
Dark Patterns, the Ratchet - l1n
https://jacquesmattheij.com/dark-patterns-the-ratchet
======
jerf
I was discussing some work on some opt-out we're going to be offering
customers so they can either accept or decline certain automated patches to
their systems, and I found myself describing the opt-out as "real opt-out",
because you can flip the switch to "no" and all that happens is exactly what
you want; you stop getting those changes automatically. You can still apply
them manually later, or selectively, etc. We don't terminate your service or
charge you more or do anything else. You just choose whether you want the
convenience along with the bit of risk of changes, or if you want the control
and the responsibility.

And I realized I had been subconsciously calling this "real" opt-out precisely
because what I encounter in life as "opt-out" does not match that
description. "Real opt-out" is distressingly rare. Almost everything I
encounter in real life is the style of ratchet described in this article, to
the point where my brain without consulting me decided I needed a new
word/phrase for what we were doing.

------
ocdtrekkie
A new Cortana popup's been showing up on the Windows 10 machines this week,
where you can enable it, or have it "remind you later". >.<

I feel like every modal dialog needs a "f--- off" response. When YouTube asks
me every fifteen minutes if I'd like to try YouTube TV, my answer isn't "no
thanks", a polite declination of this generous offer. It's "f--- off", you
incessant greedy tools.

~~~
asfgjadfgionoin
That's everywhere on Windows. They did the same thing to try to railroad
people into installing Windows 10. They do the same thing for every software
upgrade.

OS X isn't much better.

~~~
ocdtrekkie
Actually, Microsoft's current strategy for pushing updates is to
"accidentally" break the options that let you withhold updates for a period of
time. They've broken them like three times in the last six months, arbitrarily
forcing large groups of Pro users to later versions of Windows than they
should've gotten.

~~~
realusername
I found a way to get rid of windows updates. You just need to not have enough
disk space... Every time I boot, I have a modal asking me to free more than
8GB to start the update.

~~~
ocdtrekkie
The goal isn't to "get rid of Windows updates". Windows Updates are
_important_. Of course, we do need to control those updates better. And
Microsoft needs to be better about keeping those updates stable.

~~~
realusername
I only meant it as a joke, I'm just wishing Windows Updates would be less
bloated than they are now, it would help speed up the process and keep
customer complaints down. Also I don't need to wait 20 minutes in front of a
blue screen when I do updates in Ubuntu.

------
mindslight
The longstanding root of the problem is that we're relying on software that is
under the control of an adversarial party, especially for creating a UI. This
necessarily means that incentives are misaligned, and we are left as an
unaccompanied homo sapien to be outwitted by the machine in front of us that
we may have paid for, but that does not work for us.

It will be interesting to see where the GDPR goes, especially with regards to
surveillance companies we don't directly interact with. But as long as we
continue to do things like utilize a specific retailer's software for
researching and planning purchases, the incentives are for that retailer to
design that software to push us into funneling as much business (and
extraneous personal data!) as possible to themselves.

~~~
xg15
> _The longstanding root of the problem is that we're relying on software
> that is under the control of an adversarial party, especially for creating a
> UI._

One of the original ideas of the "semantic web" was that the entities that
provide data and the entities that _display_ the data should be decoupled and
freely combinable by the user.

That idea didn't gain particularly large support with website developers.

I wonder why... /s

~~~
always_good
Because there isn't much incentive to do something that makes it easier to not
get paid for your content?

It already rubs me the wrong way when Google scrapes content from sites. I'm
not surprised the dream failed if that's what it was.

~~~
kilburn
"/s" at the end of a comment means the author was being sarcastic ;)

------
scottmf
It’s funny how they only want to repeatedly confirm your decision when you
give the answer they don’t want.

Every time my Facebook messenger app updates it asks me to confirm my phone
number (which it already has through some other method). It employs multiple
dark patterns to trick me into confirming, and because of this I’ve very
nearly done so by accident.

This stuff might be profitable in the short term but many of us see through it
— especially the younger generations — and it’s eroding any trust you may
still have with people.

