Stalking Your Friends with Facebook Messenger

Aran Khanna
Faith and future
Published in
6 min readMay 26, 2015

Edit: At Facebook’s request I have again deactivated the *official* version of the extension. Furthermore, Facebook has deactivated location sharing from the desktop webpage so the extension will not work.

When I came to college Facebook Messenger became an integral part of my digital life. I quickly found that it was the easiest way to keep in touch with old high school friends, contact people I had just met, organize impromptu poker games with people I hardly knew, and everything in between. However, I didn't realize how much data about me Messenger was revealing to the people I chatted with until last week when I began tinkering with my message history.

As you may know, when you send a message from the Messenger app there is an option to send your location with it. What I realized was that almost every other message in my chats had a location attached to it, so I decided to have some fun with this data. I wrote a Chrome extension for the Facebook Messenger page (https://www.facebook.com/messages/) that scrapes all this location data and plots it on a map. You can get this extension here and play around with it on your message data.

A screenshot of the map the extension creates:

What I Found

You may not believe that there are enough of these location tagged messages to provide truly invasive data on any one person, since they must be on mobile, with GPS on, and choose to share their location for it to be sent… right?

What you should keep in mind is that the mobile app for Facebook Messenger defaults to sending a location with all messages.

You can see this location data by clicking on individual messages in the mobile app to reveal a map of where they were sent from.
You can tell if your location is being shared in a message if the little GPS icon next to the text-box is colored blue.

Go ahead and see how many messages in your chats have locations attached. I’m guessing it’s a lot of them. And if this isn't already starting to get a bit weird, the first thing I noticed when I started to write my code was that the latitude and longitude coordinates of the message locations have more than 5 decimal places of precision, making it possible to pinpoint the sender’s location to less than a meter.

Coordinates scraped by my code for two of my friends.

Once the extension was written I naturally started seeing what kind of things I could discover about my Facebook friends.

I am in a pretty active group chat with some of my brother’s friends (who I am friends with on Facebook but don’t know too well). They are all fairly active on the chat, posting once a day or more.

Let’s pick on the one who goes to Stanford. By simply looking at the cluster of messages sent late at night you can tell exactly where his dorm is, and in fact approximately where his room is located in that dorm.

Where my acquaintance who goes to Stanford sleeps.

Furthermore, by gathering a couple weeks’ worth of chat data on the map and looking at the location clusters you can even figure out his weekly schedule. With this you can predict exactly which building he would be in at a given time.

The location history data over the course of a few weeks for my Stanford acquaintance.

In fact I found that I could infer a schedule for almost everyone in this chat as well as the other active chats I am in.

Highlighted the important location clusters for another Facebook friend who is a student at UW

I found that I could even do this for people who I am not Facebook friends with. I am currently in a large active chat to organize poker games with some fellow students, many of whom I am not Facebook friends with. However, I can still track their locations extremely accurately from the messages they send the group.

The detailed location history of someone I am not friends with on Facebook

You can now see the fun (and slightly creepy) things this data allows you to do. But wait there's more! One day when I was chatting frequently with a friend of mine (@tomasreimers) the map allowed me to track his hour by hour locations. At the end of that day the location history on the map closely matched the location history collected by his phone.

Additionally, this map aggregates the location data from all the messages that I send. For the days I was frequently on messenger (posting to different conversations every hour or so), my location history on this map lined up very closely with my phone’s location history.

My scraped messenger location history for a certain active day
My Android phone’s location history for that same day.

This means that if a few people who I am chatting with separately collude and send each other the locations I share with them, they would be able to track me very accurately without me ever knowing.

If you want to map your friends’ locations to see for yourself how fun (and creepy) this data is you can download the extension for Chrome here. The code is also available and open source on Github.

For those of you already wanting out here is a great guide on how to ensure you don’t send your locations from the Messenger app.

What’s The Problem?

Let me reiterate that I still find Facebook Messenger extremely useful and use it religiously, albeit with location sharing now turned off. This may lead you to wonder if there really is a problem here, since there is always option to not share your exact coordinates with messages. However, everyone I have shown this extension to has been anywhere from surprised to appalled that this much of their very personal data is online for their friends (and even complete strangers) to access. So it is seems that there is an issue.

Let’s start at the root of the problem: why do so many people give up their location data so readily on Messenger?

The main problem is that every time you open your phone and send a single message it’s so easy to forget about your location data being attached to it. Furthermore, it seems so harmless to attach a location with a single message, but the problem is over time the information from these messages adds up.

Both of these issues in some way stem from the fact that locations are not only included by default, but also are rather subtly placed in the UI. The power of defaults on human behavior is well documented in psychology and suggests that few people will put in the effort to deviate from the default action of sharing. Furthermore, because there are no readily visible consequences to sharing your location, users are never incentivized to devote attention to what this default of sharing is actually revealing about them.

I decided to write this extension, because we are constantly being told how we are losing privacy with the increasing digitization of our lives, however the consequences never seem tangible. With this code you can see for yourself the potentially invasive usage of the information you share, and decide for yourself if this is something you should worry about.

If you found this interesting you may also enjoy my post on Venmo’s privacy flaws and the extension I made to reveal them.

--

--

Aran Khanna
Aran Khanna

Written by Aran Khanna

I write about technology and society. Harvard College ‘16. Find me at arankhanna.com

Responses (63)