Three months ago, Harvard student Aran Khanna was preparing to start a coveted internship at Facebook when he launched a browser application from his dorm room that angered the social media behemoth.
His application, called Marauder’s Map — a clever name that Harry Potter fans will appreciate — was a Chrome extension that used data from Facebook Messenger to map where users were when they sent messages. The app also showed the locations, which were accurate to within three feet, in a group chat with people he barely knew. That meant complete strangers could hypothetically see that he had messaged them from a Starbucks around the corner, while he could see that they had messaged from their dorms.
The app capitalized on a privacy flaw that Facebook had been aware of for about three years: the Facebook Messenger app automatically shared users’ locations with anyone who they messaged.
Khanna tweeted about the app on May 26 and posted about it on Reddit and Medium. Marauder’s Map began to go viral. Facebook, never one to miss a trend, quickly caught on.
Within three days, Facebook asked Khanna to disable the app. The company also deactivated location sharing from desktops, which meant Khanna’s app wouldn’t work even if he hadn’t taken it down. And the company that Mark Zuckerberg famously launched from his Harvard dorm room withdrew its internship offer from this Harvard student, who apparently made the mistake of…launching an app from his dorm room.
Before it was disabled, the extension was downloaded more than 85,000 times, Khanna said.
About a week later, Facebook released a Messenger app update trumpeted as follows in a news release: “With this update, you have full control over when and how you share your location information.’’
The description didn’t mention the previous default settings. Nor did it point out that users who didn’t activate the update would continue to share their locations by default unless they manually altered their privacy settings.
Matt Steinfeld, a Facebook spokesman, said the company had been working on a Messenger update long before Khanna’s blog post was published.
“This isn’t the sort of thing that can happen in a week,’’ Steinfeld told Boston.com. “Even though we move very fast here, they’d been working on it for a few months.’’
Khanna, who detailed the experience in a case study published Tuesday in Technology Science, a journal published by Harvard University, told Boston.com he created the app to show the consequences of unintentionally sharing data. That way, he said, users could decide for themselves whether or not it was a violation of their privacy.
Facebook Messenger, the company’s mobile messaging app, had been set up with automatic geolocation sharing since it launched in 2011. CNET drew attention to the issue in 2012 and showed users how to switch off location services. Various updates to the app improved its usability and even introduced fun cat emoji stickers, but the geolocation sharing remained.
Khanna used Messenger frequently when he started studying at Harvard, but didn’t realize how much information he was unintentionally sharing until he began to look at his message history.
The day after Marauder’s Map was posted, Khanna said his future manager at Facebook called him and asked him not to talk to the press. That evening, Khanna received a call from Facebook’s global communications lead for privacy and public policy, who reiterated that Khanna shouldn’t talk to the press because the story had become damaging.
Khanna complied, redirecting all press inquiries back to Facebook.
The next day, Facebook asked him to deactivate the extension. He did, but also updated his Medium post and the extension’s description to make it clear that Facebook asked him to disable the map.
Three days after the extension was posted, and two hours before he was supposed to leave to start his internship, Khanna received a call from a Facebook employee telling him that the company was rescinding his summer internship offer. Khanna said he was told that he violated the Facebook user agreement when he scraped the site for data.
However, Khanna told Boston.com that the data was from his own messages, which meant he used information accessible to all Facebook users, not just to employees.
Khanna then received an email from Facebook’s head of global human resources and recruiting, who told him that his Medium post didn’t meet the high ethical standards expected of interns. Khanna was told that the issue wasn’t the Messenger app itself, but instead the way his blog described how Facebook collected and shared user data.
“This mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people’s privacy and safety,’’ Steinfeld told Boston.com. “Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it’s inconsistent with how we think about serving our community.’’
In his first letter to investors back in 2012, Mark Zuckerberg said that Facebook follows an approach they coined the “Hacker Way.’’
“The word ‘hacker’ has an unfairly negative connotation from being portrayed in the media as people who break into computers,’’ he wrote. “In reality, hacking just means building something quickly or testing the boundaries of what can be done.’’
Khanna thought his extension — which he built quickly and which tested boundaries — was performing a public good by showing users how their data was being used.
“I didn’t write the program to be malicious,’’ he said.
In the end, Khanna had a pretty great summer after all. He accepted another internship with a tech start-up in Silicon Valley. And, he said, the back-and-forth with Facebook turned out to be an “internship experience’’ in itself that taught him a great deal.
In the closing of his letter to investors, Zuckerberg said one of the five core values of Facebook is for its employees to “be bold.’’
But not too bold.
Famous Massachusetts companies