Norwegian Consumer Council report on how tech companies use dark patterns [pdf] (forbrukerradet.no)
731 points by erlend_sh 4 months ago | 160 comments



Good summary of dark patterns and consent, on page 7:

> In digital services, design of user interfaces is in many ways even more important than the words used ... Dark patterns are considered ethically problematic, because they mislead users into making choices that are not in their interest, and deprive them of their agency.

> This is particularly problematic given the power imbalances and information asymmetries that already exist between many service providers and their users ... a suspicion that tampering with default settings might remove important functionality, may affect the tendency to leave default settings alone.

> ... information asymmetry in many digital services becomes particularly large because most users cannot accurately ascertain the risks of exposing their privacy. If a user is asked to trade their personal data for a short-term financial benefit, such as a discount, the actual cost of the trade-off is difficult to grasp. In this case, the short-term gain (discount) is tangible and immediate, while the potential loss (privacy) long term.


Those flowcharts and color coding are amazing.

Everyone: even if you skim the rest of the article (mind, it's ALL worth reading), scroll to the last few pages and LOOK at those.

They're color-coded by ease of flow (and yes, a definition of that was selected and clearly explained).

I'm excited by this because I feel that often when we talk about Dark Patterns, conversations often devolve into a "both-sides"-ism pattern -- something which is as useless in UX discussion as it is in politics. These clear visualizations and starkly color-coded call-outs of flows that add extra work make it easy to compare flows, and point out ones which are obviously arcane.


You're right -- the flowcharts are above par.

But the very first chart in the PDF is troublesome because of negative language.

For example, "No privacy intrusive default settings in popups."

Does the X on Facebook mean "There are no privacy intrusive default settings in popups" or "There are privacy intrusive default settings in popups."

Double negatives are difficult; especially for non-native English speakers.

It's like when you see someone on HN write "it's not non-trivial." Just say if it's easy or hard. Don't bury yourself in confusing jargon.


Is there a tool for easily making cool flowcharts like this?


I'm pretty certain the whole report was created in MS Word and the flowchart used Word flowchart as well.


Yeah it looks like one of the default "Smart Art" sets.


Good Manual for upcoming startups as well.


Page 14: [edit: number corrected, thanks]

> As the screenshots below illustrate, the Facebook GDPR popup requires users to go into “Manage data settings” to turn off ads based on data from third parties. If the user simply clicks “Accept and continue”, the setting is automatically turned on. This is not privacy by default.

Beautiful! A minimal demonstration of a clear violation of the principle of data protection by default (article 25 of the GDPR).

It will be really hard to talk oneself out of this one.


That flow was really scummy. I remember going through it.

The entry point was an email claiming you have to "read and accept the updated policies in order to continue using the site". And the first thing you're presented with was that two-choice "Manage data settings" / "Accept and continue", implying for the user who is less than extremely careful that if you don't "Accept and continue", you won't be able to use the site anymore.

It's only after that modal that you're presented with the updated T&Cs which you indeed need to either accept or delete your account.

And of course all the various things people have noted:

- A red dot in the fake-header to make you think you have pending notifications

- A complete disregard for "privacy by default"

All this right after Mark testified in congress saying "no we used to be bad and we made mistakes but now we really care, you see".

For a site that despises transparency, Facebook has never been so transparent about how little it gives a crap about its users.

I have some friends working at Facebook who will probably read this and be upset I think so little of their place of work. Folks, I have a huge respect for some of the excellent work that goes on at Facebook, especially in open source. But that doesn't change how scummy the core site itself is.


By staying at Facebook your friends are explicitly supporting these and other scummy actions. They have decided to hold their noses and prioritise themselves over humanity.

Think less of them.


This is a totally inappropriate thing to ask of anyone. Please rethink your view on life.

Edit: Also, that's not what "explicitly" means. I think you meant "implicitly".


some people work for charities, some people work for facebook. the employees make the company, and are complicit if they don’t react harshly to decisions made by their board like google employees did... if nobody wants to support the scummy tactics that “the company” is pushing, it won’t get done. sometimes you need to have a spine to get anything changed, otherwise we are just heading for a blade runner dystopia, and we in the tech industry are pushing us there as fast as our pay cheques can.

people quit google over the military project because they didn’t agree with it. i don’t think it’s crazy to do the same over facebook's disgusting manipulation of their user base.


I don't think it's crazy either, I just think it's totally inappropriate to tell people to think less of their friends when they don't have the full context.

There's a lot of FB employees on HN and I wager a lot of them know how scummy their employer is. Yes, many are staying for the paycheck (and because leaving a job isn't an easy thing for everyone), but I know several who are staying because they feel that their position is where they can produce the most good for the world.

Similarly, I know many people in politics who despise who/what they work for, but keep at it because that is where they can make a difference.

It doesn't always work. But it also doesn't make me think less of them. At least of the ones who aren't staying because of the $.


No, they are not producing any kind of good for the world, never mind "the most".

For the users, Facebook is just a means of communication, among many others. If it disappeared tomorrow 10 different platforms would replace it and the level of goodness in the world might even increase.

Doing good is probably the lamest, least truthful excuse for working at Facebook, goes to show how self-deluded people can be.


What if you are working at Facebook on improving Linux's network stack for example? Sure, if you have the skills to do that, you will find work very easily. But is it easy to find a job that would allow you to make these kind of contributions?


> but I know several who are staying because they feel that their position is where they can produce the most good for the world

Do you think Facebook is a net positive for the world? Borderline, or overwhelmingly?

