Crowd-sourcing Multi-Domain Issues in Consent Dialogues for Automated Generation of Legal Complaints

Ext. Abstract
CHI Workshop on Dark Patterns in Design: What Can CHI Do About Dark Patterns? (DarkPatterns) - co-located with ACM Conference on Human Factors in Computing Systems (CHI)
Harshvardhan J. Pandit* , Brian Lynch , Dave Lewis
publication 🔓copies: harshp.com , TARA , zenodo
📦resources: demo , repo
Proposal for reporting issues across domains and linking them for legal complaints

Abstract

Analysis of dark patterns in consent dialogues includes issues that several domains: HCI for the analysis of interaction mechanisms; psychology and ethics for understanding impact to the individual, technological understanding of their implementation, and finally connecting them to specific legal violations for enforceable actions. We propose creating a mapping between issues from different domains so as to enable researchers to communicate and collaborate towards legally enforceable complaints regarding violations of consent requirements. We discuss how this mapping provides benefits in terms of richer data collection and analysis, automation of documentation generation, and enabling any individual to address malpractices online.

Problem & Motivation

A ‘consent dialogue’ is a design pattern typical to an interactive interface (e.g. website or app) where a notice is shown for providing information and requesting consent through controls provided to the individual. The use of consent dialogues is a common occurrence on websites, and is often the first element most individuals interact with. Consent collected through such interactions is used as the legal basis to collect, use, and share personal data under data protection and privacy laws, such as the EU’s General Data Protection Regulation (GDPR, 2016) [1] and the California Consumer Privacy Act (CCPA, 2018) [2].

These laws stipulate obligations and requirements that dictate requirements for ‘valid consent,’ which in turn influence design patterns used to collect (request) consent. Examples of such requirements include provision of information regarding entities and data sources1, criteria to indicate consent2, and design of request in context of the website it is provided as part of3. These requirements are (in-part) a reaction to prevalent misuse of design patterns and interactions regarding agency and rights of the individual and are intended to reduce negative impacts to privacy. An example of the law catching up to this is the CCPA, which is the first law to explicitly utilise the term ‘Dark pattern’4 and prohibit its use in the process of requesting consent5.

The term ‘dark pattern’ was first coined by Harry Brignull in connection with specific design patterns (UI/UX) intended to deceive the user [3]. When applied to consent dialogues, the deception (and other negative influences such as manipulation) directly contradicts the intended purpose of providing the user with genuine choice and control of their decision regarding personal data and privacy. It is an unfortunate situation that most of the consent dialogues on websites utilise such dark patterns and thereby aim to subvert the process of consenting for their own gains [4].

Despite dark patterns in consent dialogues having (arguably some degree of) resistance and regulation within laws, reporting of violations to relevant authorities requires intricate knowledge of the specifics of a particular law to quote relevant articles or clauses6. This not only requires a good working knowledge of the law, its interpretations, and relevant case law, but also necessitates connecting it with practicalities of the consent dialogues. Connecting dark patterns to requirements in legal clauses and assessing their violation requires expertise in multiple-domains: legal for understanding the requirements codified in law and formalising written documentation for complaints, HCI/psychology (and others) for detection of dark patterns, and Computer Science for understanding and analysing the technological implementations powering the consent practices and processes.

Solution: We start with requirements for detection of issues in consent dialogues that spans multiple domains (see Section.2) that must (finally) be documented in relation to specific requirements codified in law. Based on this, we propose (see Section.3) a ‘mapping’ across issues domains7 and link them to specific clauses in the law that they violate. Through this, we ask experts in their respective areas to highlight issues in consent dialogues and use the mappings to automate generation of a legal document that can be submitted to authorities as a formal complaint of unfair and illegal practices. Once we accumulate enough mappings, we propose opening up the identification and annotation of issues to a crowd-sourced model to enable every individual, irrespective of their knowledge of malpractices, to identify and report issues with relevant legal clauses to relevant authorities .

