A few months ago, colleagues and I published a behavioural audit of several large, online services. We were investigating the prevalence of dark patterns—manipulative designs which lead people towards options which are not in their best interests. One outcome of this study was our Dark Patterns Auditing Framework, or DPAF.
As the person reasonable for the final draft of the published paper, I can say without concern for my colleagues’ pride that I am not entirely happy with how the DPAF is described in the paper. Fortunately, I’ve had quite a few opportunities to present the DPAF at various events over the past few months, and feel I have improved my ability to explain what it is, and why it is useful. That is the objective of this post.
I do not believe the DPAF is always the best auditing approach to take. As I recently discussed in a working paper, there is too little behavioural auditing research to yet determine what is best practice. The best answer to ‘how should I audit dark patterns?’ is, at the moment: it depends. So, I am not criticising some other approaches, which may come up in this post (and which somewhat prompted me to write this post to begin with).
Pretty much everything I will discuss here can be found in our Behavioural Public Policy paper on the subject, but hopefully this post will be a bit more accessible.
What are Dark Patterns?
I will keep this section brief, as I will assume most readers are broadly familiar with some of the ideas I will discuss here. I am mostly concerned in this section with how dark patterns relate to behavioural science.
There are about as many definitions of ‘dark patterns’ as there are examples of them. The definition I will use is as follows:
Design strategies to influence decision makers within online spaces to choose undesirable or otherwise sub-optimal options for the benefit of the influencing party.
Figure 1 shows a 2 x 2 which is helpful for relating dark patterns to behavioural science.
15 years ago, when behavioural scientists spoke about interventions, they generally meant in offline spaces. For instance, designing a paper form to encourage people to be more honest.1 These designs did not force anyone to do anything, but the argument was that the design would steer (I will generally avoid the word nudge in this post) people towards particular behaviours.
We are all familiar (some more than others) with attempts to force people to do things in offline spaces. The law and the justice system, for instance, works this way. So, too, do some taxes.
Per the above definition, dark patterns live in the online world. As I will discuss below, some dark patterns do force people to do things. Less so than a charging police officer, but still; we have all filled out forms with mandatory fields.
What we might call behavioural science dark patterns live in the upper left-hand quadrant. They exist online, and they steer, rather than force, people to choose “undesirable or otherwise sub-optimal options.” Most dark patterns live in this quadrant, hence why throughout the years, most dark patterns papers have tried to link these design techniques to broad behavioural science ideas, such as system 1 and system 2.
What is the DPAF?
The DPAF has four components for describing online choice architecture. Many papers in the dark patterns literature have proposed taxonomies of dark patterns (and to an extent frameworks), leading to a large gang of different designs which are commonly discussed. In developing the DPAF, we wanted to do two things:
Cut through the noise—there are so many different ways of designing a user interface, and it is so easy to proliferate a new ‘dark pattern’ whenever something subtly different is done. We wanted the DPAF to be easy for practitioners to use out of the box, hence why it only has four components.
Focus on behaviours, not designs—a second feature of the dark patterns literature is the ad hoc way in which design choices are linked to behavioural mechanisms. This makes it messy. Enhancing specific designs may be relevant for UI researchers, but we felt emphasising behaviours is what would matter for behavioural practitioners.
The last hurdle we wanted to overcome was the whole idea of nudge and sludge. I will elaborate on this more below, but in brief, we didn’t want to set out with these terms in mind. They are provocative for some, and carry a lot of baggage. So, we set them aside, and started from a blank canvas.
The creation of the DPAF was very straight forward. Each component would describe a behaviour which a designer is trying to get a user to exhibit. We start with two very simple behavioural outcomes: change choices, and maintain choices.
Detours are all about changing choices. Say you’re on a website. You will have some starting point—typically, the website landing page—and some objective or goal you’re trying to achieve. On any given website, there will be some preferential route to achieving this goal.2 Detours provide an alternative route to achieving the goal. However, on the detour, there are various opportunities to redirect the user towards some different choices.
Here’s an example. In recent years, Amazon has started selling many products as monthly subscriptions. Subscriptions are good for Amazon—most people don’t cancel them, or if they do, only after the nasty reminder when the fee leaves one’s account. But most people use Amazon to buy items as and when they need them. Buy making the subscription the default when of buying some products, Amazon is using a detour to change a user’s choice. The user wants to buy a single item; they are detoured towards purchasing a subscription; and they have to (notice and) opt-out to achieve their original goal.3
Roundabouts are all about maintaining choices. Again, imagine you’re on a website, with a starting point and an end goal. Once more, there will be a preferential route to achieving this. But, on this route, there may be various designs which take you back to webpages and navigation screens that you have already visited. In some instances, the way out of this loop may not be obvious. Very quickly, what you thought would be a 2 minute job is now taking 20 or 30, with no obvious end in sight. So, you give up. Roundabouts, in trapping the user is loops, exhaust the user’s patience and lead them to maintain their choices—to keep doing whatever they were doing before they started.