To be clear, I'm not asking whether some people get net benefit out of it, I'm talking about the net overall effect on society and the individuals within it.

Personally, I believe it is causing tremendous psychological damage, and that anyone that works there is a contributor to that end.


I believe Facebook, overall, is a net negative. But that doesn't mean it doesn't have its own positives.

Sticking to the "net positive / net negative" terms, imagine Facebook contributes a number of positive / negative points to the world. Now the sum can be a net negative, but that doesn't mean some line items aren't positives.

Where do you work? Is your company flawless? Are you a contributor to every single one of its misdeeds merely because you work there? This isn't an easy thing to answer for everyone. I think it's certainly a question more Facebook employees should ask themselves though.


That is what net means, there will be positives and negatives which contribute to the net. For the record I agree with you, I think Facebook is overall negative but not by much, there are very strong positives.


I never thought I'd see the day that someone explained the meaning of the word net to me on HN.


I agree, you can't tell someone to just drop their friends because the company they work for is evil. Hell, I'd actually like to see where all the people calling for this work; then let's see if we can hold their companies to the same light, and if they would actually be willing to quit. I'm saying this as a non-Facebook user for a number of years; this sounds pretty ridiculous to expect.


I feel that I agree with you @rickycook


Except for the "think less of them," part, I don't think it's inappropriate -- we all get to vote every second of the day for the companies that rule our world. We vote with our wallet every time we buy even the smallest thing, and we vote with our clicks when we choose to use web services.

It is far from the most extreme of social changes that have occurred in history to suggest people stop using a particular company's tools.


I think people at Facebook do have some moral frustration and consider leaving from time to time. It's simply impossible, especially in these times, to avoid asking oneself the moral question of the consequences of my own actions when they affect billions, even if the aim is as innocuous as to hook up the user for some time longer. Nevertheless, I agree that judging them from the outside is quite difficult as we don't know the full context.


Superior orders, often known as the Nuremberg defense, lawful orders or by the German phrase Befehl ist Befehl ("an order is an order"), is a plea in a court of law that a person—whether a member of the military, law enforcement, a firefighting force, or the civilian population—not be held guilty for actions ordered by a superior officer or an official.[1]

The Nuremberg defence is widely regarded as invalid.

1. https://en.m.wikipedia.org/wiki/Superior_orders

tomxor 4 months ago

> This is a totally inappropriate thing to ask of anyone. Please rethink your view on life.

No, working at Facebook is the modern day corporate equivalent of the banality of evil.

Unless you genuinely think Facebook is doing good, take some fucking responsibility and rethink _your_ view on life.




There's a difference between working at Facebook actively being involved in the creation of such scummy designs, dark patterns, etc; and merely working on one of its open source libraries. Facebook does do some good and comparing what they're doing to war crimes ... does that really help?


I think that's a distinction without a difference. Facebook doesn't have engineers working on open source libraries because they want to do good in the world, and those other people working on scummy designs and dark patterns just didn't get the memo. They do open source work because:

* The projects directly help their business operations; those engineers might be doing the same work, anyway, even if Facebook were zealously closed source.

* Open source work gives the company image a boost in the minds of potential employees. This expands the labor pool, reducing the wages FB needs to pay, and helps give FB access to talent it otherwise simply could not have. In this case, hiring engineers to work on open source projects is little more than a PR campaign targeted at people like you and me--and it's clearly working on you.

The "good deeds" of their open source work are entirely accidental; the whole point of employing engineers to work on open source libraries is to help their business, which is inherently exploitative.

I agree with lancewiggs: by working at Facebook, your friends are aiding and abetting one of the most unethical and socially-dangerous companies in modern times. Think less of them.


> By staying at Facebook your friends are explicitly supporting these and other scummy actions. They have decided to hold their noses and prioritise themselves over humanity.

> Think less of them.

Given their explicit support of scummy actions and not humanity, do you feel Facebook employees should be punched, in the defence of humanity?


"Think less of them."

That's a horrible metric to apply measuring 'human worth', whatever that is. Humans are by default wired to do what everyone else is doing. Just using Facebook because everyone else is doing it as well is what humans do. They flock to the communities and forums where the action is. They cannot comprehend graph theory intuitively and what power Facebook potentially wields in interfering in their lives.

Governments are supposed to protect people from threats the masses cannot comprehend. Like, for example, taking care of vaccinations.


Facebook will never care about Privacy. People like Zuckerberg are scum, and deserve jail. As an individual, I really do NOT want to live in the same society as this kind of person.


Mr. Zuckerberg cares a lot about privacy.

Privacy for him and his family, that is.


I noticed Twitch is doing the same thing, if you "manage your choices" you get the banner to "manage your choices" on every page load, the only way to get rid of the banner was to "accept" which accepts everything. (I hope it was just a 'bug' but it didn't feel like it.)

I don't get it though, if companies are so scared of being fined 4% of revenue that they put up these banners, aren't they inviting the worst end of the punishment scale by trying to weasel around the law rather than just ignoring it completely?


The worst offender I've encountered is imgur.com, where "click here to manage your privacy settings" brings you to a page with literally hundreds of advertisers.

About half are on "allowed" by default. If you want to disallow, you have to select each entry individually.

The other half only specify "requires opt-out", apparently imgur expects you to contact some third party to do so.

How on earth they expect to weasel around the law with this ham-fisted approach is beyond me.


>How on earth they expect to weasel around the law with this ham-fisted approach is beyond me.

