Harvard student lost Facebook internship after highlighting privacy flaw

Trisha Thadani | USA TODAY

Rising senior Aran Khanna lost an internship with Facebook — a site that was created out of a Harvard dorm room — for, ironically, an app that he created out of his Harvard dorm room.

Shortly after the 21-year-old accepted an internship offer from Facebook this spring, Khanna created a Chrome extension (called Marauders Map) that used available location data from Facebook Messenger to clearly map out where users were when they sent a message.

At the time, Facebook Messenger automatically sent a location with all messages, making it possible to pinpoint the sender's whereabouts to less than a meter, Khanna wrote on a Medium post. This information was so revealing, he said, that through a couple weeks' worth of chat data, he was able to figure out a Facebook friend's weekly schedule.

He said he could do this with anyone who he messaged — even if they weren't friends on Facebook.

Khanna, who detailed the experience in a case study published Tuesday for the Harvard Journal of Technology Science, told USA TODAY that his app didn't expose anything new, but rather spelled out a privacy issue that people either weren't immediately aware of, or didn't really think twice about.

"I used data that was already there, and just displayed it in a different way," he said. "I think that highlighting a privacy issue with the intent of showing people how much they are putting out there is a service to others."

However, that is not how Facebook felt.

After Khanna tweeted about the app on May 26 and posted about it on Reddit and Medium, his creation began to go viral. Within three days of its release and after thousands of downloads, Facebook caught on and demanded he take down the tool. Khanna said he complied, and deactivated the official version of the app at Facebook's request.

Then, Khanna's coveted summer internship offer from the site was withdrawn.

Facebook spokesman Matt Steinfeld said in a statement to USA TODAY that the 21-year-old's mapping tool "scraped Facebook data in a way that violated our terms and those terms exist to protect people's privacy and safety." Steinfeld said the creator left the tool up, despite being repeatedly asked to take the code down.

"We don't dismiss employees for exposing privacy flaws, but we do take it seriously when someone misuses user data and puts people at risk," Steinfeld said.

Steinfeld declined to comment on the specific case regarding Khanna, and directed USA TODAY to section 3.2 of Facebook's Terms and Services, which states:

"You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission."

Nine days after the release of Khanna's app, Facebook updated the app and made sharing geo-location data an opt-in feature, which granted users "full control over when and how you share your location information."

Steinfeld said in the statement that Facebook "began developing improvements to location sharing months ago, based on input from people who use Messenger."

This isn't the first time Facebook's data sharing has been a point of contention with users: earlier this summer, Facebook received some flak over its facial recognition software, which automatically identifies individuals in a digital image by comparing facial features in the image and database, and allows computers to link a person's name to their face in photos or videos.

Khanna said he learned a lot from the back-and-forth with the social media site, which he was initially drawn to because of its "hacker culture" that Mark Zuckerberg, the creator of Facebook, spoke about in his initial letter to investors.

Khanna, who is currently finishing up a summer internship at a tech-start up in Silicon Valley, said this experience with Facebook made him realize that perhaps there are more limits to the "hacker culture" than he initially thought.

Regardless, he said, he hopes that the consequences of unintentionally sharing data resonates with people, and that there is some change brought about by his app, "however small."

Follow USA TODAY reporter Trisha Thadani on Twitter: @TrishaThadani