September 29, 2022

Holding Purveyors of “Dark Patterns” for Online Travel Bookings Accountable

Last week, my former colleagues at the New York Attorney General’s Office (NYAG) scored a $2.6 million settlement with Fareportal – a large online travel agency that used deceptive practices, known as “dark patterns,” to manipulate consumers into booking travel online.

The investigation exposes how Fareportal, which operates under several brands, including CheapOair and OneTravel, used a series of deceptive design tricks to pressure consumers to buy tickets for flights, hotels, and other travel purchases. In this post, I share the details of the investigation’s findings and use them to highlight why we need further regulatory intervention to prevent similar conduct from becoming entrenched in other online services.

The NYAG investigation picks up on the work of researchers at Princeton’s CITP that exposed the widespread use of dark patterns on shopping websites. Using the framework we developed in a subsequent paper for defining dark patterns, the investigation reveals how the travel agency weaponized common cognitive biases to take advantage of consumers. The company was charged under the Attorney General’s broad authority to prohibit deceptive acts and practices. In addition to paying $2.6 million, the New York City-based company agreed to reform its practices.

Specifically, the investigation documents how Fareportal exploited the scarcity bias by displaying, next to the top two flight search results, a false and misleading message about the number of tickets left for those flights at the advertised price. It manipulated consumers by adding 1 to the number of tickets the consumer had searched for, so that the site always claimed only X+1 tickets were left at that price. So, if you searched for one round trip ticket from Philadelphia to Chicago, the site would say “Only 2 tickets left” at that price, while a consumer searching for two such tickets would see a message stating “Only 3 tickets left” at the advertised price.

In 2019, Fareportal added a design feature that exploited the bandwagon effect by displaying how many other people were looking at the same deal. The site used a computer-generated random number between 28 and 45 to show the number of other people “looking” at the flight. It paired this with a false countdown timer that displayed an arbitrary number that was unrelated to the availability of tickets. 

Similarly, Fareportal exported its misleading tactics to hotel bookings on its mobile apps. The apps misrepresented the percentage of rooms shown that were “reserved” by using a computer-generated number keyed to when the customer was trying to book a room. So, for example, if the check-in date was 16-30 days away, the message would indicate that between 41% and 70% of the hotel rooms were booked, but if it was less than 7 days away, it showed that 81-99% of the rooms were reserved. But, of course, those percentages were pure fiction. The apps used a similar tactic for displaying the number of people “viewing” hotels in the area. This time, they generated the number from the nightly rate of the fifth hotel returned in the search, by taking the difference between the numerical value of the dollar figure and the numerical value of the cents figure. (If the rate was $255.63, consumers were told 192 people were viewing the hotel listings in the area.)

Fareportal used these false scarcity indicators across its websites and mobile platforms when pitching products such as travel protection and seat upgrades, by misrepresenting how many other consumers had purchased the product in question.
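The counters described above share a property an auditor can test for: each is a function of something other than inventory (the shopper’s own requested quantity, the calendar, the digits of an unrelated price, or a random draw). The following Python is an added example, not code from the investigation or from Fareportal; it takes values an auditor has already captured from a site’s pages and checks them against the generation rules the settlement describes. The observations fed in are constructed to mirror those rules, and only the two “rooms reserved” bands quoted in the post are encoded.

```python
"""Checks an auditor can run on captured UI values to test whether a
site's "scarcity" counters are derived from the shopper's own input,
from the calendar, or from arithmetic on unrelated numbers, rather
than from inventory.

Added example; the observations fed in below are constructed to mirror
the behaviours described in the settlement, not captured from any site.
"""
from typing import Dict, Optional, Sequence, Tuple


def offset_from_request(observations: Sequence[Tuple[int, int]]) -> Optional[int]:
    """observations: (tickets_requested, tickets_left_shown) pairs from
    repeated searches of the same itinerary with different quantities.

    Returns the constant offset when the displayed count is always the
    requested quantity plus the same number (the "+1" rule), else None.
    A genuine inventory figure would not move in lockstep with what the
    shopper typed, so a constant offset is strong evidence of fabrication.
    """
    if len({requested for requested, _ in observations}) < 2:
        return None  # probes with a single quantity cannot distinguish the two
    offsets = {shown - requested for requested, shown in observations}
    return offsets.pop() if len(offsets) == 1 else None


def viewers_match_rate_digits(nightly_rate: str, viewers_shown: int) -> bool:
    """True when the "people viewing" count equals the dollar figure minus
    the cent figure of a listing's nightly rate ($255.63 -> 255 - 63 = 192),
    the rule the investigation attributed to the apps. The rate is passed
    as a string so the cent digits are read exactly as displayed.
    """
    dollars, _, cents = nightly_rate.lstrip("$").replace(",", "").partition(".")
    if not dollars.isdigit() or not cents.isdigit():
        return False
    return int(dollars) - int(cents) == viewers_shown


# "Rooms reserved" bands described in the settlement, keyed to how many
# days away check-in is: (min_days, max_days) -> (min_pct, max_pct).
# Only the two bands the post quotes are listed; the others are unknown here.
BOOKED_BANDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (16, 30): (41, 70),
    (0, 6): (81, 99),
}


def booked_band_for(days_to_checkin: int) -> Optional[Tuple[int, int]]:
    """Band the calendar rule would produce for this lead time, if known."""
    for (lo, hi), band in BOOKED_BANDS.items():
        if lo <= days_to_checkin <= hi:
            return band
    return None


def booked_pct_keyed_to_calendar(observations: Sequence[Tuple[str, int, int]]) -> bool:
    """observations: (hotel_id, days_to_checkin, pct_reserved_shown).

    Returns True when every observation that falls in a known band lands
    inside that band regardless of which hotel it is, i.e. the figure is
    consistent with being generated from the calendar alone. Real occupancy
    varies by property, so every property obeying the same date rule is
    the tell; a single out-of-band value refutes the hypothesis.
    """
    checked = 0
    for _, days, pct in observations:
        band = booked_band_for(days)
        if band is None:
            continue
        checked += 1
        if not band[0] <= pct <= band[1]:
            return False
    return checked > 0


def rerolls_within_band(values: Sequence[int], lo: int, hi: int, min_distinct: int = 3) -> bool:
    """For a counter like "N other people looking": True when repeated
    reloads of the same listing give several different values that all
    stay inside a fixed band (28..45 in the settlement), the signature
    of a number drawn at random on each page load.
    """
    return all(lo <= v <= hi for v in values) and len(set(values)) >= min_distinct


if __name__ == "__main__":
    # Constructed probe data illustrating each rule.
    print("tickets-left offset:", offset_from_request([(1, 2), (2, 3), (4, 5)]))  # 1
    print("viewers = dollars - cents:", viewers_match_rate_digits("$255.63", 192))  # True
    print("reserved % keyed to calendar:",
          booked_pct_keyed_to_calendar([("h1", 20, 55), ("h2", 20, 68), ("h1", 3, 90)]))  # True
    print("looking-count rerolls:", rerolls_within_band([31, 44, 28, 39], 28, 45))  # True
```

Each function tests one hypothesis against captured values; none of them can prove a counter is genuine, but a constant request offset, an exact dollars-minus-cents match, or a random-looking value that never leaves a narrow band is the kind of evidence a researcher or regulator would document before alleging fabrication.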

In addition, the NYAG charged Fareportal with using a pressure tactic that forced consumers to accept or decline the purchase of a travel protection policy to “protect the cost of [their] trip” before completing a purchase. This practice is described in the academic literature as a covert pattern that uses “confirmshaming” and “forced action” to influence choices.

Finally, the NYAG took issue with how Fareportal manipulated price comparisons to suggest it was offering tickets at a discounted price, when in fact, most of the advertised tickets were never offered for sale at the higher comparison price. The NYAG rejected Fareportal’s attempt to use a small pop-up to cure the false impression conveyed by the visual slash-through image that conveyed the discount. Similarly, the NYAG called out how Fareportal hid its service fees by disguising them as being part of the “Base Price” of the ticket rather than the separate line item for “Taxes and Fees.” These tactics are described in the academic literature as using “misdirection” and “information hiding” to influence consumers. 


The findings from this investigation illustrate why dark patterns are not simply aggressive marketing practices, as some commentators contend, but require regulatory intervention. Specifically, such shady practices are difficult for consumers to spot and to avoid, and, as we argued, risk becoming entrenched across different travel sites that have the incentive to adopt similar practices. As a result, Fareportal, unfortunately, will be neither the first nor the last online service to deploy such tactics. But this creates an opportunity for researchers, consumer advocates, and design whistleblowers to step forward and spotlight such practices to protect consumers and help create a more trustworthy internet.

T-Mobile: Deleting Stale Data Reduces Liability

T-Mobile’s data breach in August 2021 exposed the social security numbers and driver’s license numbers of over 40 million former or prospective customers. I recently discovered that I was one such victim because of an alert that popped up on my phone this weekend from my credit monitoring service. I was surprised because I have not been a customer for over 5 years. Why did they still have my data?

T-Mobile has not yet contacted me or explained why they retained my data. Various state and federal regulators are now investigating whether T-Mobile had “reasonable data security” measures in place to protect customer information. Certain aspects of the regulatory investigation will undoubtedly examine what technical measures T-Mobile used and whether they were adequate. But one important non-technical issue worth investigating further is whether the company had meaningful data retention and deletion policies, and whether it followed them. 

It appears T-Mobile’s privacy policy first introduced a statement about its data retention practices in 2013, as captured in a longitudinal study, “Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset,” that our team of researchers at the Center for Information Technology Policy published in 2021. The retention policy itself is a terse one-line statement that says “we retain your personal data for business or tax needs, or legal reasons,” without any further explanation. 

But what “business need” required retaining sensitive information about former or prospective customers who had not converted into T-Mobile customers? If T-Mobile cannot justify a legitimate need, it should be held accountable for misleading the public about its data practices.

Recent data breaches involving telecommunication carriers – this is the 5th reported breach for T-Mobile since 2018 – have led the Federal Communications Commission to consider new rules to address data breaches. The FCC might draw inspiration from the Federal Trade Commission’s security guidelines for information held by financial institutions. The FTC used our public comments to modify the Safeguards Rule to require automatic destruction of customer information two years after it was last used, unless the information is required for a legitimate business purpose. 

In a different context, the FTC’s rules implementing the Children’s Online Privacy Protection Act of 1998 also mandate data retention and deletion requirements when it comes to information about children: “An operator of a Web site or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”

In short, minimizing data collection and limiting retention are simple, inexpensive steps that are effective against all manner of sophisticated or unsophisticated attacks. Any company that seeks to protect its customers should develop such policies to reduce its liability in the event of a data breach.
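A retention policy only reduces liability if it is actually executed, and the two rules quoted above (destroy after two years of non-use unless a legitimate business purpose requires otherwise; keep only as long as reasonably necessary) translate directly into a periodic sweep. The Python below is an added example and not T-Mobile’s or the FTC’s code; it assumes a record table with a last-used date, a legal-hold flag and a free-text retention reason, and it treats an undocumented “business need” as no justification at all, which is the accountability the post argues for. The records are constructed.

```python
"""Retention sweep modelled on the rule the post describes: destroy
customer information two years after it was last used unless a
documented, legitimate business purpose (or a legal hold) requires
keeping it. Added example; the records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Two years since last use, the period the FTC Safeguards Rule adopted.
RETENTION_PERIOD = timedelta(days=2 * 365)


@dataclass
class Record:
    subject_id: str
    relationship: str                       # "customer", "former_customer" or "prospect"
    last_used: date                         # last date the record served a purpose
    legal_hold: bool = False                # litigation/regulatory hold blocks deletion
    retention_reason: Optional[str] = None  # documented business, tax or legal need


def is_stale(record: Record, today: date) -> bool:
    """True when the record has gone unused for longer than the retention period."""
    return today - record.last_used > RETENTION_PERIOD


def decide(record: Record, today: date) -> str:
    """Return "keep", "keep:hold", "keep:<reason>" or "delete".

    Order matters: a legal hold always wins, unexpired data is kept, and
    stale data survives only with an explicit, written reason. A record
    whose only justification is an unrecorded "business need" is deleted.
    """
    if record.legal_hold:
        return "keep:hold"
    if not is_stale(record, today):
        return "keep"
    if record.retention_reason:
        return "keep:" + record.retention_reason
    return "delete"


def sweep(records: List[Record], today: date) -> Tuple[List[str], Dict[str, str]]:
    """Apply decide() to every record.

    Returns the ids to destroy and an audit trail mapping every retained
    id to the reason it was kept, so a later review (or a regulator) can
    see why each stale record survived.
    """
    to_delete: List[str] = []
    kept: Dict[str, str] = {}
    for rec in records:
        verdict = decide(rec, today)
        if verdict == "delete":
            to_delete.append(rec.subject_id)
        else:
            kept[rec.subject_id] = verdict
    return to_delete, kept


# Constructed sample: a current customer, a long-gone former customer, a
# prospect who never converted, a stale record with a documented reason,
# and a stale record under legal hold.
AUDIT_DATE = date(2021, 8, 1)
SAMPLE_RECORDS = [
    Record("cust-1", "customer", date(2021, 7, 15)),
    Record("former-2", "former_customer", date(2016, 3, 1)),
    Record("prospect-3", "prospect", date(2018, 11, 20)),
    Record("former-4", "former_customer", date(2018, 1, 5), retention_reason="tax-records-7y"),
    Record("former-5", "former_customer", date(2015, 6, 1), legal_hold=True),
]

if __name__ == "__main__":
    deleted, retained = sweep(SAMPLE_RECORDS, AUDIT_DATE)
    print("destroy:", deleted)   # ['former-2', 'prospect-3']
    print("retain:", retained)
```

Running the sweep on the sample destroys the former customer and the prospect whose records nobody has touched in years, while the audit trail records exactly why the other stale record was kept; that trail is what a company would need to answer the question the post asks.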

2020 Workshop on Technology and Consumer Protection

Christo Wilson and I are pleased to announce that the Workshop on Technology and Consumer Protection (ConPro ’20) is returning for a fourth year, co-located with the IEEE Symposium on Security and Privacy in May 2020.

As in past years, ConPro seeks a diverse range of technical research with implications for consumer protection. Past talks have covered dating fraud, ad targeting, mobile app data practices, privacy policy readability, algorithmic fairness, social media phishing, unwanted calls, cryptocurrency security, and much more.

Unlike past years, ConPro 2020 will accept talk proposals for early stage research ideas in addition to short papers. Do you have a new project or idea that you’d like to refine? Are you curious about which project directions could yield the greatest impact? Pitch a talk for ConPro, and get feedback and suggestions from its diverse, engaged audience.

Each year of ConPro, I’ve been heartened by the enthusiasm towards research that can help improve consumer welfare. If this is important to you too, we hope you’ll submit a paper or talk proposal. We’re always excited to expand our community! The submission deadline is January 23, 2020.

The Third Workshop on Technology and Consumer Protection

Arvind Narayanan and I are pleased to announce that the Workshop on Technology and Consumer Protection (ConPro ’19) will return for a third year! The workshop will once again be co-located with the IEEE Symposium on Security and Privacy, occurring in May 2019.

ConPro is a forum for a diverse range of computer science research with consumer protection implications. Last year, papers covered topics ranging from online dating fraud to the readability of security guidance. Panelists and invited speakers explored topics from preventing caller-ID spoofing to protecting unique communities.

We see ConPro as a workshop in the classic sense, providing substantive feedback and new ideas. Presentations have sparked suggestions for follow-up work and collaboration opportunities. Attendees represent a wide range of research areas, spurring creative ideas and interesting conversation. For example, comments about crowdworker concerns this year led to discussion of best practices for research making use of those workers.

Although our community has grown, we aim to keep discussion and feedback a central part of the workshop. Our friends in the legal community have had some success with larger events focused on feedback and discussion, such as PLSC. We plan to take lessons from those cases.

The success of ConPro in past years—amazing research, attendees, discussion, and PCs—makes us excited for next year. The call for papers lists some relevant topics, but if you do computer science research with consumer protection implications, it’s relevant (but be sure those implications are clear). The submission deadline is January 23, 2019. We hope you’ll submit a paper and join us in San Francisco!

When Terms of Service limit disclosure of affiliate marketing

By Arunesh Mathur, Arvind Narayanan and Marshini Chetty

In a recent paper, we analyzed affiliate marketing on YouTube and Pinterest. We found that on both platforms, only about 10% of all content with affiliate links is disclosed to users as required by the FTC’s endorsement guidelines.
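Measuring a disclosure rate like the 10% figure above requires two classifiers: one that recognises an affiliate link, and one that recognises a disclosure near it. The Python below is an added illustration of that pipeline, not the method or code from the paper. It assumes two link shapes (Amazon Associates links carrying a `tag=` query parameter, and ShareASale redirect links under `shareasale.com/r.cfm`) and a small set of disclosure phrases, of which only Amazon’s mandated sentence and the words “affiliate link” come from this post; the rest, and the sample posts, are constructed.

```python
"""Flag posts that carry affiliate links but no disclosure. Added
example, not the method from the paper; link and disclosure patterns
are assumptions stated in the comments, and the posts are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def is_affiliate_link(url: str) -> bool:
    """Recognise two link shapes (assumptions for this example): Amazon
    Associates links, which carry the associate's `tag=` query parameter,
    and ShareASale redirect links under shareasale.com/r.cfm. Other
    programs would need their own rules."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if "amazon." in host and "tag" in parse_qs(parts.query):
        return True
    if host.endswith("shareasale.com") and parts.path.lower().startswith("/r.cfm"):
        return True
    return False


# Phrases accepted as a disclosure. The first is the wording Amazon's terms
# mandate; the rest are generic wordings chosen for this example.
DISCLOSURE_RE = re.compile(
    r"as an amazon associate i earn from qualifying purchases"
    r"|\baffiliate links?\b"
    r"|\bearn (?:a )?commission\b"
    r"|(?:^|\s)#ad\b",
    re.IGNORECASE,
)


def extract_links(text: str) -> List[str]:
    """All URLs in the text, with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def audit_post(text: str) -> Dict[str, object]:
    """Affiliate links found in the post and whether any disclosure appears."""
    links = [u for u in extract_links(text) if is_affiliate_link(u)]
    return {"affiliate_links": links, "disclosed": bool(DISCLOSURE_RE.search(text))}


def disclosure_rate(posts: List[str]) -> float:
    """Share of posts containing affiliate links that also carry a
    disclosure. Posts with no affiliate links are excluded, matching how
    the figure in the post is framed (content *with* affiliate links)."""
    audited = [audit_post(p) for p in posts]
    with_links = [a for a in audited if a["affiliate_links"]]
    if not with_links:
        return 0.0
    return sum(1 for a in with_links if a["disclosed"]) / len(with_links)


SAMPLE_POSTS = [  # constructed video descriptions; the ASIN and tag are placeholders
    "My camera setup: https://www.amazon.com/dp/B000EXAMPLE?tag=example-20 "
    "As an Amazon Associate I earn from qualifying purchases.",
    "Grab the same tripod here https://www.amazon.com/dp/B000EXAMPLE?tag=example-20.",
    "Deal link: https://shareasale.com/r.cfm?b=1&u=2&m=3 (affiliate link)",
    "No links in this one, just a vlog.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(audit_post(post))
    print("disclosure rate:", disclosure_rate(SAMPLE_POSTS))  # 2 of 3 linked posts
```

The disclosure check is deliberately permissive (any recognised phrase anywhere in the text counts), so the rate it reports is an upper bound; a stricter study would also ask whether the disclosure is placed where viewers actually see it, which is the point the later paragraphs on YouTube descriptions raise.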

One way to improve the situation is for affiliate marketing companies (and other “influencer” agencies) to hold their registered content creators to the FTC’s endorsement guidelines. To better understand affiliate marketing companies’ current practices, we examined the terms and conditions of eleven of the most common affiliate marketing companies in our dataset, and specifically noted whether they required content creators to disclose their affiliate content or whether they mentioned the FTC’s guidelines upon registration.

Affiliate program      Requires disclosure?
AliExpress             No
Amazon                 Yes
Apple                  No
Commission Junction    No
Ebay                   Yes
Impact Radius          No
Rakuten Marketing      No
RewardStyle            N/A
ShopStyle              Yes
ShareASale             No

The table above summarizes our findings. All the terms and conditions were accessed May 1, 2018 from the affiliate marketing companies’ websites. We did not hyperlink those terms and conditions that were not available publicly. All the companies that required disclosure also mentioned the FTC’s endorsement guidelines.

Out of the top 10 programs in our corpus, only 3 explicitly instructed their creators to disclose their affiliate links to their users. In all three cases (Amazon, Ebay, and ShopStyle), the companies called out the FTC’s endorsement guidelines. Of particular interest is Amazon’s affiliate marketing terms and conditions (Amazon was the largest affiliate marketing program in our dataset).

Amazon’s terms and conditions: When content creators sign up on Amazon’s website, they are bound by the program’s terms and agreements, whose Section 5 is titled “Identifying Yourself as an Associate”.

Figure 1: The disclosure requirement in Section 5 of Amazon’s terms and conditions document.

As seen in Figure 1, the terms of Section 5 do not explicitly mention the FTC’s endorsement guidelines but constrain participants to add only the following disclosure to their content: “As an Amazon Associate I earn from qualifying purchases”. In fact, the terms go so far as to warn users that “Except for this disclosure, you will not make any public communication with respect to this Agreement or your participation in the Associates Program”.

However, if participants click on the “Program Policies” link in the terms and conditions—which they are also bound to by virtue of agreeing to the terms and conditions—they are specifically made responsible for complying with the FTC’s endorsement guidelines (Figure 2): “For example, you will be solely responsible for… all applicable laws (including the US FTC Guides Concerning the Use of Endorsement and Testimonials in Advertising)…”. Here, Amazon asks the content creators to comply with the FTC’s guidelines, without specifying exactly how. It is important to note that the FTC’s guidelines themselves do not impose any specific wording on content creators, but rather ask that content creators use clear and explanatory disclosures that convey to users the advertising relationship behind affiliate marketing.

Figure 2: The disclosure requirement from Amazon’s “Program Policies” page.

We learned about these clauses from the coverage of our paper on BBC’s You and Yours podcast (~16 minutes in). A YouTuber on the show pointed out that he was constrained by Amazon’s clause not to disclose anything about the affiliate program publicly.

Indeed, as described above, Amazon’s terms and conditions seem to contradict its Program Policies. On the one hand, Amazon binds its participants to the FTC’s endorsement guidelines, but on the other, Amazon severely constrains the disclosures content creators can make about their participation in the program.

Further, researchers are still figuring out which types of disclosures are effective from a user perspective. Content creators might want to adapt the form and content of disclosures based on the findings of such research and the affordances of the social platforms. For example, on YouTube, it might be best to call out the affiliate relationship in the video itself—when content creators urge participants to “check out the links in the description below”—rather than merely in the description. The rigid wording mandated by Amazon seemingly prevents such customization, and may not make the affiliate relationship adequately clear to users.

Affiliate marketing companies wield strong influence over the content creators that register with their programs, and can hold them accountable to ensure they disclose these advertising relationships in their content. At the very least, they should not make it harder to comply with applicable laws and regulations.