They reckon, perhaps correctly, that almost all websites weasel around the law and only very few of them will ever be fined.

Privacy activists will go after the big fish first and there will be time for the small sites to correct course once it becomes clear what is and isn't permitted.


imgur is a big fish though.

due to this assholeness, i null routed them at router level in my house, and at my work.

fuck imgur.


> imgur.com

I would absolutely not expect good behaviour from them with respect to advertising, including but not limited to tracking.

That site was the final bale of hay that had me install ad blocking measures at the network level. Too often their advertising partners would attempt pop-ups, drive-by installs, gaining access to microphones, and other arse-hole-ery.

For myself I can just stop going there, but there are others in the household that wouldn't have done, and I didn't want the job of cleaning their machines if something did get in. Of course my other option is to add imgur.com itself to a malicious sites list so it'll be blocked completely at the network level...


Same goes with Tumblr and Yahoo for example, where everything is enabled by default and you have to go one (I'm not talking about 10-20, it's more like +300) by one to enable the tracking done by advertising/marketing companies.

One of the better things is, though I don't want to advocate the behavior of auto opt-in at all, that most of these sites are at least using something like TRUSTe or Oath, where you only have to disable hundreds of marketing services once and are done with all the sites which are using the same service for cookie consent.

It's against the law to make the options opt-out, but these companies are still trying hard not to obey the law; it's really comical.


Note that Facebook still refuses to let you opt out of personalised advertising based on Facebook activity.

This is the most blatant malcompliance with GDPR IMO, when will data protection authorities start fining FB?


The paper deals with this, it even says this gives the users the false impression of control. I remember this weird pop up if you allow Facebook applications of friends to access your information. It was never really clear if you agree or disagree to it by checking the check boxes.


> This is the most blatant malcompliance with GDPR IMO, when will data protection authorities start fining FB?

The GDPR fans on HN have said over and over again that GDPR wouldn't result in instant fines, that companies would be given a warning and an opportunity to make changes. We'll soon find out if that's true or not.


> that GDPR wouldn't result in instant fines

Well, it has something to do with acting in good faith too. Not respecting GDPR because of an oversight or even laziness is likely to be met with warnings.

But blatantly violating it on purpose (this is no question: these companies have specifically claimed they implemented these obviously non-compliant processes because of GDPR) should not warrant any goodwill on the part of authorities.


facebook made their changes, and failed. they’ve played their hand, now it’s time for the law to tell them what utter bull it is. do you think facebook is going to change anything from now?

the point of “no instant fines” is to give companies a chance to change and develop their GDPR systems. if those systems are both complete, and in violation, why shouldn’t they be fined?


>facebook made their changes, and failed.

That is yet to be determined by the regulator and the courts. Facebook has made their changes. Now someone will complain to the regulator. Then the regulator will make a determination and maybe ask Facebook to make further changes. Then Facebook has another opportunity to comply. If they refuse to make those changes they will get fined and can go to court to fight the regulator's decision.

At least that is my understanding of how this system works.


The GDPR doesn't specify anything precisely. Facebook made changes, they clearly do comply with the GDPR because the GDPR gives much leeway in how it's interpreted.

But there's a deeper reason why the EU fining Facebook would be a deep demonstration of malaise, incompetence and greed. From the report:

Research has shown that most users will never look at, let alone change, the default settings.

That's right, and you know why? Because users don't care and never did. This entire privacy crusade is made up out of whole cloth, by the EU, to obtain power and money. These foolish governments constantly demand more and more controls, consent agreements and so on and the users constantly don't use those new controls and always consent because they were perfectly fine to begin with.

There are no dark patterns. There are no evil conspiracies. There are only users, who enjoy broadcasting every detail of their lives to their friends and sometimes the world.


So it turns out they were right - GDPR went into effect a month ago, Facebook didn't comply (and many other companies either, not offering privacy by default), and nobody paid any fee.


Wait, what? Why would you expect fines being levied within a month of the directive going into effect? The process from a first complaint to a payable fine probably takes a year or more.


the sites had a very long time to get into a state of compliance BEFORE it became law. they could have asked for help from legislators.

FB is being malicious, same as always. hopefully they'll get smashed by the fine when they continue to resist the law.


Well, we're talking about "instant fees".


I would like to point out this message I got on the mobile Facebook website a month ago: https://i.redd.it/hh6xerkskmx01.jpg

"To personalise content, tailor and measure ads and provide a safer experience, we use cookies. By tapping on the site, you agree to our use of cookies on and off Facebook."

Agreeing to something by tapping anywhere on the site doesn't sound enforceable...


> It will we really hard to talk oneself out of this one.

I'm reasonably sure they knew it's a violation. So it feels like they're either prepared to fight over it, or testing the ground to see what the consequences are... After all, I would have guessed that they're in for major losses in ad revenue if most people sign out. So it's worth almost any risk.


Oh: we made mistakes. They will not happen again.


* page 14


I'm kind of torn on this.

On one hand, I agree that these "dark patterns" undermine what legislators and voters want in terms of consumer protections and rights. Consumers and legislators need to be aware of it.

On the other, I think it leads to a banal conclusion. Legislation tried to achieve something by putting responsibilities/restrictions on corporations. It did not achieve its goals, because companies "implementing" the law have different things they want to achieve.

One common sense conclusion is "moral failings." I expect most journalists and legislators referring to this report will be in this category. Google is greedy. FB is cynical. Nowhere to go from here but moral righteousness.

Another common conclusion will be "loopholes." This will send us down the legislative rabbit warren that financial regulation and tax law has been down.

