When Aran Khanna released the Marauder’s Map, a browser extension that lets you track your friends using their Facebook Message location info, he thought Facebook would be impressed. He was, after all, a few weeks away from starting an internship there.
They did notice. Within a couple of weeks, the Marauder’s Map generated enough attention that Facebookreleased an update to Messenger that ramped up location-based privacy.
Then Facebook fired Khanna.
Check out this blog + extension I wrote about how your friends can track you from Facebook Messenger https://t.co/ufWhvifNLV
— Aran Khanna (@arankhanna) May 26, 2015
Khanna’s internship was supposed to begin on a Monday. The Friday before, Facebook’s vice president of engineering called to tell him that he had violated their terms for employment and couldn’t begin his internship.
Khanna never expected that the backlash would be so drastic. After all, the information he exposed was public and had been available for three years. People had been complaining that Facebook messages were storing too much information about our locations, and Khanna’s app highlighted the vulnerability of the information.
He took the app down when Facebook asked him to, effectively euthanizing it by revoking the API key. But the code was still available on Github, so others could still find it.
“I just wanted to point out something that was privacy-invasive on a product that was used a lot,” Khanna told Mic.
Outside hackers help companies this way all of the time — and they usually get piles of cash for it. They’re called “white hat” hackers (as opposed to “black hats,” who hack maliciously) and their job is to think like the black hats so that they can patch up holes before anyone gets through.
“It’s extremely valuable to have a group of people from all over the world, with a variety of skill sets and creativity, who have a different perspective from the internal team,” Sam Houston, community coordinator for a bug bounty site called Bugcrowd, told Mic. “They find security vulnerabilities that make products more secure.”
Most major tech companies have open bug bounty programs that pay out various rates for white hats who come to them with new information about a security vulnerability. Facebook itself has paid out rewards as high as $33,500 to its bug bounty hunters.
But white hats also have their own ethics while helping the companies they target. And putting vulnerabilities on blast is a blatant transgression.
“Ordinarily, Facebook would be happy about getting information like this,” Bugcrowd CEO Casey Ellis told Mic. “But what Facebook is consistent of is that when they set rules and you violate them, they stick by those rules. White hats are important and critical, but you have to set ground rules and expectations so you don’t end up with anarchy.”
But Khanna didn’t even really “hack” Facebook. He may have brought a privacy issue to light, but technically, the tool is built on publicly available information. That’s the reason he didn’t think he needed bring the project to Facebook’s attention in the first place.
“The information is already public,” Khanna, who has been working at a small deep-learning startup since he lost his internship, pointed out to Mic. “You could collect the same information on paper and pencil and it would have just taken longer.”
Does Khanna regret releasing the Marauder’s Map? He can’t say. He’s disappointed that the company he admired and wanted to work for didn’t hold to the “hacker” values it claims to prize so highly.
“At Facebook they talk about hacker culture — move fast and break things,” Khanna told Mic. “Those were the things that galvanized me to apply to Facebook as a company. I thought it would make me accepted.”