
Dark patterns in GDPR consent boxes - vincent_s
https://arxiv.org/abs/2001.02479
======
qwerty456127
I just click agree and then flush the cookies regularly which usually is much
easier than finding the way to deny. The EU should better force them to respect
the do-not-track header - this would be way handier. I hope the law gets an
upgrade soon requiring everybody to offer an easy "deny all tracking and
proceed" button. The only case when I actually don't mind to be tracked (by
the first party only, anyway) is when I register and sign-in.

~~~
andrepd
This interface should be all handled by the browser. It was a mistake not to
do this. It makes no sense that blocking cookies should be done via
inconsistent and dubious interfaces implemented by the websites themselves.
Much better that the law would specify minimum standards for browser
interfaces to make those choices (which btw would be trivially implemented, vs
forcing the sites to spend time and money to implement a shitty js pop-up).
Plus you are assured that cookies are really blocked.

As for server-side fingerprinting, the browser, upon the user's choice, would
send the allow/deny information to the website, which is forced by law to
honor it (as it is today).

~~~
wjdp
How can a browser differentiate between a first-party cookie needed for login
and a first-party cookie for tracking?

It's legal to use cookies for behaviour such as login which is necessary but
you need consent for tracking.

If a browser blocked all cookies until the user turned them on you'd have the
choice of "no login" or "login works, but so does all the tracking".

Not saying the current state of affairs is good, it's awful.

~~~
_puk
If we're going down the route of regulation, and browser control, would it be
a step too far to require standardised metadata in a cookie?

That way, each cookie could describe itself as login, tracking, optional
functionality etc.

You can then penalise on cookies that purposefully violate this, and allow the
user to centrally opt in or out of each type.

~~~
wjdp
Aha, place trust in the site to label their cookies correctly?

I see you've covered that with penalising sites who mislabel. Who maintains
this list? If it's the browser vendor remember which company owns the largest
share in this market.

------
Nursie
The whole "Privacy Controls" box is a dark pattern, and appears designed to
confuse the non technical.

What these boxes should say is "Please can we track you and sell your data to
third party advertising services?"

Because that's what's really happening here, they're begging for your
permission, but dressing it up like it's some sort of technical decision about
cookies and trusted partners.

------
bitdotdash
Would be nice if there was some uniformity to these and you could set
granularized default preferences at your browser just the once, and have them
applied universally in all cases where site options match the norm, and just
requires interaction for the few instances where there are some granular
permissions that need to be set outside of the default set. Bonus points for
adding those new rules to your default set for future use.

~~~
contravariant
Frankly at this point all I want is a way to signal "Yes I have looked at the
cookie settings in my browser and I know what I'm doing".

~~~
crawlcrawler
There is at least one way that I know of to realize your dream. First, disable
"do-not-track" header in your browser. Secondly, lobby for organizations to
honor the "do-not-track" header. The whole world will thank you.

~~~
contravariant
How does disabling the do-not-track header help me? I can't indicate that I
take responsibility for handling the cookies by not sending a header, that
would be passive 'consent' which doesn't qualify.

Also it's not that I'm consenting to being tracked I just don't care whether
they set cookies as I will delete them automatically anyway. That's _very_
different from telling them to go ahead and figure out my identity.

------
MayeulC
TBH I'd be likely to accept this. I have no issues sharing reasonable
statistics about me. What I'm personally against is:

1\. Sharing them with Google, through GA

2\. Sharing PII. I have zero faith in big commercial sites. They'll likely try
their hardest to fingerprint me, and track my every move across the web.

You have to draw a line somewhere. And since most HW info can be used for
fingerprinting, I don't feel like sharing it with unknown websites.

I've looked for it, but couldn't find a screenshot of the old internet
explorer prompt, that, by default, used to ask you every time a website wanted
to drop some cookie on your computer. Why did we move away from it? Are we
going back there? What is different now?

~~~
burtonator
> 1\. Sharing them with Google, through GA

I have a blog post I'm thinking about writing about this due to launching my
last app.

It's basically impossible to make everyone happy so much so that it's a bit of
an absurdism.

