Take This Lollipop

Take This Lollipop was a viral video and interactive website that was released in time for Halloween.

I stayed away from it at the time since the site requires users to use Facebook Connect, the site was of unknown trustworthiness, and it seemed a bit silly to have to give access to my Facebook account to get a lesson in Facebook privacy.  

Tonight I ran across a Dreamhost blog post where they interviewed the creator.   He was also behind the “elf yourself” website.   The site does not store data or post to your account.   This is in line with their posted privacy policy.

Suitably curious, I allowed the site to connect to my Facebook account.

If you wish to remain spoiler free, stop reading here.

Take This Lollipop is delightfully creepy.   The music and the filming location are perfect.   The video shows a stalker logging into my account.   That is what the account pull down menu indicated.   I’ve seen many people comment that they are going to tighten their privacy settings after watching this video.   If you think that, you’ve missed the point.   Not that there is necessarily a point being made.

Once in the account, he sees my pictures, my wall, my friends and my location.   Looks up my current city on-line (Google Maps?) and gets in his car.   As he exits the car you see he has my profile pic taped to the dashboard.   The video ends suddenly.

I was really expecting the video to make use of Google Streetview.   I don’t believe that could actually happen as I don’t recall Facebook having my street address.   Would have been off the hook nuts if they had pulled GPS info from the pictures in my Facebook account or made use of my Facebook Check-ins.

I found the video awesomely entertaining.   It would be orders of magnitude more disconcerting if I was a woman.   Just the same, I think I’ll double-check the locks tonight.   If you don’t have Facebook or are unwilling to do the Facebook Connect, you can watch someone else’s experience on YouTube.

It has been shown that people will give up their password (or at least pretend to play along and give A password) to get a chocolate bar.  In this case, even if you know a website is most likely trying to social engineer you into giving Facebook access to teach you a lesson, you’ll still give up that information when the hook is strong enough.   You want to see something entertaining your friends are all talking about so you give up information.  If there is any lesson here, that is what it is.   This app has nothing to do with you accidentally leaving all your photos set to public (although you should fix that), it only uses the access to your Facebook account that you specifically gave it.

To see the promised dancing bears, users will always compromise their own security.   And I did too.   But only after trusting the site owners to adhere to their privacy policy and seeing the list of Facebook actions allowed.    As a reminder, you should periodically check your Facebook application permissions and remove any that are no longer needed.   Since I don’t see a need to access this site again, I will go to Facebook, select application settings and apps and click the X next to TakeThisLollipop to delete the application permission.  You can always add it back if you return to the site.