Securing Our Communities: Dark Patterns

Each week, the NTIC Cyber Center highlights a different social engineering scam impacting individuals and communities within the National Capital Region. We encourage everyone to share this information with friends, colleagues, and loved ones to help reduce their risk of becoming a victim of financial fraud and identity theft.

A dark pattern is a type of social engineering technique whereby businesses or other organizations use crafty user interface/user experience (UI/UX) designs to manipulate users into making unintended choices. Dark patterns are often used to charge unwitting customers money, maintain a user’s attention, harvest personal data, gain or retain subscribers, and display advertisements. While most of these tactics are not necessarily illegal, they can cost customers time, money, and privacy.

Some organizations use deceptive website and advertisement design to misdirect customers and trick them into purchasing their products and services rather than using free or less expensive alternatives. For example, earlier this year, news reports surfaced claiming that some tax software companies used web design techniques to hide their free tax filing option from search engine results, corralling website visitors toward paid software products, even if they were eligible to file their taxes for free. Other organizations deliberately make it difficult for customers to permanently delete or close their accounts, stop recurring subscription charges, unsubscribe from promotional emails, or remove their personal data from databases. Social media platforms commonly use dark patterns to trick users into uploading their personal contact lists when they first open an account so that the platforms can market themselves to new users and collect additional data. Mobile app developers who want users to make in-app purchases may use specific colors or replace the functionality of certain symbols – such as an “X” that is often used to close a screen or pop-up – to influence user behavior. “Confirmshaming” is another dark pattern technique used to discourage customers from making decisions that are not in the financial interest of the organization, such as declining an offer to receive promotional emails.

In April 2019, two US senators introduced a bill to ban companies from using dark patterns to manipulate consumer behavior. This bill, named the Deceptive Experiences to Online Users Reduction (DETOUR) Act, is a bipartisan effort to prohibit large online platforms from using deceptive user interfaces to trick consumers into sharing their personal data.

The following is a list of common dark pattern categories that organizations may employ individually or in combination with others to manipulate consumers: 

  • Involuntary Acknowledgments - These are UI/UX design elements specially crafted to keep customers locked into a service, to force them into granting the organization access to their devices or data, or to collect their personal information. They include tactics such as automatically renewing paid subscription services, uploading contact information of individuals and their associates, and enabling network settings such as Wi-Fi, Bluetooth, and GPS by default. Organizations often use trick questions or “bait-and-switch” schemes to snare customers into involuntary acknowledgments.

  • Concealed Advertisements - These UI/UX design elements are created to display unwanted ads. These appear as pop-ups, ads, or redirection links masquerading as legitimate navigation buttons or other user options.

  • Hidden Costs - These are UI/UX design elements that are used to charge unsuspecting customers a fee beyond the price of the product or service offered. Hidden costs can include additional items or services that automatically populate in online shopping carts right before customers complete their transactions, weekly or monthly subscription charges, unnecessary warranties or insurance, or excessive shipping costs.

  • Convoluted Exit - These UI/UX design elements are implemented to keep customers from leaving a website or cancelling a service. For example, pop-up ads may have a camouflaged or hidden "X" button to prevent users from closing the window. In other instances, when trying to unsubscribe from a service, customers may have to jump through several tedious hoops, such as muddling through multiple automated telephone and website prompts or mailing a hardcopy of their cancellation request to the organization.
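The four categories above can be turned into simple heuristics that a reviewer or a browser extension could run over a page's interactive elements. The following is an added example, not code from the NTIC bulletin; the element descriptors (id, type, role, label, size, contrast, userAdded) are a constructed stand-in for a scraped DOM, and the word lists are illustrative assumptions, not an authoritative catalogue.

```javascript
// Added example: heuristic audit of UI elements for the dark-pattern categories
// described above. Descriptors are constructed; in a browser they would be built
// from querySelectorAll() plus getComputedStyle() for size and contrast.
const DECLINE_SHAMING = /\b(no thanks,? i|i (don'?t|do not) (want|need|care)|i'?ll (pay|risk))/i;
const CONSENT_WORDS = /\b(renew|subscri|contacts?|location|bluetooth|wi-?fi|newsletter|promot)/i;

function auditElement(el) {
  const findings = [];
  // Involuntary acknowledgment: consent-type checkbox ticked by default.
  if (el.type === 'checkbox' && el.checked && CONSENT_WORDS.test(el.label)) {
    findings.push('pre-checked consent: ' + el.label);
  }
  // Convoluted exit: close control that is tiny or nearly invisible (WCAG-style contrast < 3).
  if (el.role === 'close' && (el.width < 12 || el.height < 12 || el.contrast < 3)) {
    findings.push('hard-to-see close control');
  }
  // Confirmshaming: decline option worded to guilt the user.
  if (el.role === 'decline' && DECLINE_SHAMING.test(el.label)) {
    findings.push('confirmshaming decline: ' + el.label);
  }
  // Hidden cost: cart line the user never added themselves.
  if (el.role === 'cart-line' && !el.userAdded) {
    findings.push('auto-added cart item: ' + el.label);
  }
  return findings;
}

// Run the audit over every element and tag each finding with the element id.
function auditPage(elements) {
  return elements.flatMap(el => auditElement(el).map(f => ({ id: el.id, finding: f })));
}

// Constructed sample page mixing fair and manipulative elements.
const SAMPLE = [
  { id: 'c1', type: 'checkbox', checked: true,  label: 'Auto-renew my subscription each month' },
  { id: 'c2', type: 'checkbox', checked: false, label: 'Send me the newsletter' },
  { id: 'x1', role: 'close',   width: 8,  height: 8,  contrast: 1.2 },
  { id: 'b1', role: 'decline', label: "No thanks, I don't want to save money" },
  { id: 'b2', role: 'decline', label: 'Decline' },
  { id: 'l1', role: 'cart-line', userAdded: true,  label: 'Laptop' },
  { id: 'l2', role: 'cart-line', userAdded: false, label: 'Extended warranty' },
];

function sampleFindings() { return auditPage(SAMPLE); }

console.log(sampleFindings()); // flags c1, x1, b1 and l2; c2, b2 and l1 pass
```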

The NTIC Cyber Center provides the following tips to help our readers recognize and avoid being manipulated by dark patterns:

  • Maintain awareness of dark patterns and how they are used to manipulate consumers.

  • Research organizations thoroughly before making a transaction. Be sure to look for customer or client reviews posted on legitimate review websites and visit the Better Business Bureau (BBB) website to see if any complaints have been filed against the organization.

  • Double-check for hidden costs, items, and services added to online shopping carts before finalizing the transaction.

  • Carefully read the terms of service and requested user permissions before making a purchase, subscribing to a service, opening an account, or installing any software or mobile app.

  • Regularly monitor financial statements for unauthorized charges, as they may not appear immediately after an initial transaction.

  • Consider using low-balance or empty prepaid debit cards for trial offers that require the input of a payment method. This will prevent you from automatically being charged a recurring subscription fee should you decide not to continue with the service after the trial period.

  • Be aware of any website, pop-up, or ad that tries to convey a sense of urgency or attempts to make you feel guilty about your purchasing decisions. Organizations use these tactics to get customers to act quickly and prevent them from taking the time to thoroughly research the product, service, or organization.

  • Contact your representatives and urge them to support the Deceptive Experiences to Online Users Reduction (DETOUR) Act to help protect consumers from these manipulative practices.

The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.