> In digital services, design of user interfaces is in many ways even more important than the words used ... Dark patterns are considered ethically problematic, because they mislead users into making choices that are not in their interest, and deprive them of their agency.
> This is particularly problematic given the power imbalances and information asymmetries that already exist between many service providers and their users ... a suspicion that tampering with default settings might remove important functionality, may affect the tendency to leave default settings alone.
> ... information asymmetry in many digital services becomes particularly large because most users cannot accurately ascertain the risks of exposing their privacy. If a user is asked to trade their personal data for a short-term financial benefit, such as a discount, the actual cost of the trade-off is difficult to grasp. In this case, the short-term gain (discount) is tangible and immediate, while the potential loss (privacy) is long term.
Everyone: even if you skim the rest of the article (mind, it's ALL worth reading), scroll to the last few pages and LOOK at those.
They're color-coded by ease of flow (and yes, a definition of that was selected and clearly explained).
I'm excited by this because I feel that often when we talk about Dark Patterns, conversations often devolve into a "both-sides"-ism pattern -- something which is as useless in UX discussion as it is in politics. These clear visualizations and starkly color-coded call-outs of flows that add extra work make it easy to compare flows, and point out ones which are obviously arcane.
But the very first chart in the PDF is troublesome because of negative language.
For example, "No privacy intrusive default settings in popups."
Does the X on Facebook mean "There are no privacy intrusive default settings in popups" or "There are privacy intrusive default settings in popups."
Double negatives are difficult; especially for non-native English speakers.
It's like when you see someone on HN write "it's not non-trivial." Just say if it's easy or hard. Don't bury yourself in confusing jargon.
> As the screenshots below illustrate, the Facebook GDPR popup requires users to go into “Manage data settings” to turn off ads based on data from third parties. If the user simply clicks “Accept and continue”, the setting is automatically turned on. This is not privacy by default.
Beautiful! A minimal demonstration of a clear violation of the principle of data protection by default (article 25 of the GDPR).
It will be really hard to talk oneself out of this one.
The entry point was an email claiming you have to "read and accept the updated policies in order to continue using the site". And the first thing you're presented with was that two-choice "Manage data settings" / "Accept and continue", implying for the user who is less than extremely careful that if you don't "Accept and continue", you won't be able to use the site anymore.
It's only after that modal that you're presented with the updated T&Cs which you indeed need to either accept or delete your account.
And of course all the various things people have noted:
- A red dot in the fake-header to make you think you have pending notifications
- A complete disregard for "privacy by default"
All this right after Mark testified in congress saying "no we used to be bad and we made mistakes but now we really care, you see".
For a site that despises transparency, Facebook has never been so transparent about how little it gives a crap about its users.
I have some friends working at Facebook who will probably read this and be upset I think so little of their place of work. Folks, I have a huge respect for some of the excellent work that goes on at Facebook, especially in open source. But that doesn't change how scummy the core site itself is.
Think less of them.
Edit: Also, that's not what "explicitly" means. I think you meant "implicitly".
People quit Google over the military project because they didn’t agree with it. I don’t think it’s crazy to do the same over Facebook's disgusting manipulation of their user base.
There's a lot of FB employees on HN and I wager a lot of them know how scummy their employer is. Yes, many are staying for the paycheck (and because leaving a job isn't an easy thing for everyone), but I know several who are staying because they feel that their position is where they can produce the most good for the world.
Similarly, I know many people in politics who despise who/what they work for, but keep at it because that is where they can make a difference.
It doesn't always work. But it also doesn't make me think less of them. At least of the ones who aren't staying because of the $.
For the users, Facebook is just a means of communication, among many others. If it disappeared tomorrow 10 different platforms would replace it and the level of goodness in the world might even increase.
Doing good is probably the lamest, least truthful excuse for working at Facebook, goes to show how self-deluded people can be.
Do you think Facebook is a net positive for the world? Borderline, or overwhelmingly?
To be clear, I'm not asking whether some people get net benefit out of it, I'm talking about the net overall effect on society and the individuals within it.
Personally, I believe it is causing tremendous psychological damage, and that anyone that works there is a contributor to that end.
Sticking to the "net positive / net negative" terms, imagine Facebook contributes a number of positive / negative points to the world. Now the sum can be a net negative, but that doesn't mean some line items aren't positives.
Where do you work? Is your company flawless? Are you a contributor to every single one of its misdeeds merely because you work there? This isn't an easy thing to answer for everyone. I think it's certainly a question more Facebook employees should ask themselves though.
It is far from the most extreme of social changes that have occurred in history to suggest people stop using a particular company's tools.
The Nuremberg defence is widely regarded as invalid.
No, working at Facebook is the modern day corporate equivalent of the banality of evil.
Unless you genuinely think Facebook is doing good, take some fucking responsibility and rethink _your_ view on life.
* The projects directly help their business operations; those engineers might be doing the same work, anyway, even if Facebook were zealously closed source.
* Open source work gives the company image a boost in the minds of potential employees. This expands the labor pool, reducing the wages FB needs to pay, and helps give FB access to talent it otherwise simply could not have. In this case, hiring engineers to work on open source projects is little more than a PR campaign targeted at people like you and me--and it's clearly working on you.
The "good deeds" of their open source work are entirely accidental; the whole point of employing engineers to work on open source libraries is to help their business, which is inherently exploitative.
I agree with lancewiggs: by working at Facebook, your friends are aiding and abetting one of the most unethical and socially-dangerous companies in modern times. Think less of them.
> Think less of them.
Given their explicit support of scummy actions and not humanity, do you feel Facebook employees should be punched, in the defence of humanity?
That's a horrible metric to apply measuring 'human worth', whatever that is. Humans are by default wired to do what everyone else is doing. Just using Facebook because everyone else is doing it as well is what humans do. They flock to the communities and forums where the action is. They cannot comprehend graph theory intuitively and what power Facebook potentially wields in interfering in their lives.
Governments are supposed to protect people from threats the masses cannot comprehend. For example, taking care of vaccinations.
Privacy for him and his family, that is.
I don't get it though, if companies are so scared of being fined 4% of revenue that they put up these banners, aren't they inviting the worse end of the punishment scale by trying to weasel around the law rather than just ignoring it completely?
About half are on "allowed" by default. If you want to disallow, you have to select each entry individually.
The other half only specify "requires opt-out", apparently imgur expects you to contact some third party to do so.
How on earth they expect to weasel around the law with this ham-fisted approach is beyond me.
They reckon, perhaps correctly, that almost all websites weasel around the law and only very few of them will ever be fined.
Privacy activists will go after the big fish first and there will be time for the small sites to correct course once it becomes clear what is and isn't permitted.
Due to this assholeness, I null routed them at router level in my house, and at my work.
I would absolutely not expect good behaviour from them with respect to advertising, including but not limited to tracking.
That site was the final bale of hay that had me install ad blocking measures at the network level. Too often their advertising partners would attempt pop-ups, drive-by installs, gaining access to microphones, and other arse-hole-ery.
For myself I can just stop going there, but there are others in the household that wouldn't have done so, and I didn't want the job of cleaning their machines if something did get in. Of course my other option is to add imgur.com itself to a malicious sites list so it'll be blocked completely at the network level...
One of the better things is, though I don't want to advocate the behavior of auto opt-in at all, that most of these sites are at least using something like TRUSTe or Oath, where you only have to disable hundreds of marketing services once and are done with all the sites which are using the same service for cookie consent.
It's against the law to make the options opt-out, but these companies are still trying hard not to obey the law; it's really comical.
This is the most blatant malcompliance with GDPR IMO, when will data protection authorities start fining FB?
The GDPR fans on HN have said over and over again that GDPR wouldn't result in instant fines, that companies would be given a warning and an opportunity to make changes. We'll soon find out if that's true or not.
Well, it has something to do with acting in good faith too. Not respecting GDPR because of an oversight or even laziness is likely to be met with warnings.
But blatantly violating it on purpose (this is no question: these companies have specifically claimed they implemented these obviously non-compliant processes because of GDPR) should not warrant any goodwill on the part of authorities.
The point of “no instant fines” is to give companies a chance to change and develop their GDPR systems. If those systems are both complete, and in violation, why shouldn’t they be fined?
That is yet to be determined by the regulator and the courts. Facebook has made their changes. Now someone will complain to the regulator. Then the regulator will make a determination and maybe ask Facebook to make further changes. Then Facebook has another opportunity to comply. If they refuse to make those changes they will get fined and can go to court to fight the regulator's decision.
At least that is my understanding of how this system works.
But there's a deeper reason why the EU fining Facebook would be a deep demonstration of malaise, incompetence and greed. From the report:
Research has shown that most users will never look at, let alone change, the
That's right, and you know why? Because users don't care and never did. This entire privacy crusade is made up out of whole cloth, by the EU, to obtain power and money. These foolish governments constantly demand more and more controls, consent agreements and so on and the users constantly don't use those new controls and always consent because they were perfectly fine to begin with.
There are no dark patterns. There are no evil conspiracies. There are only users, who enjoy broadcasting every detail of their lives to their friends and sometimes the world.
FB is being malicious, same as always. Hopefully they'll get smashed by the fine when they continue to resist the law.
Agreeing to something by tapping anywhere on the site doesn't sound enforceable...
I'm reasonably sure they knew it's a violation. So it feels like they're either prepared to fight over it, or testing the ground to see what the consequences are... After all, I would have guessed that they're in for major losses in ad revenue if most people sign out. So it's worth almost any risk.
On one hand, I agree that these "dark patterns" undermine what legislators and voters want in terms of consumer protections and rights. Consumers and legislators need to be aware of it.
On the other, I think it leads to a banal conclusion. Legislation tried to achieve something by putting responsibilities/restrictions on corporations. It did not achieve its goals, because companies "implementing" the law have different things they want to achieve.
One common sense conclusion is "moral failings." I expect most journalists and legislators referring to this report will be in this category. Google is greedy. FB is cynical. Nowhere to go from here but moral righteousness.
Another common conclusion will be "loopholes." This will send us down the legislative rabbit warren that financial regulation and tax law has been down.
The right (imo) conclusion is that the whole approach is wrong. We cannot rely on explicit (or even implicit) contracts between a website and every person who visits it.
There must be rules, not contracts. Where users need control or an agreement has to be made, these need to be baked into browsers, where the party implementing "user empowerment" are not the ones losing from it.
Moving to a world where an average consumer "signs" multiple agreements with companies per day.. that's not what our legal conventions were made for.
This means that if European privacy regulators agree that this approach does not in fact mean that users consented, then Facebook/Google/Microsoft may be violating the GDPR.
I think this is where, at least in theory, the GDPR is a major step forward: it has clear instructions on how information should be presented to users. Now we have to see if that theory actually becomes reality.
I've had this argument a couple of times and I think it comes down to the semantics, though legal and legislative semantics are a little richer than most.
What I mean is that GDPR makes its intentions quite clear, but that's not how the legal system parses laws. What the consequences of GDPR are, in terms of practice, is (1) all website visitors must sign a contract with the site owners (2) there are now some conventions and controls governing these contracts (3) the contracts empower the website owner to do most (not all) of what they could do before GDPR.
GDPR does quasi-explicitly force website operators to provide an "I don't agree" option. There are two potential ambiguities that could nullify this: (1) the exceptions in GDPR are ambiguous enough that all sites/services can claim them (2) dark patterns described in this paper make it so that a majority of users consent anyway.
IMO, considering "click here to agree and continue to the article" a valid consent is ridiculous. Contracts work when they are rare. We cannot solve this consent problem this way.
The 'click here to agree and continue to the article' is a problem in the context of the GDPR because consent has to be given freely and cannot be a requirement to obtain a service.
That's a big departure from the cookie law, where this kind of forced consent is allowed.
2) these dark patterns are illegal, and they are illegal just because they do "force" users to consent
If this is what we think the law has become, we're screwed. Not just on privacy or dark patterns but generally.
I think you are missing a small, but crucial, step. We haven't yet seen how much effort will go into enforcement of those responsibilities and how many major fines result. I still have (probably extremely naïve) hope to see some $1bn+ fines, and soon. Then repeat for each follow-up attempt to evade the law. Presumably to Facebook for the "show trial" as they always seem the most egregious offender on clear privacy choices. As so nicely demonstrated by the pattern flowcharts here.
Then companies might interpret the law as something they must obey rather than deciding if they align with corporate goals before opting in.
Yes! This is the right way. Unfortunately it also looks like it's going to be really, really hard, because the platform did not evolve with this foresight.
I remember when this happened - I was so pissed off that I made an add-on called "fuck quora" that will simply reset their cookies to have unlimited reading possible without signing in. Will be happy to open source if the need be :)
Quora results are mostly saturated with thinly veiled spam now anyway.
how to use quora for traffic
how to use quora for marketing
how to use quora for SEO
The "hack" is well known and incredibly over exploited.
I got very pissed off at Quora for the same reason, and made an account just to read (knowing full well they'd use it for profiling).
> ... instantly all memory of the consent obtained will be forgotten. There is no way back. That ‘click’ of your mouse (or tap of the finger) was the ratchet advancing one little step. Good luck finding the permission you have just about irrevocably changed in a mountain of convolution designed to lead you astray in your quest to undo your action. Of course it would be trivial to have a log of recently given permissions and an ‘undo’ option for each of those. But there is no money in there and so you won’t find it. The ratchet has clicked and that’s all that matters, you ‘gave your consent’, time to move on. And so the company gets to claim that not only did you give your consent, you gave it willingly and obviously they would have never ever used your data without that consent.
This twitter-account includes many screenshots for illustration: https://twitter.com/darkpatterns
Edited to mention: the Hall of Shame seems to be down.
It should be clear to anyone paying attention that current business models to sustainably support journalism have failed, and we are approaching (or have already reached) a point where only low-effort 'clickbait' and recycled AP content is profitable.
The last thing the media wants is to be held to the same rules and standards of the tech firms though. They needn't worry however. The law will not be applied consistently.
As far as pre-ticked boxes are concerned, they do not signify consent, effectively taking the legal base for processing PII in many cases. It's a bit more ambiguous in the actual law: "It shall be as easy to withdraw as to give consent." If consenting can be as easy as clicking the "I agree, have my soul" button, withdrawing consent must not require clicking through dozens of checkboxes and should be just as easy.
Recital 31, Sentence 3: "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." https://gdpr-info.eu/recitals/no-32/
Article 6 (1) "Processing shall be lawful only if [...]" https://gdpr-info.eu/art-6-gdpr/
Article 7 (3) Sentence 4 https://gdpr-info.eu/art-7-gdpr/
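As an added illustration of the two rules quoted above (nothing pre-ticked, and withdrawing as easy as giving consent), applied to the one-click "Accept and continue" versus "Manage data settings" flow described earlier in the thread, here is a small audit script. It is not code from the thread or the report; the flow models, screen ids and toggle names are constructed for the example.

```javascript
// Added example, not code from the thread or the report. A consent flow is
// modelled as a graph of screens; each screen carries pre-set toggles and
// buttons that either go to another screen or end the flow with a final set
// of data-use settings. Both flows below are constructed for illustration.

// Flow shaped like the Facebook popup discussed in the thread: one-click
// acceptance, opt-out buried behind "Manage data settings", toggles pre-set on.
const facebookLikeFlow = {
  start: "policy_update",
  screens: {
    policy_update: { toggles: {}, buttons: [
      { label: "Accept and continue", outcome: { adsFromThirdParties: true, faceRecognition: true } },
      { label: "Manage data settings", goto: "manage" } ] },
    manage: { toggles: { adsFromThirdParties: true }, buttons: [{ label: "Next", goto: "face_recognition" }] },
    face_recognition: { toggles: { faceRecognition: true }, buttons: [{ label: "Next", goto: "terms" }] },
    // "current": the final settings are whatever the toggles were left at
    terms: { toggles: {}, buttons: [{ label: "I accept", outcome: "current" }] },
  },
};

// Privacy-by-default counterpart: refusing costs the same as accepting and
// every toggle starts in the "off" position.
const compliantFlow = {
  start: "choice",
  screens: {
    choice: { toggles: {}, buttons: [
      { label: "Accept all", outcome: { adsFromThirdParties: true, faceRecognition: true } },
      { label: "Reject all", outcome: { adsFromThirdParties: false, faceRecognition: false } },
      { label: "Customise", goto: "custom" } ] },
    custom: { toggles: { adsFromThirdParties: false, faceRecognition: false },
              buttons: [{ label: "Save", outcome: "current" }] },
  },
};

// Minimum number of user actions (button presses plus toggle flips) needed
// to finish the flow with every key of `target` set as requested; Infinity
// if no path gets there. Every keep/flip choice on each screen is explored,
// which is fine for dialogs of this size.
function minClicks(flow, target, maxDepth = 20) {
  const keys = Object.keys(target);
  let best = Infinity;
  function visit(screenId, settings, clicks, depth) {
    if (depth > maxDepth) return;           // guard against cyclic models
    const screen = flow.screens[screenId];
    const toggles = Object.entries(screen.toggles);
    for (let mask = 0; mask < (1 << toggles.length); mask++) {
      const s = { ...settings };
      let flips = 0;
      toggles.forEach(([key, preset], i) => {
        const flip = (mask >> i) & 1;
        s[key] = flip ? !preset : preset;
        flips += flip;
      });
      for (const b of screen.buttons) {
        const spent = clicks + flips + 1;   // +1 for pressing the button
        if (b.goto) {
          visit(b.goto, s, spent, depth + 1);
        } else {
          const final = b.outcome === "current" ? s : { ...s, ...b.outcome };
          if (keys.every((k) => final[k] === target[k])) best = Math.min(best, spent);
        }
      }
    }
  }
  visit(flow.start, {}, 0, 0);
  return best;
}

// Two checks drawn from the consent rules: nothing may be pre-ticked, and
// withdrawing (refusing everything) must be as easy as giving consent.
function auditFlow(flow) {
  const allOn = {}, allOff = {}, presetOn = [];
  for (const [id, screen] of Object.entries(flow.screens)) {
    for (const [key, preset] of Object.entries(screen.toggles)) {
      allOn[key] = true;
      allOff[key] = false;
      if (preset) presetOn.push(`${id}.${key}`);
    }
  }
  const clicksToConsent = minClicks(flow, allOn);
  const clicksToRefuse = minClicks(flow, allOff);
  return {
    presetOn,                                  // non-empty: not privacy by default
    clicksToConsent,
    clicksToRefuse,
    refusalHarder: clicksToRefuse > clicksToConsent,
  };
}

console.log(auditFlow(facebookLikeFlow));
console.log(auditFlow(compliantFlow));
```

For the Facebook-shaped model the audit reports one click to consent and six to refuse, with two toggles pre-set on; the counterpart reports one click either way and nothing pre-set.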
This isn't happening because websites are falling over themselves to comply with GDPR. This is the case because websites explicitly want to make opting out as difficult as possible. Somehow a large portion of web content creators have gone astray and confused locking users in a metaphorical room against their will with "consent".
I really want to get rid of all the cookies/GDPR popups.
If I can't do that on mobile in under a minute I simply close the website. So far nothing of value has really been lost.
FB really does not want to make it easy for you to quickly change all your settings.
I tried to call them about it a month ago and they hung up on me. The one computer in my house running windows is still blocked with this popup.
They won't sell it to you. I asked about it at a Microsoft store and they had no way of selling it to me.
All my important machines run operating systems that do not have spyware built-in.
First of all, Windows 10 is constantly stealing your personal info. To an extent not even possible to a website like Facebook since websites don't have direct access to your hardware. Some of the things they collect are:
- User contacts
- Calendar data
- Location data
- Keyboard input (keylogger)
- Microphone input (wiretap)
- Local files
- Installed programs
- How long you interact with programs
- Browser history
Have you ever read their 45 page policy document? It's chock full of goodies like:
>“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to.”
Fun. If you want to disable this, you have to go through 13 pages of settings in the general settings menu, disable settings through their dumb cortana thing, go to an external website to disable more settings and sign up for a Microsoft account (which requires giving Microsoft your phone number). And these preferences can be magically reset by Microsoft whenever they feel like it.
>3. This is the crucial one, and so fundamental to Windows 10’s tracking that Microsoft have stuck the setting on an external website, which they say is so that it’s on one easy dashboard, but I find it hard not to wonder if it’s in the hope that we don’t easily stumble across it while browsing Windows 10’s own Privacy menus. Said website is colourful and cheerful and can play a video at you talking about how wonderful targeted advertising is. Ignore the bumf and instead go directly here and set both options to Off. It’s the innocuous-sounding “Personalised ads wherever I use my Microsoft account” which is the likely root of all this, because having that on means Windows 10 itself becomes a hub for targeted ads. You’ll probably have set up Windows 10 with a Microsoft account, because it heavily encourages you to do so with talk of synchronised files and settings and a OneDrive cloud account during installation, but this means the OS is signed into that account all the time. As a result, Windows 10 itself has its spyglasses on, not just apps or pages that you’re signed into with your MS account. I notice that every time I go back to that page, the “Personalised ads in this browser” setting has silently turned itself back on again. This is concerning.
Oh yeah, and updates can completely reset these settings, making all that effort pointless.
>Recently, a very big update to Windows 10 was released, which brought with it some nice improvements. But what was not publicized in Microsoft’s fanfare was that the update very quietly reset your privacy settings, and reset the default apps back to Windows Store apps. Gee thanks Redmond.
Anyone who still uses Windows 10 in this day and age is a sucker. And anyone who believes this deluge of green accounts shilling for Microsoft is a double sucker.
3. Chinese IP cameras
Among these, Microsoft is the most scary. Then Google.
They might not be collecting as much as Facebook and Google but god damn they are trying.
A villain doesn't become virtuous just because someone even worse turns up.
The criticism of Microsoft a few decades ago was in relation to Apple, OS/2, BeOS, Linux/BSD/etc. and I'm pretty sure those which still exist are still less villainous than Microsoft. Note that Apple is still villainous, but rather than just extorting their users directly, they prefer to extort everyone via massive tax avoidance.
> Have you paid XX money for a service that doesn’t show ads? Are you happy with it?
I make regular payments to the Free Software Foundation, Open Rights Group, Wikimedia, etc. and am generally happy with what they do. That's not always a direct contribution to the particular software I use, but it does support some things indirectly.
In relation to Microsoft, I hear that they charge money and show ads, and I mostly hear their customers complaining about their software and services rather than praising them. For example, the centralisation of Skype for spying purposes seems to have crippled its throughput; I saw someone struggling with this recently and suggested they try meet.jit.si which turned out to give a far smoother connection (since it's P2P, like Skype used to be).
MS was, and possibly still is, the classical abuser of market position. The kind that age old antitrust laws were written to combat.
They've cancelled one of my flights and "automatically rebooked" me onto a different one. Turns out it wasn't really automatic - scroll down the email and there's a bunch of options with buttons "Click here to login". Because I didn't really accept my new automatic flight booking, I had to pay a €30 check-in fee at the airport.
Still, after the 30 extra, was it still cheaper than a legitimate airline?
The flight wasn't that much of a difference in price, rather than destination. Matter of fact, lately I see premium airlines in Europe win me over ultra cheap ones - same price but better airports, better seats, complimentary coffee and a couple of euros back in alliance rewards.
When I got the popup, I accepted some default settings accidentally. Based on the context of the popup and placement of UI elements, I thought that the "Next" button meant "Proceed to my settings management screen" but in reality it meant "Keep default settings and proceed to Facebook".
Norway seems to actually accept its current political position inside the EU's sphere of influence just fine.
We have to accept all EU rules but we don't have any influence over it. I'd take full membership over that any time but the politicians don't want to risk a 3rd referendum. So we're stuck between the "bark and the wood" as a Norwegian proverb goes.
The current agreements give you the freedom to renegotiate should the need arise. You can't do that when you have full membership.
In either case, changing the relationship with the EU will require negotiation, with the EU in a position of strength due, among other reasons, to the size of the single market and the awful BATNA virtually ensured by the guillotine clauses. However, full EU members looking to leave have a better negotiating position than Switzerland or EEA members.
EEA or EU members can leave any time. But when you leave, you lose access to the single market, and your economy will take a nosedive. If you're not willing to pay the price to leave the single market, you're going to have to follow EU directives and regulations. If you're going to have to follow EU directives and regulations anyway, isn't it better to at least have some say in those promulgations and insist on full EU membership?
So maybe it's better to have no deciding voice but be able to keep all the money.
The people decided in two referendums that they do not want to be in the EU, but the politicians did not accept it and created the EEA/EØS, which basically puts us in the EU in all but name with very limited power to influence what happens there. It was not democratically done.
I am pro EU, but it was the wrong way to do it.
Alas, it should be a democratic choice to join the EU; the vessel which decides how (referendum or parliamentary method) depends entirely on the (to-be) member state.
We shall finish up subject to the full set of EU obligations and privileges, but everyone shall strongly agree that the UK is not part of the EU. No no no. Just in the various unions and so forth, matching all the rules and that sort of thing. Not part of the EU. Nu uh! :)
(The worst case option is the government is too disorganised to agree anything with anyone and we start running out of food, fuel and medicine...)
Here's a good news article giving context to the report. Quote:
> The operation is coordinated with 23 European sister organizations in 16 countries. Of these, the Consumer Council states that 12 organizations will deliver letters to their respective data surveillance. At least six American consumer organizations are also behind the report.
Google and Facebook have developed this extremely invasive dystopic surveillance model and they are not going to abandon it. It's for users to abandon them.
SV and the entire culture is operating in a moral vacuum, and everyone here knows it. All the talk about freedom and liberty has been exposed as posturing and what we have instead are the biggest sellouts in history.
Direct link to contact details: https://ec.europa.eu/commission/sites/beta-political/files/n...
I have this weird conspiracy in my brain that big IT companies are just fronts for what the CIA/NSA/governments need to do to do their job.
I don't think those companies really care about getting your data, but government do, because governments saw and know that the internet is not something they directly control. Information is power, and it flows beyond the government's reach and proper authority. I don't really understand how those companies work so hard at great extents to get that data at the limit of the law or morality. I don't see how it's not the government doing this for security or economic reasons.
Liberty and freedom of speech are important, but until the internet, governments were able to have their eyes on sensitive tools. Now citizens have access to technologies that can do a lot of things at the speed of light, so in a way, governments are losing control, so it's natural that governments are trying to get back the control they lost.
Of course politically it's not going to please everyone, but I think that the golden age of information sharing is over.
The problem is that escaping data collection will often be seen as ambiguous, politicized or very complicated, so you can't even justify it morally; you have to consent. I'm a little worried because at some point you could have cyber activists that could resort to "cyber-terrorism" to attack companies that do data collection, and show it to the public. Sending users their own data would be one way to stain the image of those companies. Ironically, terrorism justified data collection.
I don't think people realize how they are controlling their flow of thought and what they say when they know it can be heard. How many times I thought about what I was writing, knowing its trace could land somewhere that could have consequence on my image.
Honestly this is how the internet makes money and I can't even be mad. Asking Facebook to respect privacy is like asking a drug dealer to find legal employment. Just don't do drugs!
Dark patterns ought to be illegal: They exploit the innate weaknesses of human perception and cognition to get human beings unwittingly to do things they otherwise don't want to do.
Their consent page (linked from The Recycling Game story a few slots above this on HN right now) has a huge "Accept and Continue" button and a much smaller "More Information" link. The really bad thing IMO is each section has a switch with options Out and In, with a black/white slider on a black background. Not only is it unclear what Out and In mean here, it's unclear which of black or white means selected.
That's bad enough I'm actually tempted to write to their GC.