Student Loses Facebook Internship After Highlighting Major Privacy Flaw in Messenger

Facebook canceled a Harvard student's internship after he created a Google Chrome plugin that highlighted serious privacy flaws in the social network's messaging service, Boston.com reports.

In May, computer science and mathematics student Aran Khanna built Marauder's Map. It was a browser plugin that made use of the fact that people who use the Facebook Messenger share their location with everyone they message with by default.

Upon installing the plugin, users could use it to precisely track the movements of anyone they were in a conversation thread with. This included users who they were not friends with on Facebook — and it was accurate to within a meter.

The app went viral, was downloaded 85,000 times, and saw widespread press coverage by The Guardian, The Daily Mail, Huffington Post and elsewhere. Three days after he launched it via a Medium post, Khanna disabled the plugin after Facebook told him to. At the social network's request, he refused to speak to press, and the company released a new version of Messenger a week later, changing how users share their locations.

Earlier this week, Khanna published a case study for the Harvard Journal of Technology Science about his experience. Here's the student on Facebook's initial response:

[On] the afternoon of the 27th, one day after the Medium blog post's publication, Facebook contacted me. My future manager phoned and asked me not to speak to any press; however, I was told that I could keep my blog post up. By that evening, the global communications lead for privacy and public policy at Facebook called me to clarify Facebook's expectations that I not speak to the press, saying that his objective was to hamper the spread of what had become a damaging story.

By midday of the 28th, the global communications lead for privacy and public policy at Facebook requested by email that I disable the extension. I complied within the hour by deactivating the Mapbox API key associated with the extension so that all current and future users could no longer load the map used to display geo-location data.

Then, three days later, Facebook got in touch again — to say it was canceling his internship:

On the afternoon of the 29th, three days after my initial posts, Facebook phoned me to inform me that it was rescinding the offer of a summer internship, citing as a reason that the extension violated the Facebook user agreement by "scraping" the site. The head of global human resources and recruiting followed up with an email message stating that my blog post did not reflect the "high ethical standards" around user privacy expected of interns. According to the email, the privacy issue was not with Facebook Messenger, but rather with my blog post and code describing how Facebook collected and shared users' geo-location data.

Business Insider has reached out to Facebook for comment and will update when it responds. A spokesperson told Boston.com that "this mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people's privacy and safety ... Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it's inconsistent with how we think about serving our community."

The spokesperson also adds that the update wasn't developed just in response to Khanna's plugin. "This isn't the sort of thing that can happen in a week ... Even though we move very fast here, they'd been working on it for a few months."

In the case study, Khanna writes that he thinks it is the media attention that forced Facebook to act when it did. "It is possible that before my extension and blog post, the degree of location data collection and sharing by Facebook Messenger was hard for an average user to notice and thus did not raise significant concern. Without public pressure, Facebook may have lacked significant incentive to change. My extension and blog post made the data collection and sharing practice real and transparent."

He concludes with a set of questions: "What does this say about privacy protection? Can we reasonably expect Facebook or others with an interest in collecting and sharing personal data to be responsible guardians of privacy? Could this work have been done inside Facebook to understand how its users view the collection and sharing of their data?

"Must future privacy guardians always be on the outside?"