Just weeks after the European Union enacted sweeping new privacy rules, the Norwegian Consumer Council has issued a report questioning how Google, Facebook, and Microsoft are meeting these requirements.
In a report entitled Deceived by Design, the group claims the U.S.-based tech firms have instituted changes to their user controls that appear to give consumers more power to protect their privacy, but in fact use default settings and “misleading” wording to accomplish the opposite.
The report looked at the changes the tech companies made to their sites in April and May, in preparation for Europe's General Data Protection Regulation (GDPR), which recently went into effect. At the time, Facebook was also responding to harsh criticism it received after it revealed that some of its user data had been used for unauthorized political marketing purposes.
Privacy-friendly settings hard to access
As examples, the Norwegian report cites some cases of the most privacy-friendly settings being the hardest to access and choices being presented with only two options.
For example, if a Facebook user disables facial recognition, they are told that Facebook will be unable to prevent someone from using their photo to impersonate them. The report said that is a not-too-subtle attempt to persuade Facebook users not to disable facial recognition.
In statements to news outlets, the companies named in the report have reaffirmed their commitment to privacy. Google said it is constantly updating its controls in response to user experience tests. Facebook said it had “made its policies clearer, our privacy settings easier to find.” Microsoft said it is committed to GDPR compliance.
'Vast array of design techniques'
But the report suggests big technology firms, while giving users more control, take overt steps to try to influence those choices.
“Providers of digital services use a vast array of user design techniques in order to nudge users toward clicking and choosing certain options,” the authors write. “This is not in itself a problem, but the use of exploitative design choices, or 'dark patterns,' is arguably an unethical attempt to push consumers toward choices that benefit the service provider.”
The report concludes that the firms' attempts to influence consumer privacy choices cross the line, becoming techniques that could, in some cases, be “deceptive and manipulative.” For that reason, the report questions whether the firms are in actual compliance with Europe's tough, new privacy regulations.