Have you ever received a pile of annoying promotional e-mails and left them sitting in your inbox because you could hardly find the “unsubscribe” link? Or have you ever made a hasty booking because your heart started racing when an “Only 1 room left!” notice appeared on a travel website? If so, you have most likely been exposed to, or tricked by, dark patterns.

What are Dark Patterns?

Source: https://darkpatterns.org/hall-of-shame

Dark patterns are tricks used in website and app design that make you buy or sign up for things you did not mean to. The term was coined in 2010 by Harry Brignull, a London-based UX designer, who created 11 catchy labels for the various types of dark pattern, such as “Privacy Zuckering” (we are tricked into publicly sharing more of our information than we intended, and as a result our data is bought by data brokers and resold to other parties), “Roach Motel” (a situation that is easy to get into but hard to get out of, such as a newsletter subscription that can only be cancelled with enormous effort, by postal mail or a formal cancellation request), or “Hidden Costs” (we spend a considerable amount of time picking goods online and proceed to the last step of the checkout, only to discover unexpected charges at the end, e.g. delivery fees or tax).

Why Do Corporations Use Dark Patterns?

We might initially assume that such a layout was created carelessly (mere “bad design”, as Brignull (2010) put it),[1] while in fact many web designers are deliberately directed to build designs that steer consumers towards the option(s) the company wants. They exploit human psychology, relying on the fact that consumers usually only skim-read what they open on a website[2] and look at it in the midst of doing something else, such as signing up for a service, completing a purchase, or finding out what their friends have sent them. Because it is hard to keep one’s focus on a single thing, people tend to “ease” their lives by letting the website narrow down the options for them, and so fall foul of an unfavourable choice.

Designers may dislike dark patterns, since they harm their reputation as the creators of the content, yet the push for such designs comes from the business side. Designers, as the makers of the designs, are not responsible for strategy; they are just implementers.[3] More broadly, business people are likely to have sales targets set by management, and therefore tend to reach for whichever marketing option delivers results with minimal effort.

How Does the Law View Dark Patterns?

An infamous case involving one type of dark pattern, which Brignull calls “Friend Spam”, is Perkins v. LinkedIn, heard in the U.S. District Court in San Jose (2014). In this class action the plaintiffs (Paul Perkins et al.) complained that LinkedIn had violated several state and federal laws, including the Stored Communications Act, the Wiretap Act (18 U.S.C. § 2511), California’s Comprehensive Computer Data Access and Fraud Act, California’s common law right of publicity, and California’s Unfair Competition Law, by harvesting email addresses from the contact lists of users’ email accounts and repeatedly sending invitations to join LinkedIn to those addresses.

The process begins with a prompt during registration to “connect with people you know on LinkedIn”. LinkedIn then builds a list by matching the email addresses in the user’s contacts, which LinkedIn collected from Google, against its own membership database, which contains the email addresses LinkedIn members used to register. If the user opts in via the checklist, LinkedIn sends e-mails to the user’s contacts in the user’s name with the text “I’d like to add you to my professional network.” If a recipient does not respond within one week, LinkedIn sends follow-up e-mails, up to three times in all, which the plaintiffs described as designed “to give the recipient the impression that the LinkedIn member is endorsing LinkedIn and asking the recipient to join LinkedIn’s social network.”

The court agreed with the plaintiffs that endorsements or invitations from friends carry a value that generic advertisements, lacking a recommendation from a familiar source, do not. However, the court was not persuaded by the plaintiffs’ challenge to LinkedIn’s argument that the users’ clicks through the various screens constituted consent to LinkedIn’s disclosures. In the end, the court approved a settlement of $13 million in total for a class of approximately 20.8 million members. Out of this amount, each claimant was entitled to only about $10. The figure could have risen to $750 per person under California’s statutory damages for the right of publicity, had the court found that the users suffered “mental harm”.

A few years later, the European General Data Protection Regulation (“GDPR”) came into effect in May 2018. The GDPR, which protects personal data, applies to the activities of a service provider established in the EU, regardless of whether the processing itself takes place in the EU, and to services the provider offers to users located in the EU. It sets out several overarching principles[4] for the processing of personal data, including “purpose limitation”, under which data must be collected for “specified, explicit and legitimate purposes”, and “data minimisation”, under which the personal data collected must be “limited to what is necessary”.

The GDPR also regulates consent, which must meet certain criteria before a company may process data on that basis. A request for consent to data processing must be presented in an intelligible and easily accessible form, using clear and plain language, and must be clearly distinguishable from other matters when the user’s consent is sought alongside approval of something else.[5] Further, users must be able to withdraw consent at any time, and withdrawing it must be as easy as giving it.[6] There is also a general duty on companies to implement “data protection by design and by default”, which is intended to make them integrate the GDPR’s safeguards into their operations.[7]

In essence, the GDPR provides a sufficient framework to ensure that service providers take the consent requirement seriously and manage their behaviour in operation. However, certain findings indicate otherwise. According to the “Deceived by Design” report by the Norwegian Consumer Council, which examined the privacy settings Facebook, Google and Microsoft presented to users around the GDPR’s entry into force (the report was published in June 2018), even after the GDPR took effect these big companies still gave users “an illusion of control”: they created the impression that users controlled their privacy settings, while this was not entirely accurate.

For example, Facebook and Google both preselect the least privacy-friendly options by default and use “hidden defaults” that prevent a user who clicks “Agree” or “Accept” from seeing what has been preselected.[8] Microsoft’s Windows 10 is praised for requiring users to actively click on their preferred choice at every step.[9] Nonetheless, the popups of all three use design, symbols and wording that nudge users away from the privacy-friendly choices.

It seems that all of the mega-corporations are still a long way from designs that prioritise transparency and the protection of consumers’ data. From a business perspective, dark patterns to some extent water down the process of obtaining consent from consumers while at the same time amplifying the data gathering a company may need in order to deliver better services in the future. We hope that, as privacy concerns about big corporations grow across society, they will be pushed to act as socially responsible companies, and that the use of dark patterns will gradually decline.

Hana Monica Hutabarat is an LLM candidate, 2019, at NYU School of Law.

[1] Arushi Jaiswal, “Dark patterns in UX: how designers should be responsible for their actions”, UX Collective (April 15, 2018), https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c.

[2] Natasha Lomas, “WTF is dark pattern design?”, TechCrunch (July 1, 2018), https://techcrunch.com/2018/07/01/wtf-is-dark-pattern-design/.

[3] John Brownlee, “Why Dark Patterns Won’t Go Away”, Fast Company (August 22, 2018), https://www.fastcompany.com/3060553/why-dark-patterns-wont-go-away.

[4] Article 5(1) GDPR.

[5] Article 7(2) GDPR.

[6] Article 7(3) GDPR.

[7] William McGeveran, Privacy and Data Protection Law: 2018 Supplement 53-54 (2018).

[8] Norwegian Consumer Council, “Deceived by Design” report, p. 14.

[9] Norwegian Consumer Council, “Deceived by Design” report, p. 18.

5 thoughts on “Dark Patterns: We May or May Not Realize We’re Being Tricked”