Meta subsidiaries must pay $14m over misleading data collection disclosure

Meta has run into yet another bout of court related issues—two subsidiaries have been ordered to pay $14 million regarding undisclosed data collection. The Australian case, which has rumbled on for the best part of two and a half years, has focused on claims related to a now discontinued Virtual Private Network (VPN).

The subsidiary Onavo, acquired in 2013 by Facebook, was supposed to be keeping the VPN a separate brand from the main flagship company. Among various privacy based claims were “peace of mind when you browse” and “keep you and your data safe online”. It was certainly popular, with more than 270,000 downloads in Australia.

One of the app’s major selling points was that users were told their data would not be used for any purposes other than “the provision of Onavo Protect’s products”.

However the app, functional from 2016 to 2017, was found to be sending data to Facebook. This included user location, frequency using other apps, time, and also unrelated websites visited for the purposes of advertising. Here’s a rundown of some of the things the app was tracking, from the original research in 2018:

  • When a mobile is turned on and off
  • Daily Wi-Fi data usage (even when the app is off)
  • Daily cellular data usage (even when the app is off)
  • Amount of time the VPN connection is used

This was not what app users had signed up for, and so things quickly turned legal as a result. From the judgement:

Facebook Israel and Onavo admit that they offered, advertised and promoted Onavo Protect and made the app available to download by users in Australia via the App Store (for iOS users) and the Play Store (for Android users) during the Available Period.

Meta and Facebook Israel’s internal documents state that Onavo Protect was “a business intelligence tool” for Meta, which provided Meta with “a sample of users who we are able to know nearly everything they are doing on their mobile device” (which was in the form of anonymised, aggregated data). Meta then used anonymised and aggregated data derived from sets of the Onavo Protect Data (in the form of statistical information) for a range of purposes, including in relation to its advertising and marketing activities, improving its products and services and developing commercial strategies.

Disclosures related to how consumer data would be used for purposes other than providing Onavo Protect were listed in the Terms of Service and Privacy Policy, in the form of website links promoting the product. Additionally, users were taken to a page containing said documents when using Onavo Protect for the first time after installation. However, the disclosures in question were not “sufficiently prominent or proximate to the listings”.

Back to the judgement, where there is every sense that those responsible have dodged a potentially much larger fine:

Facebook Israel and Onavo admit that, given the above facts, the Listings that contained the Statements were likely to mislead or deceive (within the meaning of s 18 of the ACL), and liable to mislead the public (within the meaning of s 33 of the ACL), in the absence of sufficient disclosures to Australian consumers (which they admit were not made in those Listings) of the fact that Australian users’ data would be used for purposes other than providing Onavo Protect.

Where the theoretical maximum penalty is in the billions or trillions of dollars, the overall maximum penalty will not be a meaningful factor in the court’s assessment. In these circumstances, the appropriate range is best assessed by reference to factors other than where the conduct falls in the range of seriousness of offending in relation to the maximum penalty.

Last year, Instagram received a record fine of $400m for the abuse of children’s data. Elsewhere, Meta was fined $277m for a data breach which impacted around 500 million users. Some believe that social networks simply consider fines like these to be the cost of doing business. A few million dollars here or there doesn’t necessarily convince those responsible to do anything about it.

Even so, the fines keep coming. It remains to be seen if the long-term impact will eventually amount to anything meaningful.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.