Facebook Messenger is the single most popular app in the entire iTunes store. Millions of people now use it on their phones instead of SMS, which means that millions of people have been letting Facebook tap their exact locations whenever they chat. Who needs the NSA?

Aran Khanna, an incoming Facebook intern (!), combed his Facebook Messenger account and was startled by how much exact GPS data the company had been recording without his knowledge:

You may not believe that there are enough of these location tagged messages to provide truly invasive data on any one person, since they must be on mobile, with GPS on, and choose to share their location for it to be sent… right?

What you should keep in mind is that the mobile app for Facebook Messenger defaults to sending a location with all messages.

It’s not just locational data, it’s very, very specific locational data:

Go ahead and see how many messages in your chats have locations attached. I’m guessing it’s a lot of them. And if this isn’t already starting to get a bit weird, the first thing I noticed when I started to write my code was that the latitude and longitude coordinates of the message locations have more than 5 decimal places of precision, making it possible to pinpoint the sender’s location to less than a meter.

Khanna was able to scrape all this together with a little coding and map out the GPS coordinates of everyone he’s been talking to. His findings are illuminating and deeply creepy (you’ll go far at Facebook, son). The data would make it a cinch for stalkers with a little knowhow to keep tabs on their victims, or predict their next move—and you needn’t even be someone’s official Facebook friend to glean their GPS blips:

I found that I could even do this for people who I am not Facebook friends with. I am currently in a large active chat to organize poker games with some fellow students, many of whom I am not Facebook friends with. However, I can still track their locations extremely accurately from the messages they send the group.

Khanna focuses mostly on what a bad actor could do with this information, but seems to ignore the gargantuan, publicly traded bad actor he’s going to work for this summer. Most people probably don’t realize they’re transmitting their phone’s exact location to Facebook’s server fleet, because Facebook turns this option on by default and camouflages the option within its own busy blue UI.

Khanna updated his post to say that Facebook has notified him that “they are fixing this issue”— but that’s a fundamental, naive misunderstanding of how the site works. This wasn’t an “issue” that required a “fix” until someone pointed out how uncomfortable and sinister it is that a corporation had lured us into providing them with this level of personal information. Facebook Messenger didn’t just erupt, spontaneously, from some primordial code bog; it was designed some of the smartest and most deliberate engineers in the world. If it’s creepy, it’s creepy on purpose.

If you don’t feel like waiting on Facebook to fix this problem Facebook manufactured, here’s how to turn off location information in your Messenger chats:

Tap the blue arrow at the top right.

Contact the author at biddle@gawker.com.
Public PGP key
PGP fingerprint: E93A 40D1 FA38 4B2B 1477 C855 3DEA F030 F340 E2C7