Harvard student Aran Khanna was due to work as an intern at Facebook this summer. However, after he highlighted a massive privacy issue in the social network’s Messenger app in May, his internship was abruptly cancelled.
Khanna has now written a column for Time in which he describes the whole episode as an “incredible learning experience.”
The cause of all the fuss is an app that Khanna built called Marauder’s Map, a reference to the map in “Harry Potter”. It was a browser plugin that called attention to the fact that Facebook Messenger (at the time) shared users’ locations with everyone they messaged with by default.
Upon installing the plugin, users could use a map to precisely track the movements of anyone they were in a conversation thread with. This included users who they were not friends with on Facebook — and it was accurate to within a meter.
The app went viral, was downloaded 85,000 times and saw widespread press coverage including The Guardian, The Daily Mail, Huffington Post, and elsewhere. Three days after he launched it via a Medium post, Khanna disabled the plugin at Facebook’s request. After several conversations with Facebook employees, in which they asked him not to speak to the press (a request he complied with), he was told that his offer of an internship was being rescinded.
In a case study for Harvard University’s Technology Science published earlier in August, he says the social network “[cited] as a reason that the extension violated the Facebook user agreement by ‘scraping’ the site. The head of global human resources and recruiting followed up with an email message stating that my blog post did not reflect the ‘high ethical standards’ around user privacy expected of interns. According to the email, the privacy issue was not with Facebook Messenger, but rather with my blog post and code describing how Facebook collected and shared users’ geo-location data.”
A Facebook spokesperson told Business Insider that the company doesn’t “dismiss employees for exposing privacy flaws … but we do take it seriously when someone misuses user data and puts people at risk.”
Just over a week later, Facebook issued an update that disabled automatic location-sharing in Messenger and introduced a new feature requiring users to actively share their location with their friends each time. Facebook says the update was underway for several months and the timing of its release was not affected by the publicity surrounding Marauder’s Map.
(It’s also worth noting here that Khanna didn’t discover the location-sharing issue in Facebook Messenger. It had been known for some time, and been the subject of previous media reports, but did not come to mainstream attention until the student launched his plugin.)
Writing in Time, Khanna now says he believes he acted “in the spirit of ‘hacker culture,'” confronting the issue of privacy by releasing the plugin publicly. Overall, he calls it “an incredible learning opportunity,” and that it helped “[shed] light on how big tech firms respond to privacy issues and how that response may hurt users of their products.”