Facebook axes a future intern for exposing a privacy flaw

A Harvard student lost his internship offer at Facebook for developing an app that drew attention to a privacy flaw with Facebook's Messenger app.

Facebook intern fired exposing privacy flaw Messenger app

After being accepted for an internship at Facebook, Harvard University student Aran Khanna continued to embrace the same entrepreneurial spirit that helped launch the site on the very same campus over a decade ago. Ironically, his efforts cost him his chance at working at the company.

Khanna discovered a privacy flaw in the default settings of Facebook's Messenger app for Android that automatically shared users' detailed location data. To draw attention to the flaw, Khanna launched an Android app called Marauder's Map that mapped Facebook users' locations based on their activity on Messenger in May, according to Boston.com. The app showed that the location sharing was accurate to within a three-foot distance and shared users' location data even with Facebook users they were not Friends with.

One day after he launched the app, Facebook asked Khanna not to talk to the press, and he complied, directing all press inquiries to Facebook's communications department, according to Boston.com. After three days and more than 85,000 downloads, Facebook asked Khanna to take the app down, and he complied again, even though Facebook resolved the flaw that provided the location data that made Khanna's app work, according to the report.

Despite the fact that Khanna's work led Facebook to resolve a privacy flaw, the company withdrew its internship for the student.

According to Boston.com, Facebook told Khanna that it withdrew the internship offer not because Khanna developed the app, but because he had blogged about Facebook in a derogatory way.

Khanna then received an email from Facebook's head of global human resources and recruiting, who told him that his Medium post didn't meet the high ethical standards expected of interns. Khanna was told that the issue wasn't the Messenger app itself, but instead the way his blog described how Facebook collected and shared user data.

However, in subsequent statements to both Boston.com and Gizmodo, Facebook claims Khanna's app violated Facebook's terms of service agreement, even though Khanna says he used data from his own messages.

Further, Facebook's statement to Gizmodo implies that the company was already working on location sharing in Messenger in some fashion (although what it was working on remains unclear) months before Khanna's app drew attention to it.

"This is revisionist history that conveniently omits a few important points. First, we began developing improvements to location sharing months ago, based on input from people who use Messenger," a Facebook spokesperson told Gizmodo. "Second, this mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people's privacy and safety. Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it's inconsistent with how we think about serving our community."

Indeed, as Boston.com pointed out, Messenger has automatically shared location data since at least 2011, with CNET having addressed it with a 2012 video showing how to disable the setting.

But it wasn't until a future Facebook intern used that data in a clever (and definitely creepy) way that the company changed how it handles location.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2015 IDG Communications, Inc.