A quick fix that would get 99.9% of us out of people's pics, if the User-Agent string is something unique to the frames. This would only allow HTTP requests from frames, not from desktop browsers. Yes, we can change our user agent string on the desktop browser to match, but like I say - 99.9% of people wouldn't know how.
Do we really need to do it again?
Now THAT is friggin creepy. Nice horror-movie choir for the soundtrack, nice all-white surroundings with no windows or doors. Nightmare material.