The obvious example is pretty much any subscription product. When you try to unsubscribe to a service, it is in the interests of the service to maintain your current choice, which is paying for a subscription. They do not want you to unsubscribe. The service obviously cannot force you to stay subscribed. But they can obfuscate the process of subscribing so much that, psychologically, it feels better to just give up.
Detours and roundabouts lead to the third component of the DPAF: shortcuts. Imagine you’re on a website that is full of detours and roundabouts, making achieving your goal very difficult. A savvy website designer may realise that all the garbage they’ve built into the service to make your life harder also creates an opportunity for them. They can introduce a shortcut—essentially, an easy route to achieving your goal, but one which you will have to pay a price to take.
Shortcuts can be pecuniary or non-pecuniary. On the pecuniary front, consider YouTube. YouTube has been accused in recent months of overloading their free service with advertisements, and (perhaps) slowing down the free service for some users. Incidentally, YouTube’s premium service (called, creatively, YouTube Premium) has no ads (and, I would speculate, quite reliable service, too). On the non-pecuniary front, consider pretty much any cookie banner pop-up. Say you’re trying to read a news article, and a pop-up covers the screen asking if you accept cookies, or not. The ‘Accept All’ button is usually prominent, and removes the pop-up promptly, allowing you to quickly achieve your goal of reading the article. Of course, this ease comes at the ease of some data rights.
The last component of the DPAF is forced action. Forced action is typically overlooked in behavioural science discussions because it’s not really about appealling to, or influencing, a user’s psychology. If you must do something, you must do it. But it is still a dark pattern technique insofar as vendors can choose what actions a person must do. For instance, on pretty much every service, there is a terms and conditions document that a user must accept. They cannot accept some and reject other parts—it’s all or nothing. Now, the service could have this flexibility. Facebook, for instance, could tailor the site’s functionality to accord with the specific terms and conditions that I, as a user, agree or disagree to. They just don’t want to. Hence, forced action is when a user is forced to do something by a service, when the service could choose not to.
Together, detours, roundabouts, shortcuts, and forced actions form the DPAF. Each component describes a behavioural outcome, and contained within each component may be many different dark pattern designs. As such, the DPAF achieves the two objectives outlined above. It cuts through the noise by grouping many designs into four categories, in turn allowing one to focus on behavioural outcomes, rather than specific design techniques.
How to use the DPAF
The DPAF was developed to sit alongside a sludge audit. Sludge audits had been around for a while. But in December 2021, neither I nor any of my colleagues had actually seen one. We’d just heard about the idea of reviewing services from a behavioural perspective to see if things could be designed in a bit more of a helpful way.4
We knew sludge was related to dark patterns. In fact, the intersection of the dark patterns literature and behavioural science probably started because behavioural scientists started thinking about behavioural sludge. One issue, though, was that (again, maybe around 2021/22), a common rule-of-thumb was that ‘dark patterns = sludge.’ This I considered wrong, then as much now.
Our plan was to undertake a sludge audit, and then use the DPAF in conjunction to see if we could find some useful synthesis between these ideas.
Figure 6 shows our sludge audit of several large, online services, without involving the DPAF at all. The x-axis shows the number of ‘clicks’ to create an account with each of these services. The y-axis show the number to delete the account. The diagonal line shows the point of parity, where it is as easy to leave as to join. Services that sit above the line are harder to leave than to join; vice versa for those below.
Figure 6 is a nice result, and in presentations often catches the audience’s attention.5 But there is a very academic problem with these results: so what? Why does it matter that we know Facebook or Netflix is easier to join than it is to leave? It’s not really a scientific result, and it’s not really a result that a practitioner can use, either. Sludge auditing—at least in how we did it—isn’t that helpful. It’s not good enough to say there is a lot of sludge on a particular service. What matters much more is how sludge effects the service, and the user’s behaviour. It also matters where sludge sits within the journey.6
This is where the DPAF comes in. We didn’t just count the number of ‘clicks’ when creating and deleting accounts. We also collected qualitative data. Auditors were instructed to record ‘clicks’ whenever they felt they were taking a substantial action, and then we asked them to describe what they were doing and experiencing as they undertook that action. These qualitative data help us reconstruct the user journey throughout each service. We can then audit this journey using the DPAF.