The right (imo) conclusion is that the whole approach is wrong. We cannot rely on explicit (or even implicit) contracts between a website and every person who visits it.

There must be rules, not contracts. Where users need control or an agreement has to be made, these need to be baked into browsers, where the party implementing "user empowerment" are not the ones losing from it.

Moving to a world where an average consumer "signs" multiple agreements with companies per day.. that's not what our legal conventions were made for.


The GDPR is quite explicit on what constitutes consent.

This means that if European privacy regulators agree that this approach does not in fact mean that users consented, then Facebook/Google/Microsoft may be violating the GDPR.

I think this is where, at least in theory, the GDPR is a major step forward: it has clear instructions on how information should be presented to users. Now we have to see if that theory actually becomes reality.


> The GDPR is quite explicit on what constitutes consent

I've had this argument a couple of times and I think it comes down to the semantics, though legal and legislative semantics are a little richer than most.

What I mean is that gdpr makes its intentions quite clear, but that's not how the legal system parses laws. What the consequences of gdpr are, in terms of practice is (1) all website visitors must sign a contract with the site owners (2) there are now some conventions and controls governing these contracts (3) the contracts empower the website owner to do most (not all) of what they could do before gdpr.

Gdpr does quasi-explicitly force website operators to provide an "i don't agree" option. There are two potential ambiguities that could nullify this: (1) the exceptions in gdpr are ambiguous enough that all sites/services can claim them (2) dark patterns described in this paper make it so that a majority of users consent anyway.

IMO, considering "click here to agree and continue to the article" a valid consent is ridiculous. Contracts work when they are rare. We cannot solve this consent problem this way.


Contracts work fine if they are common. Suppose you are in a bar buying one drink at a time. Each time you buy a drink you enter a new contract. Is that a problem? No.

The 'click here to agree and continue to the article' is a problem in the context of the GDPR because consent has to be given freely and cannot be a requirement to obtain a service.

That's a big departure from the cookie law, where this kind of forced consent is allowed.


1) they really are not ambiguous at all in these cases, it is clear cut that these sites deliberately try to get away with going directly against the law

2) these dark patterns are illegal, and they are illegal just because they do "force" users to consent


> It did not achieve its goals, because companies "implementing" the law have different things they want to achieve.

If this is what we think the law has become, we're screwed. Not just on privacy or dark patterns but generally.

I think you are missing a small, but crucial, step. We haven't yet seen how much effort will go into enforcement of those responsibilities and how many major fines result. I still have (probably extremely naïve) hope to see some $1bn+ fines, and soon. Then repeat for each follow-up attempt to evade the law. Presumably to Facebook for the "show trial" as they always seem the most egregious offender on clear privacy choices. As so nicely demonstrated by the pattern flowcharts here.

Then companies might interpret the law as something they must obey rather than deciding if they align with corporate goals before opting in.

How novel.


An enforceable "Tell websites I do not want to be tracked" would be nice. We saw quite clearly how that was ignored wholesale when it is voluntary.


> There must be rules, not contracts. Where users need control or an agreement has to be made, these need to be baked into browsers, where the party implementing "user empowerment" are not the ones losing from it.

Yes! This is the right way. Unfortunately it also looks like it's going to be really, really hard, because the platform did not evolve with this foresight.


Reminds me of P3P https://en.wikipedia.org/wiki/P3P which is unfortunately dead :(


God, I wish someone added Quora to that list. After you read the first article, Quora masks all its content and forces you down the throat to sign up or sign in, pretending to be part of an age verification process (irrespective of the topic).

I remember when this happened - I was so pissed off that I made an add-on called "fuck quora" that will simply reset their cookies to have unlimited reading possible without signing in. Will be happy to open source it if need be :)


You can add ?share=1 to the URL to unblock Quora.


Blocking them from search results is far more effective.

Quora results are mostly saturated with thinly veiled spam now anyway.

Google:

how to use quora for traffic

how to use quora for marketing

how to use quora for SEO

The "hack" is well known and incredibly over exploited.


Please do! Though wouldn't it work to just never accept the cookie at all?

I got very pissed off at Quora for the same reason, and made an account just to read (knowing full well they'd use it for profiling).


Not sure about Quora, but I've noticed that many sites start you off with a big "Accept and Continue" popup and set cookies when you accept. So if you deny cookies, you can't get past the popup (it just refreshes).


Yep. They even try to make them clever by showing actual cookies or people getting slapped by a cookie. They even use the words GOT IT to accept terms.


IIRC you can read one article for free on Quora. But yes, that accept and continue is common and annoying.


Private mode works fine with quora


My solution is to avoid Quora links. They don't have any content you can't find elsewhere.


There was an interesting post related to this a few months ago, that maybe some of you missed and would enjoy... "Dark Patterns, The Ratchet"

https://jacquesmattheij.com/dark-patterns-the-ratchet/


Thanks. A quote:

> ... instantly all memory of the consent obtained will be forgotten. There is no way back. That ‘click’ of your mouse (or tap of the finger) was the ratchet advancing one little step. Good luck finding the permission you have just about irrevocably changed in a mountain of convolution designed to lead you astray in your quest to undo your action. Of course it would be trivial to have a log of recently given permissions and an ‘undo’ option for each of those. But there is no money in there and so you won’t find it. The ratchet has clicked and that’s all that matters, you ‘gave your consent’, time to move on. And so the company gets to claim that not only did you give your consent, you gave it willingly and obviously they would have never ever used your data without that consent.


