Crowd-sourcing Multi-Domain Issues in Consent Dialogues for Automated Generation of Legal Complaints
CHI Workshop on Dark Patterns in Design: What Can CHI Do About Dark Patterns? (DarkPatterns) - co-located with ACM Conference on Human Factors in Computing Systems (CHI)
✍ Harshvardhan J. Pandit* , Brian Lynch , Dave Lewis
publication 🔓copies: harshp.com , TARA , zenodo
📦resources: demo , repo
Proposal for reporting issues across domains and linking them for legal complaints
Analysis of dark patterns in consent dialogues includes issues that several domains: HCI for the analysis of interaction mechanisms; psychology and ethics for understanding impact to the individual, technological understanding of their implementation, and finally connecting them to specific legal violations for enforceable actions. We propose creating a mapping between issues from different domains so as to enable researchers to communicate and collaborate towards legally enforceable complaints regarding violations of consent requirements. We discuss how this mapping provides benefits in terms of richer data collection and analysis, automation of documentation generation, and enabling any individual to address malpractices online.
Problem & Motivation
A ‘consent dialogue’ is a design pattern typical to an interactive interface (e.g. website or app) where a notice is shown for providing information and requesting consent through controls provided to the individual. The use of consent dialogues is a common occurrence on websites, and is often the first element most individuals interact with. Consent collected through such interactions is used as the legal basis to collect, use, and share personal data under data protection and privacy laws, such as the EU’s General Data Protection Regulation (GDPR, 2016)  and the California Consumer Privacy Act (CCPA, 2018) .
These laws stipulate obligations and requirements that dictate requirements for ‘valid consent,’ which in turn influence design patterns used to collect (request) consent. Examples of such requirements include provision of information regarding entities and data sources1, criteria to indicate consent2, and design of request in context of the website it is provided as part of3. These requirements are (in-part) a reaction to prevalent misuse of design patterns and interactions regarding agency and rights of the individual and are intended to reduce negative impacts to privacy. An example of the law catching up to this is the CCPA, which is the first law to explicitly utilise the term ‘Dark pattern’4 and prohibit its use in the process of requesting consent5.
The term ‘dark pattern’ was first coined by Harry Brignull in connection with specific design patterns (UI/UX) intended to deceive the user . When applied to consent dialogues, the deception (and other negative influences such as manipulation) directly contradicts the intended purpose of providing the user with genuine choice and control of their decision regarding personal data and privacy. It is an unfortunate situation that most of the consent dialogues on websites utilise such dark patterns and thereby aim to subvert the process of consenting for their own gains .
Despite dark patterns in consent dialogues having (arguably some degree of) resistance and regulation within laws, reporting of violations to relevant authorities requires intricate knowledge of the specifics of a particular law to quote relevant articles or clauses6. This not only requires a good working knowledge of the law, its interpretations, and relevant case law, but also necessitates connecting it with practicalities of the consent dialogues. Connecting dark patterns to requirements in legal clauses and assessing their violation requires expertise in multiple-domains: legal for understanding the requirements codified in law and formalising written documentation for complaints, HCI/psychology (and others) for detection of dark patterns, and Computer Science for understanding and analysing the technological implementations powering the consent practices and processes.
Solution: We start with requirements for detection of issues in consent dialogues that spans multiple domains (see Section.2) that must (finally) be documented in relation to specific requirements codified in law. Based on this, we propose (see Section.3) a ‘mapping’ across issues domains7 and link them to specific clauses in the law that they violate. Through this, we ask experts in their respective areas to highlight issues in consent dialogues and use the mappings to automate generation of a legal document that can be submitted to authorities as a formal complaint of unfair and illegal practices. Once we accumulate enough mappings, we propose opening up the identification and annotation of issues to a crowd-sourced model to enable every individual, irrespective of their knowledge of malpractices, to identify and report issues with relevant legal clauses to relevant authorities .
We are currently developing a prototype for this solution in the form of a browser add-on/extension (see Figure.1) that enables users to: (i) highlight problematic areas of the website and consent dialogue; (ii) annotate it to highlight specific issues; (iii) provides a list of issues from various domains for users to select and use based on familiarity; and (iv) generates a legal complaint linking issues to legal clauses within the GDPR.
Domains and Issues
Domain: UI/UX | Issue: Dark Patterns While primarily being described through UI/UX applications (as their field of existence), dark patterns have a history of being applied across different enterprises (e.g. retail, medicine), have a plethora of exploitative techniques (e.g. nudging, hiding), and are a widespread problematic phenomenon on websites today . The existence of dark patterns in positioning, textual information presented, and the complexity of information/choices affects the comprehension of information for consent; with studies demonstrating this through manual  and automated , – analysis. Dark patterns are also prevalent as barriers to the exercising of aligned rights8.
Domain: Law | Issue: Reporting Violation requires specific Documentation The three laws having the most impact on the requirements of consent dialogues are ePrivacy Directive (ePD,2002) , GDPR , and CCPA . Studies have outlined compliance requirements for notice and consent associated with legal requirements: analysis of cookie banners in EU , violations of user’s choice regarding consent , the connections between dark patterns and legal requirements for consent , and analysis legal bases in the notices and their legality in connection with consent . The most detailed of these  outlines low level requirements regarding consent which can be connected to specific design choices and interfaces from a legal perspective.
Domain: Technology | Issue: Intricate Working Knowledge Analysis of cookies and consent dialogues9 requires knowledge about technical implementations to understand the Consent Management Providers (CMP), their underlying processes, parties involved, and the complexities of targeted advertisements and profiling networks . Assessing and highlighting their (mis-)use involves knowledge of how technologies work (e.g. browsers, cookies) and connecting it with information in notice provided , , .
Domain: Sociology, Psychology, Philosophy | Issue: User empowerment, Agency, Human-centricity The definition and study of ‘Dark Patterns’ takes into account that their use is based on exploiting human psychological behaviour towards manipulation or deception of the user and therefore requires knowledge regarding cognition, psychology, ethics, and sociological constructs , . An example applied to consenting is the study by Human et al.  that shows how the design/interface used on GAFAM (Google, Amazon, Facebook, Apple, Microsoft) websites has an impact on “cognitive, collective, and contextual dimensions of the consenting action.”
Proposal for Solution
Map issues across domains
As outlined in the earlier section, each domain has its own peculiarities regarding issues and differences in how they approach and document it. For legally actionable documentation, all information must be expressed in connection with the specific clauses or articles within existing laws which are purported to be violated or non-compliant. It is clear that this calls for cross-disciplinary communication and collaboration to connect the practical applications with enforceable actions. Therefore, first: create list of issues regarding consent dialogues within specific domains, and then second: align them by using legal requirements as a central focus. This exercise allows creation of analysis toolkits and guidelines based on applicability of legal requirements to other domains for consenting, and more importantly provides a broader surface for discussion of practices surrounding consent rooted in enforceable legal actions.
To provide an example, consider the dialogue in Figure.1 where a general user observes that there is no clear option, and consults a dark patterns expert who confirms this as a form of nudging. They then consult a legal expert who suggests that the interface does not comply with GDPR (Art.4,7 and Recitals.32,43) regarding conditions for consent. They then produce a letter to the authority outlining their complaint by documenting evidence and citing the GDPR clauses. The mapping captures this ‘consultation’ process and allows rapid collection and exchange of knowledge between the respective communities.
Automate documentation generation
The mapped issues also permit generating different kinds of documentation based on identified use-cases. For example, jurisdictional authorities have differing requirements (language, laws) which can be codified in a template and populated with pertinent information automatically from the issues identified in a use-case. The use of automation and templates is also useful to collect and generate reports for/by researchers, organisations, and watchdogs. For the earlier example, one could select the pertinent authority and the automated generation would produce a document in the required formal language as a complaint outlining the specific legal clauses violated through the issues highlighted by the individual.
Crowd-sourced Reporting of Issues based on Familiarity
The mapping makes it easier to report issues as it lowers the bar for understanding and interpreting them across domains and figuring out legal violations. By crowd-sourcing responses from experts as well as general users, a better understanding of issues can be gained, both across and beyond domains. It also serves to collect examples of issues on websites in the wild, which can act as a rich corpus of data accessible through the mappings for researchers across all relevant domains. Crowd-sourcing has another advantage in that it allows individuals (and groups) to create their own ‘lists’ of issues and mappings, and to ask users to utilise those for specific ends. For example, European data protection authorities can generate a specific mapping from design elements or dark patterns to violations of the GDPR and consider that as an authoritative source for crowd-sourced collection of complaints as a solution to address the surmounting requirements of web-scale legal compliance assessments.
Through this work, we hope to have outlined the necessity of cross-disciplinary collaboration regarding issues present around practices and processes of consent and consenting on the web. In particular, the proposed solution of creating an alignment or relationships between the issues highlighted within different domains, and the need to connect these with articles in law for enforceable legal documentation and complaints. We hope to present this as a viable and actionable solution in the discussion of dark patterns and consent, and to utilise this work as both an advertisement for this approach, and an invitation for the community to undertake it as a fruitful endeavour.
Although this article focuses predominantly on dark patterns and issues in consent dialogues, it has broader applications to other fields and use-cases. For example, dark patterns on commercial websites such as those for shopping and retail also have detrimental effects to the user. A similar approach can be undertaken to crowd-source their occurrences and report them to a watchdog or consumer protection authorities. The prototype tool we intend to develop can be extended for such applications given its flexibility in using lists to report issues.
This work has been funded by: Irish Research Council Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790; and the European Union’s Horizon 2020 research and innovation programme under NGI TRUST Grant#825618 for Project#3.40 Privacy-as-Expected: Consent Gateway; and The ADAPT SFI Centre for Digital Media Technology funded by Science Foundation Ireland through the SFI Research Centres Programme and co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106_P2.
See GDPR Article 13 and Article 14↩︎
See GDPR Recital 32, Recital 42, and Recital 43↩︎
See CCPA 1798.185.a.20 (C)↩︎
CCPA (1798.140) (l) “Dark Pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation.↩︎
CCPA (1798.185.a.20) (C) Ensure that any link to a web page or its supporting content that allows the consumer to consent to opt in: (iii) Does not make use of any dark patterns.↩︎
The two distinct terms ‘consent dialogue’ and ‘cookie dialogue’ refer to notice & consent for processing of personal data and cookies respectively. Here, we refer to both collectively as consent dialogues.↩︎