There are people that don't want to be tracked, then there are people that
don't want to be tracked by a specific company because they are doing a
boycott.

~~~
MayeulC
Oh, right, hence the customization options. Defaulting to no tracking is
likely a sane choice.

Let me insist that I am okay with statistics, but against tracking. GA is
tracking. I do opt-in into statistics in software like Mozilla Firefox, etc. I
just don't want to be _tracked_. I'm fine with giving away some information
about myself so that websites know my 1680x1050 resolution is still being
used, or that someone still uses Firefox, or on which page I landed, if I
visited a few more pages. But nobody needs to know exactly what websites I
visited today, where I ate, when I woke up, etc. It's my business and only
mine. Would you be interested in such data about me? If not, why would you
help Google achieve that very goal?

Other trackers (twitter, facebook, most other social networks, analytics
companies and advertiser networks) are just the same to me. But maybe some
people boycott Google specifically.

------
markholmes
Tracking should be set and respected at the browser level. Consent forms on
every single website we visit is absurd.

~~~
atoav
Just build websites that comply with GDPR per default and leave that crap away.
Many people don't even seem to know this is possible. They believe Cookie
consent is something everybody has to do on their website and if they don't do
it they are in danger.

------
molsson
I hate when you browse through 10-15 websites and for all of them you quickly
click the "Accept" button in the bottom banner to get rid of the irritating
cookie banners.

And then suddenly, on the 16th website they put a fucking "Buy our thing"
button in a bottom bar that you quickly click on without even thinking twice.

~~~
skummetmaelk
There needs to be a way to punish deliberate subversion of expectation. The
whole "haha gotcha" mentality is harmful to society in general. The problem is
much wider than just dark UI patterns on the web.

~~~
SQueeeeeL
It's an impossibility given how our society is structured. A hundred years
ago, if Tim's General Store did something shady, there was both social (hey
Tim, wtf we're buddies this town only has 50 people) and economic (I'm never
going back there and I'm 10% of Tim's regular customers). In this
circumstance, our system works very well. But because of increased
communication and transportation, pretty much everywhere you can consume from
is a multi-national corporation. If Walmart overcharges you for a shovel, you
can get your money back, but otherwise don't have any meaningful say about
your experience, and probably don't have a meaningful alternative. Same with
the internet, there are millions of people hitting up Google the same way you
are, even if you blacklist "spamshitblog.net"; most people won't. People like
RMS realized this a long time ago, but they basically got shouted down, and I
definitely don't think we're gonna stop the train of unchecked free markets
anytime soon.

TLDR: The market always wins, just download an adblocker.

~~~
skummetmaelk
I agree completely. It's just a shame.

------
fallingfrog
I think at this point a total ban on tracking users for marketing purposes
might be the only way forward. We tried half measures and this is what we got.

------
thomasfedb
Really dislike these things. Hoping that we eventually get a good browser
extension that handles them automatically.

------
K0nserv
I wrote a comment[0] in a different thread about just this and how I am
excited that, at least on iOS, Apple are helping fix these consent prompts.

0:
[https://news.ycombinator.com/item?id=23757498](https://news.ycombinator.com/item?id=23757498)

------
andrewla
What's the use case here that isn't solved by configuring your browser to
prohibit third-party cookies? Obviously browser fingerprinting and all of that
can be used to try to extract the information, so browsers should be
strengthening their anti-fingerprinting measures.

But it strikes me that this is almost entirely a client-side problem. If a
server wants to give me a cookie or put something in local storage, or serve
me URLs with a tracking parameter in the url, so be it -- there's no privacy
violation unless they can ask another website if they know who I am, and
blocking third party cookies stops that.

~~~
Hokusai
You are tracked by more means than just cookies.

Fingerprinting is not solved by clearing your cookies. The GDPR is not about
cookies but about data retention and processing using cookies or not.

Accepting to be tracked allows the website to store legally your personal data
and probably use fingerprinting to follow you around.

------
hoppla
Do I consent if the slider is to the left or the right? After done sliding
every option to the left, I still have to press “I agree”, but I do not know
what I agreed to.

~~~
pbhjpbhj
There's one mainstream site I've been to recently, where you have to select
"reject" in the sliders, then navigate away. If you click "I agree" button at
the bottom you're agreeing to navigate away from the page and silently revert
all your choices!

Even the BBC do shenanigans wrt cookies, they don't have a reject button. You
have to navigate to a settings page, the page shows all non-essential settings
as off, then you navigate back. So, you'd think that non-essential cookies are
off by default, but of course they're not; AFAICT if you don't visit the page
on which you do nothing then it turns the cookies on ... so you don't need to
turn them off, but if you don't not-turn-them-off then they're silently
enabled.

Properly compliant sites have "no/reject" buttons and still show all content
after you press it.

------
whywhywhywhy
Should have just been a browser option from the start. Although on the plus
side these popups do expose just how slimy the journalism industry is.

------
Havoc
It’s rare to find one that isn’t dark pattern like.

------
makkesk8
It's gotten so bad I almost feel like we need something like pihole for
these boxes.

------
hatchnyc
This is a mess, I absolutely loathe consent boxes both as a user and developer.
The ultimate failure of a design is when you need to put up a sign, and this
insipid idea is basically a billion stupid signs. They totally break the UX
of any site you place them on. You pour time into a design and try to make
something beautiful and then you're forced to put this ugly stupid block over
it by a bunch of bureaucrats. Likely 99% of users don't even understand what it
is supposed to do, and it is probably a flip of a coin whether or not it is
even implemented "correctly". I really really hate these things, and the fact
that a handful of nerds continue to discuss innocuous web metrics tracking
like it is some kind of conspiracy is the cause of all of this and the reason
my sites will forever bear this shameful blight.