I was expecting "dark patterns" to be a hyperbole but these are clear violations of GDPR. This will probably catch public attention when the press gets hold of it and makes the screenshots more accessible (not hidden deep down in a PDF).


As I recently learned, a dark pattern is a term used to describe deliberately misleading or manipulative user interfaces.

This twitter-account includes many screenshots for illustration: https://twitter.com/darkpatterns


There's also the website (referenced in the paper) :

https://darkpatterns.org/

Edited to mention : the Hall of Shame seems to be down.


The press gets hold of it and realises that they're littered with Facebook and Google integrations, their consent policy is little better, and then they decide that they're going to publish this? The press has been suckered into this whole mess in its sacrifice to keep revenue from advertising.


"The media's" recent attention to digital privacy issues seems to disprove your conspiracy theories, and to show that journalists operate separate from their publications' business departments.


How is this a conspiracy theory? I don't think that the business groups in publishing are any happier about the current state of affairs, but they have seen little option but to make themselves beholden to advertising companies. I doubt the irony of these articles escapes anyone in the media, but their failure to adapt early on has led them down this road (although gleefully embracing Facebook instead of their own sites as a way to spread content is not 100% Facebook's fault).

It should be clear to anyone paying attention that current business models to sustainably support journalism have failed, and we are approaching (or have already reached) a point where only low-effort 'clickbait' and recycled AP content is profitable.


The media likes online privacy stories because they want Facebook and Google to pay them money, so never miss a chance to trash these companies and attack their reputation.

The last thing the media wants is to be held to the same rules and standards of the tech firms though. They needn't worry however. The law will not be applied consistently.


Sacrifice is an interesting word choice when discussing digital gods of internet advertising. Press could use the photos of recently discovered mass-sacrifice skulls in Mexico City.


Especially on mobile some of these cookie management screens I've seen lately are HORRIBLE. If you're gonna make me click on every single partner to opt out of their tracking, I'm just not gonna use your site.


I can't find a section of GDPR requiring these individual toggles for each "partner". From my understanding a website owner could just as well list all partners and give the user the option to consent to processing by all partners (or none) - the agreement is between the website user and the website owner ("controller"), the controller and their partners have a completely separate agreement.

As far as pre-ticked boxes are concerned, they do not signify consent [0], effectively taking the legal base [1] for processing PII in many cases. It's a bit more ambiguous in the actual law: "It shall be as easy to withdraw as to give consent." [2] If consenting can be as easy as clicking the "I agree, have my soul" button, withdrawing consent must not require clicking through dozens of checkboxes and should be just as easy.

[0] Recital 31, Sentence 3: "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." https://gdpr-info.eu/recitals/no-32/

[1] Article 6 (1) "Processing shall be lawful only if [...]" https://gdpr-info.eu/art-6-gdpr/

[2] Article 7 (3) Sentence 4 https://gdpr-info.eu/art-7-gdpr/


> I can't find a section of GDPR requiring these individual toggles for each "partner"

This isn't happening because websites are falling over themselves to comply with GDPR. This is the case because websites explicitly want to make opting out as difficult as possible. Somehow a large portion of web content creators have gone astray and confused locking users in a metaphorical room against their will with "consent".


I use EasyList Annoyances with my adblocker, it hides all cookies/GDPR popups. If the website respects GDPR and waits for my click on the "Accept" button, I'll never see it and tracking shouldn't be enabled (many websites still don't respect that basic concept nonetheless)


Are you referring to "Fanboy's Annoyance List" here: https://easylist.to/ ?

I really want to get rid of all the cookies/GDPR popups.


This filter removes most of the cookie dialogs: https://github.com/r4vi/block-the-eu-cookie-shit-list


I just checked, and apparently on mobile I use 'AdGuard Annoyances filter' and not 'Fanboy's Annoyance List' like on desktop. The former is a fork of the latter by Adguard, so I think it's about the same thing. EasyList's one works perfectly on desktop.


Unless every tracking setting is off by default, they are clearly already in violation - so why would they then even bother having settings for it? Why not just track everyone and not ask?


You can fool many users into thinking they gave consent when they haven't. At least these won't resist further.


That's exactly what I've been doing: whenever I can I unset everything to basic cookies (login/account, shopping cart).

If I can't do that on mobile in under a minute I simply close the website. So far nothing of value has really been lost.


Or hopefully wait and watch while someone with more time than you takes them to court



I just went through the "Manage Your Information" option on the FB website itself. It's terrible, every individual option only has a link to a long document you must read to figure out how to manage your information for only that one particular setting. Then you must separately do that yourself following the instructions, then go back to the Manage Your Information screen and select another of the many topics there and do it all again -- for each individual item in the list.

FB really does not want to make it easy for you to quickly change all your settings.


What a surprise! Microsoft, villainised over the decades, seems to be better than Google and Facebook. This brings us to the question: have you paid XX money for a service that doesn't show ads? Are you happy with it?


Microsoft got pretty un-evil and then rapidly got very evil again a few years ago. The GWX debacle, advertising built into your OS, forced telemetry, turning one-off purchases into subscriptions, and now maybe the return of Embrace/Extend/Extinguish.


Microsoft _still_ does not let me turn off "Basic usage data/telemetry" being sent to them.

I tried to call them about it a month ago and they hung up on me. The one computer in my house running windows is still blocked with this popup.


You need Win10 Enterprise LTSB, even Pro is not enough to get out of Microsoft telemetry capture, including crash dumps (memory with sensitive info), keystrokes, screen grabs.