Companies need to cut this shit out ASAP if they want to be trusted in the
future.

~~~
mistermann
Cutting this out puts a company at a disadvantage to competitors. This is a
case where the government "of the people and for the people" should step in
and write some _real_ legislation, _and enforce it_. Unfortunately, "of the
people and for the people" is effectively ancient history now, they're far too
busy bickering over Russian trolls and fulfilling their donors' wishes. What a
sad state of affairs.

~~~
icebraining
I'm not against regulation on principle, but how specifically would you write
something against these patterns? I have a hard time seeing how to describe
them in a general way - and "I know them when I see them" doesn't make good
law.

~~~
mistermann
Write the law vaguely and make punishments potentially scarily harsh, the
general idea that if companies would like to continue to play dumb farmer,
they better hope they don't run into someone with a strict personality. In
law, there is the notion of both the letter and the spirit of the law, so this
notion isn't unprecedented.

You might think this is a bit crazy, and you'd be correct, but it's nowhere
near as crazy as _thousands_ of things in the actual reality of our current
legal system (banks crashing the global financial system, yet no one was
guilty of anything, black men being executed at point blank range and the cop
walking away, etc etc etc etc etc).

------
mightybyte
This strikes me as an area where legislation could have a significant impact.
It's an area where there is absolutely no economic incentive to do the right
thing. It seems similar to the way email lists and spam were back in the early
days of the internet. Based on my observations, the CAN-SPAM act requiring
automated mailings to have an unsubscribe link actually seems to have been
fairly effective at improving that situation. Granted, there is still spam,
but the legit mailing lists are a lot easier to opt out of than they used to
be. Perhaps some legislation relating to terms of service agreements could
help with this problem?

------
bayonetz
Not privacy related but how about that damn “Ratchet” that iPhones have to get
you to upgrade the OS? You are literally presented with two choices: upgrade
now or remind me later. The remind me later choice means getting a daily nag
with the same two choices. I inevitably lose this little cat’n’mouse game and
accidentally click the upgrade now option. Yes, you can delete the update file
to postpone the prompt for a bit but that is a hassle and only temporary
anyway. APPLE, I DON’T WANT TO UPGRADE!!! Every time I inevitably accidentally
upgrade, the UX responsiveness degrades another step. For the third phone in a
row I’m at the point where I feel like I need to upgrade to new hardware to
get back to the responsiveness level I want. I think we all know this is no
coincidence.

~~~
jachee
You might be overly sensitive. My wife still runs an iPhone 6 (not 6s), on the
latest OS. I can only _just_ tell the difference between it and my 8 (also on
the latest OS.) in app load times for giant apps. Otherwise (scrolling,
network, etc.) there is no functional difference unless you're sitting there
with a stopwatch.

Don't propagate the false "planned obsolescence" meme. It's tired and counter-
productive, especially from a security standpoint.

~~~
lambda_lover
Maybe you're just not that sensitive to it? App load times aren't what keeps
me from updating, it's stability -- iOS 11 is _still_ ridden with bugs, which
is ridiculous for a 6 month old OS used by millions of people worldwide. Of
course, CPU throttling is another valid reason to hold off, or, if you use a
phone with a smaller screen like my SE, you might not want to update to an OS
that doesn't scale well for your screen size.

------
some_random
You know, if a country ran an election over and over until they got the
"right" answer it would be obvious that said country wasn't a democracy. I would
have no problems if every time I opened an app or logged into a website it
asked if it could have the set of permissions it needed (or wanted). Or, it
could ask me once, then make me go into the settings to change my answer if I
changed my mind.

But asking over and over until I say yes, then never asking again is just as
nefarious as my aforementioned election strategy.

~~~
vanderZwan
I don't think it's much of a stretch to call it abuse.

Imagine this was a person-to-person thing. Person A wants person B to consent
to something person B does not want to consent to. And let's not beat around
the bush here: we're all thinking of something sexual right now. A repeatedly
asks B, and no matter how many times B says no, A claims that B said "maybe
later". B does not get to say "fuck off" unless B somehow quits A altogether.