We are currently developing a prototype for this solution in the form of a browser add-on/extension (see Figure.1) that enables users to: (i) highlight problematic areas of the website and consent dialogue; (ii) annotate it to highlight specific issues; (iii) provides a list of issues from various domains for users to select and use based on familiarity; and (iv) generates a legal complaint linking issues to legal clauses within the GDPR.

Screenshot of prototype used to annotate issues in consent dialogue on https://www.irishtimes.com/

Domains and Issues

Domain: UI/UX | Issue: Dark Patterns While primarily being described through UI/UX applications (as their field of existence), dark patterns have a history of being applied across different enterprises (e.g. retail, medicine), have a plethora of exploitative techniques (e.g. nudging, hiding), and are a widespread problematic phenomenon on websites today [7]. The existence of dark patterns in positioning, textual information presented, and the complexity of information/choices affects the comprehension of information for consent; with studies demonstrating this through manual [8] and automated [4], [9][12] analysis. Dark patterns are also prevalent as barriers to the exercising of aligned rights8.

Domain: Law | Issue: Reporting Violation requires specific Documentation The three laws having the most impact on the requirements of consent dialogues are ePrivacy Directive (ePD,2002) [15], GDPR [1], and CCPA [2]. Studies have outlined compliance requirements for notice and consent associated with legal requirements: analysis of cookie banners in EU [16], violations of user’s choice regarding consent [10], the connections between dark patterns and legal requirements for consent [17], and analysis legal bases in the notices and their legality in connection with consent [18]. The most detailed of these [19] outlines low level requirements regarding consent which can be connected to specific design choices and interfaces from a legal perspective.

Domain: Technology | Issue: Intricate Working Knowledge Analysis of cookies and consent dialogues9 requires knowledge about technical implementations to understand the Consent Management Providers (CMP), their underlying processes, parties involved, and the complexities of targeted advertisements and profiling networks [16]. Assessing and highlighting their (mis-)use involves knowledge of how technologies work (e.g. browsers, cookies) and connecting it with information in notice provided [11], [18], [19].

Domain: Sociology, Psychology, Philosophy | Issue: User empowerment, Agency, Human-centricity The definition and study of ‘Dark Patterns’ takes into account that their use is based on exploiting human psychological behaviour towards manipulation or deception of the user and therefore requires knowledge regarding cognition, psychology, ethics, and sociological constructs [6], [20]. An example applied to consenting is the study by Human et al. [21] that shows how the design/interface used on GAFAM (Google, Amazon, Facebook, Apple, Microsoft) websites has an impact on “cognitive, collective, and contextual dimensions of the consenting action.”

Proposal for Solution

Map issues across domains

As outlined in the earlier section, each domain has its own peculiarities regarding issues and differences in how they approach and document it. For legally actionable documentation, all information must be expressed in connection with the specific clauses or articles within existing laws which are purported to be violated or non-compliant. It is clear that this calls for cross-disciplinary communication and collaboration to connect the practical applications with enforceable actions. Therefore, first: create list of issues regarding consent dialogues within specific domains, and then second: align them by using legal requirements as a central focus. This exercise allows creation of analysis toolkits and guidelines based on applicability of legal requirements to other domains for consenting, and more importantly provides a broader surface for discussion of practices surrounding consent rooted in enforceable legal actions.

To provide an example, consider the dialogue in Figure.1 where a general user observes that there is no clear option, and consults a dark patterns expert who confirms this as a form of nudging. They then consult a legal expert who suggests that the interface does not comply with GDPR (Art.4,7 and Recitals.32,43) regarding conditions for consent. They then produce a letter to the authority outlining their complaint by documenting evidence and citing the GDPR clauses. The mapping captures this ‘consultation’ process and allows rapid collection and exchange of knowledge between the respective communities.

