Electronic Frontiers Australia

@EFA@aus.social
Promoting and protecting digital rights in Australia since 1994.

Regulators and lawmakers around the world are finally targeting organisations that use #darkpatterns to manipulate consumers into using products or services.

Chandni Gupta, Deputy CEO of the Consumer Policy Research Centre (and friend of EFA) has wrapped up some fantastic research on this issue. Chandni met with scores of regulators, enforcement agencies, consumer advocacy groups and choice architecture experts in the US, UK, Singapore and India about dark patterns and how they regulate them.

Case in point is Amazon's Project Iliad, a process designed to make it harder for customers to cancel their Prime membership. How? By making the process so needlessly complex that many users would give up and abandon the form.

Chandni writes that Australia is falling behind on protecting citizens from dark patterns. Legislating consumer protections against dark patterns is vital to protect us from manipulation of our behaviour and choices online.

Read the CPRC report: https://cprc.org.au/report/made-to-manipulate-report

#amazon #iliad #digitalrights

@justanotheramy @drwaus @floreani @ok_lyndsey we are actively recruiting

@justanotheramy @ok_lyndsey @floreani @drwaus we do have limited resources as we mostly operate on a volunteer basis, currently with a smaller board than we would like. We use these resources on a number of fronts: policy, submissions, letter writing, PR & media, campaigns, etc.

EFA doesn't shy away from criticism and we do appreciate and regularly discuss feedback from members on our priorities. We take your point that our limited resources should be used effectively. In this case we respectfully disagree that a dissenting submission to eSafety regarding age verification subtracts from our mandate to represent digital rights. Regular submissions are important, and much more so than excessive politicking over it.

@justanotheramy you're right, a campaign to repeal the minimum age legislation will be much harder than a submission to eSafety (which we don't view as a consultation). Why not both?

The possible outcomes under the legislation vary quite a lot. We could see social media companies defer/outsource to dodgy 3P companies for the purposes of age assurance. Those companies might, say, require users to use an app, further eroding the web experience. There is something to be said here from a digital rights point of view that does not contradict our position against the legislation.

@justanotheramy what would you suggest - a campaign to repeal the legislation, or do you have something else in mind?

@justanotheramy our submission and feedback would not help eSafety in their endeavors to restrict speech and implement an age assurance regime, nor provide legitimacy. We believe that having an ongoing dissenting voice is important as opposed to simply remaining silent on the issue.

@oneofthedamons it really doesn't, which is a really good point. Privacy Pass might make for a good thought experiment but it suffers some really fundamental problems like coordination between orgs (e.g. hCaptcha not supporting it), limitations of a browser add-on (e.g. incompatibility with uBlock Origin), etc. If Cloudflare can't get it right, would the Australian government do better, if it were actually committed to the idea?

#eSafety is requesting feedback from the community and industry on its social media age restrictions regime. Amongst the feedback they are seeking they are looking for possible impacts on privacy and digital rights.

From a digital rights point of view, having more companies involved in age assurance and proliferation of online identification harms users for multiple reasons. We made a submission on this last year and do not support the regime. We intend to make a submission to eSafety representing our ongoing concerns.

What might a private age assurance regime look like, that has some semblance of concern for users' rights online? Perhaps something like Privacy Pass would be worth a look, an IETF-proposed web-capable standard for unlinkable authenticator tokens. Kagi is using this as an option for users to pay for access to its search engine whilst using the service anonymously. Social media operates under a much different model to search where users authenticate to a service and pull down a feed. A Privacy Pass token might allow a pseudonymous user to prove their age without creating a link to their identity.

https://privacypass.github.io/

Some pretty major downsides include significant complexity in implementing such a scheme, including multiple independent parties and a requirement for involved users to use a browser plugin, and it would ultimately still require users to authenticate somewhere for the purposes of age assurance. It seems unlikely that many users would take up such a scheme, opting for a more convenient scan of an ID photo and/or selfies if such a method was offered.

What might a "less bad" age assurance regime look like? Having a lot of options for users to verify their age would be one. A failure could see users being locked out of their accounts. This is age assurance, not identification, and should be treated as such. Organisations that provide age assurance services should be restricted in what they can use the data for and how long it is retained.

Let us know your thoughts on age assurance and how it would impact privacy and digital rights online.

A reminder: The reason so many firms on their websites constantly urge you to install and use their apps instead of their websites is that the apps typically give them access to VASTLY more data about you and your activities. Don't fall for it.

@ok_lyndsey historically we publish board minutes prior to the AGM. This isn't a recent decision and can be confirmed via the Wayback Machine. If you have any concerns regarding the minutes, contact details are on the page: https://efa.org.au/about/board-meetings/