“Untraceable” surveillance firm sued for scraping Facebook and Instagram data

Days after Meta achieved victory after suing the NSO Group for Computer Fraud and Abuse Act charges, Meta filed a lawsuit against surveillance company Voyager Labs for violations of its Terms and Policies and California law. 

According to court documents, Voyager Labs created 38,000 fake accounts on Facebook and Instagram so it could use its home-brew surveillance software to scrape data from them. Scraping is an automated way of collecting data from websites or apps. Meta alleges the company did a similar tactic on other social media platforms and other websites, such as Twitter, YouTube, LinkedIn, Telegram, VK, Tumblr, Pinterest, Medium, and Vimeo.

Voyager is said to have scraped more than half a million pieces of viewable profile information, including likes, comments, friends list, photos, and Facebook Groups and Pages information. The company allegedly marketed its scraping tool as “untraceable” and sold it to companies “that wanted to conduct surveillance on social media websites without being detected”.

Meta was aware of Voyager’s scraping activities long before formally filing a case against the company. Court documents show that no later than July 2022, Voyager began using its thousands of fake accounts to scrape data. These were tied to phone numbers with an Israel country code (972) or email addresses following a certain pattern.

At least since February 2016, Voyager has been creating these multiple fake accounts on Meta’s platforms, agreeing with its terms yet knowingly breaking them. On October 2017, Meta sent a cease and desist letter to Voyager for the alleged fake accounts.

When confronted about a Facebook account for an individual named “Olga Herrera”, Meta alleges Voyager denied accessing, using, and controlling this account, although Meta says it had seen that a Voyager employee logged on to it just three days before. The Voyager employee is allegedly a “QA Manager and Automation Tests Development Specialist”.

Meta asserts in the complaint that Voyager also offered to scrape data from websites on client request. Voyager’s known target of data scraping range from (but are not limited to) “employees of non-profit organizations, universities, news media organizations, healthcare facilities, the armed forces of the United States, and local, state, and federal government agencies, as well as full-time parents, retirees, and union members”.

In a blog post, Meta describes Voyager Labs as a “scraper-for-hire service.”

“We are seeking a permanent injunction against Voyager to protect people against scraping-for-hire services. Companies like Voyager are part of an industry that provides scraping services to anyone regardless of the users they target and for what purpose, including as a way to profile people for criminal behavior. This industry covertly collects information that people share with their community, family and friends, without oversight or accountability, and in a way that may implicate people’s civil rights. These services operate across many platforms and national boundaries, and require a collective effort from platforms, policymakers and civil society to deter the abuse of these capabilities. Meta will continue to take action against these types of entities.”

Like NSO, Voyager Labs is headquartered in Israel. In October 2022, the company announced its move to the US as part of its “growth strategy”.

At the time, founder and former CEO Avi Korenblum of Voyager Labs said:

“Moving our business operations to the US positions Voyager Labs to better serve our fastest-growing markets which include the US federal government as well as state and local law enforcement and prosecution agencies.”

Meta is seeking compensation for damages caused by Voyager Labs. It’s also asking the court to enforce its Terms and Policies, and ban Voyager Labs from Facebook and Instagram.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

https://blog.malwarebytes.com/feed/