Your favorite tech companies are trying to trick you into giving up your data, and a new study shows how they’re using design to do it.
A study from the Norwegian Consumer Council dug into the underhanded tactics used by Microsoft, Facebook, and Google to collect user data. The study comes in the wake of the European Union’s newly-enacted GDPR laws designed to protect users from predatory data collection and Facebook’s own controversy involving the sharing of users’ personal data.
“The findings include privacy intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users,” states the report, which includes images and examples of confusing design choices and strangely worded statements involving the collection and use of personal data.
One example cited is Facebook’s GDPR-related popup, which makes the “Agree and continue” option much more appealing and less intimidating than the grey “Manage Data Settings” option. And, according to the report, the company-suggested option is the easiest to use. “This ‘easy road’ consisted of four clicks to get through the process, which entailed accepting personalised ads from third parties and the use of face recognition. In contrast, users who wanted to limit data collection and use had to go through 13 clicks.” Trying 41 shades of blue to measure which one is most appealing is one (weird) thing, but making it more difficult for your own users to hold tight to their data is another.
Google makes opting out of personalized ads more of a chore than it needs to be and uses multiple pages of text, unclear design language, and, as described by the report, “hidden defaults” to push users toward the company’s desired action. “If the user tried to turn the setting off, a popup window appeared explaining what happens if Ads Personalisation is turned off, and asked users to reaffirm their choice,” the report explained. “There was no explanation about the possible benefits of turning off Ads Personalisation, or negative sides of leaving it turned on.” Those who wish to completely avoid personalized ads must traverse multiple menus, making that “I agree” option seem like the lesser of two evils.
Microsoft’s data collection options in Windows 10 were somewhat more respectful of users’ data, the study found. Still, it’s quite clear which option Microsoft wants users to choose. “For example, if the user wanted to opt out of ‘tailored experiences with diagnostic data’, they had to click a dimmed lightbulb, while the symbol for opting in was a brightly shining bulb,” says the report. “For the choice to let apps use an Advertising ID, the ‘Yes’ choice was accompanied by an arrow hitting its target, while the ‘No’ choice had an empty target. The opt-in choice was also always placed at the top. These are nudges towards clicking yes.” To Microsoft’s credit, the number of clicks to opt out is equal to the number required to opt in.
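The nudges the report describes across the three companies reduce to a few measurable properties of a consent flow: how many clicks the privacy-friendly path costs versus the “agree” path, which options are pre-selected, and which option is listed first or visually emphasised. The following is an added example (not code from the Norwegian Consumer Council, Gizmodo, or any of the companies named) that models a consent flow as a set of screens and audits it for exactly those properties. The two flows, their screen names and their click counts are constructed to resemble the 4-versus-13-click pattern described above, not taken from any real product.

```javascript
// Consent-flow audit: constructed example, not code from the report or any vendor.
// A flow maps a screen id to the choices shown on it. Each choice records its
// effect on data collection ('share' | 'limit' | 'neutral'), the screen it
// leads to (null = flow finished), and presentation hints the report flags.
function shortestPath(flow, start, goalEffect) {
  // Breadth-first search where every choice costs one click. Only choices whose
  // effect is goalEffect or 'neutral' may be taken, so the result is the
  // minimum number of clicks to finish while staying on that path.
  const queue = [[start, 0]];
  const seen = new Set([start]);
  while (queue.length) {
    const [screen, clicks] = queue.shift();
    for (const choice of flow[screen] || []) {
      if (choice.effect !== goalEffect && choice.effect !== 'neutral') continue;
      if (choice.next === null) return clicks + 1;
      if (!seen.has(choice.next)) {
        seen.add(choice.next);
        queue.push([choice.next, clicks + 1]);
      }
    }
  }
  return Infinity; // the goal cannot be reached at all (take-it-or-leave-it)
}

function auditFlow(flow, start) {
  const findings = [];
  const shareClicks = shortestPath(flow, start, 'share');
  const limitClicks = shortestPath(flow, start, 'limit');
  if (limitClicks > shareClicks) {
    findings.push(`asymmetric effort: ${limitClicks} clicks to limit data vs ${shareClicks} to share`);
  }
  for (const [screen, choices] of Object.entries(flow)) {
    choices.forEach((c, i) => {
      if (c.effect !== 'share') return;
      if (c.preselected) findings.push(`${screen}: "${c.label}" shares data and is on by default`);
      if (c.emphasised) findings.push(`${screen}: "${c.label}" is visually emphasised`);
      if (i === 0 && choices.some((o) => o.effect === 'limit')) {
        findings.push(`${screen}: sharing option is listed before the limiting one`);
      }
    });
  }
  return { shareClicks, limitClicks, findings };
}

// Constructed flow with the nudges the report describes: one highlighted "agree"
// button, pre-selected sharing toggles, and a confirmation screen after each opt-out.
const nudgingFlow = {
  welcome: [
    { label: 'Agree and continue', effect: 'share', next: null, emphasised: true },
    { label: 'Manage data settings', effect: 'neutral', next: 'ads' },
  ],
  ads: [
    { label: 'Allow personalised ads', effect: 'share', next: 'face', preselected: true, emphasised: true },
    { label: 'Do not allow', effect: 'limit', next: 'confirmAds' },
  ],
  confirmAds: [
    { label: 'Keep on', effect: 'share', next: 'face' },
    { label: 'Turn off anyway', effect: 'limit', next: 'face' },
  ],
  face: [
    { label: 'Enable face recognition', effect: 'share', next: null, preselected: true },
    { label: 'Do not enable', effect: 'limit', next: 'confirmFace' },
  ],
  confirmFace: [
    { label: 'Keep on', effect: 'share', next: null },
    { label: 'Turn off anyway', effect: 'limit', next: null },
  ],
};

// Constructed neutral flow: same decisions, privacy-friendly defaults, equal effort.
const neutralFlow = {
  welcome: [{ label: 'Review settings', effect: 'neutral', next: 'ads' }],
  ads: [
    { label: 'Do not personalise ads', effect: 'limit', next: 'face', preselected: true },
    { label: 'Personalise ads', effect: 'share', next: 'face' },
  ],
  face: [
    { label: 'Keep face recognition off', effect: 'limit', next: null, preselected: true },
    { label: 'Turn on face recognition', effect: 'share', next: null },
  ],
};

console.log(auditFlow(nudgingFlow, 'welcome'));
console.log(auditFlow(neutralFlow, 'welcome'));
```

Running the block reports a 5-versus-1 click asymmetry and eight presentation findings for the nudging flow and nothing for the neutral one. The audit only counts clicks and flags layout hints; it says nothing about wording, which the report treats as a separate tactic and which is far harder to check mechanically.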
Facebook recently revised its account page to be more clearly decipherable, and Google followed suit with a redesign of its own Google Accounts page on Android devices (and soon on the web). Of course, Google seemingly has no intent to stop collecting as much data on users as possible. Even with a two-year head start in complying with the EU’s set of privacy laws, both Facebook and Google were accused on day one of violating the GDPR by not giving users the option to stop sharing data without requiring them to delete their account.
We’ve reached out to Google, Facebook, and Microsoft for comment on the report, and will update when we hear back.
Update 5:40pm: Facebook, Google, and Microsoft have all responded to Gizmodo’s requests for comment with statements from their respective spokespersons. In all cases, the companies downplayed the tactics described in the report, while Microsoft and Facebook emphasized that they are complying with GDPR.
“We have seen the report from Norway and would like to reinforce that we are committed to GDPR compliance across our cloud services, and provide GDPR related assurances in our contractual commitments,” said Microsoft’s spokesperson, who directed us to a blog post related to GDPR further explaining the company’s position.
A Google spokesperson stated: “We’ve evolved our data controls over many years to ensure people can easily understand, and use, the array of tools available to them. Feedback from both the research community and our users, along with extensive UI testing, helps us reflect users’ privacy preferences. For example, in the last month alone, we’ve made further improvements to our Ad Settings and Google Account information and controls.”
A Facebook spokesperson responded as well, stating: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. In the run-up to GDPR, we asked people to review key privacy information which was written in plain language, as well as make choices on three important topics. Our approach complies with the law, follows recommendations from privacy and design experts, and is designed to help people understand how the technology works and their choices.”