Is Apple’s ATT a ‘Dark Pattern’ User Interface?

On April 29, 2021, the FTC held a workshop about ‘Dark Patterns’, the practice some websites may use to ‘trick’ you into buying something or agreeing to a certain request. Having spent 10 years working for a highly profitable company that offered a ‘Free’ credit report, I’m painfully aware of how these tactics are used. While the FTC panelists indicated that Apple’s new ‘AppTrackingTransparency’ framework (ATT) is a positive privacy development, these same critiques can be applied to whether the ATT consent mechanism is also a ‘dark pattern’.

The FTC workshop defined ‘dark patterns’ as “the ways in which user interfaces can have the effect, intentionally or unintentionally, of obscuring, subverting, or impairing consumer autonomy, decision-making, or choice.” Breaking down how this definition is applied to Apple’s ATT, and comparing this to common privacy preferences, an argument can be made that the ATT is a ‘dark pattern’.

‘Obscuring’: The ATT prompt (see examples below) is 2 lines of text — one for Apple and one for the app. There are no links to ‘more information’, no cross-references to the App Store definition of ‘Tracking’, the app’s ‘privacy nutrition label’ or the app’s privacy policy. Every iOS app on the planet is now required to describe how they ‘Track’ users in these 2 lines of text. While some apps have implemented an ‘explainer’ message before the ATT prompt, most apps, according to this ‘ATT Prompts’ compilation website, have not implemented any such pre-ATT education. How is the approach of disabling the ability for apps to provide more clarity within the ATT prompt not considered ‘obscuring’ the details necessary to make an informed choice?

‘Misleading’: A parallel to ‘obscuring’, the ATT language combined with Apple’s ‘Tracking’ definitions and related policies do not align with common user perceptions of ‘Tracking’. If you haven’t seen Trevor Noah’s breakdown of the Apple ATT introduction, it’s worth a view. He mostly gets it right, but follows the common sentiment that the issue is about Facebook ‘Tracking’ and misses the more common app privacy issues. Facebook is not ‘vacuuming’ data surreptitiously from apps, but rather ‘receiving’ data from apps that choose to share it with Facebook. Most iOS apps do not share data with Facebook, but rather with ‘service providers’ who may only ‘measure the effectiveness of advertising without personally identifying you’. Apple’s ATT combines the concepts of ‘gathering metrics’ with ‘following you around’, which may confuse and mislead consumers since it can be applied differently to each app.

Of course, how apps can narrow their described uses without being guilty of using ‘dark pattern language’ is endlessly debatable, but there is a huge difference between the perception that each app will be ‘following you around’ versus ‘gathering metrics’, of which iOS apps no longer have control to clarify.

‘Subverting’: Many of the FTC presenters focused on how websites or apps use a ‘consent default’ as a dark pattern, such as this statement by Stanford’s Jennifer King: “One of the things we look at is whether the accept button is highlighted in advance; you can argue that’s a dark pattern.” How can objective decisions be made about whether the order or language in a choice ‘enhances’ or ‘subverts’ that choice? There may be instances where it is more appropriate for “Allow” to be the first choice. I commend Apple for creating a choice mechanism, and the FTC for exploring tactics that may mislead consumers; however, each app or website should be able to present their own approach to consent that matches their brand, ethos and their customer or user expectations. It’s arguable that whatever the default first choice is will be the most clicked on, whether it’s ‘Allow’ or ‘Reject’. However, with many similar consent forms, such as with cookie consent banners, we typically see the choices in an equivalent ‘side by side’ approach rather than the ATT’s required ‘one over the other’ approach. By forcing every app to use Apple’s default user experience, Apple may be ‘subverting’ the rights of app owners to present an equal-footing approach to consent.

Finally, I would be remiss not to point out this comparative example as another aspect of the ‘subversion’ argument, as posted by Nicolas Rieul on Twitter:

[Image: tweet by Nicolas Rieul]



‘Impairing Autonomy, Decision-Making or Choice’: Let’s compare what Consent Management Platforms (CMPs) have been offering versus the Apple ATT:

[Images: side-by-side comparison of CMP and ATT consent screens]


Any privacy or user experience expert would have a hard time arguing that Apple's ATT enables consumers to make better app-specific privacy decisions than what CMPs offer. In comparison to CMPs, it may even appear that Apple is ‘impairing’ these consumer education and choice options. I admit that some of the CMP cookie-related user interfaces, most notably with the IAB Europe’s Transparency & Consent Framework (TCF), make some of these privacy UI choices appear too complex (albeit they are simply trying to follow a precise compliance approach).

However, the mobile CMP industry is barely a few years old, and is a quickly evolving space. Whether Apple learns from these CMPs and builds their own enhanced CMP-like tools, or works with app developers to enable a better ATT privacy experience, they should take note of the FTC and Congressional inquiries into ‘dark patterns’ (as well as state laws such as the CPRA) and strive to improve upon ‘our’ iOS privacy user experience. In the meantime, feel free to report any ‘dark patterns’ you may observe to Consumer Reports by clicking here.
