June 30, 2018 : Google and Facebook accused of misleading users
Are Facebook and Google users in Europe being duped into sharing more of their personal data than they think? … a new consumer advocacy report from the Norwegian Consumer Council suggests that they are!
The Norwegian Consumer Council (NCC) has published a 40+ page report describing in detail how three of the world’s largest tech companies are “nudging” their users through “dark patterns” of user interface designs, plus carefully crafted wording, to agree to privacy settings that share their personal data… the very data that the GDPR was designed to protect.
The term ‘Dark patterns’ may be a mystery to most people, but basically, these are designs and user interfaces specifically crafted to dupe users into signing up, buying, or unintentionally taking some other kind of action. The NCC report entitled “Deceived By Design,” describes how these so-called ‘dark patterns’ are being implemented by various internet companies.
In one of the examples cited, Facebook users who wish to opt-out of the facial recognition feature are met with a warning informing them that they “won’t be able to use this technology if a stranger uses your photo to impersonate you.” In this instance, Facebook has carefully formulated its wording to provide a negative result to the user’s data privacy choice instead of giving their users even a neutral proposition. The report makes the accusation that “Facebook, Google, and Windows 10 have designs, symbols, and wording that nudge users away from the privacy-friendly choices.”
Google and Facebook accused of misleading users – Just an illusion?
The NCC report also accuses Facebook and Google of providing nothing more than the the “illusion of control” and citing examples of:
- privacy-friendly choices being hidden away
- ‘take-it-or-leave-it’ choices
- privacy-intrusive defaults with longer processes for users who want privacy-friendly options
- some privacy settings being obscured
- no option to postpone decisions
- pop-ups compelling users to make certain choices, while key information is omitted or downplayed
- threats of loss of functionality or deletion of the user account if certain settings not chosen
The NCC report goes on to call the “practice of misleading consumers into making certain choices, which may put their privacy at risk,” both exploitative and grossly unethical. The council found that the worst of such practices were perpetrated by Google and Facebook. It added that Microsoft’s Windows 10 appeared to use them to a lesser extent.
So, how do these firms respond to a report that sparks news headlines like “Google and Facebook accused of misleading users …”?
Google responded to the report by saying:
Over the last 18 months, in preparation for the implementation of the EU’s new data protection regulation, we have taken steps to update our products, policies and processes to provide all our users with meaningful data transparency and straightforward controls across all our services.
“We’re constantly evolving these controls based on user experience tests – in the last month alone, we’ve made further improvements to our Ad Settings and Google Account information and controls.
Facebook also released a statement saying:
We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.
In a comment to the BBC Microsoft said:
We have seen the report from Norway and would like to reinforce that we are committed to GDPR compliance across our cloud services, and provide GDPR related assurances in our contractual commitments.
As a result of the 44-page NCC report, several consumer advocacy groups have called on the Federal Trade Commission (FTC) to “investigate the misleading and manipulative tactics of Google and Facebook in steering users to “consent” to privacy-invasive default settings.” These groups include Consumer Watchdog, Electronic Privacy Information Center, Campaign for a Commercial-Free Childhood, Center for Digital Democracy, Consumer Action, Consumer Federation of America, U.S. PIRG and Public Citizen.
Since the GDPR became enforceable law on May 25th 2018 a great deal of of action has been taken by privacy activists and consumer groups against big tech companies who have breached the trust of their users and customers. The outstanding question that everyone is waiting to be answered is, which of these companies will be first to face repercussions from the Information Commissioner’s Office? And, more importantly what will the enforcement (and penalties) be?
Editor’s comment: With corporations like Google and Facebook accused of misleading users, could this be just the tip of the iceberg? Read more posts on this subject.