Hacker News
Dark Patterns: Past, Present, and Future (acm.org)
130 points by randomwalker 4 days ago | 32 comments

A/B testing is the worst. I'm always on the bleeding edge of products I use and extremely tolerant about changes and regressions–to the point the browser I am using crashes every couple of hours, likely due to a longstanding threading issue–but I just cannot stand constant A/B changes. If you change the font of your website even once, I will know. If you tweak the spacing of some elements, I will know. If you change a color slightly, I will know. Even if you pretend like nothing changed at all, I can tell and it drives me out of my mind because something seems "off" and I must find what it is. I spent half an hour once searching for why Hacker News's text area font seemed to have randomly changed from Courier to Menlo before emailing 'dang in desperation to figure out what was different (turns out it was a new lang="en" attribute). Please, don't change things randomly and silently.

I understand the frustration, but A/B testing is one of the more objective tools we have at our disposal.

While there are good arguments against A/B testing UI changes and doing p-hacking, much of the modern web's current UX and UI improvements are in part due to this. How else would we truly know what affects users on a broad scale?

In theory, yes, A/B testing sounds great. However, whenever I see it implemented it invariably becomes some sort of annealing process for a metric that doesn't actually make the site more pleasant for end users ("engagement", usually) and you have people shipping apps with seven different UIs in them and users who are accustomed to features moving around and disappearing completely unpredictably. As I was searching for a picture of "Courier" Google gave me a completely different "cards" UI that went back to how it was before when I searched "Menlo". My last couple weeks with Slack on iOS have been a nightmare as it constantly switches between its fairly decent UI and some new abomination depending on which workspace I'm in and the phase of the moon. It seems like nobody really knows how to do A/B testing properly. (Perhaps the companies that do are doing it in such a way that I cannot notice. But there is ample evidence of a lot of products where I can.)

Much of this could be legislated away.

The cost would be "creativity" but consider the gains.

Think of a database where there are no rules for how data is entered, no formats, no validation, nothing. Sure, it allows maximum creativity for the input but its value as a source of information can actually be less than if strict rules were enforced.

The web is largely unstructured data precisely because there are few if any rules for input. This makes it extremely difficult to manage as an information source. Few companies, let alone individual users, can even attempt to wrangle it into something useful. Every website is potentially "unique" in so many ways.

Even something as simple as a uniform, standard web form for e-commerce could be a vast improvement. No more differences between ordering from Amazon versus everywhere else. With a standard format for collecting payment information that does not vary from merchant to merchant, there could be significant gains. Predictability. Easier to design intercompatibility.

As always, feel free to shoot this idea down. "It will never work because ...." or "That already exists..."

However no one can deny there are huge problems with the haphazard way things are done today. Complaints about such things form a large part of each day's HN commentary.

Sometimes creativity is not the best thing. Certainly it is unrestrained "creativity" that allows many "dark patterns" to exist.

I agree with the intention... But!

Such a system would become so inherently complex, because even in things as simple as "e-commerce" there is so much variation in how the whole purchasing experience works.

It would start by supporting only a few "mainstream" business models, then growing more and more complex to handle all the different sorts of shops (bulk discounts? split payment methods? multiple destinations? group buy? subscriptions?) to the point where it would become basically as complex as the Web.

Just look at the Web, becoming more complex as to be basically its own operating system running inside an operating system.

There's no need for a law that specifically allows or disallows implementations of things. There just needs to be a legal body that allows someone to refer a website to an adjudicator if they believe it's using a dark pattern, and a significant fine if the adjudicator finds that they are. Let each case be judged on its own merit.

Occasionally the adjudicator could publish a guide for "Things we're always going to say are dark patterns" to make it a bit easier to avoid getting fined.

That would be a lot of work for an adjudicator considering how many websites and how many offended users. How many adjudicators would we need?

What if the large companies with lots of cash can just pay the fines without impairment to their business? What if they just keep repeat offending?

In paying the fines would this mean websites would have to be more transparent regarding who is behind each website? This is assuming they will be paying in real currency (not cryptocurrency).

Who will bank the money received from the fines and how will that money be used?

> What if the large companies with lots of cash can just pay the fines without impairment to their business? What if they just keep repeat offending?

The ban could be a percentage of revenue. For persistent offenders their DNS entries could be banned.

> Who will bank the money received from the fines and how will that money be used?

The money raised from fines would pay for the service. Anything left over would be paid to me. :)

Those adjudicators might try to milk the system. There might not be anything left over!

OK, now ignore the one example I gave and consider what if a law addressed known dark patterns that we see in online forms. What if there were fines per infringement associated with doing the things we know are dark patterns? Too complex? Please explain.

