We’ve mentioned dark patterns a few times on Security Bits over the years; they are commonly used design techniques engineered to be effective at tricking humans. They are the dark side of one of the areas of computer science I enjoyed most when studying for my degree back at the turn of the century — HCI or Human Computer Interaction.
So, given my love for the field and my awareness that it has been perverted into a dark art, you’d think I’d be immune to dark patterns — NOPE!
Just because I know how dark patterns work doesn’t change the fact that I am a human, just like everyone else! We all are. The best we can do is keep ourselves educated and keep our guard up so we tilt the odds in our favour. We will mess up, and when we do, I don’t think we should feel shame. Instead, I think we seize the teachable moment and share our experiences to help others tilt the odds in their favour next time they meet a dark pattern.
So, how did I fall prey to a classic dark pattern, and what did it have to do with sour raisins?
One of the most important lessons I’ve learned on my health journey is the importance of portion sizes, and specifically, the importance of buying snacks that default me into healthy portions. I’m always on the lookout for tasty treats that come pre-portioned in snack-sized servings.
One of my absolute favourite mid-afternoon snacks has become a mini packet of Sun Maid Sour Raisins in watermelon or strawberry flavour. For years now a few of our local supermarkets have imported them from the US, and they’ve been easy to find. Until a few months ago that is, when they started disappearing from one shop after another. I noticed what was happening and stocked up, so I was fine for a while, but a few weeks ago my stocks began to run very low, and there was no sign of a return to Irish shelves. I figured they keep for ages, so I could buy in bulk online and the ratio of item price to shipping cost would be acceptable.
Anyway, I searched and searched and searched on every reputable site I could think of, but to no avail. However, all the search engines kept pushing me to one site. It seems there really is just one place to buy Sun Maid Sour Raisins online that will ship to Ireland. But, for reasons I can’t quite put my finger on, I was initially put off by the site. It had a .ie domain, so I briefly thought it was an Irish company, but then I noticed it had a domain for just about every country in the world; it was not an Irish company, it was just trying to look like one. I later discovered it’s actually a UAE company!
It’s important to set the context — I was running low on stock, I’d tried everywhere I had a reason to trust, and I was squeezing this purchase in during my lunchtime walk, so I was on a small mobile browser. If you wanted to tilt the odds against you, that seems the best way to do it — so that’s lesson number one!
Anyway, I added a box of boxes of mini packets of sour raisins to my cart, and checked out. They offered me Apple Pay, which put my mind at ease (probably too much at ease in hindsight).
When it came to the shipping screen they offered me two choices, a big box with a clearly visible price that was more than the raisins themselves, and another big box with just one big word “Free”, though there was some small print underneath.
I didn’t read the small print — I was reading on a small screen and in a rush because I was nearly back at the office, and I had a big meeting first thing after lunch which my mind was already dwelling on.
Had I read that small print I would have seen that I was agreeing to a free trial of a membership program, and that unless I pro-actively opted out within 30 days, I would be automatically subscribed to a recurring annual payment for a little under €190!
I still had a chance to correct my mistake, because the company did email me to welcome me to their club, but I just assumed it was spam like you get from so many vendors once you make an initial purchase (looking at you Amazon, 12South, Sonos & Tefeca). A quick scan of the biggest words in the email would not have saved me; the bit about costing me €190 per year unless I acted was in there, but not at the top, and not in big letters!
I had a third chance to side-step the trap, and I ALMOST made it, but I was 6 hours too late. The day before my trial ended and my first annual payment would be charged, they sent one more email, and this one actually was clear. It was short, unbranded, and just had a few lines of plain text — in 24 hours they would bill my card for €190 unless I cancelled my trial. MEEP! I read the email on another lunchtime walk, and it was about 30 hours after the mail was sent, so too late! I opened my banking app and sure enough, there was a pending transaction.
I immediately called my bank to stop it, and then I discovered that not only is it impossible to stop a pending transaction (it’s been approved by VISA at that point, so it’s incomplete rather than in review), but they had set up a recurring charge on my account, and unless they cancelled it I would be charged €190 every year. I was shocked, I’d used Apple Pay, how is that possible? Apple Pay only gave them a one-time temporary number locked to one vendor, right?!
The nice representative from my bank explained that when I approved the transaction to buy my raisins with their free shipping and small print, I had approved both a one-time charge for the raisins, and the annual subscription with its free trial. The modern banking APIs used by all the credit cards support this ‘feature’ as standard.
I assumed I had been defrauded, so I asked the bank to stop the fraudulent transaction, and the representative asked me if the charge 30 days earlier was real, and if I had entered my details into the website. I said it was and that I had. Well then, this is not fraud, sir; they did not steal your details, you gave them to them. From VISA’s point of view, trying to claw the money back once the transaction had been approved and was pending would actually be me attempting to defraud the merchant for services they had delivered!
I asked what my options were, and I was told that because I gave them the card, my only option would be to file a dispute with VISA through my bank, and that I would need to provide evidence that I had been defrauded, and proof that I had tried to resolve it with the vendor before opening the dispute. The bank could stop the subscription from billing again next year though.
I set off to gather evidence of how fraudulent this site was, and of course, once I looked carefully it became very clear to me that indeed, legally speaking, I had agreed to the recurring membership with large fees billing on a slow cadence. I could stop future transactions any time I wanted, but the €190 for this iteration was gone, because there were no grounds for me to open a dispute with VISA.
I did try to get a refund from the company though, since I had nothing to lose and €190 to gain. TL;DR, I got nowhere.
The agent in the support chat had annotated screenshots and a full text description of everything I had done to agree to this contract ready to send at the push of a button. I asked if I could cancel and get a pro-rata refund for the percentage of the membership remaining? Nope, it’s sold in increments of 1 year, there are no refunds, but it is easy to cancel my membership and not be billed next year. Oh, and they were kind enough to let me keep my benefits for the remaining 364 days.
The Lessons I Learned:
- Don’t purchase in a rush
- Don’t purchase on a screen that’s not comfortable for the site
- Watch out for and READ small print
- Don’t automatically ignore follow-up emails from companies you purchase from — they’re not always spam!
- Apple Pay protects you from data breaches by making the card details useless to anyone but the merchant you interacted with, so it adds a lot of value, but it does not protect you from the merchants you do interact with in any way whatsoever — they are regular credit card transactions governed by international rules agreed by the organisation representing all the major credit cards. The vendor gets the details they need to take your money, and you need to prove they defrauded you and that you tried to resolve your grievances with them before any credit card company will even consider refunding you.
- A country-specific top-level domain doesn’t mean anything. It doesn’t mean the company is really from that country — if you want local or regional consumer protections, you need to dig deeper and check where the company is actually located before engaging with them.