13 August 2015


Full Story Aran Khanna lost Facebook Internship for Exposing FB Messenger Location Tracking


Facebook cancelled the internship of Aran Khanna, an Indian-origin student, after he exposed a serious privacy flaw in Facebook Messenger.

Aran Khanna created a Chrome extension that could track the location of Facebook friends on a map.
His app, Marauders Map, named after the magical map in the Harry Potter series, showed that users of Facebook Messenger could pinpoint the exact locations of people they were talking to.

In 2011 Facebook launched Facebook Messenger, an application (or "app") for Android and iOS mobile devices. Messenger has the ability to share geo-location with messages.
When a Facebook user sends a message from a smartphone using Messenger, the user's physical location can also be sent. Prior to a June 2015 update, unless a user changed the initial default settings of the program, the app would collect and display geo-location information with message content by default in all conversations on the Android app, including conversations in chat groups with people who are not direct friends on Facebook's social network.

When the app first installs on a mobile device, a notice appears that informs the user that the app will collect and share geo-location information. After that notice appears, the only other indicator of location data collection and sharing is a small blue icon next to the textbox in a conversation.

Facebook allows users to chat among themselves on a mobile app called Facebook Messenger.
Facebook Messenger collected and shared user geo-locations as the default setting for every message sent from the Android mobile app. These locations were visible to anyone in a group chat, regardless of his or her relationship to the sender on the Facebook social network.

Noticing a lack of significant public response to the visible nature of geo-location data on Facebook Messenger, despite media coverage dating back to 2012, Aran Khanna hypothesized that users were either (1) not aware, or (2) not concerned about the collection and visibility of their geo-location data on the app.
Aran started studying this privacy issue during the spring of 2015.
At the time, he was a junior at Harvard College and had been offered a summer internship position at Facebook doing software development.
He had secured the internship through Harvard's Office of Career Services' (OCS) On Campus Interview program.
The internship was a paid position starting June 1, 2015, and he had signed a letter of intent to join the company, although he was not to be considered an employee until the June 1 start date, meaning that he was not privy to any proprietary information.

Aran wrote a browser application that requires a Facebook user to log into their Facebook account and then displays on a map the geo-location data shared with that user through Facebook Messenger chats.

He announced the tool in a blog post and publicized it on Twitter and a few other online forums. The immediate public response was one of surprise and concern over the privacy issue raised by the collection and visibility of the geo-location data.

On May 26, 2015, he published the blog post and corresponding code on Medium.com. He also posted links to the blog post and extension on Reddit, on Hacker News (news.ycombinator.com), a popular technical forum, and on his Twitter account.

News of the blog went viral, starting within 24 hours of posting and continuing for about 72 hours afterwards.

His tool has been downloaded over 85,000 times since its release, and more than 170 global news publications linked to his post.

By the 28th, only two days after the original posting, news stories about his posts had appeared on CNN, The Guardian, The Washington Post, and many large international European, Australian, and Brazilian publications.

After that, Facebook told him to remove the tool, and Aran complied: he removed and disabled it.

Nine days after the release, Facebook made sharing geo-location data an opt-in feature, allowing users to choose whether to share personal geo-locations in Facebook Messenger.

Aran wrote the following in his post: “On the afternoon of the 29th, three days after my initial posts, Facebook phoned me to inform me that it was rescinding the offer of a summer internship, citing as a reason that the extension violated the Facebook user agreement by "scraping" the site. The head of global human resources and recruiting followed up with an email message stating that my blog post did not reflect the "high ethical standards" around user privacy expected of interns. According to the email, the privacy issue was not with Facebook Messenger, but rather with my blog post and code describing how Facebook collected and shared users' geo-location data.”

Source –

Facebook's Privacy Incident Response: a study of geolocation sharing on Facebook Messenger

Reality views by sm –



Destination Infinity August 14, 2015  

I don't think an intern can share anything and everything about their company to the entire world without consulting the management first. I feel it would have been better had he approached the proper channels in the management before writing public blog posts. I am sure FB has an internal blog/social network -- he could have tried to create awareness there first.

Destination Infinity

SM August 15, 2015  

@Destination Infinity

Thanks. When he wrote the code, he was not an employee of FB.