Student Loses Facebook Internship After Highlighting Major Privacy Flaw in Messenger

Aran Khanna's Marauder's Map plugin showed the location of Facebook Messenger users, accurate to within a meter.

By Rob Price

This story originally appeared on Business Insider

Facebook canceled a Harvard student's internship after he created a Google Chrome plugin that highlighted serious privacy flaws in the social network's messaging service, Boston.com reports.

In May, computer science and mathematics student Aran Khanna built Marauder's Map. It was a browser plugin that made use of the fact that people who use the Facebook Messenger share their location with everyone they message with by default.

Upon installing the plugin, users could use it to precisely track the movements of anyone they were in a conversation thread with. This included users who they were not friends with on Facebook — and it was accurate to within a meter.

The app went viral, was downloaded 85,000 times, and saw widespread press coverage by The Guardian, The Daily Mail, Huffington Post and elsewhere. Three days after he launched it via a Medium post, Khanna disabled the plugin after Facebook told him to. At the social network's request, he refused to speak to press, and the company released a new version of Messenger a week later, changing how users share their locations.

Earlier this week, Khanna published a case study for the Harvard Journal of Technology Science about his experience. Here's the student on Facebook's initial response:

[On] the afternoon of the 27th, one day after the Medium blog post's publication, Facebook contacted me. My future manager phoned and asked me not to speak to any press; however, I was told that I could keep my blog post up. By that evening, the global communications lead for privacy and public policy at Facebook called me to clarify Facebook's expectations that I not speak to the press, saying that his objective was to hamper the spread of what had become a damaging story.

By midday of the 28th, the global communications lead for privacy and public policy at Facebook requested by email that I disable the extension. I complied within the hour by deactivating the Mapbox API key associated with the extension so that all current and future users could no longer load the map used to display geo-location data.

Then, three days later, Facebook got in touch again — to say it was canceling his internship:

On the afternoon of the 29th, three days after my initial posts, Facebook phoned me to inform me that it was rescinding the offer of a summer internship, citing as a reason that the extension violated the Facebook user agreement by "scraping" the site. The head of global human resources and recruiting followed up with an email message stating that my blog post did not reflect the "high ethical standards" around user privacy expected of interns. According to the email, the privacy issue was not with Facebook Messenger, but rather with my blog post and code describing how Facebook collected and shared users' geo-location data.

Business Insider has reached out to Facebook for comment and will update when it responds. A spokesperson told Boston.com that "this mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people's privacy and safety ... Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it's inconsistent with how we think about serving our community."

The spokesperson also adds that the update wasn't developed just in response to Khanna's plugin. "This isn't the sort of thing that can happen in a week ... Even though we move very fast here, they'd been working on it for a few months."

In the case study, Khanna writes that he thinks it is the media attention that forced Facebook to act when it did. "It is possible that before my extension and blog post, the degree of location data collection and sharing by Facebook Messenger was hard for an average user to notice and thus did not raise significant concern. Without public pressure, Facebook may have lacked significant incentive to change. My extension and blog post made the data collection and sharing practice real and transparent."

He concludes with a set of questions: "What does this say about privacy protection? Can we reasonably expect Facebook or others with an interest in collecting and sharing personal data to be responsible guardians of privacy? Could this work have been done inside Facebook to understand how its users view the collection and sharing of their data?

"Must future privacy guardians always be on the outside?"

Rob Price
Rob Price is a technology reporter for Business Insider.

Related Topics

Editor's Pick

The Dark Side of Pay Transparency — And What to Do If You Find Out You're Being Underpaid
Thinking of a Career Change? Here Are 4 Steps You Can Take to Get There.
A Founder Who Bootstrapped Her Jewelry Business With Just $1,000 Now Sees 7-Figure Revenue Because She Knew Something About Her Customers Nobody Else Did
Everything You Need to Know About Franchise Law
Business News

Virgin Orbit Slashing 90% of Workforce, On Pause For 'Foreseeable Future'

The satellite launch company furloughed the majority of its staff earlier this month.

Marketing

How to Select the Right PR Partner in Today's Economy

While it may seem complicated, identifying a good PR fit is crucial for your company's longevity.

Business News

'Angry and in Shock': Fashion Label Orders Former Sales Reps to Return Commissions in Wake of Bankruptcy

The once upscale NYC-based fashion label went under in 2020. Now, former stylists are being ordered to return commissions earned prior to the company's collapse.

Career

How to Cope With Career Baggage and Heal Emotional Scars From Past Jobs

Here's how professional scar tissue can show up in new roles — and a few tips for managing it effectively.

Leadership

Improving Yourself Takes 9.6 Minutes of Work Each Day

Micro-habits are the antidote to a chaotic world, offering a pathway to sustainable change.