Dark patterns or fraud: Obtaining customer data by deception

Recently I came across a Croatian news website, which seems to use dark patterns to avoid being GDPR compliant. Dark patterns are design tricks that companies use to make us do something we didn’t want to do while browsing products. For example, a pop up window forces us to close it, only for the little x that is meant to make it disappear to open a new page instead. Why do this? Well, there is almost always a purpose. In the case of the pop up window, it is most likely that the website gets paid for advertising, and a click on an advertisement means money. So they trick the user into clicking something on the pop up window.

These practices are extremely annoying for users but can often be more sinister. So I was reading Croatian news recently and came across a website which seems to use dark pattern principles to cheat a user out of their GDPR rights. GDPR stands for General Data Protection Regulation. This regulation gives people more power over what data is collected from them and how it is used. It is mandatory across most of Europe (EU), but many companies worldwide are adopting it because it is an ethical, respectful way of treating customers’ data. Croatia is in the European Union and has to adhere to it.

Typically, this means that a user, when they visit a website, will be alerted to the use of cookies and asked if they are OK with that. Often websites break it down into specific data uses (how the cookies are used for different purposes) and the user can pick the uses they agree with (e.g., agreeing to let the company use it for site improvement but not sharing with others). Most companies seem to be honest and make these choices visually equal for a user, so the two choices, ‘I agree’ and ‘I don’t agree’, are equal in terms of how they appear on the screen and neither choice is trying to influence a decision.

 
Source: pepco.hr


Other companies use a more suggestive format, informing users about cookies and presenting one button that says ‘I agree’. However, a user can easily dismiss the banner by clicking the X and use the site without agreeing to data collection.

 

This is certainly persuasive because it makes the ‘Accept’ button the most appealing and, in haste, users will likely click that button.

 
Source: poslovni.hr


But I saw something even more suggestive.

Here a user is given a pop up with two buttons and no option to dismiss. The black button says “Agree and close” and the greyed out button says “Find out more”. The way these two buttons are designed, a user would rightfully think that their only viable option is the black button, that is, agreeing to cookies, because the other button seems inactive. Apart from that, it is almost invisible, so those who have vision problems may not even notice it.

 

But it is not inactive. You can click it and it will lead to another pop up, yet another state designed to persuade you to accept rather than reject their cookies.

The list on the left explains all the ways of sharing your data. Below, a summary of how this data will be shared with partners is given. They offer a list of data sharing partners (very pale font above the buttons), which they obviously don’t want you to check out because the list is very very very long. All these partners will be getting your data and your data will be used to connect your devices to what you browse, read or do online, in order to target you with specific offers.

Companies often sell your data, making a profit. Data = money.

Many companies would like you to think data collection is for your own good, to improve the experience, but many companies use it for more nefarious purposes. Customer data is lucrative and there are companies that sell data packages based on some quality, such as whether you buy lots of Christmas decorations, handbags, vitamins etc. These packages are based on the data collected about you online. Data from various sites you visit is connected by your IP address and your computer ID. There are companies specializing in connecting data.

 
Source: poslovni.hr


Even on this pop up the ‘I disagree’ button is so pale you can hardly see it. And if you see it, you may think you cannot click it as it is inactive. At least now you can dismiss this pop up without agreeing, as there is an X in the right hand corner. No, you can’t: it leads to the previous pop up, making a loop from which there is no escape.

Source: poslovni.hr


This is likely going to frustrate the user who may, after fighting with it for a bit, admit defeat.

 

Data privacy regulations are awesome and they empower people to have more control over their data, but are they useful when companies are allowed to deceive people into giving the rights to their data, especially if this data is then sold to other companies? And is this a type of fraud? Obtaining data by deception.

Fraud definition: “Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right”.
(Merriam-Webster)

Is this not what is happening here? In this case, users are persuaded to surrender their legal right to data privacy, while the company remains compliant with GDPR specifications. I wonder how many people fall for this technique and how outraged they would be if they found out how their data is used by predatory companies that sell and misuse our data for their gain. Even worse, people can be disadvantaged by the data collected about them. There are cases where customer data collected by the company was used against the customer in court, or led to an arrest. This is why personal data should be used with care, and companies that must abide by the GDPR laws should not be resorting to fraudulent techniques to get customers to part with their rights on data privacy.

Data Privacy and social media: What do social media users think and how do they feel about GDPR?

Data privacy

The internet has changed the way we shop, communicate and socialize. It made the world fit into the screen of our computer and opened avenues of communication that did not exist previously. Social media sites are especially popular. By letting us share photographs, anecdotes and media, they created a new way of communicating with friends and family on a daily basis. They also created a way of advertising services, promoting business and bringing people together based on some shared element (e.g. opinions, likes and dislikes), all of which made the world a smaller place. But living our lives online has also presented some challenges, primarily how the data we share is used and by whom, and how this data is stored and treated by the organisations we trust with it.




