If you were asked who could harvest a trove of personal data from 10 million Facebook users in just three weeks you might guess company CEO Mark Zuckerberg over Jason Zada. You'd be dead wrong.
Who is Zada? He offered something scary at Halloween, and nearly 10 million strangers stepped up and granted him access to their personal Facebook information to get it. In doing so they unwittingly walked him past their privacy settings and into their policy-protected data vaults. Maybe you were one of them?
Certainly more than 10 million people viewed Zuckerberg's private photos a few weeks ago when a Facebook bug exposed them to the public. But Zuckerberg was hacked; Zada's millions were socially engineered, accomplices in their own fleecing.
What sophisticated tool did he use? Facebook Apps.
Zada was the creator of TakeThisLollipop.com, a viral Facebook app that collected your Facebook pictures and profile information and put it in the middle of a psycho stalker video.
It was hailed as brilliantly scary. The video ends with the psycho getting out of his truck at a house, your photo taped to his dashboard. Zada said it was a message about privacy.
"If you look at the video, the scariest part is that your information is in the video. The piece is scary because a person is violating your privacy, not because it's bloody or there's anything jumping out," he told AdAgeDigital.
Actually, the scariest part is that your information is in the hands of the Facebook application developer - in this case Zada, who it turns out is benign. His intent was to entertain, and his app clearly stated it was not saving your information. But what's to stop a real-life psycho from doing the same thing and saving the data? Nothing, really.
Facebook has a set of usage policies for its Facebook Platform, which is what developers use to create apps. Among other requirements, the policies dictate application owners must delete all user data if they stop using the platform or Facebook shuts down their app. And policy says app developers must 'delete all data you receive from us concerning a user if the user asks you to do so.'
If developers are running a business, policy means something. If you're running a scam, policy talk is cheap.
How can a real-life psycho (or scammer, or phisher) get your 'protected' data? Ironically, exactly the same way Zada did.
Set up an app that lets users grant you access to their data, show them a video or offer a game, collect their information, then stalk in real life.
In Zada's video you see the psycho is looking at a map to your house. Where do you think that information came from?
What Zada proved is that the Facebook stalker scenario is real. The potential psychos you block via privacy settings know your back door is unlocked. A scam would likely run the same way as TakeThisLollipop: it sprang up on the Internet, went viral and disappeared in 20 days.
Could it have been sleuth hackers, the Russian mafia, the cliché computer hermit in his parents' basement?
It's an email phishing scam mimicked on the social web. It relies on user habit and social engineering - surfing, prurient interest, etc.
Do users know (or care) that Facebook apps bypass privacy settings? One developer I spoke to said that after he wrote his first Facebook app he revoked access to every Facebook application he had signed on to. He was dumbstruck by the amount and depth of user information his app made available to him. When he tested it against his own Facebook account, no matter how tightly he screwed down his privacy settings, the app still had access to just about everything it requested.
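The point the developer makes above, and the retention problem from the policy discussion earlier, can be shown in a small model. This is an added illustration, not Facebook's API or anything from TakeThisLollipop; the profile fields, the `lollipop` app id and the policy helpers are all constructed for the example. It shows that audience privacy settings and app permission grants are two separate axes, and that revoking a grant does not unmake a copy the app already took.

```python
"""Constructed model of two separate access axes on a social platform:
audience privacy (what other users see) and app grants (what an app reads).
Not Facebook's real API; names and fields are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    owner: str
    fields: dict                     # field name -> value
    audience: dict                   # field name -> "public" | "friends" | "only_me"
    friends: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)   # app_id -> set of granted field names


def viewer_can_see(profile: Profile, viewer: str, name: str) -> bool:
    """Audience privacy: governs what other *users* see. Deny by default."""
    if viewer == profile.owner:
        return True
    aud = profile.audience.get(name, "only_me")
    if aud == "public":
        return True
    if aud == "friends":
        return viewer in profile.friends
    return False


def app_can_read(profile: Profile, app_id: str, name: str) -> bool:
    """App permissions: a separate axis. The audience setting is never consulted,
    which is why a 'friends only' or 'only me' field is still readable once granted."""
    return name in profile.grants.get(app_id, set())


class App:
    def __init__(self, app_id: str):
        self.app_id = app_id
        self.store = {}              # harvested copies, keyed by profile owner

    def harvest(self, profile: Profile) -> dict:
        """Copy every granted field; the copy lives outside the platform's controls."""
        self.store[profile.owner] = {n: v for n, v in profile.fields.items()
                                     if app_can_read(profile, self.app_id, n)}
        return self.store[profile.owner]

    def honor_deletion_request(self, owner: str) -> None:
        """What the platform policy asks of a compliant developer."""
        self.store.pop(owner, None)


def revoke(profile: Profile, app_id: str) -> None:
    """User-side revocation: stops future reads only; says nothing about existing copies."""
    profile.grants.pop(app_id, None)


def demo():
    alice = Profile("alice",
                    {"photos": ["p1.jpg"], "hometown": "Springfield", "email": "a@example.com"},
                    {"photos": "friends", "hometown": "friends", "email": "only_me"})
    app = App("lollipop")
    alice.grants["lollipop"] = {"photos", "hometown", "email"}   # the consent dialog
    stranger_sees = [n for n in alice.fields if viewer_can_see(alice, "stranger", n)]
    harvested = sorted(app.harvest(alice))
    revoke(alice, "lollipop")
    still_held = "alice" in app.store   # revocation did not delete the copy
    return stranger_sees, harvested, still_held
```

Only a compliant developer calling `honor_deletion_request` removes the copy; nothing the user can do from the privacy settings reaches it.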
TakeThisLollipop.com proves that a fool and his password (and data) are soon parted. Facebook is a ripe audience, unwittingly picked apart.