Circumvention by design – dark patterns in cookie consents for online news outlets

06/24/2020 ∙ by Than Htut Soe, et al. ∙ 0

To ensure that users of online services understand what data are collected and how they are used in algorithmic decision-making, the European Union's General Data Protection Regulation (GDPR) specifies informed consent as a minimal requirement. For online news outlets consent is commonly elicited through interface design elements in the form of a pop-up. We have manually analyzed 300 data collection consent notices from news outlets that are built to ensure compliance with GDPR. The analysis uncovered a variety of strategies or dark patterns that circumvent the intent of GDPR by design. We further study the presence and variety of these dark patterns in these "cookie consents" and use our observations to specify the concept of dark pattern in the context of consent elicitation.


1 Introduction

Following the adoption of the General Data Protection Regulation (GDPR), more than 60 percent of popular websites in Europe use pop-ups to elicit informed consent to their privacy policy and their use of cookies to collect and analyze data about their audience (Utz et al., 2019). While this ostensibly annoying feature has been the most notable implication of GDPR for the regular user of the web, in the last year it has also received critical attention from the research community (Utz et al., 2019; Matte et al., 2019b; Nouwens et al., 2020b). In practice, the regulation of data collection and privacy for online services requires not only that the process of automation and augmentation (Garfinkel and Cox, 2009) is adequately managed, but also that the services offer a carefully designed interface. These interfaces are not a neutral conduit but can help or hinder the user in acting in their own best interest (Leitão and Jakobsen, 2018).

The term dark patterns (Gray et al., 2018) has been coined [Footnote 1: The neologism, dark pattern, was coined by user experience designer Harry Brignull in 2010.] to identify “instances where designers use their knowledge of human behavior (e.g., psychology) and the desires of end users to implement deceptive functionality that is not in the user’s best interest” (Gray et al., 2018). Dark patterns can be used to circumvent the intent of GDPR, by design (Forbrukerrådet, 2018); even when that service is explicitly required to protect the interest of the user, as is the case with the elicitation of informed consent (Ducato and Marique, 2019). We study the extent of use of dark patterns specifically in the case of the designs used to elicit informed consent for online news services. We use our findings to argue, in line with Nouwens et al. (2020b), that any regulation of a computational system that aims to protect user rights should be accompanied by a regulation of user interface design.

Today regulation is put in place to ease the information asymmetry by giving individuals control over their personal data: the European Union’s General Data Protection Regulation (GDPR), which has been in force since May 25, 2018 (Parlament and Council, 2016); and the California Consumer Privacy Act (CCPA) of 2018, which has been in force since January 1, 2020 (Infromation, 2018). However, this regulation includes very few guidelines, if any, regarding the user interface that communicates the rights to users and operationalises their right to control.

In response to the GDPR and CCPA regulations, websites display so called cookie consent notices. We conducted a survey of online news outlets and manually collected and analyzed the cookie consent notices deployed. We were specifically interested in identifying the prevalence in use of dark patterns as described by Gray et al. (2018). We also collected information on the complexity of the consent notice design in general. We cannot attest to the intention behind the design choices that we encountered, however since dark patterns do “nudge” a user towards a particular behaviour (Gray et al., 2018), we use the concept of dark patterns as a proxy to bad, if not malevolent, design that leads to an unethical UI.

Specifically, we manually analyzed 300 consent notifications from Scandinavian and English language news outlets and found that all employ some level of unethical practices. We chose online news outlets for two reasons. News readers span across demographics [Footnote 2: 88% of read news are accessed online according to 75.000 people surveyed across 38 countries (Newman et al., 2019).] and cookie consent notices here can be expected to be designed to be usable by all demographics (as opposed to, for example, specialists in a given area). Furthermore, news outlets do not primarily trade in user data, like for example social media services, and one of their main roles is to be a service of society. As a societal service, we expect that there is an incentive to avoid consent designs that manipulate their readers towards giving consent, to avoid the impression that the outlet is manipulating public opinions rather than reporting the news truthfully. On the other hand, most news outlets rely on online advertising in their business model, so the incentive to collect user data is not entirely removed. We initially focused on news outlets in Scandinavia, and then included in our collection international news outlets with content in English. Our motivation to focus on Scandinavia was both practical and strategic. The authors are able to understand the Scandinavian languages and have access to an exhaustive list of Scandinavian news outlets. The Scandinavian media enjoys a reputation of trust and freedom of speech (Borders, 2020) and we could expect to see the same values respected in complying with GDPR.

In the past year there have been at least three works that explicitly study how consent elicitation is implemented (Utz et al., 2019; Matte et al., 2019b; Nouwens et al., 2020b), with Nouwens et al. (2020b) specifically looking into dark patterns. These researchers conducted their analysis by crawling a selected choice of websites: e-commerce (Utz et al., 2019), UK (Nouwens et al., 2020b) and European (Matte et al., 2019b). In contrast, we focus on design aspects of dark patterns in consent notices and the overall ease of denying consent. Compared with Utz et al. (2019), Matte et al. (2019b) and Nouwens et al. (2020b), our data set is smaller; however, we study features that are very difficult to detect automatically. We outline our contribution as follows.

Contribution.

  • A rich manually collected data set of 300 cookie consent notices.

  • An analysis of features of consent notices that cannot be easily detected automatically.

  • A set of eight new dark patterns that refine the dark pattern types currently identified for the consent notices design context.

This paper is structured as follows. In Section 2 we introduce relevant preliminary information and position our paper within the related work. In Section 3 we describe our data collection process. In Section 4 we report the dark patterns observed: first their existence, and then the subsequent study on identifying specific dark pattern types. In Section 5 we describe further observations of consent notice design features that contribute to how easy or hard it is to deny consent for data collection. In Section 6 we draw on our analysis and the related work to propose how the regulation of consent notice design can be improved by proposing eight new dark pattern types specific for this domain of user interfaces. Lastly, in Section 7 we summarise our findings, outline the limitations of our work and discuss future work.

2 Background and related work

We are here concerned specifically with the design of consent elicitation website elements, which are sometimes called cookie consent notices. These elements are implemented as a pop-up or as a banner or panel that is part of the website. Cookie consent notices are typically implemented to demonstrate compliance with the GDPR and CCPA regulations. We do not intend to analyse in detail the legal aspects of consent elicitation that these regulations prescribe, but introducing some detail is necessary.

GDPR refers (Parlament and Council, 2016) to interaction between humans and computational systems in which human consent for the operation of the system is elicited; specifically article (32):

(32)

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

The CCPA lists the rights of a user, for example “1798.100. (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” However, the CCPA does not mandate how the user is to exercise such rights.

We are explicitly looking at how easy or hard the design of cookie consent notices makes the elicitation for a user. We consider two types of proxies for “ease of consent”: the use of dark patterns and the interaction complexity of the consent notice. In the latter category we look at choice hierarchies, how many clicks it takes a user to withhold consent compared to the effort involved to grant it, and whether there is uniformity of language used, e.g., to refer to different consent options and cookie categories.

Dark patterns as a term was introduced by Harry Brignull who defines them as “tricks used in websites and apps that make you do things that you didn’t mean to” (Brignull and Darlington, 2010). The concept of Dark Patterns in user experience design was refined by Gray et al. (2018) who specified five different types of dark patterns: nagging, obstruction, sneaking, interface interference, and forced action. We include the description of each of these patterns as given by Gray et al. (2018) in Table 1.

| Name | Description |
|---|---|
| Nagging | A minor redirection of expected functionality that may persist over one or more interactions. Nagging often manifests as a repeated intrusion during normal interaction, where the user’s desired task is interrupted one or more times by other tasks not directly related to the one the user is focusing on. |
| Obstruction | Impeding a task flow, making an interaction more difficult than it inherently needs to be with the intent to dissuade an action. Obstruction often manifests as a major barrier to a particular task the user may want to accomplish. |
| Sneaking | An attempt to hide, disguise, or delay the divulging of information that has relevance to the user. Sneaking often occurs in order to make the user perform an action they may object to if they had the knowledge. |
| Interface interference | Any manipulation of the user interface that privileges specific actions over others, thereby confusing the user or limiting discoverability of important action possibilities. Interface interference manifests as numerous individual visual and interactive deceptions. |
| Forced action | Any situation in which users are required to perform a specific action to access (or continue to access) specific functionality. This action may manifest as a required step to complete a process, or may appear disguised as an option that the user will greatly benefit from. |

Table 1: Dark pattern types of (Gray et al., 2018) and their definitions

It was expected that a regulation such as GDPR would lead to dark pattern proliferation (Paternoster, 2018). It is therefore unsurprising that in the past year there have been works like ours that looked specifically into how consent elicitation in cookie consent notices was executed.

Utz et al. (2019) conducted a field study of consent notices on a live (e-commerce) website to identify how the design of the notice influences the user's decision to accept the website cookies. They studied 80,000 unique users. Specifically, they looked into the relative position of the notice, the use of nudging and the presence of a privacy link (that explains in detail how data is collected and used), and showed that small UI design decisions substantially impact whether and how people interact with cookie consent notices. One of their experiments indicated that nudging via interface interference (highlighting the Accept button in a binary choice with decline) and pre-selected choices for different uses of cookies has a strong impact on whether the users accept the third-party cookies.

Nouwens et al. (2020b) also performed a study on the impact of various designs of consent notices, user interface design nudges and level of granularity of options. They focus on Consent Management Platforms (CMPs), which are a service offered by third parties to website owners to help them outsource regulatory compliance and which, as part of their service, promise compliance with regulation. Nouwens et al. (2020b) scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK, which yielded 680 notices. Specifically, they were looking for the presence of three features: whether consent is explicit, whether ease of acceptance is the same as rejection (by checking whether accept is the same widget (on the same hierarchy) as reject), and whether pre-ticked boxes are present. They found that only 80 out of the 680 notices satisfy all three conditions.

Nouwens et al. (2020b) also ran a user analysis, on 40 participants, of the effect the consent notice design has on whether consent is given. They found that there was an approximate 22% increase in acceptance when the opt-out option was “hidden” behind the initial notice (at least two clicks are needed to opt out).

Matte et al. (2019b) also focus on CMPs; they looked at those that comply with Europe’s Transparency and Consent Framework (TCF). They ran two automatic and semi-automatic crawl campaigns to detect suspected regulatory violations. Specifically, they were looking at consent stored behind the user interface of cookie notices. They crawled 28257 European websites (in 2019) and detected suspected violations in 1426 of the visited websites. Matte et al. (2019b) specifically looked at whether consent was stored before the user made the choice, whether the notice offers a way to opt out, whether there were pre-selected choices and lastly if the choice that the user had made was respected at all. They found that “141 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 27 websites store a positive consent even if the user has explicitly opted out.” (Matte et al., 2019b).

Nouwens et al. (2020b) have constructed a browser extension, Consent-O-Matic (Nouwens et al., 2020a), which allows users to set their consent preferences once and have them automatically applied to visited websites. Matte et al. (2019b) also built and published a browser extension called Cookie Glasses (Matte et al., 2019a) to enable users to see if consent stored by CMPs corresponds to their choice. Both extensions are open source and freely downloadable.

It should be noted that the ambiguity of the term “informed consent” is in itself an issue (Pedersen and Dyrkolbotn, 2018). Nouwens et al. (2020b) make considerable effort to identify the features of the legal understanding of consent in the laws of the European Union. They work with the definition of art 4(11) of the GDPR: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Utz et al. (2019) conclude that opt-out consent banners are unlikely to produce intentional or meaningful expression of consent (Utz et al., 2019).

3 Collected data on Cookie notice implementations

The study was done in two passes. First, consent notices from 300 news outlets with content in Scandinavian languages or English were manually collected and analyzed in the period of July 1-30, 2019. The full list of accessed links and collected data can be accessed at https://github.com/anoauthor101/anorepo101. In April (3 months after CCPA became effective) we revisited the original 300 web-pages and attempted to identify specifically which dark patterns are present in the consent notices. We first describe the first data collection.

Cookie consent notices from 250 online news outlets and 50 online magazines were collected. Each link was accessed from a web browser with private browsing mode enabled on a laptop. Due to language restrictions of the collectors, the language of the page had to be English or a Scandinavian language. Only websites that displayed a consent notice were included in the survey. Many Scandinavian news outlets used the same design (third party application) for the consent notice, e.g. Schibsted owns several news outlets which use the same design; only one example was retained from these. We aimed for this number of examples to make manual overview and data analysis feasible, while at the same time having a large enough number of examples to draw meaningful conclusions. In total, sources from 42 different countries were considered, out of which: 33 from Denmark, 34 from Norway, 33 from Sweden, 68 from the UK and 54 from the USA. In addition to manually identifying the features of cookie consent notices we also collected raw data. The raw data was collected to make our observations verifiable, as websites frequently change, and for possible future research use. The raw data for each surveyed link contains:

  • In an image format, a screenshot of the first GDPR/data consent notice. If the initial consent notice opened another pop-up window, a screenshot of that was collected as well. If there was a redirect to another page, the page was saved as a PDF file and the text was extracted and saved in a text file. If the notice sends the user to other web-pages, screenshots of those were collected as well.

  • The text of the consent statement. Namely, the text informing the user what they consent to (e.g. information about settings/options, privacy policy, or similar). This was collected as either a PDF (usually privacy policy or similar) or as a text file.

  • For the consent notices that offer specific cookie information (companies, cookie names and purposes), this information was also saved as a text file.

  • An image of the nudging post-consent-denial reconsideration request, if such appears.

Due to space restrictions, we present here the highlights of our analysis and invite the reader to further inspect our data at https://github.com/anoauthor101/anorepo101. For each consent notice we identified the following:

  • Existence and variety of dark patterns. Using the dark pattern classification of (Gray et al., 2018), in July 2019 we observed that all surveyed outlets can be considered to exhibit dark pattern use. This number changed slightly when we revisited the websites in 2020: in April 2020 we observed that 3 of our web-pages have no dark patterns, two are geoblocking European visitors, and 16 have removed the consent notice.

  • Possibility for the user to not give consent. We analyzed whether the consent notice includes an option to not give consent. If an opt-out is present, what text identifies it? Is the widget for the consent option of the same type and complexity as the widget for the ‘no consent’ option? We checked if the website information is accessible when consent is withheld and we also checked if the consent notice explicitly used nudging by asking the user to reconsider after they have chosen to not give consent.

  • Location of the consent notice on the screen.

    We observed the vertical position, horizontal alignment and the height of the consent box. The vertical location is identified as either top, bottom or middle of the screen. Horizontal alignment is classified as entire (filling the whole width of the page), left corner or right corner. The height of the box is classified into less than one third, around one third and half of the browser screen height. We also explored whether the content is accessible while the notice is still active or consent is denied.

  • Complexity of the consent notice. As a proxy for complexity we used the number of clicks necessary to withhold consent, and the number of words used to explain data uses. We also considered if the notice describes or links to a website that explains what cookies are, how cookies are used and list their cookies.

4 Findings

We here summarise our observations of the 300 analysed webpages. We first give examples of the dark patterns described in Gray et al. (2018) that our data collectors encountered in July 2019 and then discuss the specific types and frequency of occurrence that our analysis in April 2020 revealed. Of the five pattern types defined by Gray et al. (2018), we observed that obstruction and interface interference were the dominant ones in our collected consent notices. We consider as forced action the instances when a website does not include a consent elicitation but just informs the user that their data is collected.

Figure 1: An example of nagging.

4.1 Existence and examples

Nagging.

We observed cases where, after consent was denied, the website tried once again to push the visitor to change their mind by displaying an “Are you sure” notice. Figure 1 gives an example of such a nagging notice displayed from TV2.no after the user opts out from all tracking cookies. The notice reads: Hi. We see that you chose to opt out of third party tracking. This function will prevent our advertisements from downloading. Advertisements are how we in TV2.no earn money and the money we use to make exciting content for you. We would therefore be really happy if you whitelist TV2 so that we can continue to be your free news source.

Obstruction

Obstruction is both the most prevalent dark pattern and the one most difficult to characterize precisely, since a large portion of surveyed websites make the option of controlling the cookie use and opting out of consent difficult. The most common obstruction pattern is hiding the option to deny consent in a page separate from the consent notice and behind obfuscating text such as “find out more”. Figure 2 gives an example of such an obstruction encountered at NewScientist.com. The user can opt out of consent only by making browser adjustments, which they can find out about after following the “use of cookies” link.

Figure 2: An example of obstruction.

Sneaking

Sneaking is difficult to separate from obstruction. Several implementations of cookie consent do not give the impression that the user has the option to give or deny consent, as was the case with the consent notice in Figure 2. This dark pattern can be most clearly seen in widgets that state “by continuing to use our site, we assume you accept our policies”. Two examples are given in Figure 3. Top figure: the consent notice from NewsInEnglish.no can be seen to be in violation of GDPR regulation specifically by skirting “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” Bottom figure: the consent notice from ScienceAlert.com.

Figure 3: Two examples of sneaking.

Interface interference

We encountered all forms of interface interference described in (Gray et al., 2018): hidden information, pre-selection and aesthetic manipulation. The clearest example of interference is having the option to deny consent hidden by design, as in the example in Figure 4 from CountryLiving.com: the consent notice first displayed (left) is a block of text; following the “learn more” link leads to the actual notice (right) that allows the user to deny consent.

Figure 4: An example of interface interference.

Forced action

Forced action patterns are observed in consents implemented as screen popups that block the users from accessing the website and require the users to click on it before they can continue. Geo blocking can also be seen as a form of forced action. An example is given in Figure 13.

Figure 5: An example of forced action from vice.com.

4.2 Further Dark Pattern Observations

After having conducted the initial data collection in July 2019 and having observed that at least one dark pattern was identified in all the visited websites, we conducted a second round of data collection and analysis in April 2020, revisiting all 300 web-pages. Using only the (above mentioned) categories and descriptions of dark patterns from Gray et al. (2018), we attempted to identify which dark pattern occurs. The instruction provided to the reviewers specified to add a binary value (yes/no) for whether a dark pattern is present in the consent notice. A separate comment field was provided to allow for an argument why a dark pattern is considered as present.

Each site was examined by two researchers independently. The occurrences of dark patterns are summarized in Figure 6. ‘Yes’ and ‘No’ indicate that both reviewers agreed on existence, or absence respectively, of dark pattern. ‘Inconclusive’ is a result of different answers from the two reviewers.

Figure 6: Results of dark patterns examination in websites

The results from the categorization show that the most common patterns were Obstruction, occurring in 43% (129 out of 300), and Interface Interference, occurring in 45.3% (136 out of 300), of the notices that contain dark patterns. Figure 6 shows considerable discrepancy in the classification of the presence of a given dark pattern, with an inter-rater reliability of 67%. This might imply that the inter-rater reliability is low, but it is also unsurprising given that the description of the dark patterns is insufficient for their characterisation. Using the raters’ provided comments we attempted to discover the source of disagreements. There are several factors that can be considered relevant. Firstly, the dark pattern categories are sometimes overlapping even in the description of Gray et al. (2018) and it can be difficult to decide which category different ‘problems’ belong to. This could be seen in examples where one reviewer categorised a problem as obstruction while the other categorised the same problem as interface interference, and both have good arguments for their choice. Further, we could see that different reviewers had different focuses when looking for dark patterns. Some were more observant of design elements, while others focused more on wording and usability. When focusing on specific aspects one might also miss other features. This does not necessarily mean that the reviewers disagree conceptually, but rather that they have noticed different problems in the same cookie consent notice.

Figure 6 also shows that there are now websites that do not have a dark pattern in their cookie consent notice (right-most orange bar), in contrast to all surveyed websites exhibiting one in July 2019. This discrepancy can further be explained by the fact that some websites have changed their consent design (perhaps in response to CCPA coming to power).

5 Complexity of consent notices

Figure 7: Number of clicks required to deny consent.

The option to deny consent, directly or via browser settings, is available on 297 out of the 300 websites we surveyed in July 2019 [Footnote 3: As we observed, some of the websites have already updated their consent notice design.]. However, these cookie consent notices vary in visibility and complexity of the denying consent option. The deny consent option is hidden in a scrollable or expandable area on 77 of the websites. In 220 of the websites the deny consent option does not have the same UI hierarchy as the accept option.

The number of clicks required to deny all types of cookies is collected as a proxy for the effort required to deny data collection consent. We found that this number varies from 1, pressing one button on the displayed consent notice, up to 17, involving changing browser settings following the instructions provided on a separate website. Only 15 of the 300 websites provide a direct 1-click deny button, in contrast to all of them having 1-click accepts. As illustrated in Figure 7, half of the websites require the user to make 10-12 clicks to opt out of all cookies.

| Deny consent clickable description (word) | Frequency | Cookie categories (word) | Frequency |
|---|---|---|---|
| Read more | 29 | Measurement | 26 |
| Cookie Policy | 21 | Information storage and access | 25 |
| More Information | 17 | Personalization | 24 |
| Privacy Policy | 17 | Strictly necessary cookies | 19 |
| Learn More | 16 | Ad selection, delivery, reporting | 19 |
| Here | 12 | Necessary | 19 |
| Cookie Settings | 6 | Unclassified | 19 |
| Find Out More | 6 | Content selection, delivery, reporting | 18 |
| More info | 6 | Marketing | 18 |
| Show purposes | 5 | Performance Cookies | 15 |

Table 2: Common words for deny consent clickable area and cookie categories

After translating all words into English, we have found that there are 121 different words being used in the clickable area of the deny consent. Most common words used are listed in the left hand-side column of Table 2. Words that frame the privacy friendly configuration directly such as “deny”, “reject”, “opt out”, “decline”, are not widely used.
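The following sketch is an added example, not code from the paper or its data set. It checks the first layer of a consent notice for the few features discussed here that are visible in markup: pre-ticked boxes, implied-consent wording, a deny option labelled with one of the indirect phrases from Table 2 instead of "deny", "reject", "opt out" or "decline", and accept and deny rendered as different widget types. The accept vocabulary, the implied-consent regular expression, the function names and the sample notices are all assumptions constructed for illustration; most of the features studied in this paper still require manual review.

```python
import re
from html.parser import HTMLParser

# Direct wording for the privacy-friendly choice, as listed in the text above.
DIRECT_DENY = ("deny", "reject", "opt out", "decline")
# Indirect labels from the left-hand column of Table 2 (lower-cased).
INDIRECT = {"read more", "cookie policy", "more information", "privacy policy",
            "learn more", "here", "cookie settings", "find out more",
            "more info", "show purposes"}
ACCEPT = ("accept", "agree", "allow")  # assumption: typical accept wording
# Assumption: a loose pattern for "by continuing ... you accept" style notices.
IMPLIED = re.compile(
    r"\bby (continuing|using|browsing)\b.{0,120}?\b(accept|agree|consent)", re.I)


def _norm(text):
    """Lower-case, collapse whitespace and drop trailing punctuation."""
    return " ".join(text.lower().split()).strip(" .!:")


def _has_word(label, words):
    return any(re.search(rf"\b{re.escape(w)}\b", label) for w in words)


def classify(label):
    """Classify a clickable label as deny, accept, indirect or other."""
    if _has_word(label, DIRECT_DENY):
        return "deny"
    if _has_word(label, ACCEPT):
        return "accept"
    return "indirect" if label in INDIRECT else "other"


class NoticeParser(HTMLParser):
    """Collects visible text, clickable widgets and pre-ticked checkboxes."""

    def __init__(self):
        super().__init__()
        self.text, self.widgets, self.pre_ticked = [], [], 0
        self._open = None  # [tag, text parts] of the widget being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("button", "a"):
            self._open = [tag, []]
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "checkbox" and "checked" in a:
                self.pre_ticked += 1
            elif kind in ("button", "submit"):
                self.widgets.append(("button", _norm(a.get("value") or "")))

    def handle_endtag(self, tag):
        if self._open and tag == self._open[0]:
            self.widgets.append((tag, _norm(" ".join(self._open[1]))))
            self._open = None

    def handle_data(self, data):
        self.text.append(data)
        if self._open:
            self._open[1].append(data)


def audit(html):
    """Return the list of findings for one consent-notice fragment."""
    p = NoticeParser()
    p.feed(html)
    p.close()
    kinds = {}  # label class -> set of widget tags used for it
    for tag, label in p.widgets:
        kinds.setdefault(classify(label), set()).add(tag)
    findings = []
    if p.pre_ticked:
        findings.append("pre_ticked_boxes")
    if IMPLIED.search(" ".join(" ".join(p.text).split())):
        findings.append("implied_consent")
    if "deny" not in kinds:
        findings.append("no_direct_deny")
        if "indirect" in kinds:
            findings.append("indirect_deny_label")
    elif "accept" in kinds and kinds["deny"] != kinds["accept"]:
        findings.append("unequal_widgets")
    return findings


# Constructed sample notices (not taken from any surveyed website).
NOTICE_A = """<div><p>We use cookies. By continuing to use our site,
we assume you accept our policies.</p>
<label><input type="checkbox" name="marketing" checked> Marketing</label>
<button>Accept all</button> <a href="/cookies">Find out more</a></div>"""
NOTICE_B = """<div><p>We use cookies for measurement and personalization.</p>
<label><input type="checkbox" name="marketing"> Marketing</label>
<button>Accept all</button> <button>Reject all</button></div>"""
NOTICE_C = """<div><p>We use cookies.</p>
<button>Accept all</button> <a href="#">Decline</a></div>"""

if __name__ == "__main__":
    for name, html in (("A", NOTICE_A), ("B", NOTICE_B), ("C", NOTICE_C)):
        print(name, audit(html))
```
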

Websites that instruct the user to disable cookies in their browsers, instead of offering this functionality within the consent widget, can be seen as not GDPR compliant [Footnote 4: However, we acknowledge that there are technical challenges involved in adding configurable privacy settings on an existing website.]. The GDPR further stipulates that “when the processing has multiple purposes, consent should be given for all of them”. We observe that only 125 out of the 300 websites in the study listed the purpose of the cookies used.

Given that the study only collected data from news outlets and magazines, the purposes and categories of the data collection were expected to be similar among the surveyed web-pages. However, we found that the wording used to describe the data collection purposes is very diverse. We translated all stated purposes into English and found 201 distinct wordings for purposes of data collection in total. Each website on average has 4.7 purposes of cookies listed. We find it unreasonable to expect the user to familiarize themselves with all the different names a type of cookie is given on different web-pages. We give the most commonly used cookie names in the right-hand side column of Table 2.

| Location of consent widget | Frequency |
|---|---|
| Bottom, entire, less than 1/3 of page height | 131 |
| Bottom, entire, around 1/3 page height | 23 |
| Bottom, entire, around 1/2 of page height | 11 |
| Bottom, left corner | 5 |
| Bottom, middle | 8 |
| Bottom, right corner | 7 |
| Middle of page, middle | 42 |
| Others | 26 |
| Top, entire, less than 1/3 of page height | 30 |
| Top, entire 1/3 of page height | 4 |
| Top, middle | 3 |
| Whole page | 7 |

Table 3: Location of the consent widget.

Information about the screen position of the consent notice is summarized in Table 3. Exactly 60% of the websites display consent notices at the bottom part of the screen. Utz et al. (2019) reported higher interaction rates for notices displayed at the bottom and left side of the screen on desktop screens. They set up a web-page that offered the consent notice in various locations and compared the choices of 80.000 visitors. On the other hand, Matte et al. (2019b) ran a user study with 40 participants and did not observe any meaningful impact of the consent notice location on whether the user consented to cookies. Clearly, more research is needed to understand the possible impact of consent notice placement on the choice.

The content scrolling function was disabled while the cookie notice widget was active on 37 of the 300 websites. On 11 websites we noted the usage of a nagging dark pattern via “Are you sure?” type messages shown when all consent was denied.

Third-party data privacy handling could improve the user experience by letting the cookie preferences be configured once and used everywhere, but it is still very sparsely used: we encountered it on only 5 out of the 300 websites visited. After all cookie consent was denied, 9 out of the 300 websites in our study stopped providing their services.

6 Discussion - refining dark pattern types in cookie consents

Using the insight from the related work and our own analysis, we put forward the argument that more work is needed, on the part of both regulators and UI specialists, to protect users from designs that hinder them in exercising their rights. We look specifically at the case of consent elicitation. Before focusing on this argument in the rest of this section, we would like to point out that our work illuminates a gap in standards for what is now the cookie aspect of the data market industry.

It is clear from our analysis (right-hand column of Table 2) that the industry does not have a common language to address what are essentially the same types of cookies and cookie uses. The avoidance of a “negative” word for denial of consent (left-hand column of Table 2) also introduces additional cognitive burden on the user. There are over 1.5 billion websites at present (footnote 5: https://www.internetlivestats.com/total-number-of-websites/). Even if there were only a thousand using different cookie descriptions, it would still be difficult for an average user to read all of the cookie and purpose descriptions to understand what they are required to consent to. The data industry needs a standard terminology that users can read, understand and rely on in consent elicitation.

It is clear that regulators need to include UI design requirements in regulations. Following the work of Nouwens et al. (2020b), the Danish Data Protection Authority has published a refinement to the guidelines on how consent notices should be designed. Among other things, they include (Denmark, 2020) the following pointers (our translation):

  • The visitor to your website should be given an active option to allow their information to be processed

  • It should be clear for which different purposes you would like to process the information collected

  • It should be easy for the visitor to give consent for some purposes and not give consent for others

  • It should be easy not to give consent - even visually

  • In addition, you must be able to document what a visitor has consented to - and how the consent has been obtained.

However, even refined guidelines such as these Danish ones leave a lot of room for interpretation and abuse. How should regulators state their requirements?

One concrete requirement would be that consent acceptance and denial use the same widget on the same level: the option for acceptance should be next to the option for rejection in the same design. Ideally, regulators should explicitly exclude the use of dark patterns from the allowed design of consent elicitation widgets. However, this is not at all a trivial requirement. For the regulatory agencies to have power over how consent elicitation is implemented, they would necessarily have to be able to verify whether the regulation is being followed. Given that there are over 1.5 billion web-pages, this verification has to be automatisable. Dark pattern detection is not.

We were able to gain a more in-depth insight into the “ease” of withholding data collection consent than perhaps Utz et al. (2019) and Nouwens et al. (2020b) because we analysed the consent notices “manually”. Dark patterns are defined around the perceived intention to deceive the user. Intention, however, is very hard to detect by automatic means. Furthermore, as demonstrated by our analysis given in Figure 6, even human dark pattern detectors disagree on which dark pattern is implemented. This is unsurprising, as Gray et al. (2018) themselves acknowledge that their definitions are ambiguous and overlapping. Ideally we need to further define the concept and types of dark patterns, perhaps for one specific context at a time, in such a way that:

  • the features that characterise a dark pattern are clearly identifiable,

  • the characterising features are easily computer-detectable.

Having such a dark pattern definition would enable regulators to automatically flag violators, which in turn, we expect, would increase compliance. To contribute towards this goal, we highlight the patterns of misdirection we have identified, which can be seen as a refinement of the interface interference, obstruction and forced action patterns of Gray et al. (2018). Some of these have already been implicitly identified in the literature.

Does not count

Matte et al. (2019b) have indicated that data is collected even though consent has not yet been given or has been denied. This can be seen as a dark pattern, and it is specific in that it can only be detected computationally (by following what the browser does on the back-end).

No choice.

All the included links and buttons lead to a page that either points to further pages detailing adjustments of browser settings, directs the user to contact third-party services (e.g. see the “Opting out” paragraph in https://www.horseandrideruk.com/privacy-and-cookies/), or just “explains” cookies and purposes.

Multiple choice panels.

The user should be asked for consent in only one notice panel. This may appear obvious, but we have detected examples where consent can be given in two panels, while the denial option (if offered at all) is given in only one, smaller, panel. Consider for example Figure 8, which shows https://www.manilatimes.net as accessed on May 3, 2020, with both a center and a bottom page consent panel.

Figure 8: An example of multiple choice panels.

Choice cascade.

The denial of consent is only reached by following a number of links or buttons that offer more information. One example is given in Figure 4: after following the “learn more” link, the panel with the “Decline” option appears. Another example is given in Figure 9: clicking “learn more” in the leftmost panel leads to the middle panel, on which the user needs to click “manage partners” to reach the right panel, where the middle tab reveals the consent opt-out sliders (if one scrolls down there is still no reject button, and it is not clear whether the “I agree” button on this panel serves that role).

Figure 9: An example of a choice cascade https://huffpost.com/ loading consent.yahoo.com

Widget inequality

We have observed that while giving consent is made easy (a bright button clearly labeled with a positive word), the denial of consent option, even if given in the same panel as the acceptance, is given a different design. Examples range from a different web object altogether (a link instead of a button), through a single button for consent alongside more than one for learning more and, implicitly, denying consent, and two buttons of which the one for consent is more noticeable (Figure 10 top and middle), to two identical buttons with different functionality (Figure 10 bottom).

Figure 10: Examples of widget inequality. Top https://english.elpais.com/. Middle ap.org. Bottom https://www.historytoday.com.

Either both choices lead to an explanation of cookies and purposes or neither should.

Unlabeled sliders

The consent notice uses sliders to allow users to consent or not to individual services, but it is not labeled which side of the slider is accept/on/active and which is reject/off/inactive. See for example the rightmost panel of Figure 9. For an example of well labeled sliders see Figure 11.

Figure 11: Examples of well labeled sliders https://www.mirror.co.uk.

Unmarked X

When the panel has (usually) a top right “x” widget, but the panel text does not explain whether clicking this “x” counts as consent or denial of consent. See for example Figure 12.

Figure 12: An example of an unmarked X from https://economictimes.indiatimes.com.

No antonyms

Lastly, using clear words such as “I agree”, “I consent” or “yes” to label the consent option, while not using their antonyms to label the denial of consent option (see for example Figure 9), is in itself a dark pattern.
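An added illustration (not the authors' crawler, which the paper leaves to future work) of how three of the patterns above, no antonyms, widget inequality and unmarked X, can be phrased as machine-checkable features of a notice's markup. The word lists, the tag-plus-class comparison used as a stand-in for rendered appearance, and the sample notices are assumptions constructed for this sketch.

```python
import re
from html.parser import HTMLParser
# Word lists are assumptions of this sketch, seeded with the denial words
# the paper names ("deny", "reject", "opt out", "decline").
ACCEPT_RE = re.compile(r"\b(agree|consent|accept|yes|allow)\b")
DENY_RE = re.compile(r"\b(deny|reject|opt[ -]out|decline|disagree|refuse|no)\b")
CLOSE_MARKS = {"x", "×", "✕"}

class NoticeParser(HTMLParser):
    """Collect each <button>/<a> with its label and look, plus the other text."""
    def __init__(self):
        super().__init__()
        self.clickables, self.text, self._open = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("button", "a") and self._open is None:
            look = (tag, dict(attrs).get("class") or "")
            self._open = {"tag": tag, "look": look, "label": []}
    def handle_data(self, data):
        target = self.text if self._open is None else self._open["label"]
        target.append(data)
    def handle_endtag(self, tag):
        if self._open is not None and tag == self._open["tag"]:
            self._open["label"] = " ".join("".join(self._open["label"]).split()).lower()
            self.clickables.append(self._open)
            self._open = None

def kind(label):
    # Denial is tested first so that "disagree" is not read as "agree".
    if DENY_RE.search(label):
        return "deny"
    if ACCEPT_RE.search(label):
        return "accept"
    return "close" if label in CLOSE_MARKS else "other"

def audit(html):
    """Return the set of pattern names flagged for one consent notice."""
    p = NoticeParser()
    p.feed(html)
    by_kind = {}
    for c in p.clickables:
        by_kind.setdefault(kind(c["label"]), []).append(c)
    accept, deny = by_kind.get("accept"), by_kind.get("deny")
    findings = set()
    if accept and not deny:
        findings.add("no antonyms")
    if accept and deny and accept[0]["look"] != deny[0]["look"]:
        findings.add("widget inequality")
    # Proxy: an "x" control counts as explained only if the text mentions closing.
    notice_text = " ".join(p.text).lower()
    if by_kind.get("close") and not re.search(r"\bclos(e|es|ing)\b", notice_text):
        findings.add("unmarked x")
    return findings

# Constructed sample notices, not taken from any surveyed site.
NOTICE_A = ('<div><p>We use cookies.</p><button class="btn primary">I agree</button>'
            '<a class="small" href="/c">Manage options</a><button class="x">&times;</button></div>')
NOTICE_B = ('<div><p>Closing this notice rejects optional cookies.</p><button class="btn">'
            'Accept all</button><a class="link" href="#">Reject all</a><button>X</button></div>')
NOTICE_C = '<div><button class="btn">Accept all</button><button class="btn">Reject all</button></div>'
```

Calling `audit` on each notice returns the flagged pattern names; a check on real pages would compare computed styles and sizes rather than tag and class, and would need per-language word lists.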

Lastly we put forward a design suggestion for a cookie consent notice that we believe fulfills the requirements of the GDPR and does not have any dark patterns (old or new). This example builds on the design of CookieBot (2020), but with some adjustments.

As the GDPR requires, the user must give informed consent for the different types of data collected. This requirement is fulfilled by giving the user the opportunity to select which data categories they want to consent to, if any. Only ‘Necessary’ is pre-selected, which the GDPR allows as these are cookies that are needed for the website to function. Further, all cookie options are displayed on the first page: the user can either accept or deny all cookies with one click. If the user wants to allow only specific cookie categories, this is done with a few clicks. All the buttons have the same size and color so as not to indicate to the user that one alternative is more correct than the others. The wording on the different buttons is made as clear as possible so as not to confuse the user about their purpose. If the user wants to read more about the cookies or the different cookie categories, they can do so by clicking ‘More information’.

It is important that the cookie consent notice does not force the user to make a choice. The cookie consent notice must therefore be placed accordingly. Lastly, it is important that the user knows how to change the settings later on. The cookie consent notice should include this type of information, and the website should make this information accessible on its pages.

Figure 13: An example of cookie consent notice.

7 Summary

In this paper we have presented an analysis of 300 consent notices from a selection of online news outlets. The analysis shows that most of them (297) use dark patterns when eliciting consent from their users. Further, we categorized the prevalence of the different dark patterns as defined by Gray et al. (2018). Based on the analysis, we identified and described eight specific patterns used in the analyzed cookie consent notices. These patterns can be used when evaluating consent notices to make sure they are not a circumvention by design of the intentions of privacy regulations.

Unlike (Utz et al., 2019; Matte et al., 2019b; Nouwens et al., 2020b) who scraped the data on the cookie notices that were analyzed, we collected our data manually. This resulted in a smaller, and richer data set, and allowed us to study features of user interaction in design that cannot be easily automatically detected.

In contrast to Utz et al. (2019) and Nouwens et al. (2020b), we did not run a user study to see what effect the usage of dark patterns has, and focused instead on a detailed analysis of the implemented designs for the consent notice. We do, however, look at more features of design, such as the type of dark pattern and the complexity of interaction, expressed in the amount of effort required to opt out and the richness of textual descriptions for instructions and purposes.

We now discuss some of the limitations of our work and of the work done so far (Utz et al., 2019; Matte et al., 2019b; Nouwens et al., 2020b). We conducted our survey on browsers running on laptops. The size of the consent notice cannot always scale with the size of the screen, as that would make the text of the notice illegible. As a result, a consent notice that covers a third of the screen in a laptop browser would cover the entire screen on a mobile device, which might change the likelihood of consent (Utz et al., 2019). We analyzed each consent notice from the perspective of a user who sees it for the first time. Repeated visits could reveal further dark patterns, in particular nudging. In future work we intend to explore such repeated behavior of web services. Web-pages for which data collection consent was denied can persist in requesting it with each newly opened sub-page or at each subsequent visit, despite “functionality” or “necessary” cookies being used that could store the denial of consent information. It is also possible that the design of the interface changes for subsequent visits, or that it is personalized. We also did not compare whether the “processing time” for the choice and for accessing the web-page (when access is blocked prior to choice) is the same for the accept and reject options. We have noticed that sometimes, after opting out from consent, processing takes a noticeably long time. There are reasons to believe that there might be a whole new type of dark pattern that reveals itself after the consent panel has been interacted with.

We did not investigate whether cookie consents are geo-dependent, specifically if citizens accessing the same web-page from a non European country are still offered the opportunity to opt out from data collection and if the consent design differs.

Analyzing our work and related work, we made an attempt to refine the dark pattern concept by identifying dark patterns that we have encountered in cookie consent notices. Our list is not intended to be exhaustive, merely a first step towards helping regulators and experts identify that undesirable design choices have been made. We stipulated that a useful dark pattern definition is one whose characterising features are clearly and automatically identifiable. In our future work we intend to assert that our refined dark pattern types satisfy this criterion of usefulness by building a crawler that identifies these dark patterns in cookie consent notices. Our data set allows each of the 300 considered consents to be labeled with the new dark patterns, allowing us to explore using machine learning for dark pattern identification.

References

  • R. W. Borders (2020) Supported by the Adessium Foundation.
  • H. Brignull and A. Darlington (2010).
  • CookieBot (2020) Cybot Denmark.
  • D. Denmark (2020).
  • R. Ducato and E. Marique (2019) Come to the dark side: we have patterns. choice architecture and design for (un)informed consent.
  • N. Forbrukerrådet (2018) Forbrukerrådet, Norway.
  • S. L. Garfinkel and D. A. Cox (2009) Finding and archiving the internet footprint. In First Digital Lives Research Conference: Personal Digital Archives for the 21st Century, London, England, 9–11 February 2009. https://simson.net/clips/academic/2009.BL.InternetFootprint.pdf
  • C. M. Gray, Y. Kou, B. Battles, J. Hoggatt, and A. L. Toombs (2018) The dark (patterns) side of ux design. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, CHI ’18, New York, NY, USA, pp. 534:1–534:14. ISBN 978-1-4503-5620-6.
  • C. L. Information (2018) The state of California.
  • R. Leitão and F. Jakobsen (2018) A survey on user-interface design strategies to address online bias. In Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing Systems, CHI EA ’18, New York, NY, USA, pp. LBW084:1–LBW084:6. ISBN 978-1-4503-5621-3.
  • C. Matte, N. Bielova, and C. Santos (2019a) Cookie glasses. GitHub. https://github.com/Perdu/Cookie-Glasses
  • C. Matte, N. Bielova, and C. Santos (2019b) Do cookie banners respect my choice? measuring legal compliance of banners from IAB europe’s transparency and consent framework. CoRR abs/1911.09964.
  • N. Newman, R. Fletcher, A. Kalogeropoulos, and R. K. Nielsen (2019) Reuters Institute and the University of Oxford.
  • M. Nouwens, I. Liccardi, M. Veale, D. Karger, and L. Kagal (2020a) Consent-o-matic. GitHub. https://github.com/cavi-au/Consent-O-Matic
  • M. Nouwens, I. Liccardi, M. Veale, D. Karger, and L. Kagal (2020b) Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. CoRR abs/2001.02479.
  • E. Parlament and Council (2016) EU.
  • L. Paternoster (2018) Suffolk Libraries.
  • T. Pedersen and S. K. Dyrkolbotn (2018) The legally mandated approximate language about ai. Norsk Informatikkonferanse. ISSN 1892-0721.
  • C. Utz, M. Degeling, S. Fahl, F. Schaub, and T. Holz (2019) (Un)informed consent: studying gdpr consent notices in the field. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ’19, New York, NY, USA, pp. 973–990. ISBN 9781450367479.