Figure 7 shows what we call a pathway plot, though it’s basically just a flow chart showing the user journey. Using the qualitative data, we can then label different parts of the pathway plot with components of the DPAF. This gives quite an engaging visualisation of what is going on in a particular service.
It is important to note what the DPAF does and does not show. The DPAF shows the various behavioural mechanisms levered at a user as they traverse a service to achieve some goal (in this case, creating and deleting accounts). It does not show specific dark pattern designs. Nowhere on the pathway plot do we label something as ‘nagging’ or as a ‘roach motel’ technique, or something else. Of course, these labels may be useful for some practitioners, and to this end, one might argue the DPAF isn’t very useful. But, what the DPAF does is it focuses attention. One can look at an annotated pathway plot and pick out specific parts of the user journey which warrant more attention, rather than having to audit blindly. The DPAF is thus a high level approach, which could be supplemented with more detailed auditing approaches as and when desired.
Why should we use the DPAF?
This partly answers the why question. But in this section I want to focus on the more conceptual reasons for using the DPAF. As above, the DPAF is not the only auditing approach which has been developed, and I certainly do not think it alone represents best practice. There are a bunch of outstanding questions when it comes to auditing. For instance, should we use an auditor-led approach, as we have done in measuring ‘clicks’, or should be use a checklist-led approach, as organisations such as BIT have done in some of their audits? Well, as above, it depends.
Checklist-led approaches do some things much better than auditor-led approaches. Figure 8 shows some checklist results compiled by BIT in one of their recent audits of online financial services. These checklists are great information gathering tools, and they allow for comparability across services. For instance, one can easily compare which services use deceptive defaults, and which do not. Furthermore, checklist-led approaches may be more rigorous in some aspects. For instance, auditors are unlikely to miss criteria found on a pre-specified checklist, compared to an auditor-led approach, where the auditor often goes in blind.
One criticism I have of these approaches, however, is that they do not really capture the user journey, or necessarily probe how people actually experience dark patterns.7 There are a couple of ways to look at this point.
Firstly, dark patterns may be more or less important depending on the choices they are trying to influence. Defaulting someone into tracking cookies may be less economically impactful than defaulting them into a premium subscription. One needs to go beyond a simple checklist to situate the technique within the user journey to fully appreciate the degree of harm caused by the technique (and thus the most appropriate action).
Secondly, much as some behavioural scientists may be loath to admit it, behaviour change rarely comes through ‘one neat trick.’ Instead, behavioural techniques work cumulatively. Just as one cannot drive from A to B without turning left and right several times, one cannot affect a behavioural outcome without intervening here and there to keep people on a preferable track.8 To this end, observing that a technique is used is less important than understanding how and how much the technique is used within the whole user journey.
The DPAF is a framework for organising data collected via an auditor-led approach, allowing one to unlock these insights into the user journey. If this is what matters to an organisation, the DPAF may be better than constructing a checklist using the consellation of dark pattern taxonomies and (sometimes) vague behavioural science terms.
I use the term ‘preferential’ rather than ‘optimal’ because the latter implies the best route is the shortest route, when one imagines a website as a network of nodes. I am sympathetic to this perspective and think that, often, this description will also capture the preferential route. But it is feasible that simply the fastest route is not preferential.
Note that detours are not about defaults. Mnay different designs can fit into each component of the DPAF. What matters is the behavioural outcomes the designs are trying to affect.
The first one of any note would only come in June 2022, when the Behavioural Insights Team (BIT) published their Behavioural Risk Audit, looking at the gambling industry. Note that this audit did do some stuff around the user journey, which may be relevant for some of my later comments.
Usually, the audience find fun in seeing a service they particularly hate scoring badly, or—more commonly—members of the audience will point out various services which we did not audit, but which they personally hate.
One of the issues with saying ‘sludge = dark patterns’ is that many dark patterns are about making harmful choices easier to make. This is to say, they are more aligned with the nudge notion of ‘make it easier’ than the sludge notion of ‘adding friction.’ I tried to resolve this problem a little bit in my nudge/sludge symmetry paper (an option can become easier to take if all other options are made more difficult to take), but that community seems to have decided the ideas in that paper are unsubstantial. We have also seen discussion of the term ‘dark nudge,’ which I am not opposed to. However, insofar as nudges are normatively good, some object to the term. These objections haven’t stopped it being the preferred fix of some to this day, with a recent BIT audit using the term ‘dark nudge’ to describe some design patterns.
It was this criticism which prompted me to write this whole post. I do not like to pick fights, and it is often hard to voice criticism on the internet without sounding like one is doing so.
Nudging is sometimes called steering, after all.