Automate documentation generation

The mapped issues also permit generating different kinds of documentation based on identified use-cases. For example, jurisdictional authorities have differing requirements (language, laws) which can be codified in a template and populated with pertinent information automatically from the issues identified in a use-case. The use of automation and templates is also useful to collect and generate reports for/by researchers, organisations, and watchdogs. For the earlier example, one could select the pertinent authority and the automated generation would produce a document in the required formal language as a complaint outlining the specific legal clauses violated through the issues highlighted by the individual.

Crowd-sourced Reporting of Issues based on Familiarity

The mapping makes it easier to report issues as it lowers the bar for understanding and interpreting them across domains and figuring out legal violations. By crowd-sourcing responses from experts as well as general users, a better understanding of issues can be gained, both across and beyond domains. It also serves to collect examples of issues on websites in the wild, which can act as a rich corpus of data accessible through the mappings for researchers across all relevant domains. Crowd-sourcing has another advantage in that it allows individuals (and groups) to create their own ‘lists’ of issues and mappings, and to ask users to utilise those for specific ends. For example, European data protection authorities can generate a specific mapping from design elements or dark patterns to violations of the GDPR and consider that as an authoritative source for crowd-sourced collection of complaints as a solution to address the surmounting requirements of web-scale legal compliance assessments.

Concluding Remarks

Through this work, we hope to have outlined the necessity of cross-disciplinary collaboration regarding issues present around practices and processes of consent and consenting on the web. In particular, the proposed solution of creating an alignment or relationships between the issues highlighted within different domains, and the need to connect these with articles in law for enforceable legal documentation and complaints. We hope to present this as a viable and actionable solution in the discussion of dark patterns and consent, and to utilise this work as both an advertisement for this approach, and an invitation for the community to undertake it as a fruitful endeavour.

Although this article focuses predominantly on dark patterns and issues in consent dialogues, it has broader applications to other fields and use-cases. For example, dark patterns on commercial websites such as those for shopping and retail also have detrimental effects to the user. A similar approach can be undertaken to crowd-source their occurrences and report them to a watchdog or consumer protection authorities. The prototype tool we intend to develop can be extended for such applications given its flexibility in using lists to report issues.

This work has been funded by: Irish Research Council Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790; and the European Union’s Horizon 2020 research and innovation programme under NGI TRUST Grant#825618 for Project#3.40 Privacy-as-Expected: Consent Gateway; and The ADAPT SFI Centre for Digital Media Technology funded by Science Foundation Ireland through the SFI Research Centres Programme and co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106_P2.