As for the OS inside an OS comment, I think that relates to today's corporate web browsers not the web. Those programs can definitely take over a computer -- they do much more than "browse" the web. I think of the web though as web servers and the content they serve. The HTML pages on one server may be hyperlinked to pages on other servers and that linkage may resemble a "web". The web is not the functional equivalent of an OS, but those corporate browsers might be. The web is more like files, e.g., documents and scripts. File servers with documents that hyperlink to documents on other file servers. That is why we say "access the web". The browser is not the web, it is a program we use to access the web.

> Much of this could be legislated away.

Until they find ways of getting around it.

For example - what if instead of having a "cookie", you just trained an AI model on a person, to later be recognized by inference?

I think it will be like tax law.

This stuck out to me the most:

>The authors seem genuinely surprised by recent developments and have distanced themselves from dark patterns

Time and again, people just refuse to accept that there are unintended consequences to their well-intentioned actions. There's a reason knowledge like this is often referred to as a Pandora's box, and it seems like not many people really take those old fables to heart. Like, it had never once entered into these people's minds that these might get warped given a perverse set of incentives? "They were so preoccupied with whether or not they could, they didn't stop to think if they should."

A related question came up in Andrew Przybylski's 2019 GDC talk about the science of gaming addiction. https://www.youtube.com/watch?v=vVwu4RDChsY

Q&A from 49:30 and at 59:30 are relevant. Someone asked about the responsibility of those who looked into these kinds of things; and about "if we have facts about addiction the bad people will use them".

Przybylski argued that it's better to have the facts about how people behave, rather than act based on opinion.

I wish people would take it to its natural conclusion, though. That is, if you have facts about how people behave, and then your product creates pathological behavior, then you're fully responsible for it because you've done it on purpose. This particularly applies to all the Skinner-box "games" that are so popular in the mobile scene these days. They're purposefully optimized to be as addicting as possible, so their authors should be made to face consequences of all the problems caused by the addiction of their players.

Honestly, this doesn't even point out some of the worst dark patterns. In the US, it's become ubiquitous to no longer even ask to send you spam: if I understand correctly, the legal justification is that they put the email consent in the Terms of Use (which are "conveniently" "consented to" by a non-optional, pre-checked checkbox).

When I get subscribed to any mailing list I didn't explicitly opt-in to I just mark them as spam (which it is) on GMail and move on.

Enough of us doing this and I guess they'll get the message.

I don't think this is a good idea, for two reasons:

They push the responsibility of getting rid of unwanted stuff in our mailboxes to us. It's not a single company doing this, but most of them. That's sometimes dozens of emails a week! We shouldn't waste our time reading, parsing and fighting the unsubscribe forms - many times fortified with cookie-consent walls!

The average internet user will not do that anyway, so the spammers rely on users' laziness and dulled senses, just like ad blindness, so they slowly start to accept this sick situation as the new normal. For us it becomes the new normal. For our children - the only normal.

That doesn't work and it really can't work. If you order from foo.com, you want to receive the receipt, but you don't want to receive "Top ten deals of the summer from foo.com". But these come from the same email address, from the same server, etc. Maybe AI filtering will get good enough to deal with this stuff reliably in the future, but right now, it seems like we're stuck with it.

The reality here is that the free market rewards this awful behavior, so it won't be solved until regulation is applied.

It's particularly annoying because the spammers are not only causing trouble in their own right but also motivating an overreaction from major mail services in response.

From the sending side, I have one business right now where our outgoing emails are apparently being blocked or even silently dropped by at least three ISPs spread across two different continents. We have never sent anything even remotely spammy in our entire trading history. We have all the usual shouldn't-be-needed-but-are extras like SPF properly configured. The sending mail server hasn't found its way onto any of the big blacklists as far as we can tell. And the mails being blocked are actually quite important things like password reset requests, emails with copies of documentation that we are legally required to send attached, or even replies to customers contacting us to ask where their password reset emails are when they've been requesting them!

From the receiving side, I'm fed up with helping friends and family who are trying to work out why they aren't getting important messages, and with the ISPs who have screwed up their mail configuration or deliberately set up overly aggressive anti-spam policies but then have front-line support drones who just intone that you should check your junk mail folder as an instinctive reaction to any complaint about missing mail.

I think that with email now effectively being both the effective root password to so many online accounts and the primary means of communication between a lot of people and organisations with genuine reasons to contact them, the medium of email needs the same kinds of legal safeguards that other essential means of communications like postal mail have enjoyed for a long time. I don't think it should be left to big name mail services or some random ISP to decide whether or not their users are going to receive legitimate emails any more. Blocking false positives is far more damaging than missing false negatives when it comes to spam, and the situation is out of control. It's time to regulate.

