Oksana Kulyk (ITU Copenhagen), Willard Rafnsson (IT University of Copenhagen), Ida Marie Borberg, Rene Hougard Pedersen

Cookies are widely acknowledged as a potential privacy issue, due to their prevalence and use for tracking users across the web. To address this issue, multiple regulations have been enacted which mandate informing users about data collection via. so-called cookie notices. Unfortunately, these notices have been shown to be ineffective; they are largely ignored, and are generally not understood by end-users. One main source of this ineffectiveness is the presence of dark patterns in notice designs, i.e. user interface design elements that nudge users into performing an action they may not otherwise do, e.g. consent to data collection.

In this paper, we investigate the mental models and behavior of users when confronted with dark patterns in cookie notices. We do this by performing a mixed-method study (on Danes in their late-20s) which integrates quantitative and qualitative insights. Our quantitative findings confirm that the design of a cookie notice does influence the decisions of users on whether or not to consent to data collection, as well as whether they recall seeing the notice at all. Our qualitative findings reveal that users do in fact recognize the presence of dark patterns in cookie notice designs, and that they are very uncomfortable with standard practices in data collection. However, they seldom take action to protect their privacy, being overall resigned due to decision fatigue. We conclude that website maintainers need to reconsider how they request consent lest they alienate their users, and that end-users need better solutions that alleviate their burden wrt. protecting their privacy whilst visiting websites that collect data.

View More Papers

“This is different from the Western world”: Understanding Password...

Aniqa Alam, Elizabeth Stobert, Robert Biddle (Carleton University)

Read More

On-demand RFID: Improving Privacy, Security, and User Trust in...

Youngwook Do (JPMorganChase and Georgia Institute of Technology), Tingyu Cheng (Georgia Institute of Technology and University of Notre Dame), Yuxi Wu (Georgia Institute of Technology and Northeastern University), HyunJoo Oh(Georgia Institute of Technology), Daniel J. Wilson (Northeastern University), Gregory D. Abowd (Northeastern University), Sauvik Das (Carnegie Mellon University)

Read More

ATTEQ-NN: Attention-based QoE-aware Evasive Backdoor Attacks

Xueluan Gong (Wuhan University), Yanjiao Chen (Zhejiang University), Jianshuo Dong (Wuhan University), Qian Wang (Wuhan University)

Read More

Multi-Certificate Attacks against Proof-of-Elapsed-Time and Their Countermeasures

Huibo Wang (Baidu Security), Guoxing Chen (Shanghai Jiao Tong University), Yinqian Zhang (Southern University of Science and Technology), Zhiqiang Lin (Ohio State University)

Read More