References

[1] “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),” Official Journal of the European Union, vol. L119, May 2016.
[2] “Assembly Bill No. 375 Chapter 55: An act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy,” California State Legislature, Jun. 2018.
[3] H. Brignull, “Dark Patterns: Deception vs. Honesty in UI Design,” A List Apart. Nov-2011.
[4] M. Nouwens, I. Liccardi, M. Veale, D. Karger, and L. Kagal, “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence,” Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, pp. 1–13, Apr. 2020, doi: https://doi.org/10/ggx9vq. [Online]. Available: https://arxiv.org/abs/2001.02479
[5] “Exercise Your Rights Article 77 complain to your DPA!” noyb.eu. https://noyb.eu/en/withdraw-your-consent.
[6] A. Mathur, J. Mayer, and M. Kshirsagar, “What Makes a Dark Pattern... Dark? Design Attributes, Normative Considerations, and Measurement Methods,” arXiv:2101.04843 [cs], Jan. 2021, doi: https://doi.org/10.1145/3411764.3445610. [Online]. Available: https://arxiv.org/abs/2101.04843
[7] A. Narayanan, A. Mathur, M. Chetty, and M. Kshirsagar, “Dark Patterns: Past, Present, and Future,” Queue, vol. 18, no. 2, pp. 67–92, Apr. 2020, doi: https://doi.org/10/ggwwhp.
[8] T. H. Soe, O. E. Nordberg, F. Guribye, and M. Slavkovik, “Circumvention by design – dark patterns in cookie consents for online news outlets,” arXiv:2006.13985 [cs], Jun. 2020 [Online]. Available: https://arxiv.org/abs/2006.13985
[9] C. Utz, M. Degeling, S. Fahl, F. Schaub, and T. Holz, “(Un)informed Consent: Studying GDPR Consent Notices in the Field,” in ACM SIGSAC Conference on Computer and Communications Security (CCS’19), 2019, p. 18.
[10] C. Matte, N. Bielova, and C. Santos, “Do Cookie Banners Respect my Choice?” in 41st IEEE Symposium on Security and Privacy, 2020, p. 19.
[11] M. Hils, D. W. Woods, and R. Böhme, “Measuring the Emergence of Consent Management on the Web,” in Proceedings of the ACM Internet Measurement Conference, 2020, pp. 317–332, doi: https://doi.org/10/ghjgnp.
[12] D. Machuletz and R. Böhme, “Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR,” Proceedings on Privacy Enhancing Technologies, vol. 2020, no. 2, pp. 481–498, Apr. 2020, doi: https://doi.org/10/ghqdq8. [Online]. Available: https://arxiv.org/abs/1908.10048
[13] “Dark Patterns and the CCPA.” /blog/2020/10/dark-patterns-and-ccpa.
[14] “Deceived By Design: How tech companies use dark patterns to discourage us from exercising our rights to privacy,” Forbrukerrådets, Jun. 2018.
[15] “Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications),” Official Journal of the European Union, vol. 201, Jul. 2002.
[16] M. Trevisan, S. Traverso, E. Bassi, and M. Mellia, “4 Years of EU Cookie Law: Results and Lessons Learned,” Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 2, pp. 126–145, Apr. 2019, doi: https://doi.org/10/gf6kfq.
[17] C. M. Gray, C. Santos, N. Bielova, M. Toth, and D. Clifford, “Dark Patterns and the Legal Requirements of Consent Banners: An Interaction Criticism Perspective,” p. 18, 2021.
[18] C. Matte, C. Santos, and N. Bielova, “Purposes in IAB Europe’s TCF: Which legal basis and how are they used by advertisers?” in Annual Privacy Forum (APF 2020), 2020.
[19] C. Santos, N. Bielova, and C. Matte, “Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners,” Technology and Regulation, pp. 91–135, Dec. 2020, doi: https://doi.org/10/ghtr3n.
[20] C. M. Gray, Y. Kou, B. Battles, J. Hoggatt, and A. L. Toombs, “The Dark (Patterns) Side of UX Design,” in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, 2018, pp. 534:1–534:14, doi: https://doi.org/10/gfxvpz.
[21] S. Human and F. Cech, “A Human-centric Perspective on Digital Consenting: The Case of GAFAM,” in Human Centred Intelligent Systems 2020, 2020.

  1. See GDPR Article 13 and Article 14↩︎

  2. See GDPR Recital 32, Recital 42, and Recital 43↩︎

  3. See CCPA 1798.185.a.20 (C)↩︎

  4. CCPA (1798.140) (l) “Dark Pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation.↩︎

  5. CCPA (1798.185.a.20) (C) Ensure that any link to a web page or its supporting content that allows the consumer to consent to opt in: (iii) Does not make use of any dark patterns.↩︎

  6. For example, see None of Your Busienss (NOYB) guide on Exercising Your Rights under GDPR Article 77 regarding Complaining to DPA [5].↩︎

  7. A good resource to understand the current research about dark patterns across domains is this article by Mathur et al. [6]↩︎

  8. See complaint outlining violation of ‘do not sell’ as per the CCPA [13], and the report by Norwegian Consumer Council (Forbrukerrådets) regarding impact of dark patterns on privacy [14]↩︎

  9. The two distinct terms ‘consent dialogue’ and ‘cookie dialogue’ refer to notice & consent for processing of personal data and cookies respectively. Here, we refer to both collectively as consent dialogues.↩︎