Can't you pay Google to let your spam/ads through?

I would doubt this. I work for a large email service provider and we do lots of work to fight spam on our system. We also do lots of work with the Gmail folks (at least, we have in the past -- pretty sure we were the first ESP to use delivery feedback loops with them). We were never offered a "pay to play" thing. Instead, it was just them doing their best to fight spam and us doing our best to fight spam.

Or even worse, financial companies can reset your "opt-out" of data sharing/selling/etc by sending you a new agreement/change of terms/etc. Every time you get a ream of paper from your credit card company, there is a single sheet of paper with information to opt-out of data sharing/selling/etc. You have to mail that form or call the number to opt-out every single time they send you that massive ream of paper. And since it is opt-out rather than opt-in, if you don't explicitly opt-out within 30 days or so, you are automatically enrolled in their data collection program.

The subscriber stuff is the worst. I unsubscribe from a marketing list and a month later the emails are back under a different name. They just create a new marketing category so you have to unsubscribe again.

If you reply in order to "unsubscribe" doesn't this provide the spammer with "email validation", i.e., they know it is a working address and someone is reading the mail sent to it?

Well, there are two categories of spam worth talking about:

1. Spam from people who are just brute-forcing the space of possible email addresses. In this case, yes, clicking unsubscribe gives them information. But I will say, this spam is generally pretty well taken care of by existing spam filters, so personally I'm not concerned about this.

2. Spam from people who got your email address via some interaction. Maybe you bought something from them, for example. This sort of spam, they already have your email address and know it works. The upside here is that if you've made a purchase from them, it's much harder for them to avoid regulation due to the money trail, so if you unsubscribe, they have to actually unsubscribe you. There are loopholes in regulation, however.

What happens when a user creates an email address just for a single purpose, e.g., making a single purchase, then she never uses the email address again?

How strong is the assumption that all users have only one email address and will keep that address long-term? I remember hearing that one could keep getting AWS free trials simply by signing up with a new email address.

A lot (the majority?) of email clients load remote images by default, so just viewing the email may provide validation.

In Apple Mail, even if you turn it off it will happily load the remote images if you try to forward the email.

I found this particularly troublesome when I wanted to forward a phishing attempt to IT, and Little Snitch showed Mail trying to connect to the phishing site.

(This was not on Catalina, maybe it is fixed?)

LinkedIn just reset all my unsubscribed preferences this morning.

Arvind, Arunesh, Marshini and Mihir - thank you for this article, it's very informative and well researched, as evident from the footnotes.

We do need an open discussion in this matter, and actions must be taken as a result of the discussion. While regulators are likely to be pressed by the business to relax the rules, designers and behavioural researchers often don't think about long-term consequences of their choices, so there is a need for a third group there. People who see through the tricks and can recognise dark patterns.

The problem has become so prevalent that even tech-savvy folk sometimes get tricked into giving up bits of their private data. Where does that leave the average consumer? It's evidently exploiting the fact that physically people just don't have the time and expertise to parse and understand what is being forced upon them.

As for Dark-Patterns-As-A-Service companies, there must be a way to detect and block their software using browser plugins. Isn't this effectively malware?

Email can be fixed only gradually. There is no way the world will stop using it and move overnight to something else, no matter how great. As a related topic, I propose a dedicated footer field to put an end to emails containing two sentences and several meters of logos, badges, ads! and legal notes, which clutter our email threads and JIRAs. There is substantial potential in cutting down mental effort and IT resources necessary to process and store it.

Most malware today is not aimed to destroy local data, but rather to exfiltrate it. Instead of bloated antivirus software a more effective and lightweight solution is curated hosts files. No need to rely on external DNS, which can be hijacked. I'm working on an Electron-based desktop tool that does just that.

Another dark pattern I discovered on ala.co.uk, a popular GAP insurer in the UK. Their Get A Quote page is silently siphoning data from a complex form which triggers sending the whole form on field change, before you press Send. Beware of auto-filling by the browser!

And there is that: https://techcrunch.com/2020/05/06/no-cookie-consent-walls-an... Legislation vs clear guidelines and enforcement.

I guess the strategy is to wear us down with nagging, nudging and whatnot to make a mistake, and once our data is out, there is no reversing it.

One of the recent dark patterns is what the current US administration has employed. Taking the issues, however minor, from the fringe, bringing those issues to the mainstream, turning the fringe believers into supporters.

The countdown pattern reminds me of shopping television's "but call within the next fifteen minutes to receive a second FREE product!"

The countdown pattern is useful if you consider it a flag to indicate the site is sketchy. Especially if you go back to the site later and the countdown has changed... (as in the time that it will elapse has changed)
