
Aran Khanna, a student from Harvard, identified a privacy issue in Facebook Messenger. He developed a Chrome extension, called Marauder’s Map, which can trace the movements of users of the popular Messenger app, even if they are not your friends on Facebook.

Facebook reacted 3 days after the app was published, asking the developer to shut it down. Moreover, 2 hours before Khanna’s internship was supposed to start, a Facebook employee called to tell him that the company was withdrawing his summer internship offer. According to the student, he was told that he had violated the Facebook user agreement when he scraped the site for data.

Khanna described his app on Medium in a post titled “Stalking Your Friends with Facebook Messenger”. As one of his main findings, he wrote:

The main problem is that every time you open your phone and send a single message it’s so easy to forget about your location data being attached to it. Furthermore, it seems so harmless to attach a location with a single message, but the problem is over time the information from these messages adds up.

Facebook was quick to respond, asking Khanna to disable the app 3 days after it launched.
Coincidentally, according to the Boston.com report, Facebook released an update to Messenger a couple of days ago, trumpeting “full control” over how users shared their locations.

A Facebook spokesman, Matt Steinfeld, said the update was not a response to Khanna’s app and couldn’t have been completed within a week.

According to Boston.com, there were also behind-the-scenes crisis control efforts at Facebook:

The day after Marauder’s Map was posted, Khanna said his future manager at Facebook called him and asked him not to talk to the press. That evening, Khanna received a call from Facebook’s global communications lead for privacy and public policy, who reiterated that Khanna shouldn’t talk to the press because the story had become damaging.

Khanna insists he created the tool not to be malicious, but to draw observers’ attention to a security problem in one of Facebook’s most popular services. The developer was also told that “the issue wasn’t the Messenger app itself, but instead the way his blog described how Facebook collected and shared user data.”

As Boston.com ironically concludes, Mark Zuckerberg, the Facebook founder, said in his first letter to investors that one of the 5 core values of Facebook is for its employees to “be bold.”

It seems there is a limit to how bold one should be.