A new extension for Google’s Chrome browser pushes the creepy needle into the red zone. Marauders Map tracks the location of anyone using Facebook Messenger who hasn’t disabled its access to their smartphone’s GPS location information.
The extension is so accurate it can pinpoint Messenger user locations to about a meter, and it can also search old messages to create a map of the user’s travels during the past days or even weeks.
The developer of the app, Aran Kahanna, does not appear to be a creep. He’s a young college student in Cambridge, Mass., who wanted to illustrate the dangers of unconsciously sharing personal data. I think he succeeded. (You can read Kahanna’s blog post about Marauders Map here.)
Not only did Kahanna track the location of his Facebook friends, he figured out a way to keep tabs on anyone participating in group messages on Messenger, even if they weren’t connected to him on Facebook. For example, he tracked the location of someone in a poker group he belongs to and was able to pinpoint the man’s dorm at Stanford University, as well as his specific room within the dorm. (The image shown above details the location of that man over several weeks as tracked by Marauders Map.)
It doesn’t take a lot of imagination to think up some very bad ways that data could be used. There is, of course, an easy way to block the tracking functionality in Marauders Map. You can just go into your smartphone’s settings and revoke Messenger’s location access.
So what’s the big deal? Facebook Messenger grabs location data by default, and it’s likely that many, maybe most, users don’t think about turning it off when they install it. Facebook pushes its users to install Messenger, so tens, even hundreds, of millions of people are inadvertently sharing their locations.
There’s also a broader issue that goes well beyond Marauders Map, according to Tim Erlin, director of IT security and risk strategy at Tripwire, an enterprise security provider. “We have accepted that location is something we share, and we share it with many apps,” he says. The problem is that those apps may share your personal information with people or companies that you don’t know and have no reason to trust.
Your identity is made up of many discrete bits of information including your age, address, social security number and employer, as well as your location at any given time. Individually, these bits may not reveal damaging information, but the combination of two or more pieces of data can paint a detailed picture of who you are, Erlin says.
To illustrate his point, Erlin directed me to a site called MyLife that collects publicly available data on millions of people. I was not happy to see that it listed the names of several close family members, the exact addresses of the last six places I’ve lived, many of my old phone numbers, my age, recent employers, and more.
In his blog post, Kahanna said that Facebook may disable the code that allows Marauders Map to work with Messenger. When I installed Kahanna’s extension, I couldn’t get it to work, so maybe it’s already dead. But that’s beside the point. We all willingly share far too much data for our own good, and we need to change the way we think about online privacy.