Online businesses want your personal data, and they’ll deploy every scam they know to trick you into handing it over — and keep handing it over.

Take the micro-blogging site Tumblr, for example. When the EU’s General Data Protection Regulation (GDPR) came into force on May 25 this year, Tumblr let its users choose which advertising networks could access their data. But they listed all 350+ of them individually, so users had to untick them one by one — without explaining who any of these companies were, or what they’d be doing with the data.

Technically, Tumblr has given its users the freedom of choice the law required. But in reality, it’s taking the piss.

“There are much easier ways to go about that,” Steve “Doc” Baty, principal at Sydney’s Meld Studios, and a former president of the Interaction Design Association (IxDA), told Crikey.

“That kind of thing is almost guaranteed to just put people off and go ‘it’s not worth the time and energy’,” Baty told Crikey. Which, of course, is the entire point.

“You see that kind of thing and you know that it can only be deliberate,” he said. “It reinforces the fact that data is the actual valuable part.”

Take Instagram, which is owned by Facebook. When you’re signing up for an account, their efforts to get hold of your complete contacts database are split over two screens in an attempt to hide it all in plain sight.


The first screen shows the usual big blue “Next” button, while the option to not hand over your contacts is in smaller, paler type. The act of giving Instagram permission to access your contacts happens on the next screen, where a message in the background implies that it’s about finding your Facebook friends. It is that, sure, but it’s also giving Instagram permission to take a copy of your entire contacts database, and do with it what they will.

It’s “the most sinister interface trick I’ve ever seen,” said one UX designer.

And take Facebook itself. They really want you to turn on face recognition, and a big blue “Accept and Continue” button makes that easy. The pale grey “Manage Data Settings” button already sounds like too much hard work. You just know you’ll have a bunch of confusing options to go through.

Facebook was recently slammed for using fake red dots to imply you had messages waiting — even though you didn’t — to distract users from reading their new GDPR-compliant privacy policy.

There’s a name for this behaviour: Dark patterns.

“Dark patterns are tricks used in websites and apps that make you buy or sign up for things that you didn’t mean to,” wrote Harry Brignull, the user experience (UX) designer who coined the term in 2010.

Facebook’s use of dark patterns has been so egregious that Brignull was inspired to honour them by naming one specific trick “Privacy Zuckering.”

You are tricked into publicly sharing more information about yourself than you really intended to…

In its early days, Facebook had a reputation for making it difficult for users to control their privacy settings, and generally making it very easy to “overshare” by mistake. In response to feedback from consumers and privacy groups, Facebook has created a clearer, easier to use privacy settings area.

Today, privacy zuckering seems to take place mainly behind the scenes, thanks to the data brokerage industry… Data brokers buy it and combine it with everything else they find about you online into a profile, which they then resell. Your profile may contain information about your sexual preferences, physical & mental health. In theory your profile could result in you being refused services such as insurance or loans. The industry is currently not well regulated and it is very difficult to opt out of having your data brokered.

Brignull identified a dozen types of dark pattern, including:

  • Confirm-shaming: Guilting the user into opting into something. The option to decline is worded in such a way as to shame the user into compliance;
  • Trick Questions: You respond to a question, which, when glanced at appears to ask one thing, but if read carefully, asks another thing entirely; and
  • Friend Spam: The product asks for your email or social media permissions under the pretence it will be used for a desirable outcome (e.g. finding friends), but then spams all your contacts in a message that claims to be from you.

Following the introduction of the new General Data Protection Regulation (GDPR) in Europe, the Norwegian Consumer Council looked at user settings updates in Facebook, Google, and Microsoft’s Windows 10. Their report is scathing, calling the widespread use of dark patterns “exploitation”.

“The combination of privacy intrusive defaults, and the use of dark patterns, nudge[s] users of Facebook and Google, and to a lesser degree Windows 10, toward the least privacy friendly options to a degree that we consider unethical. We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given,” they write — those last three attributes being GDPR requirements.

As just one example, Facebook’s mobile users had to choose between an easy-sounding “Accept and continue” or a tedious-sounding “Manage data settings”. “This ‘easy road’ consisted of four clicks to get through the process, which entailed accepting personalised ads from third parties and the use of face recognition. In contrast, users who wanted to limit data collection and use had to go through 13 clicks.”

According to journalist Maria Bustillos, however, the biggest dark pattern of all is online services presenting themselves as a “community”. They’re not. They’re a massive customer database, just like that of a bank or an insurance company — organisations which also smother themselves in images of “community”.

“Individual users see Facebook through the lens of real, loving, intimate connections with their own friends and family; for millions of people, Facebook’s face is the face of love, a composite of the faces of their own children, grandchildren, neighbours, lovers, teachers, professors, and friends,” Bustillos wrote in her polemic The Smallness of Mark Zuckerberg.

“Mark Zuckerberg uses your most intimate connections, the literal faces of the people you love, to fool you.”
