Harvard Student Loses Facebook Internship After Exposing Privacy Flaw

Three months ago, Harvard student Aran Khanna was all set to begin an internship at Facebook.

Then, he created a browser application from his dorm room called Marauder’s Map, a Chrome extension that used data from Facebook Messenger to map where users were when they sent messages.

He quickly discovered that the extension showed the exact locations (as in, within a metre) of people in a group chat whom he barely knew – whether this meant at a coffee shop, at the library, or in their dorm rooms. He described it as a tool to “creepily stalk” your friends. The extension took advantage of a known Facebook privacy flaw whereby Messenger automatically shares users’ locations with anyone they messaged.

So, Khanna took to social media, tweeting about the app on May 26, then posting about it on Reddit and Medium.

It didn’t take long for Marauder’s Map to spread, and it was downloaded more than 85,000 times. It also didn’t take long for Facebook to catch on.

The day after Marauder’s Map was posted, Khanna’s future manager at Facebook called him and asked him not to talk to the press. The same day, Khanna received a call from Facebook’s global communications lead for privacy and public policy, who restated that Khanna shouldn’t talk to the press because the story had become detrimental to the company’s image. So, Khanna agreed, and redirected all media inquiries back to Facebook. The next day, Facebook asked him to disable the app. He complied, but also updated his Medium post and the extension’s description to highlight the fact that Facebook asked him to disable the map.

Then, three days after the extension was posted, Facebook withdrew its internship offer.

Two hours before he was supposed to leave to start his internship, Khanna received a call from a Facebook employee telling him that he no longer had a summer internship because he violated the Facebook user agreement by scraping the site for data. However, according to Khanna, the data was from his own messages, meaning he used information accessible to all Facebook users, not just to employees.

In an email from Facebook’s head of global human resources and recruiting, Khanna was then told that his Medium post didn’t meet the high ethical standards expected of interns. The issue, they said, wasn’t the Messenger app itself, but rather the way his blog described how Facebook collected and shared user data.

But in a new paper for Harvard’s Journal of Technology Science, Khanna explains how Facebook treated him like a criminal when all he was trying to do was perform a public good by making users aware of how their data was being used. Khanna told Boston.com that the MO of his experiment was to publicly pressure Facebook to be “responsible guardians of privacy” — adding that he wasn’t previously aware how much information he was unintentionally sharing until he looked into his messaging history.

In the week following the creation of the extension, Facebook announced a Messenger app update in a news release: “With this update, you have full control over when and how you share your location information.” It didn’t, however, highlight the former default settings or the fact that users who didn’t activate the update could continue to unknowingly share their locations by default unless they manually altered their privacy settings.

When it launched in 2011, Facebook Messenger had been set up with automatic geolocation sharing. In 2012, CNET highlighted the issue and instructed users how to disable the location services. Despite numerous updates in the years since, the geolocation sharing remained. According to Matt Steinfeld, a Facebook spokesman, the company had been working on a Messenger update long before Khanna’s blog post was published.

Maybe it’s a good thing that the company ditched its former “Move Fast and Break Things” motto.

As for Khanna, we have a feeling he’ll be just fine — he accepted another internship with a tech start-up in Silicon Valley. Not to mention, Facebook famously rejected an engineer a few years ago who then went on to start his own company. His name was Brian Acton, and five years after he didn’t start at Facebook, Zuckerberg and Co. bought his company, WhatsApp, for a cool $22 billion.