It used to be that Pro was enough when you could still turn the telemetry off (I seem to remember that being a thing in W10's early days, correct me if I'm wrong). But in the end, why should the user have to spend even more for a feature set that they'll never use to just protect their privacy? Greed and dark patterns are not acceptable.


Can you even buy enterprise as a private person? All I can see on their webpage is "request a quote" and the form requires a business name.


When I was researching this for personal use a while ago it looked like there should be a way to get a subscription for Windows 10 Enterprise E3 for $7/mo/user via third-party sellers [1] (CSP?). It looks like you can buy a subscription from CDW [2] (I've never used them).

[1]: https://blogs.windows.com/business/2016/09/01/windows-10-ent...

[2]: https://www.cdw.com/product/windows-10-enterprise-e3-from-cd...


There's a 90-day trial, could be useful in a VM: https://www.howtogeek.com/273824/windows-10-without-the-cruf...


Windows 10 Enterprise is enough to disable tracking, you don't need LTSB for that (for those who don't know, LTSB/LTSC is a version of Windows without "modern" apps, like the Store or Edge)


> You need Win10 Enterprise LTSB

They won't sell it to you. I asked about it at a Microsoft store and they had no way of selling it to me.


Please correct me if I'm wrong because Microsoft licensing is convoluted. I think the procedure is to acquire a Windows 10 Enterprise license, and then you install LTSB instead of the standard enterprise edition.


It may also be available via MSDN, subject to MSDN terms.


My guess: Will probably stay that way unless they suffer a major breach and this data starts showing up in wrong places.


Can you block it using a Pi-hole?


Of course, I have long since added this list[1] to my openbsd firewall. That is besides the point, I can (and do) also block all crap in my browser via extensions. That doesn't make the crap they are pulling legal and I refuse to click "accept" on the popup that is currently locking the machine from being used. If it does not change soon I will reclaim the license money via microsoft directly or court.

All my important machines run operating systems that do not have spyware built-in.

[1] https://github.com/crazy-max/WindowsSpyBlocker


That'll work while they continue to use dedicated hosts (e.g., telemetry.microsoft.com) to collect the exfiltrated data. With a single update they can shift that collection stream to another host (windowsupdate.microsoft.com, or a skype host, etc.) such that blocking it would break other stuff.


Still I think there's a difference in how deep the intrusion goes. I can just not use Google (except it's harder on stock Android phones), but I can definitely go without Facebook by just not using it. Having my own Operating System to spy on me makes me a victim whatever I do. I can't really escape from that.


It's hard for me not to use Google's products because they're good, it's hard for me not to use Facebook's because they managed to lock me in using social pressure.


Just use an operating system that doesn't track you? There are plenty out there.


This is the most ridiculous comment I've seen all month. I don't know if it's due to ignorance or some PR department in Redmond. Microsoft is the worst by far when it comes to privacy violations and dark patterns. And it's obvious to anyone who's ever heard about Windows 10 in the news over the past few years. But let me break it down anyway.

First of all, Windows 10 is constantly stealing your personal info. To an extent not even possible to a website like Facebook since websites don't have direct access to your hardware. Some of the things they collect are:

- User contacts

- Calendar data

- Location data

- Keyboard input (keylogger)

- Microphone input (wiretap)

- Local files

- Installed programs

- How long you interact with programs

- Browser history

Have you ever read their 45 page policy document? It's chock full of goodies like:

>“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to.”

Fun. If you want to disable this, you have to go through 13 pages of settings in the general settings menu, disable settings through their dumb cortana thing, go to an external website to disable more settings and sign up for a Microsoft account (which requires giving Microsoft your phone number). And these preferences can be magically reset by Microsoft whenever they feel like it.

https://www.rockpapershotgun.com/2015/07/30/windows-10-priva...

>3. This is the crucial one, and so fundamental to Windows 10’s tracking that Microsoft have stuck the setting on an external website, which they say is so that it’s on one easy dashboard, but I find it hard not to wonder if it’s in the hope that we don’t easily stumble across it while browsing Windows 10’s own Privacy menus. Said website is colourful and cheerful and can play a video at you talking about how wonderful targeted advertising is. Ignore the bumf and instead go directly here and set both options to Off. It’s the innocuous-sounding “Personalised ads wherever I use my Microsoft account” which is the likely root of all this, because having that on means Windows 10 itself becomes a hub for targeted ads. You’ll probably have set up Windows 10 with a Microsoft account, because it heavily encourages you to do so with talk of synchronised files and settings and a OneDrive cloud account during installation, but this means the OS is signed into that account all the time. As a result, Windows 10 itself has its spyglasses on, not just apps or pages that you’re signed into with your MS account. I notice that every time I go back to that page, the “Personalised ads in this browser” setting has silently turned itself back on again. This is concerning

Oh yeah, and updates can completely reset these settings, making all that effort pointless.

https://www.makeuseof.com/tag/5-settings-must-check-windows-...

>Recently, a very big update to Windows 10 was released, which brought with it some nice improvements. But what was not publicized in Microsoft’s fanfare was that the update very quietly reset your privacy settings, and reset the default apps back to Windows Store apps. Gee thanks Redmond.

Anyone who still uses Windows 10 in this day and age is a sucker. And anyone who believes this deluge of green accounts shilling for Microsoft is a double sucker.


My firewall is constantly going off that either Microsoft Photos, Microsoft Video or Microsoft Outlook is trying to send some data, even though I am definitely NOT using any of those products. I always permanently block the requests, but a few days later I get another firewall warning that one or more of these processes is trying to call home.