Now that is messed up enough already, but what these forms do is _give you no
other option than answer "maybe later"_. That's a level above putting words in
someone's mouth that I am sure would be considered a form of violation if
someone in a position of power could do that to someone else.

And that very much applies here: I don't get to create the pop-ups in an app
or on a website, so the app-makers are abusing a position of power here.

~~~
opportune
I had just thought of this exact analogy too. Another one that came to mind is
a forced/coerced confession. Usually it's combined with something more extreme
like sleep deprivation/psychological abuse but the way it often works is just
asking someone over and over for hours whether they committed the crime / how
they did it. Eventually people confess just to make it stop. I see this as the
same thing on a smaller scale: eventually you just accept the
terms/update/whatever to make the annoying notifications go away. But you were
still coerced into that decision out of annoyance and frustration.

------
opportune
Excellent post. I recently dealt with "The Ratchet" for several months on my
old iPhone, because I didn't want to upgrade to the new OS at the time for
battery/performance reasons. Every single day I'd get a full screen popup
telling me to enter my passcode to update, or I could click on a smaller box
at the bottom to remind me later. It was my own phone and I couldn't even make
it stop asking me to update.

The other place I noticed it recently was Reddit's mobile website, which asks
me to download the app TWICE every time I reopen it on my phone. The first
prompt is a bottom banner taking up about 40% of the screen on my phone with
the small link to the mobile site situated uncomfortably close to the much
larger button which takes you to the app store. The second is a popup from
clicking on a link, which takes up about 60% of the screen and is centered.
It's workable, but it's almost as annoying, persistent, and anti-user as
Facebook messenger on mobile web browsers.

It's infuriating seeing some of your favorite products try to pull this on
you. I wish I could tell the developers to stop being assholes to their faces.

~~~
marzell
The Reddit example extends to Android as a whole - I can't speak to Apple iOS
due to inexperience.

Browsing websites with a companion app always prompts you to view in the app
or install the app, and the presentation is always biased toward doing so
instead of declining. I wish there was an option to indicate that you don't
want to be prompted in this fashion in the future - either all around, or to
have it remember specific apps that you don't want to install.

It really is a persistent annoyance. The Reddit website in full desktop mode
has also recently been pestering users about logging in, and it does so every
time you navigate to the site if you aren't already logged in to an existing
account.

It is really quite annoying, and has actively caused me to use the site less.
I'm much less likely to use a timesink or unfocused browsing activity if I'm
being pestered while doing so. I imagine that this type of activity is a
significant portion of the whole for such websites, so it really seems
disingenuous, unless their long-term plan is to pull a Facebook and focus on
revenue through selling user data to third parties (which I imagine is most
likely the case).

------
noir_lord
Google are buggers for this one.

Not now should be "Not now and Never".

They don't stop doing the thing you told their UI to stop doing; they 'pause'
it.

GDPR is going to be great.

~~~
stronglikedan
> GDPR is going to be great.

Does GDPR explicitly prohibit the use of these patterns? Or will it spawn more
of them to trick you into accidentally opting in?

~~~
anvandare
Maybe. Per Article 7(3) (in particular the last sentence)[0]:

> The data subject shall have the right to withdraw his or her consent at any
> time. The withdrawal of consent shall not affect the lawfulness of processing
> based on consent before its withdrawal. Prior to giving consent, the data
> subject shall be informed thereof. It shall be as easy to withdraw as to give
> consent.

As I read it, if you're going to annoy your no-consent-given-(yet)-users with
a "convenient" popup every time asking whether they consent... Then you also
have to annoy your consent-already-given-users with an equally "convenient"
popup every time asking whether they _still_ consent. Break the anti-pattern
by forcing the developers to pull it all the way through.

At any rate, it gets rid of the "Aha! given at last! now you can never revoke
it!"-part of the ratchet.