What is data privacy? In a nutshell, data privacy concerns the collection and dissemination of personal data. The laws around data privacy and data protection often differ from country to country, therefore the implementation of the General Data Protection Regulation (GDPR) aimed to simplify data protection law for online users by creating a regulation that deals with data protection and privacy within the European Union and the European Economic Area. This regulation also addressed the import of users’ personal data outside this area and aimed to give customers and users more power over their data. One facet of GDPR is about empowering users when it comes to their data: primarily, it regulates the disclosure of data collection, its retention and use, and whether the users’ data is shared with third parties or outside the area of jurisdiction. Under this regulation, users and customers have been given the right to request to see data held on them by the organisations they are dealing with.


But what do users actually think about this and, generally, how important is privacy to people who use social media sites, where they may share more data about themselves than on other sites (e.g. shopping)? The insights in this report are based on the results of a short survey looking into users’ attitudes and behaviour regarding data privacy.

Methodology

A survey was used to capture people’s opinions regarding privacy on social media sites and how this will be affected by GDPR. Participants were also asked to leave qualitative comments and elaborate on questions, to better understand their wishes and preferences.

Who are the users?

A total of 50 social media users participated in this survey, consisting of 32 women and 17 men between the ages of 18 and 67.


It’s important to have a clear picture of users’ wishes, opinions and behaviours. 


In order to better understand participants in this survey, short user profiles were created to illustrate different personalities in this survey.

Many participants reported sharing either only a small amount of data on social media (43%) or a moderate amount (33%), and only a small number admitted to sharing a great deal (4%).

How important is data privacy to social media users?


Many people report that data privacy on social media sites is important to them, but end up not protecting the data they share on such sites.

However, many also reported sharing a lot of personal information online (63%), with location and family photographs being the most shared data on social media. Some users also reported sharing their date of birth (33%), phone number (20%), information about hobbies and activities, work-related things and even intimate details (13%).

When asked what they do to safeguard their data, some users admitted they don’t do much. This may be because users don’t always know how to safeguard their data online. Often they don’t understand or know about all the privacy settings available to them, or they simply are not aware of how privacy can be compromised and data used for nefarious purposes, such as to commit fraud.

Following other people’s behaviour

Although the majority of users are aware that sharing contests and prizes online can be risky, some reported only doing it if their friends do it too. Seeing others, and especially our friends, do something works like ‘word of mouth’, so it is likely to lower the perceived risk and lead to less caution (social proof), while attaining followers and likes is how fraudsters enhance credibility online. Asking for shares on social media may also help advertise fraudulent activities.

Those who report safeguarding their data cited not sharing too much personal information, checking privacy settings, having strong passwords, not commenting on public posts or adding unknown people as friends on Facebook, removing location tracking and using two-factor authentication.

Control over data

To many users, it was very important to have control over who sees their data or the things they choose to share, and to know that their data is not shared with advertisers or third parties without their knowledge. One user commented that they would like a percentage of the funds paid to organisations by third parties or advertisers in order to get users’ data.

Having robust systems in place to safeguard data against cybercrime was also highly important to users, as many reported not being confident that social media accounts effectively protect their data (76%).

What are the most important privacy related features to users?

The privacy features that users found most important were controls over who sees what they post and assurance that their data is not shared with third parties. Good data protection, such as robust cybersecurity, was also important.

Requesting own data

Under the GDPR, any customer or user is able to request to see the data held on them by any organisation and question its retention and use. But how useful is this to users, and what do users hope to gain by asking to see this data?

Many users reported this feature to be of great importance to them (41%), but many also reported being undecided on the issue (37%). A small percentage felt that this wasn’t something that was important to them (22%). When asked to elaborate on their answers and verbalize why requesting their own data would be important to them, many provided important insights.

Many participants reported wanting this data for self-reflection, in order to see if they are inadvertently sharing too much information about themselves online, and if this information may be used to harm them in some way. Some felt the ability to legally request to see this data without being refused would lead to more transparency and force organisations to treat users’ and customers’ data more responsibly.

Because I feel like big companies have a tendency to be deceptive when obtaining permissions. For example, they may word things differently than the consumer expects so that data falls under the criteria without the consumer realising it. Allowing the consumer to see what is being shared allows transparency and for making informed decisions.
— Survey participant

Summary

Users want to feel more secure on social media sites, especially with regard to targeted advertising and third party sharing. This indicates that for many users, customers or consumers, data privacy is important. So is being able to request their own data from organisations, because it offers an opportunity to examine their own behaviour online and learn from it. In addition, this may also offer the desired transparency on how personal data is collected, retained and used, and reassure users who are concerned about privacy that their data is used according to their wishes.