It would be fair to get rid of Windows from all EU public authorities, schools, etc. I really don't understand why it is still not done after so many years?



I had to learn and setup a firewall so that the following can be blocked in my home network from going out unnecessarily.

1. Microsoft

2. Google

3. Chinese IP cameras

Among these, Microsoft is the most scary. Then Google.


Microsoft are no better with their forced telemetry and resetting privacy settings.

They might not be collecting as much as Facebook and Google but god damn they are trying.


> Microsoft villainised over the decades seems to be better than Google and Facebook.

A villain doesn't become virtuous just because someone even worse turns up.

The criticism of Microsoft a few decades ago was in relation to Apple, OS/2, BeOS, Linux/BSD/etc. and I'm pretty sure those which still exist are still less villainous than Microsoft. Note that Apple is still villainous, but rather than just extorting their users directly, they prefer to extort everyone via massive tax avoidance.

> Have you paid XX money for a service that doesn’t show ads. Are you happy with it?

I make regular payments to the Free Software Foundation, Open Rights Group, Wikimedia, etc. and am generally happy with what they do. That's not always a direct contribution to the particular software I use, but it does support some things indirectly.

In relation to Microsoft, I hear that they charge money and show ads, and I mostly hear their customers complaining about their software and services rather than praising them. For example, the centralisation of Skype for spying purposes seems to have crippled its throughput; I saw someone struggling with this recently and suggested they try meet.jit.si which turned out to give a far smoother connection (since it's P2P, like Skype used to be).


Governments choosing not to levy taxes on Apple is not "extortion" by Apple.


Villains come in all shapes and sizes.

MS was, and possibly still is, the classical abuser of market position. The kind that age old antitrust laws were written to combat.


I've recently got caught in a dark pattern by a cheap airline in Europe - Wizzair.

They've cancelled one of my flights and "automatically rebooked" me into a different one. Turns out it wasn't really automatic - scroll down the email and there's a bunch of options with buttons "Click here to login". Because I didn't really accept my new automatic flight booking, I had to pay a €30 check-in fee at the airport.


If that happened to me there would have been a scene that led to my arrest. That's a textbook case of an unconscionable contract, creating a situation of duress (accept new terms or be stranded)

Still, after the 30 extra, was it still cheaper than a legitimate airline?


I did make somewhat of a scene, but the staff wasn't official airline one. Poor Icelandic guy had his fingers shake a bit, felt sorry for him and my behaviour.

The flight wasn't that much of a difference in price, rather than destination. Matter of fact, lately I see premium airlines in Europe win me over ultra cheap ones - same price but better airports, better seats, complimentary coffee and a couple of euros back in alliance rewards.


I knew that someone would write about this eventually. Facebook's GDPR popup was criminal.

When I got the popup, I accepted some default settings accidentally. Based on the context of the popup and placement of UI elements, I thought that the "Next" button meant "Proceed to my settings management screen" but in reality it meant "Keep default settings and proceed to Facebook".


Great summary, hopefully the EU can deliver what these companies are asking for.


Doesn't invalidate what you said, but just in case: Norway is not in the EU.


As Norway is a member of EEA (European Economic Area) they get GDPR anyway.

https://easygdpr.eu/2017/09/gdpr-in-norway-personal-data-act...


May as well be, as via the EEA we seem to adopt more directives from Brussels than some full members...


The only thing holding Norway back from full EU membership is fishing rights and a referendum on EU membership.

Norway seems to actually accept its current political position inside the EU's sphere of influence just fine.


Right now we are in the worst position.

We have to accept all EU rules but we don't have any influence over it. I'd take full membership over that any time but the politicians don't want to risk a 3rd referendum. So we're stuck between the "bark and the wood" as a Norwegian proverb goes.


You have a pretty great country, so I'd say what you're doing works and I'd advise against changing it.

The current agreements give you the freedom to renegotiate should the need arise. You can't do that when you have full membership.


That means very little. As the UK is demonstrating, members can invoke Article 50, begin negotiations on the parameters of future relations, and exit. Luckily for the UK, the EU very much does not want the precedent of secession, which gives the UK a small but workable amount of leverage.

In either case, changing the relationship with the EU will require negotiation, with the EU in a position of strength due, among other reasons, to the size of the single market and the awful BATNA virtually ensured by the guillotine clauses. However, full EU members looking to leave have a better negotiating position than Switzerland or EEA members.

EEA or EU members can leave any time. But when you leave, you lose access to the single market, and your economy will take a nosedive. If you're not willing to pay the price to leave the single market, you're going to have to follow EU directives and regulations. If you're going to have to follow EU directives and regulations anyway, isn't it better to at least have some say in those promulgations and insist on full EU membership?


If that's what the Norwegian people want, why not. I think they know very well what they are doing.


Don't they prefer to be not in the EU, because they can keep their oil to themselves? (AFAIK if they're in the EU then EU oil companies can ask to drill in their territory: https://www.politico.eu/article/of-crustaceans-and-oil-the-c... ).

So maybe it's better to have no deciding voice but be able to keep all the money.


Oil companies can still get licenses and drill in Norway, they just have to pay taxes (80%) and that won't change.

The people decided in two referendums that they do not want to be in the EU, but the politicians did not accept it and created the EEA/EØS which basically puts us in the EU in all but name with very limited power to influence what happens there. It was not democratically done.

I am pro EU, but it was the wrong way to do it.


Hey, and we in the UK are going pretty much exactly the same way!


