Dark Patterns: We May or May Not Realize We’re Being Tricked
Have you ever received a bunch of annoying promotional e-mails and let them sit in your inbox because you could hardly find the “unsubscribe” button? Or have you ever made a hasty choice because your heart was racing when an “Only 1 room left!” notification appeared on a travel website? If so, you have most likely been exposed to – or tricked by – dark patterns.
What are Dark Patterns?

Dark patterns are tricks used in website and app designs that make you buy or sign up for things that you didn’t mean to. The term was introduced in 2010 by Harry Brignull, a London-based UX designer who created 11 catchy terms describing various types of dark patterns, such as “Privacy Zuckering” (a situation where we are tricked into publicly sharing more of our information than we intended to and, as a result, our data is bought by data brokers to be resold to other parties), “Roach Motel” (a situation that is easy to get into but hard to get out of, such as the enormous effort needed to opt out of an e-newsletter subscription, whether through a mail requirement or a cancellation request), or “Hidden Costs” (when we spend a considerable amount of time picking goods online and proceed to the last step of the checkout process, only to discover unexpected charges at the end, e.g. delivery charges, tax, etc.).
Why Do Corporations Use Dark Patterns?
We might initially assume that such a website layout was created carelessly (being “bad design”, as mentioned by Brignull (2010)),[1] while in fact many web designers are intentionally directed to build a design that will steer consumers to the option(s) a company wants. They draw on human psychology, relying on the fact that consumers usually only skim-read the material they open on a website[2] and look at it in the midst of doing other things, such as signing up for a service, completing a purchase, or finding out what their friends have sent them. Because it is hard to stay focused on one particular thing, people tend to “ease” their lives by letting the website they are using narrow down the options, and so fall foul of an unfavourable choice.
The designers may hate the use of dark patterns, as it can harm their reputation as content creators, yet the push for such designs comes from the business people. The designers, as the makers of the designs, are not responsible for strategy, as they are just implementers.[3] From a broader perspective, the business people are likely to have sales targets set by management that they need to achieve, and therefore they tend to favour practical marketing options that require only minimal effort.
How Does the Law Observe Dark Patterns?
An infamous case relating to one type of dark pattern, named “Friend Spam” by Brignull, was Perkins v. LinkedIn, heard in San Jose’s U.S. District Court (2014). In this class action suit, the plaintiffs (Paul Perkins, et al.) complained that LinkedIn violated several state and federal laws, including the Stored Communications Act, the Wiretap Act, 18 U.S.C. § 2511, California’s Comprehensive Data Access and Fraud Act, California’s common law right of publicity, and California’s Unfair Competition Law, by obtaining email addresses from the contact lists of users’ email accounts and repeatedly sending invitations to join LinkedIn to those addresses.
The process begins with a request to the user during registration to “connect with people you know on LinkedIn”. LinkedIn then provides a list by matching the email addresses of the user’s contacts, which LinkedIn collected from Google, against LinkedIn’s own membership database, which contains the email addresses that LinkedIn users used to register for a LinkedIn account. If the user allows this by opting in on the checklist, LinkedIn sends e-mails to the user’s friends in the user’s name with the text “I’d like to add you to my professional work.”. If the recipient does not reply within one week, LinkedIn sends up to three follow-up e-mails, which the plaintiffs describe as intended “to give the recipient the impression that the LinkedIn member is endorsing LinkedIn and asking the recipient to join LinkedIn’s social network.”
The court sided with the plaintiffs in finding that endorsements or invitations from friends have a certain value compared with generic advertisements that do not carry the recommendation of a familiar source. However, the court was not persuaded by the plaintiffs’ contention against the defendant’s argument that users’ clicks through the various screens served as consent to LinkedIn’s disclosures. In the end, the court approved a settlement totalling $13 million for the plaintiffs, for a class of approximately 20.8 million. Under this amount, each user was entitled to only $10. The amount could have been increased to $750 per person under the statutory damages in California’s common law if only the court had found that the users experienced “mental harm”.
A few years later, the European General Data Protection Regulation (“GDPR”) came into effect in May 2018. The GDPR, which contains protections for personal data, applies to the activities of a service provider established in the EU, regardless of whether the services are offered in the EU or not, and to services given by a service provider to users who are located in the EU. It sets out several overarching principles[4] for the processing of personal data, including the principle of “purpose limitation”, under which data should be collected for a “specified, explicit and legitimate purpose”, and “data minimization”, under which the personal data collected should be “limited to what is necessary”.
The GDPR also requires a company to obtain consent meeting certain criteria before it can process the data. The request for consent to data processing must be made in an intelligible and easily accessible form, using clear and plain language, and must be presented separately from other approval requests where the user’s consent is sought for several matters.[5] Further, users must be able to withdraw their consent at any time.[6] There is also a general duty for a company to ensure “data protection by design and by default”, which is intended to require the company to integrate the safeguards of the GDPR into its operations.[7]
The new GDPR, in essence, provides a sufficient framework to ensure that service providers take the consent requirement seriously and manage their behaviour during operation. However, certain findings indicate otherwise. According to the “Deceived by Design” report by the Norwegian Consumer Council on the privacy policies of Facebook, Google and Microsoft (May 2018), even after the GDPR was issued these big companies still gave users “an illusion of control” over their new privacy settings: they created the impression that users had control over their privacy settings when this was not entirely accurate.
For example, Facebook and Google both have default settings preselected to the least privacy-friendly options and have “hidden defaults” that keep users who click “Agree” or “Accept” from knowing what is preselected.[8] Microsoft Windows 10 is credited for requiring users to actively click on the choice they prefer at every step.[9] Nonetheless, the popups of all three have design, symbols, and wording that nudge users away from the privacy-friendly choices.
Conclusion
It seems that all mega-corporations are still in the long process of dutifully creating designs that prioritize transparency and the privacy protection of consumers’ data. From the business perspective, the use of dark patterns to some extent waters down the process of obtaining consent from consumers and at the same time amplifies the data gathering that the company might need to deliver better service in the future. We hope that, with the increasing number of privacy concerns raised against big corporations around the world, they will be moved to become socially responsible companies, so that the use of dark patterns can be gradually reduced.
Hana Monica Hutabarat is an LLM candidate, 2019, at NYU School of Law.
[1] Arushi Jaiswal, “Dark patterns in UX: how designers should be responsible for their actions”, UX Collective, (April 15, 2018), https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c.
[2] Natasha Lomas, “WTF is dark pattern design?”, Tech Crunch, (July 2018), https://techcrunch.com/2018/07/01/wtf-is-dark-pattern-design/.
[3] John Brownlee, “Why Dark Patterns Won’t Go Away”, Fast Company, (22 August 2018), https://www.fastcompany.com/3060553/why-dark-patterns-wont-go-away.
[4] Article 5, Paragraph 1 of GDPR.
[5] Article 7, Paragraph 2 of GDPR.
[6] Article 7, Paragraph 3 of GDPR.
[7] William McGeveran, Privacy and Data Protection Law: 2018 Supplement 53-54 (2018).
[8] “Deceived by Design Report”, Page 14.
[9] “Deceived by Design Report”, Page 18.