Democracy Gone Astray

Democracy, being a human construct, needs to be thought of as directionality rather than an object. As such, to understand it requires not so much a description of existing structures and/or other related phenomena but a declaration of intentionality.
This blog aims at creating labeled lists of published infringements of such intentionality, of points in time where democracy strays from its intended directionality. In addition to outright infringements, this blog also collects important contemporary information and/or discussions that impact our socio-political landscape.

All the posts here were published in the electronic media – main-stream as well as fringe, and maintain links to the original texts.

[NOTE: Due to changes I haven't caught on time in the blogging software, all of the 'Original Article' links were nullified between September 11, 2012 and December 11, 2012. My apologies.]

Wednesday, August 26, 2015

Student Loses Facebook Internship After Highlighting Dangers Of Location Tool

Third-year Harvard University student Aran Khanna had it made: he secured an internship at Facebook, created a Chrome browser extension, and highlighted a potential privacy concern lurking in his soon-to-be employer’s messaging system — the latter of which caused weeks of controversy that cost him an opportunity with the world’s largest social media company.

The controversy stemmed from Khanna’s Chrome app Marauder’s Map, which extrapolated data through Facebook Messenger’s geo-location feature that allowed friends to automatically share their whereabouts via private messages. Facebook rescinded Khanna’s internship offer after learning about the app over privacy concerns.

Marauder allowed users to map out all of the places where Facebook friends shared their location (or opt out) via Messenger, a capability that individuals already had but that wasn’t aggregated. In other words, Khanna’s app rapidly collected location points shared between friends in a user’s network via Messenger. The same could be achieved by hand, following the longitude and latitude provided and placing a marker on a map.

Khanna saw it as a serious privacy oversight, but Facebook contended it was a purposeful feature intended to help friends share their lives. Marauder, however, set out to prove how easily that information could be abused.

“It wasn’t malicious and I thought it was fun,” Khanna told ThinkProgress. But he believes privacy is often deprioritized in tech and was surprised at the lack of attention to Facebook’s location feature.

“There was no public outcry to the [location] feature being problematic,” he said, noting that the Messenger function has been around for years. “I thought it was fair game to build [the extension] as a side project – meant for family, friends, and potential employers as an example of past work — but I didn’t expect the public response.”

In a May Medium blog post released before his internship started, Khanna pointedly criticized the default-location feature, highlighting the potential privacy risks that come from being able to assemble someone’s frequently visited places — even if they are your friends and willingly disclosed the information.

    What you should keep in mind is that the mobile app for Facebook Messenger defaults to sending a location with all messages. Go ahead and see how many messages in your chats have locations attached. I’m guessing it’s a lot of them. And if this isn’t already starting to get a bit weird, the first thing I noticed when I started to write my code was that the latitude and longitude coordinates of the message locations have more than 5 decimal places of precision, making it possible to pinpoint the sender’s location to less than a meter.

Facebook caught wind of the viral post, which had abbreviations posted on Reddit and Twitter, and asked Khanna to disable the app, according to Boston.com. But the company’s primary concern was the published code, which could have been used to siphon personal data from Facebook and violates the site’s terms and conditions.

Khanna wrote:

    I decided to write this extension, because we are constantly being told how we are losing privacy with the increasing digitization of our lives, however the consequences never seem tangible. With this code [link omitted] you can see for yourself the potentially invasive usage of the information you share, and decide for yourself if this is something you should worry about.

News of Khanna’s app and criticism came as Facebook was working on improvements to the location feature — adopting an opt-in system and removing location information and maps to a separate section of the app, a Facebook spokesperson told ThinkProgress.

Facebook doesn’t comment on employee matters but emphasized that employees and civilians are encouraged to report products’ flaws and vulnerabilities.

“We don’t dismiss employees for exposing privacy flaws, but we do take it seriously when someone misuses user data and puts people at risk,” the spokesperson said in a statement. “[Khanna’s] mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people’s privacy and safety. Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it’s inconsistent with how we think about serving our community.”

Khanna told ThinkProgress he posted the code so he could be open about his methods and work, but it wasn’t intended for public consumption. “All of my projects have been open source. It’s not something that was a security issue, it was a feature. It was essentially, a way of being transparent about what was going on, and where [user] data was.”

Moreover, he thought his actions fell in line with Facebook’s outside-the-box culture: “The reason I was actually drawn to Facebook was because of the hacker culture they have,” Khanna told ThinkProgress. But the experience taught him a lot, particularly that a company’s projected culture isn’t always the whole picture.

“With internships, the company is trying you out to see if you’re a good fit for them, and you’re trying them out to see if they’re a good fit for you,” he said. “Through this experience, I saw that it wasn’t what I thought.”

Khanna eventually agreed to disable the app and take down the open source code, and is now interning with Marianas Labs, tinkering with large-scale machine-learning software.

Privacy controversy aside, Khanna’s research demonstrated how a user could discreetly map out a contact’s whereabouts using a feature and potentially abuse a well-intended service. Under different circumstances, his actions could have landed him $100,000 as part of Facebook’s Internet Defense Prize program.

Two Georgia Tech University doctoral students, Byoungyoung Lee and Chengyu Song, earned the reward after reporting security flaws in the social network’s C++ programs. That discovery led to the repair of vulnerabilities in Chrome and Firefox of which Facebook would have otherwise been unaware.

Original Article
Source: thinkprogress.org/
Author:  Lauren C. Williams
