Harvard student Aran Khanna was supposed to intern with Facebook starting in June. However, after he pointed out a massive flaw in Facebook’s Messenger app on Android devices, his internship was revoked.
Upon realising that people using the Facebook Messenger app share their location with everyone they message by default, Khanna built a Google Chrome plugin that could accurately track the movement of anyone that users had messaged on Facebook.
“Facebook was defaulting users into sending their location data with every message from the Android application,” Khanna said in an email to BuzzFeed. “As an avid user of Messenger this feature had frustrated me for a while, so I built an extension that displayed the location data that Messenger was sharing with you on a map (though you didn’t need an extension for this; you could do it with a pencil and a piece of paper), and I shared this project with friends and family to see what they thought about this feature revealing all this data, not expecting the app to go viral the way it did.”
According to Khanna, within three days of launching the app, Facebook told him to take down the plugin and then rescinded his internship invitation.
“Facebook’s response to the blog post and extension was to ask me to not speak to the press about it and then to disable the extension,” Khanna said. “Finally they rescinded my internship offer, citing the fact that my code broke Facebook’s user agreement (which every FB user signs when they join the site) by ‘scraping’ the site. They additionally stated that my actions were not up to the ‘high ethical standards’ expected of interns.”
A Facebook spokesperson told BuzzFeed in an email:
“This is revisionist history that conveniently omits a few important points. First, we began developing improvements to location sharing months ago, based on input from people who use Messenger. Second, this mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people’s privacy and safety. Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it’s inconsistent with how we think about serving our community.
“We don’t dismiss employees for exposing privacy flaws, but we do take it seriously when someone misuses user data and puts people at risk.”