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1490179745294&from=en (page 37)

------
21
To pick on a different company, every once in a while when I start Revolut
(fintech mobile bank account like thingy), I get asked if I want to upload my
contact list so that I can easily send/receive money from my contacts. There
is no option to "Never".

~~~
JimDabell
If you're using iOS, then they only get one shot at asking for permission with
the system prompt, and if you say no, they can't do it again. So what most
applications do is show a custom prompt (which they can show an unlimited
number of times), and if you agree to that, then they show the system prompt,
which users are unlikely to refuse at that point.

This means that it's pointless for them to show their custom prompt if you've
already refused access, because even if you agree, they can't get the system
prompt to show up again. So you can _probably_ make the repeated prompts
disappear by either a) agreeing to their custom prompt then refusing access
when the system prompt appears, or b) going to Settings > Revolut and refusing
access to your contacts there. The latter is probably the best way of doing
it.

~~~
jstarfish
> This means that it's pointless for them to show their custom prompt if
> you've already refused access, because even if you agree, they can't get the
> system prompt to show up again. So you can probably make the repeated
> prompts disappear

No. I have seen this defeated on a few apps-- they harass you with the custom
messages, and when it realizes it can't trigger the system prompt, it just
tells you to go into settings and approve it manually. Failure to follow
through means the custom messages will continue harassing you as long as the
permission has not been granted.

------
sireat
LinkedIn is particularly adept at repeatedly asking you to share your e-mail
contact list.

Don't think there is an option: Never share my contacts and stop bugging me
about this option.

~~~
yjftsjthsd-h
Solution: single use email account. For bonus points, an address book where
each entry is a complaint about LinkedIn.

------
steve_gh
I'm wondering whether GDPR is going to make this worse.

It used to be that the GWR train Wifi would automatically log me in. But now
that has changed, and it takes me to a pre-populated log-in screen, which
requires me to untick the "Add me to the mailing list" button, and tick the
"T&Cs" and "Privacy statement" buttons.

I suspect that this is a GDPR hoop to show they have consent for every bit of
data they use. But all I have to do is forget to untick the "Add me to your
mailing list" button once...

~~~
Someone
The GDPR doesn’t allow default-checked opt-in checkboxes. They aren’t “clear
affirmative actions”.

Article 4.11: _“'consent' of the data subject means any freely given,
specific, informed and unambiguous indication of the data subject's wishes by
which he or she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her”_

~~~
Silhouette
So now we have to go back to every site/service/app including unchecked but
mandatory tick boxes about agreeing to their terms and privacy policy in the
checkout process, thus both annoying just about everyone and potentially
reducing conversion rates while making no practical difference to anything
whatsoever? I guess we can file that with the "cookie" law and the consumer
protection rules that say if you want to download any digital content you just
bought immediately instead of waiting 14 days first then <insert scary
legalese about losing a right to cancel under some law you never heard of
here>. I think they're under "well intentioned but utterly lacking in
practical understanding".

~~~
icebraining
Those tick boxes can only be mandatory if the data is actually needed to
provide the service - the user can't be forced to allow his data to be used
for marketing purposes, for example. Also, if it's obvious for what purpose
the data will be used (e.g. filling in your address for delivering a package),
you don't need a tick box.

So there should be little need for mandatory boxes.

~~~
Silhouette
As ever with the GDPR, things are going to get subjective and you take your
chances until the picture is clearer. A strict interpretation appears to be
that, for example, a business that uses a customer's email address as an
account ID on its web site and sends only essential messages to that email
address doesn't need consent, because the legal basis for the processing is
performance of a contract, but if the email address is also used for other
forms of communication (even if the message is genuinely relevant and something
the customer would almost certainly want to receive) then that may require
active consent. That could lead to a lot of places adding those checkboxes
back in just to make sure they're covered, even if they aren't strictly
necessary.

