)(cid:76)(cid:564)(cid:72)(cid:86)(cid:3)
`mobile info including:
`• Mobile Ad ID
`•
`App Ownership
`•
`Location
`•
`Hashed Emails
`•
`Device Make & Model
`
`Overlay SDK/EMAIL/ONLINE
`data to identify individuals
`
`Create audience from
`mobile data
`
`(cid:36)(cid:79)(cid:79)(cid:3)(cid:82)(cid:73)(cid:3)(cid:82)(cid:88)(cid:85)(cid:3)(cid:71)(cid:68)(cid:87)(cid:68)(cid:3)(cid:76)(cid:86)(cid:3)(cid:83)(cid:72)(cid:85)(cid:80)(cid:76)(cid:86)(cid:86)(cid:76)(cid:82)(cid:81)(cid:16)(cid:69)(cid:68)(cid:86)(cid:72)(cid:71)(cid:3)(cid:68)(cid:81)(cid:71)(cid:3)(cid:73)(cid:88)(cid:79)(cid:79)(cid:92)(cid:16)(cid:70)(cid:82)(cid:80)(cid:83)(cid:79)(cid:76)(cid:68)(cid:81)(cid:87)(cid:15)(cid:3)(cid:80)(cid:72)(cid:68)(cid:81)(cid:76)(cid:81)(cid:74)(cid:3)(cid:76)(cid:87)(cid:519)(cid:86)(cid:3)(cid:69)(cid:72)(cid:72)(cid:81)(cid:3)(cid:70)(cid:82)(cid:81)(cid:564)(cid:85)(cid:80)(cid:72)(cid:71)(cid:3)(cid:69)(cid:92)(cid:3)(cid:87)(cid:75)(cid:72)(cid:3)(cid:88)(cid:86)(cid:72)(cid:85)(cid:3)(cid:87)(cid:82)(cid:3)
`access and collect his or her personal data. We are also transparent in our terms and conditions
`and privacy policy so the user is aware of what is being collected and how it is being used. The user
`(cid:75)(cid:68)(cid:86)(cid:3)(cid:87)(cid:75)(cid:72)(cid:3)(cid:73)(cid:85)(cid:72)(cid:72)(cid:71)(cid:82)(cid:80)(cid:3)(cid:87)(cid:82)(cid:3)(cid:82)(cid:83)(cid:87)(cid:3)(cid:76)(cid:81)(cid:3)(cid:82)(cid:85)(cid:3)(cid:82)(cid:83)(cid:87)(cid:3)(cid:82)(cid:88)(cid:87)(cid:3)(cid:68)(cid:87)(cid:3)(cid:68)(cid:81)(cid:92)(cid:3)(cid:83)(cid:82)(cid:76)(cid:81)(cid:87)(cid:3)(cid:90)(cid:76)(cid:87)(cid:75)(cid:82)(cid:88)(cid:87)(cid:3)(cid:68)(cid:909)(cid:72)(cid:70)(cid:87)(cid:76)(cid:81)(cid:74)(cid:3)(cid:75)(cid:76)(cid:86)(cid:3)(cid:82)(cid:85)(cid:3)(cid:75)(cid:72)(cid:85)(cid:3)(cid:68)(cid:70)(cid:70)(cid:72)(cid:86)(cid:86)(cid:3)(cid:87)(ci

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket