There seems to be a collective sense that we’re all being pressured to divulge more about ourselves online than we really should. Yet few of us are aware how much friction is being built into websites and apps to compel us to give up our privacy. Design choices that steer us against our own self-interest are called dark patterns. They’re something we should all be aware of so we can make more informed choices about protecting our data privacy — and that of our customers.

You’ve probably had the experience of navigating a store that’s so labyrinthine that there is no simple way to go in and find what you’re looking for. Or, you’ve been through a checkout line that runs you through a gauntlet of items for impulse purchase. These things may be annoying, but they’re fairly benign ways to influence you to purchase more than you might otherwise.

On the internet, retailers and services are ratcheting up manipulation techniques to extract more money, more data, or both from you. These practices may be as seemingly subtle as word choice or the color of a button, or they may be more obvious, such as burying menu options deep in nonintuitive places. This friction can have a subtle, negative impact on a customer’s impression of an organization, and it weighs more heavily after a company suffers a privacy incident.

What Are Dark Patterns?

Making truly usable technology is an art and a science that most people give little thought to. There are many things that we take for granted about the flow of information, but font choice, or which words are used to communicate an idea, can make a very big difference in how we use an interface.

I don’t know about you, but since most checkout lines now have some sort of computerized interface where you input your payment card, there are certain stores where I will almost invariably screw up the process. These are usually the machines where someone has taped a sticky note to the corner, with instructions written in all caps or with several exclamation marks.

“You have to select ‘Yes’ first and then wait for the blinking blue arrows to illuminate before you put your card in!!!”

These bad design decisions create friction in the process, but they do so unintentionally. Some apps and sites are finding ways to subvert their user interfaces in ways that intentionally manipulate users into doing things they wouldn’t normally do. These methods are collectively known as dark patterns.

Dark patterns are tricks that compel you to do things you didn’t mean to, such as purchasing products you didn’t really intend to purchase or divulging information you might not otherwise have divulged. In the context of data privacy, this could include wording options in a way that makes it unclear what action you’re taking, or making certain actions — such as unsubscribing or deleting data — prohibitively difficult to accomplish.

How to Avoid Dark Patterns in Your Organization

It might seem obvious that manipulating users into doing things they don’t intend to is not a good thing. But there’s always a push to get more users and more sales, and this often leads companies to use high-pressure tactics to compel customers to behave in certain ways.

On the other hand, eschewing trickery engenders digital trust in your customer base. Getting informed consent from your customers when you ask them to share sensitive information to use your site or service can lead to fewer — or less severe — bad press moments if you do have a security or privacy incident.

It’s possible to create mutually beneficial, long-term relationships with your customers by being clear and transparent. This is especially true when industry trends are heading toward manipulative design, because you will stand out as a shining example of a site or service that is usable and trustworthy. Over time, these sketchy practices become less effective as the shock value wears off and consumers wise up to dark patterns. Now is the time to get ahead of the curve to create digital trust in your data gathering practices.

As TechCrunch described, there are many ways deceptive design is used to create friction when customers try to exercise their autonomy. Here are a few ways to avoid bogging down your user experience with common dark patterns.

Avoid Manipulative Language and Actions

“No thanks, I don’t like saving money!” and similarly sarcastic or shame-inducing language might seem spunky, but it’s more likely to receive eye-rolling or indignation. Customers may initially be motivated by countdown timers or messages about how limited the supply of an item is, but if every interaction receives the same message, the overall feeling is that this behavior is deceptive.

There’s a subtle difference between receiving confirmation of an action, especially when deleting data or an account, and badgering. Avoid repeating the same “Are you sure?” message several times, even when worded differently each time — and especially if any version is meant to create guilt, fear, uncertainty or doubt.

Use Clear Phrasing

Whenever you’re asking a customer to select or confirm an action, it’s important to make sure your choice of wording is as clear as possible. Err on the side of concise wording, and avoid double negatives. When possible, use button labels that describe what the selection will do — e.g., “delete,” “discard,” “save,” etc. — rather than “OK,” “cancel” or “ignore.”

Make Options Easily Available

If you make it easy for your users to delete data or cancel an action, especially where their privacy is concerned, they might be more likely to share data or make future transactions. If their experience canceling, unsubscribing or deleting their account is as positive as possible, they leave with a better “last” impression and may be more inclined to revisit your site or service in the future.

Understand What Data You Truly Need — and Why

The best way to protect your customers’ data privacy is to gather as little sensitive information as possible. When making decisions about what information to gather from customers, understand why you’re asking for it in the first place. If you can accomplish what you need to with less — or, at least, less sensitive — information, you’ll have less data to protect. And when you understand your reasons for gathering information, you can make this choice clear to your customers.
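One way to put data minimization into practice on the server side is to maintain an allowlist of the fields a form may collect, each with its stated purpose, and reject anything else rather than storing it. The example below is added here to illustrate that idea; it is not code from the original article or from any product it describes. The field names, purposes and the sample request are assumptions constructed for illustration, and the marketing opt-in shows one detail practitioners care about: optional consent is recorded as "yes" only when the client sends an explicit boolean true, never from a pre-ticked checkbox value like "on" or from an absent field.

```javascript
// Added example: server-side data-minimization allowlist for a signup form.
// Every field the service accepts must declare why it is collected; anything
// else in the request body is reported and dropped rather than silently stored.
// Field names and purposes below are assumptions for illustration only.
const SIGNUP_FIELDS = {
  email:          { required: true,  purpose: "account login and password reset" },
  displayName:    { required: true,  purpose: "shown on the user's public profile" },
  marketingOptIn: { required: false, purpose: "send promotional email; defaults to no" },
};

// Keep only declared fields. Undeclared fields go to `rejected` so the
// caller can log them (and fix the client) instead of storing them.
// Required fields that are absent are listed in `missing`.
function minimizeSignup(payload) {
  const accepted = {};
  const rejected = [];
  const missing = [];

  for (const [name, value] of Object.entries(payload)) {
    if (!Object.prototype.hasOwnProperty.call(SIGNUP_FIELDS, name)) {
      rejected.push(name);
      continue;
    }
    accepted[name] = value;
  }

  for (const [name, spec] of Object.entries(SIGNUP_FIELDS)) {
    if (spec.required && !Object.prototype.hasOwnProperty.call(accepted, name)) {
      missing.push(name);
    }
  }

  // Optional consent is "no" unless the user explicitly said yes. A checkbox's
  // default form value ("on"), a string "true", or a missing field all mean no.
  accepted.marketingOptIn = accepted.marketingOptIn === true;

  return { accepted, rejected, missing };
}

// Text to show beside each field so the reason for asking is visible to the
// customer at the point of collection.
function fieldDisclosures() {
  return Object.entries(SIGNUP_FIELDS).map(
    ([name, spec]) => `${name} (${spec.required ? "required" : "optional"}): ${spec.purpose}`
  );
}

// Constructed sample request: the client sends two fields the service has no
// stated need for, and a pre-ticked checkbox value for the marketing opt-in.
const sampleRequest = {
  email: "alice@example.com",
  displayName: "alice",
  dateOfBirth: "1990-01-01",
  phone: "+1-555-0100",
  marketingOptIn: "on",
};

const result = minimizeSignup(sampleRequest);
console.log("stored:", result.accepted);      // email, displayName, marketingOptIn: false
console.log("rejected:", result.rejected);    // ["dateOfBirth", "phone"]
console.log("missing:", result.missing);      // []
console.log(fieldDisclosures().join("\n"));
```

Reviewing `rejected` in logs is a cheap way to catch a front-end change that quietly started sending more personal data than the service ever decided it needed.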

Being clear and honest with customers is always good business. As online interactions become more complex, we need to work harder to make sure customers comprehend what’s going on when they take actions or share their information. By making usable sites and apps, we can help protect and maintain good relationships with our customers as well as their data privacy.
