The Federal Trade Commission said that three-quarters of the more than 600 websites and apps reviewed this year use what are called dark patterns to manipulate consumers into handing over personal information or buying products or services they wouldn’t buy otherwise.

Reports by two international consumer protection networks that the FTC participated in both found high rates of websites and applications using several types of dark patterns, which are digital design methodologies that aim to trick users into handing over data or money.

The review, released this week, gives an idea of how widespread the practice is. The International Consumer Protection and Enforcement Network (ICPEN) reviewed 642 websites and mobile apps that offered subscription services from companies worldwide, finding that almost 76% of them used at least on dark pattern and almost 67% used multiple tricks.

In addition, the Global Privacy Enforcement Network (GPEN), comprising more than 80 privacy enforcement authorities, similarly found that a majority of the sites and apps used such deceptive techniques.

The FTC didn’t determine whether those dark pattern practices identified during the review where illegal or violated laws in any of the 26 countries.

A Growing Problem

The term “dark patterns” was first coined in 2010 and the FTC, industry and privacy groups, and other entities have tracked their expanding use, which has coincided with the growth of ecommerce over the years. The agency in 2022 released a report on the practice, with Samuel Levine, director of the FTC’s Bureau of Consumer Protection at the time saying in a statement that it “shows how more and more companies are using digital dark patterns to trick people into buying products and giving away their personal information.”

In March 2023, the FTC ordered Epic Games, which makes the popular Fortnite game, to pay consumers $245 million after finding the company used dark patterns to trick players into making unwanted purchases and letting children make such purchases without parental involvement.

Dark patterns come in multiple variations, though with the singular goal of manipulating people’s decision-making processes, according to Washington DC whistleblower law firm Tycko and Zavareei.

“Dark patterns are particularly prevalent in e-commerce, where deceptive practices are weaponized against tech users of all ages,” the firm wrote in a blog post in November 2023. “Both tech-savvy teenagers and older internet users can fall victim to dark patterns. One of the most important goals of computer engineers, designers and statisticians is how to get users to direct their attention towards their products, even when doing so is not in the consumer’s true interest.”

That said, “dark patterns are different from regular advertising, however, because they employ more difficult barriers and more deceptive design into making people pay attention, and pay for, goods and services that they did not want originally,” they wrote.

All Shapes and Sizes

In its 2022 report, the FTC noted various categories of dark patterns, from misleading consumers and disguising ads to burying key terms and junk fees. They also include making it difficult to cancel subscriptions or charges – giving them recurring payments for products or services they didn’t intend to buy or don’t want to continue paying for – and tricking consumers into revealing sensitive data. This includes offering choices about privacy settings or sharing data that are a really designed to steer customers to options that lead them to giving up the most data.

The dark patterns that were seen most often during the review included sneaking practices, which involve hiding or delaying the disclosure of information that likely would affect the buying decision of the consumer, according to the FTC. Sneaking practices are often related to costs, such as adding new non-optional charges to the price just before completing the purchase – a practice also known as “drip-pricing” – and automatically renewing a subscription without consent after a free trial (“subscription traps), the ICPEN wrote in the report.

“The most frequently encountered practice that could described as sneaking during the sweep, is the inability of the consumer to turn-off a subscriptions auto-renewal within the purchase flow,” the group wrote. “This was found in 81% of the traders swept who provide subscriptions that renew automatically.”

Interface Interference

Another is called interface interference, such as “obscuring important information or preselecting options that frame information in a way that steers consumers toward making decisions more favorable for the business,” the FTC wrote.

The ICPEN report detail several examples, including false hierarchy – prominently presenting favorable options for the business – pre-selection, such as options most beneficial to the business, like more expensive or longer subscriptions, and confirmshaming, or using specific language that targets particular emotions in the consumer.

The GPEN report found similar trends, with the group writing that it “suggests an extremely high occurrence of deceptive design patterns across websites and apps worldwide, indicating that users are likely to encounter, in the vast majority of cases, at least one DDP [deceptive design practice] when interacting with websites and apps.”

Consumers Need to Educate Themselves

Abu Qureshi, former threat intelligence analyst with the government of Ontario and lead threat intel researcher at predictive cyber firm BforeAI, told Security Boulevard that dark patterns, while not technically DNS abuse, are dangerous to consumers.

“These deceptive design practices are specifically crafted to trick users into making unintended purchases or sharing personal information without realizing it,” Qureshi said. “Dark patterns can lead to financial losses, breaches of privacy, and overall consumer mistrust in digital services.”

He added that consumers need to be informed about dark patterns, including “commonalities such as disguised ads, hidden costs, and difficult cancellation processes. Additionally, if there is a particular concerning pattern or behavior, it can be reported to the FTC or other relevant authorities to help crack down on these practices.”