It seems a lot of people are missing the true concern here because they only read the first half of the article.
Going to paraphrase the article a bit here but yes, the website is capturing the filled-in data even if the user hasn't hit the submit button. However, they're also running a tracking script from an advertisement network in the background that attempts to capture your e-mail. If you visit Site A as a result of one of the ads from that network, but leave without putting down your e-mail address, and then go to Site B and do leave your e-mail address, the ad network will send your e-mail address to Site A in an attempt to "re-capture" that lost impression for Site A even if you never even hit submit on Site B. They're marketing it as a way of reducing ad-spend because you don't have to keep trying to target potential customers who've already shown interest through more ads.
I'm not a lawyer so I'm very curious to know how this doesn't easily violate COPPA for Site A, Site B, and the ad network, among other privacy laws. The wording from the ad network shown in the article is a bit vague around enabling a "triggered email sequence", so I'm wondering if they get around some legal issues by sending emails for Site A on their behalf rather than sharing the email address itself.
* Edited for minor typos I noticed after hitting submit.
This is the text from the email footer, they call themselves safeOpt, it's part of addshoppers.com:
THIS IS A THIRD PARTY ADVERTISEMENT
This email was sent to @gmail.com on 2020-05-16 23:06:22.669518 (UTC). If you no longer wish to receive Aeroflow Breastpumps communications via SafeOptⓇ, please unsubscribe here.
I argued against this pattern and left shortly after the owner of a company I worked at made me implement this pattern. As the head of the department I actually refused, but he went to one of the engineers on my team and had them push the change.
I can never figure out why people don't realize that even if it's legal, it comes across as creepy.
If he thinks that is nefarious, wait until he learns that websites were using visually hidden fields to surreptitiously capture browser auto-complete details. That is, if you auto complete "name" they might have an "email", "phone number", "address", etc. field hidden from your view that also gets auto filled.
I sure hope that browser makers have patched that somehow but I still avoid auto-complete whenever possible.
I _hate_ that browsers auto-complete hidden fields for a different reason: using a hidden "telephone" or "phone" field was a low-effort but quite reliable method to weed bots from users... as users wouldn't fill a hidden field - only bots would.
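A check a site reviewer could run for the hidden-field autofill capture described in the comments above (an added example, not code from the thread or the article): it flags inputs whose name or autocomplete hint suggests personal data but which CSS hides from the user. The `PERSONAL` pattern and the fake DOM objects are constructed for the example; in a browser console, pass `document.querySelectorAll('input, select, textarea')` and `window` instead.

```javascript
// Added example. The field-name hints below are assumptions; extend them per site.
const PERSONAL = /e-?mail|phone|tel|mobile|address|street|zip|postal|name|cc-|card/i;

// Returns why the user cannot see this field, or null if it looks visible.
function hiddenReason(el, win) {
  if (win.getComputedStyle(el).visibility === 'hidden') return 'visibility:hidden';
  // display and opacity hide the whole subtree, so walk up the ancestors.
  for (let n = el; n; n = n.parentElement) {
    const cs = win.getComputedStyle(n);
    if (cs.display === 'none') return 'display:none';
    if (parseFloat(cs.opacity) === 0) return 'opacity:0';
  }
  const r = el.getBoundingClientRect();
  if (r.width <= 1 || r.height <= 1) return 'collapsed to 1px or less';
  // Add the scroll offset so fields merely scrolled out of view are not flagged.
  if (r.right + win.scrollX <= 0 || r.bottom + win.scrollY <= 0) {
    return 'positioned off-screen';
  }
  return null;
}

// Lists fields that ask for personal data while being invisible to the user.
function auditAutofill(fields, win) {
  const findings = [];
  for (const el of fields) {
    const type = (el.getAttribute('type') || 'text').toLowerCase();
    // type=hidden, buttons etc. are not the CSS-hidden text fields at issue here.
    if (['hidden', 'submit', 'button', 'checkbox', 'radio'].includes(type)) continue;
    const name = el.getAttribute('name') || el.getAttribute('id') || '';
    const autocomplete = el.getAttribute('autocomplete') || '';
    if (!PERSONAL.test(`${name} ${autocomplete}`)) continue;
    const reason = hiddenReason(el, win);
    // autocomplete is reported so a deliberate honeypot (e.g. "off") can be told apart.
    if (reason) findings.push({ name, autocomplete, reason });
  }
  return findings;
}

// --- Constructed stand-ins for DOM elements so the check runs outside a browser ---
function fakeEl(attrs, { style = {}, rect, parent = null } = {}) {
  return {
    parentElement: parent,
    _style: { display: 'block', visibility: 'visible', opacity: '1', ...style },
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
    getBoundingClientRect: () =>
      rect || { width: 200, height: 30, right: 300, bottom: 100 },
  };
}
const fakeWin = { getComputedStyle: (n) => n._style, scrollX: 0, scrollY: 0 };

function constructedSample() {
  const hiddenWrap = fakeEl({}, { style: { display: 'none' } });
  const zero = { width: 0, height: 0, right: 0, bottom: 0 };
  const fields = [
    fakeEl({ name: 'fullname', autocomplete: 'name' }),                 // visible
    fakeEl({ name: 'email', autocomplete: 'email' }, { rect: zero, parent: hiddenWrap }),
    fakeEl({ name: 'phone', autocomplete: 'tel' },
           { rect: { width: 200, height: 30, right: -9700, bottom: 40 } }),
    fakeEl({ name: 'q' }, { style: { opacity: '0' } }),                 // hidden, not personal
    fakeEl({ name: 'csrf_token', type: 'hidden' }),                     // skipped by type
  ];
  return auditAutofill(fields, fakeWin);
}

console.log(constructedSample());
```
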
For this I absolutely hate Firefox master password feature. Every once in a while you get prompted to insert your password without any kind of indication of why, which tabs prompted it, what domain is asking, or even whether it is just Firefox periodic syncing.
Agreed, the worst is after you restart Firefox and have dozens of tabs from the same site open (like reddit or HN) and each one of them requests your master password over and over until you reject each tab's plea for you to authenticate or finally give in to the software you're supposed to be in control of.
If anyone at Mozilla is reading this, please fix this, it's incredibly obnoxious. I'd also appreciate it if you styled your master password prompt better than a javascript alert dialog so I know I'm typing in my most valuable password in the world into the browser and not some site pretending to be you.
Also, session replay is actually pretty common when the webmaster wants to see how the visitors use their website. It basically captures everything including mouse movements, page scroll and form states.
One thing I don't think people realize is in the age of async JS, even not doing anything is an action to be observed. Information is not sent when you say "okay" -- it's always being sent.
Rather, information can always be sent. I think it's safe to say that collecting information from a form that was not submitted is a dark pattern. Of course, browsers should keep doing what they can to prevent things like this but it's challenging without blocking legitimate use cases.
Can we get a better name than "dark pattern" please?
Something like "fraudulent practise" or "criminal process" seems to capture the essence of the thing more accurately. I'm sure we can do better than those too.
Except this kind of behaviour is neither fraudulent nor criminal. Plus, unlike "dark pattern", those words have legal-repercussive meaning, so wanting to subvert those to mean something they don't is arguably much worse than not liking "dark pattern".
Ok you pick a name that conveys the full force of the dishonesty going on.
How about "scumbag site technique". Or "Shyster Design" Or viciously dishonest intent.
Arguing the semantics of whether it's /sometimes/ not actually fraudulent according to law or /sometimes/ not criminal because the law isn't there yet does not alter one iota of the wild and deliberate dishonesty going on.
The intent is to deceive. Make excuses for it all you like knowing it doesn't change what this is but reveals something else.
So what is a better name than "Dark Pattern" for this kind of intentionally dishonest and deceptive program?
I still vote criminal. I want the law to catch up with reality. If your corner store behaved like that they'd go to jail when caught for most of this vile crap.
I'd rather stick with "dark pattern", which on its own literally means nothing (abstract notions don't have physical colors or brightness), and so can be safely assigned a specific meaning in a specific context without risk of ambiguity or even deception.
Has the nuance of a choice of color-scheme. Needs to have the nuance of being a totally dick-move that should be utterly illegal and turn your stomach.
But I guess a lot of people love those dark patterns for every silicon valley company to be using them. Probably grates to think of them for what they actually are.
... well, it is not consensual (which is not to say that a court might find otherwise) because consent requires, among other things, an understanding by the grantor of what the granted permission entails.
Here, it is unlikely that a user who has yet to click 'submit' understands that merely entering data (but not submitting it) is actually submitting that data.
WHAT IF for the sake of argument, a user typed (but did not submit) data which could get them in trouble if shared? (defamatory or trade secret info are just two examples)
And again -- a court might find otherwise -- but this behavior as presented is absolutely not consensual.
No it doesn't, there are tons of countries, and plenty of US states, with single-party-consent laws. Just like everything about a phone call can be recorded if a single party to the call consents (which is true by default because the recording party counts as a consenting party), everything about website interaction can be recorded for as long as someone is "doing things" on that website if whoever owns the website is okay with that (which we can be pretty sure they are).
That might sound horrible, and it is, but it's also entirely legal in many, many jurisdictions.
Now tell me how something that sounds like a colour scheme conveys the awfulness and ethical bankruptcy of the party who ordered it and the engineers who programmed it.
"Eh someone else would take money for doing something unspeakable if I didn't." Actually there's what you can live with and what you can't. Names kind of matter to convey meaning. Dark pattern is an abysmal failure.
> Just like everything about a phone call can be recorded if a single party to the call consents (which is true by default because the recording party counts as a consenting party), everything about website interaction can be recorded for as long as someone is "doing things" on that website if whoever owns the website is okay with that (which we can be pretty sure they are).
Good point, but an important distinction here is that when two people are having a phone conversation both parties are knowingly participating.
If both people in a conversation know that the things that they are saying are being perceived by at least one other person their expectation of privacy regarding the things they say is necessarily limited. In some jurisdictions a person's belief that the conversation is strictly private and limited to just the two of them is a reasonable expectation but other jurisdictions disagree. Those other jurisdictions instead believe that there is no reasonable expectation of privacy by one party that the conversation will not be recorded by another party to that conversation.
And so - although a reasonable belief forms the outlines of the permission granted, not all jurisdictions agree as to what constitutes "reasonable". Some states have held that they don't think the permission granted protection against single-party-recording (because those states held that this specific expectation of privacy to not be reasonable) while other states think it does (because those other states thought this specific expectation of privacy was reasonable).
But this disagreement among jurisdictions is primarily about what constitutes one's "reasonable expectations of privacy" and highlights how the "reasonable" aspect changes based on context (for example, given the ubiquity of recording devices and their use by private parties you should expect that the two-party consent requirement for phone conversations will eventually go away; at some point it is no longer "reasonable" for somebody to think that the other party will not record the conversation --- and yes there are enormous implications here w/r/t government surveillance of its citizens; Kyllo is a good example: the govt used a thermal imaging device to identify a possible marijuana grow house and then get a warrant -- but because this thermal imaging device was not in general public use SCOTUS agreed that Kyllo had a reasonable expectation of privacy and the govt's actions constituted an unreasonable search, saying that "[t]o withdraw protection of this minimum expectation would be to permit police technology to erode the privacy guaranteed by the Fourth Amendment"(1)).
Importantly though these distinctions do not change how consent and its interplay with permission-granting operates.
Which brings us to the issue at hand:
What is the reasonable expectation of privacy that the general public has when typing info into a website form but never pressing 'submit'?
It is reasonable for a user to believe that if they do not press 'submit' then that info was never submitted (otherwise why have a 'submit' button?). If the user believes the unsubmitted-info remains private and if that user's expectation is considered reasonable then that means the website lacks permission to access the unsubmitted-info.
If the website then retrieves that unsubmitted-info it does so without the user's consent. If we allow otherwise then the users' otherwise "reasonable" expectation becomes unreasonable over time.
Indeed one time I put something in my cart (I think it was VMWare Player) and then visited the checkout page and got distracted. When I revisited the tab, there was a dialogue open offering a discount.
The page thought I was hemming and hawing on whether to buy it and then offered a discount to help push me over the edge.
It was likely when your mouse left the window boundary - we use that mechanism on our exit popups. It's super effective, I fucking hate those, but the conversion rate increase is noticeable.
Etsy does this too, albeit in a more sophisticated way, if you are logged in and abandon your cart within 12-24h there's a high chance you get an email offering you a 5-15% discount code for that product.
This happens everywhere. Since ebay has started charging tax for all items (regardless of whether or not they are used or new) in my state, I've been using more and more small online shops for product purchases.
In many cases you have to fill out your address and email info before you can get to a shipping page to see shipping charges. In so many cases, even though I did not place an order or create an account, I am still sent an email saying that I have contents in my "shopping cart" and they are looking forward to "making me a satisfied customer".
Yeah, Shopify does this too. If you leave items in a cart and they have your real email address, they'll email you some time later (that day) to "remind" you to complete the purchase.
Guessing all of the shops that implement Shopify automatically pick up the behaviour.
Beats the heck out of me. But sales tax, at least in the beginning, was a way to generate state revenue for the sale of new items. It had no bearing for private sales between two persons for a used item which already had its tax paid when it was originally bought.
I knew a guy that started to fill out a shop form (card entry), and didn't submit.
They charged the card anyway (and did not send any product).
They got an earful from him.
I suspect their form was a piece of junk, but that doesn't sound particularly PCI-compliant, to me.
This ad-targeting, email-harvesting thing is really bad, though. It may not be illegal in most of the US (but I'll bet it is in some states), but I will lay odds that this company had better make sure they don't have any EU data mixed into their little bouillabaisse.
Yup. He said that they probably weren't malicious about it, but hired a really shitty Web designer. They got all cooperative when he said his next call would be the local FBI office.
So in the screenshot you're giving an email and they're just storing it without telling you before you click submit, but that AddShoppers system sounds ridiculous. I'm guessing they just provide the data and you send the emails through your own account and take the inevitable reputation hit of endless spam reports yourself after you email people who've never given you their email?
If I abandon a cart there's a reason! Nagging me about it isn't going to make me purchase anything. You may think it did because I come back--but if that happened it's because I was after some other information first.
I took a client's online store gross sales from ~$15K per year to over $250K per year and I can tell you for sure, capturing sales from abandoned carts is very real. Your reasons and actions don't reflect online customers as a whole.
My last employer had a team of 3 (a dev, a copywriter, and a designer) dedicated to tweaking the abandoned cart sequence. When we implemented an abandoned cart email dripper, we doubled sales in 3 months (from 40K P/M to 80+K P/M).
I hate email sequences like this as well, but they work (just like popovers with an email newsletter).
With n small kids my available attention span for non-work tasks has become really short (hopefully a temporary condition).
Not like, "I can't write software in my spare time" short.
Like, "I might not be able to finish writing this comment" and "There's a 50% chance I'm going to get interrupted if I try to buy this thing online right now" short.
I can still get things done at night but often I just don't have the energy.
So anyway, that's one reason why abandoned cart notifications have actually been useful for me now and then. More than 1 email is pushing it though...
I used this to my advantage a while ago when I needed to rent a moving truck. Penske called me about 30 minutes after I abandoned their online rental process. After a bit of back-and-forth about why I aborted the rental, Penske offered me a discount that beat their competitor's price.
I've since used this technique a few times to my advantage when renting trucks. So, it can be a downside for the business if customers catch on, unless it's considered part of doing business.
> Nagging me about it isn't going to make me purchase anything.
I wonder about this. I feel the same, but wonder if it's true for everyone? I kinda assume it must work some of the time, otherwise they wouldn't do it.
Oftentimes they will nag w/ an incentive. I recently got one from MealSquares offering 10% off my abandoned cart.
This may be the next level wikibuy/honey ... Intentionally abandon carts to get more % off to undermine companies that do stupid things to get customers.
This is absolutely a thing. I’ve had it happen to me more than once, to the point where I now tend to abandon carts just to see if I can get a sweeter deal a few days later.
Yeah, I do that all the time when I'm dealing with real humans. Get a quote, then let them know you're considering it along with some other options, and hold off for a day or two and the human will often get back to you with a discount.
Sometimes works with rental apartments as well.
It's almost a perfectly scriptable thing -- I sometimes wish Google Assistant could do this negotiating stuff instead of reserving haircuts.
Some of the time the 'reason' is going to be as simple as the browser crashed or aww someone sent me cute kittens. Or even then there was this other option but now I come to think of it that one was the best...
Probably these scenarios occur far more regularly than somebody rules out buying from a store solely because they received a marketing email concerning an earlier order they abandoned.
As someone with a mild form of ADHD and a kid who likes to chat my ear off, I can’t count the number of times I’ve placed something in a cart on my phone, went to check out, and then got distracted or pulled into something else, only to return because I got the “abandonment” email that reminded me of what I was doing.
It actually does work for many people. In digital demand gen you generally send sequences of emails because sending just one has less effect than sending several in a row.
There are analytics tools that are in pretty common use that record entire user sessions on your site. Mouse movements, stuff typed in but not submitted, everything.
Javascript with more than about 1% its current capabilities, in a hyper-text document navigator and e-commerce platform, is a security hole. It can't be fixed because its features are security holes.
I visited Jabra's website the other day, browsed a couple product pages and then left. Sure enough about 24 hours later I get an email with a subject like "Come check out some of these products you missed."
Once I had a call with company called ZoomInfo. This is exactly what they pitched to me - obtaining emails of our website visitors. Creepy AF, but I can easily see why many companies would trade some creepiness in exchange for a revenue hike.
We all definitely underestimate how far marketing surveillance has gone.
I implemented something like this for the uni I worked for a few years ago, basically we wanted to collect 'partials' as we called them. We were paying for web campaigns and we wanted to increase lead intake by collecting information as fields were filled out. We attached this to a cookie that we assigned on user landing and as they typed in the input it was progressively building a profile. If you never clicked submit it was not considered a full lead and ended up in a partials database that got mined by the analytics group.
Modern CMS's, specifically SiteCore have this kind of progressive profiling built in. It was one of the selling points for why we adopted it in our last rewrite.
I'll be upfront about this. I was doing this back in 2003. My rationale? People would forget to complete signups, or they get interrupted. My goal was to make it as trouble-free as possible to get back to where they had left off. And it worked really well. Granted, all this was back long before I really had any concept of spam and privacy. It was just an honest "Oh, this could help those users!" Obviously times are different and expectations have changed. I wouldn't think of doing it now.
I don't think this would be shady if a site kept an incomplete form in browser localStorage. It's only shady when the incomplete form is sent to a server and then acted on.
I got an SMS the other day of an incomplete form in a Shopify shop. The service is called SMSBump. I do not even recall giving them my number but maybe my password manager did autofill it.
This happens to me with shopping carts that I never register for but started to enter email.
You get a "left something in your cart" discount code.
So I've started to do that on purpose when I can't find a discount for a site, works about 50% of the time. Start to checkout, enter email, get to payment and just close tab. Wait an hour or two.
How is this any different than sites that track what people are highlighting in the text? If anything, tracking what you highlight is a worse violation because it can reveal your inner thoughts and values, which is more valuable and harder to get than your email address.
I remember reading a marketing tips page that recommended gathering the email as the first step of a multi-step signup process. I never followed the advice as I was just more interested in the technical details of connecting UI to my backend schema in a rational fashion.
This is so against the basics of GDPR, all these webshops that participate risk fines for non compliance from the moment an EU citizen is being tracked. Even if these are US companies they need to comply.
I experienced this kind of behavior from a UK-based company. This wasn't even necessary, because I already bought something pricey from them and just tried the checkout flow again just to show my friend the shipping prices.
I complained to their data protection officer, who basically fobbed me off and told me they did nothing wrong. A few months down the line I finally found the time to recap everything and collect the proof and complain to the ICO.
Their response? They threw the complaint away on a technicality because it's been more than 3 (or 6, can't remember) months since my last contact with the company despite them persisting with the behavior.
> Even if these are US companies they need to comply
Only if you have an office in the EU.
Not any more than US companies need to comply with arbitrary Chinese laws, or Japanese companies need to comply with arbitrary Saudi Arabian laws. Why does the EU have special status in being able to impose laws on the US?
The EU can feel free to block the website if they don't like it. (But we know their citizens would throw a riot if they started censoring the internet, sshhh...)
However, independently of GDPR, I agree that it's wrong and that you shouldn't be saving contact information by deception. You'd lose me as a customer if you did that.