Serious stalking danger from an extension to Facebook Messenger is revealed in a recent geek post. The extension locates you within one meter ie which dorm, where in dorm, etc.
“However, everyone I have shown this extension to has been anywhere from surprised to appalled that this much of their very personal data is online for their friends (and even complete strangers) to access. So it is seems that there is an issue.”
Stalking Your Friends with Facebook Messenger
MEDIUM.COM|BY ARAN KHANNA
Stalking Your Friends with Facebook Messenger
Edit: At Facebook’s request I have again deactivated the *official* version of the extension. Furthermore, Facebook has deactivated location sharing from the desktop webpage so the extension will not work. However, it seems locations are still being shared on the mobile app and sharing is still enabled by default.
When I came to college Facebook Messenger became an integral part of my digital life. I quickly found that it was the easiest way to keep in touch with old high school friends, contact people I had just met, organize impromptu poker games with people I hardly knew, and everything in between. However, I didn’t realize how much data about me Messenger was revealing to the people I chatted with until last week when I began tinkering with my message history.
As you may know, when you send a message from the Messenger app there is an option to send your location with it. What I realized was that almost every other message in my chats had a location attached to it, so I decided to have some fun with this data. I wrote a Chrome extension for the Facebook Messenger page (https://www.facebook.com/messages/) that scrapes all this location data and plots it on a map. You can get this extension here and play around with it on your message data.
What I Found
You may not believe that there are enough of these location tagged messages to provide truly invasive data on any one person, since they must be on mobile, with GPS on, and choose to share their location for it to be sent… right?
What you should keep in mind is that the mobile app for Facebook Messenger defaults to sending a location with all messages.
Go ahead and see how many messages in your chats have locations attached. I’m guessing it’s a lot of them. And if this isn’t already starting to get a bit weird, the first thing I noticed when I started to write my code was that the latitude and longitude coordinates of the message locations have more than 5 decimal places of precision, making it possible to pinpoint the sender’s location to less than a meter.
Once the extension was written I naturally started seeing what kind of things I could discover about my Facebook friends.
I am in a pretty active group chat with some of my brother’s friends (who I am friends with on Facebook but don’t know too well). They are all fairly active on the chat, posting once a day or more.
Let’s pick on the one who goes to Stanford. By simply looking at the cluster of messages sent late at night you can tell exactly where his dorm is, and in fact approximately where his room is located in that dorm.
Furthermore, by gathering a couple weeks’ worth of chat data on the map and looking at the location clusters you can even figure out his weekly schedule. With this you can predict exactly which building he would be in at a given time.
In fact I found that I could infer a schedule for almost everyone in this chat as well as the other active chats I am in.
I found that I could even do this for people who I am not Facebook friends with. I am currently in a large active chat to organize poker games with some fellow students, many of whom I am not Facebook friends with. However, I can still track their locations extremely accurately from the messages they send the group.
You can now see the fun (and slightly creepy) things this data allows you to do. But wait there’s more! One day when I was chatting frequently with a friend of mine (@tomasreimers) the map allowed me to track his hour by hour locations. At the end of that day the location history on the map closely matched the location history collected by his phone.
Additionally, this map aggregates the location data from all the messages that I send. For the days I was frequently on messenger (posting to different conversations every hour or so), my location history on this map lined up very closely with my phone’s location history.
This means that if a few people who I am chatting with separately collude and send each other the locations I share with them, they would be able to track me very accurately without me ever knowing.
For those of you already wanting out here is a great guide on how to ensure you don’t send your locations from the Messenger app.
What’s The Problem?
Let me reiterate that I still find Facebook Messenger extremely useful and use it religiously, albeit with location sharing now turned off. This may lead you to wonder if there really is a problem here, since there is always option to not share your exact coordinates with messages. However, everyone I have shown this extension to has been anywhere from surprised to appalled that this much of their very personal data is online for their friends (and even complete strangers) to access. So it is seems that there is an issue.
Let’s start at the root of the problem: why do so many people give up their location data so readily on Messenger?
The main problem is that every time you open your phone and send a single message it’s so easy to forget about your location data being attached to it. Furthermore, it seems so harmless to attach a location with a single message, but the problem is over time the information from these messages adds up.
Both of these issues in some way stem from the fact that locations are not only included by default, but also are rather subtly placed in the UI. Thepower of defaults on human behavior is well documented in psychology and suggests that few people will put in the effort to deviate from the default action of sharing. Furthermore, because there are no readily visible consequences to sharing your location, users are never incentivized to devote attention to what this default of sharing is actually revealing about them.
I decided to write this extension, because we are constantly being told how we are losing privacy with the increasing digitization of our lives, however the consequences never seem tangible. With this code you can see for yourself the potentially invasive usage of the information you share, and decide for yourself if this is something you should worry about.