~~~
david_draco
Or you could not track people and not ask for consent. Like Mozilla, or
Wikipedia.

~~~
hatchnyc
I've seen dozens of companies that do not even do tracking insist on having a
banner out of some cargo cult legal fears.

~~~
chriswarbo
A classic case of FUD
[https://en.wikipedia.org/wiki/Fear,_uncertainty,_and_doubt](https://en.wikipedia.org/wiki/Fear,_uncertainty,_and_doubt)

------
Braunbart
It's important to note that most of these consent boxes are not GDPR
compliant.

~~~
dathinab
Yes, the most "funny" ones are the ones which pretend you can
decline/configure the tracking but only set you on a long chain of "configure
here" links until you end up in a dead end. Or they let you configure
non-essential tracking but the essential tracking you can not switch off contains
all the worst tracking sites and is definitely not essential for the technical
operation of the site... Also these sites tend to have over 100 different
trackers which is totally insane.

~~~
johannes1234321
... and once you are through with it they need a few minutes to "save" the
choices.

~~~
fsflover
And at the end "saving" fails "_for technical reasons. Try again later._"

~~~
ahartmetz
I see that we are talking about Oath... what they are doing is so blatantly
illegal.

~~~
nottorp
Any site giving me the Oath popup I just instaclose. Even if it's linked from
a site I regularly check, like HN.

~~~
mnw21cam
And flag the HN article.

------
ghostbrainalpha
I feel like we won't be able to call these "dark patterns" for much longer.

Maybe "manipulation patterns" would be a better informative term.

------
stevenjohns
I have a Firefox plugin[0] that I click on whenever a GDPR -- or, well, any
obtrusive modal or overlay -- gets too much in the way of things. It's hit and
miss, but when it does work it makes life so much easier.

[0] [https://addons.mozilla.org/en-US/firefox/addon/behind-the-ov...](https://addons.mozilla.org/en-US/firefox/addon/behind-the-overlay-revival/)

------
smnrchrds
I have a related question: how on earth is Der Spiegel's consent box GDPR-
compliant? Try accessing the website here:

[https://www.spiegel.de](https://www.spiegel.de)

It gives you two options: 1) consent to tracking and data collection, with a
vague promise that you can withdraw your consent later; 2) become a paying
subscriber.

GDPR says that "When assessing whether consent is freely given, utmost account
shall be taken of whether, inter alia, the performance of a contract,
including the provision of a service, is conditional on consent to the
processing of personal data that is not necessary for the performance of that
contract". Shouldn't that mean that forcing consent in order to allow someone
to read an article is not consent freely given?

[https://gdpr.eu/gdpr-consent-requirements/](https://gdpr.eu/gdpr-consent-requirements/)

~~~
pkursawe
I hope they already see their page hit number decline. There is no way to get
over this box with DNT in the header either. If it would be only for me, Der
SPIEGEL can die already.

------
gameswithgo
To me the box itself is the dark pattern. That what GDPR actually changed
about the world was making modals showing up in front of content completely
ubiquitous is hysterical in a very dark comedy sort of way. The WWW part of
the internet is nearing uselessness to me lately. :(

~~~
di4na
Technically if they do that, they are illegal.

~~~
gameswithgo
Ok so they are just eating screen real estate instead of literally being _on
top_ of the content? This doesn't improve things any in my mind.

~~~
di4na
Nope that is illegal too.

Basically anything that makes you want to just rage close it is illegal.

The trick no one seems to understand is that this is not about getting your
consent.

It is about making things that cannot get your consent in "good" ways illegal.
Anything that needs to be big and visible means that they are doing things
that are too much for informed consent to be given.