~~~
icebraining
Actually, they can't add those checkmarks, because consent must be specific
(use this data for this purpose), so a generic tick box about agreeing to
their terms and privacy policy won't fly.

~~~
Silhouette
Well, at that point, all semblance of reality would have been lost anyway. It
seems highly unlikely that any businesses, even huge ones that have data-
hoarding business models, are going to start itemising opt-in consents in
their sign-up process rather than just having a compliant privacy policy and a
single active consent to processing under it.

~~~
icebraining
If they don't, I'm sure my national data protection commission will be happy
to remind them.

~~~
Silhouette
Unless they really want to play chicken over something that is clearly an
unreasonable interpretation of the rules, I doubt it.

Using the GDPR to go after one big player that seriously screwed up is one
thing. I certainly wouldn't be comfortable if I held Facebook stock right now.

But going after _all_ the big players, just for not complying with something
that is probably impractical for any of them to comply with, is something else
entirely. How long do you think public sentiment is going to support
government regulators and the GDPR if the likes of Facebook, Google Mail,
WhatsApp, Instagram and SnapChat all go dark across the EU for an hour, or a
day, or a week?

~~~
icebraining
_unreasonable interpretation of the rules_

There's nothing unreasonable about it, it's the plain reading of Article 7
(2).

Regarding the big sites, I don't see how that is relevant to your initial
point about whether "every site" will have mandatory checkboxes, and so I'll
let someone else read the magic 8 ball.

------
wccrawford
I completely agreed until this point:

> Of course it would be trivial to have a log of recently given permissions and
> an ‘undo’ option for each of those.

No, that's not trivial. It's not _hard_, but it's pretty far from _trivial_.
Trivial would be removing the "not now" functionality from this question.

Maintaining a list of permissions and implementing the ability to undo them
from a common area doesn't sound trivial at all to me, even if that only meant
"no permission _in the future_".

If you were designing the app from the ground up to support that, it'd be a
lot easier. But it still wouldn't be "trivial".

I went to go find the definition of "trivial", but I didn't get what I
expected, and I'm sure it isn't what the author meant, either. "of little
value or importance."

I was looking for something along the lines of "taking a negligible amount of
effort". And I don't think implementing an entire interface and storing a list
of data for it is trivial, let alone the part where you can take actions from
that interface that potentially have system-wide ramifications.

~~~
Thrymr
The computer science sense of "trivial" comes from the mathematical sense,
"Related to or being the mathematically most simple case. More generally, the
word "trivial" is used to describe any result which requires little or no
effort to derive or prove." [0]

And of course "trivial" is related to "obvious" when used in a math lecture.

[0] http://mathworld.wolfram.com/Trivial.html

------
87812487
In browser, I can use this plugin
(https://addons.mozilla.org/en-GB/firefox/addon/nuke-anything-enhanced/) to
destroy those annoying popups.

In mobile, no such luxury, so instead always use the web app version unless
unavoidable, like whatsapp.

------
solidist
Yes. More on this in context to A/B/C/D.

https://hackernoon.com/deception-degenerate-a-b-testing-ecce6635000e

Note: I am the author.

------
sfilargi
Textbook example was LinkedIn’s “Upload your Gmail contacts” prompt.

It would keep asking the user every time they visited their page.

------
bluetwo
If only there was a government agency who was:

_Working to protect consumers by preventing anticompetitive, deceptive, and
unfair business practices, enhancing informed consumer choice and public
understanding of the competitive process, and accomplishing this without
unduly burdening legitimate business activity._

------
bencollier49
Aaaaand.. that's why we have GDPR.

~~~
wccrawford
GDPR only applies when the user doesn't give consent. This dark pattern is
about obtaining that consent, not about using the user's data without consent.

~~~
bencollier49
GDPR also governs the way in which consent can be obtained, and the withdrawal
of consent.

------
maksimum
Is the ratchet a good design strategy for software updates (e.g. Chrome, Mac
OS)?

~~~
chopin
It worked for Windows.

------
gesman
Opt-out means “we can’t directly use your information but wait! We’ll find a
sneaky hard to trace way to sell your information to others”