Yep, this is how it always goes.


In my opinion, membership would be the wiser choice, especially as it becomes more and more clear geopolitical influence is done mainly through trade and soft power.

Alas, it should be a democratic choice to join the EU; the vessel which decides how (referendum or parliamentary method) depends entirely on the (to-be) member state.


Well, speaking as a Brit, allow us to demonstrate Norway++

We shall finish up subject to the full set of EU obligations and privileges, but everyone shall strongly agree that the UK is not part of the EU. No no no. Just in the various unions and so forth, matching all the rules and that sort of thing. Not part of the EU. Nu uh! :)


Yeah, this is the ""best case"" Brexit option: the same as now, except we've excluded ourselves from all the political institutions of the EU. So we have to accept all the rules and get no say in them.

(The worst case option is the government is too disorganised to agree anything with anyone and we start running out of food, fuel and medicine...)


Plausible denEUbility?


Why not also include Linux in the list, to show that it is indeed possible to get "all green" score..


I presume this will get passed to the Norwegian privacy regulator - https://www.datatilsynet.no


Yes, it will.

Here's a good news article [0] giving context to the report. Quote:

> Director of Digital Services in the Consumer Council, Finn Myrstad, says they will now ask the Norwegian Data Inspectorate [i.e. Datatilsynet] to assess whether Google and Facebook violate the new Privacy Policy (GDPR) that has entered into force in the EU.

Furthermore:

> The operation is coordinated with 23 European sister organizations in 16 countries. Of these, the Consumer Council states that 12 organizations will deliver letters to their respective data surveillance. At least six American consumer organizations are also behind the report.

[0] https://nrkbeta.no/2018/06/27/facebook-og-google-manipulerer...


Without decentralization and alternatives, criticism is toothless hand-wringing.

Google and Facebook have developed this extremely invasive dystopic surveillance model and they are not going to abandon it. It's for users to abandon them.

SV and the entire culture is operating in a moral vacuum, and everyone here knows it. All the talk about freedom and liberty has been exposed as posturing and what we have instead are the biggest sellouts in history.


You can do something to make a real difference. First contact the data controller, e.g. Facebook, Google or any company which doesn't respect your privacy and rights, and tell them to stop. If they refuse to take action then contact your national data authority and they will investigate it for you. https://ec.europa.eu/info/law/law-topic/data-protection/refo....

Direct link to contact details: https://ec.europa.eu/commission/sites/beta-political/files/n...


I would pay money to have someone clean up my data online since I live in a GDPR country.

I have this weird conspiracy in my brain that big IT companies are just fronts for what the CIA/NSA/governments need to do to do their job.

I don't think those companies really care about getting your data, but governments do, because governments saw and know that the internet is not something they directly control. Information is power, and it flows beyond the government's reach and proper authority. I don't really understand how those companies work so hard at great extents to get that data at the limit of the law or morality. I don't see how it's not the government doing this for security or economic reasons.

Liberty and freedom of speech are important, but until the internet, governments were able to have their eyes on sensitive tools. Now citizens have access to technologies that can do a lot of things at the speed of light, so in a way, governments are losing control, so it's natural that governments are trying to get back the control they lost.

Of course politically it's not going to please everyone, but I think that the golden age of information sharing is over.

The problem is that escaping data collection will often be seen as ambiguous, politicized or very complicated, so you can't even justify it morally, you have to consent. I'm a little worried because at some point you could have cyber activists that could resort to "cyber-terrorism" to attack companies that do data collection, and show it to the public. Sending users their own data would be one way to stain the image of those companies. Ironically, terrorism justified data collection.

I don't think people realize how they are controlling their flow of thought and what they say when they know it can be heard. How many times I thought about what I was writing, knowing its trace could land somewhere that could have consequence on my image.


I'm shocked! I just assume hostility and act accordingly. Ublock origin and tampermonkey scripts at anyone who bypasses it. Cookie autodelete to remove tracking cookies every 3 seconds. Canvasblocker against fingerprinting.

Honestly this is how the internet makes money and I can't even be mad. Asking Facebook to respect privacy is like asking a drug dealer to find legal employment. Just don't do drugs!


On the one hand it is good to deny them explicit permission. On the other hand I am 100% certain that Facebook is still tracking every single data point of every single EU user. They are not scared of breaking the law.


Yes. Yes. Yes.

Dark patterns ought to be illegal: They exploit the innate weaknesses of human perception and cognition to get human beings unwittingly to do things they otherwise don't want to do.


We already have functional laws against misleading (not just obvious lies) advertisements, so it should be no stretch to have similar ones for misleading instructions.


In contrast, Twitter's was well thought out and simple


Bloomberg is also surprisingly bad. I naively expected them to have more integrity.

Their consent page (linked from The Recycling Game story a few slots above this on HN right now) has a huge "Accept and Continue" button and a much smaller "More Information" link. The really bad thing IMO is each section has a switch with options Out and In, with a black/white slider on a black background. Not only is it unclear what Out and In mean here, it's unclear which of black or white means selected.

That's bad enough I'm actually tempted to write to their GC.


Just noticed how chrome is giving me a notification to close all my incognito tabs (all one or two of them)


As porn (or "shopping for surprise gifts" for a more PR-friendly example) is a common use case for those, it makes sense to get a reminder to also close the tabs.


Couldn't find where I can change my GDPR settings in Facebook. Can someone send me a link?


Let's hope it goes to more EU consumer associations


Another reason to stay in Apple ecosystem.


This is how you get it for free

