Facebook cancelled a Harvard student's internship after he created a Google Chrome plugin that highlighted serious privacy flaws in the social network's messaging service.
In May, computer science and mathematics student Aran Khanna built Marauder's Map. It was a browser plugin that made use of the fact that people who use the Facebook Messenger share their location with everyone they message with by default.
Upon installing the plugin, users could use it to precisely track the movements of anyone they were in a conversation thread with. This included users who they were not friends with on Facebook — and was accurate to within a meter.
The app went viral, was downloaded 85,000 times, and saw widespread press coverage by The Guardian, The Daily Mail, Huffington Post, and elsewhere. Three days after he launched it via a Medium post, Khanna disabled the plugin after Facebook told him to. At the social network's request, he refused to speak to press, and the company released a new version of Messenger a week later, changing how users share their locations.
Earlier this week, Khanna published a case study for the Harvard Journal of Technology Science about his experience. Here's the student on Facebook's initial response:
"
By midday of the 28th, the global communications lead for privacy and public policy at Facebook requested by email that I disable the extension. I complied within the hour by deactivating the Mapbox API key associated with the extension so that all current and future users could no longer load the map used to display geo-location data."
Business Insider has reached out to Facebook for comment and will update when it responds. A spokesperson told Boston.com that "this mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people's privacy and safety ... Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it's inconsistent with how we think about serving our community."
The spokesperson also adds that the update wasn't developed just in response to Khanna's plugin. "This isn't the sort of thing that can happen in a week ... Even though we move very fast here, they'd been working on it for a few months."
In the case study, Khanna writes that he thinks it is the media attention that forced Facebook to act when it did. "It is possible that before my extension and blog post, the degree of location data collection and sharing by Facebook Messenger was hard for an average user to notice and thus did not raise significant concern. Without public pressure, Facebook may have lacked significant incentive to change. My extension and blog post made the data collection and sharing practice real and transparent."