Ophir Harpaz just wanted to get a good deal on a flight to London. She was on travel website OneTravel, scouring various options for her trip. As she browsed, she noticed a seemingly helpful prompt: “38 people are looking at this flight”. A nudge that implied the flight might soon get booked up, or perhaps that the price of a seat would rise as they became scarcer.
Except it wasn’t a true statement. As Harpaz looked at that number, “38 people”, she began to feel sceptical. Were 38 people really looking at that budget flight to London at the same exact moment?
Being a cyber-security researcher, she was familiar with web code so she decided to examine how OneTravel displayed its web pages. (Anyone can do this by using the “inspect” function on web browsers like Firefox and Chrome.) After a little bit of digging she made a startling discovery – the number wasn’t genuine. The OneTravel web page she was browsing was simply designed to claim that between 28 and 45 people were viewing a flight at any given moment. The exact figure was chosen at random.
Not only that, the website’s innards were surprisingly blatant about what was going on. The bit of code that defined the number shown to users was even labelled “view_notification_random”.
“There is not a piece of truth in this artefact – unless 38 people were actually looking at the site,” says Harpaz, whose Twitter thread about the discovery went viral.
‘Dark patterns’ are aesthetic or verbal nudges intended to guide customers toward making a specific decision or clicking on something (Credit: Getty Images)
BBC Worklife contacted Fareportal, the firm that owns OneTravel, for comment. A spokeswoman said:
“The code that you are referring to was part of a beta test, and was never meant to be exposed outside of a small test environment.
“One Travel is a high traffic site, and we run multiple tests every day to enhance user experience and customer satisfaction.”
She added that OneTravel was now taking steps to prevent the same thing from happening again.
Similar code has been found on other websites. Graduate student Arunesh Mathur at Princeton University recently investigated PureVPN, a company that sells virtual private network software for secure web browsing.
Subscription deals were listed on its website with a notification that the last time someone bought a package was mere minutes or seconds ago. Upon closer inspection, the code turned out to be choosing a random number for these statements.
I think it is OK to show the customer that the item is very popular, but you have to be honest – Ophir Harpaz
BBC Worklife analysed the code and confirmed Mathur’s findings. When contacted, a spokesman for PureVPN said that a team had been assigned to remove the code in question immediately – though he added that random number generators like the one PureVPN removed were “quite a common practice”.
“PureVPN has moved away from the same since we don’t want to be associated with anything that conflicts with our reputation, credibility and most importantly, how our customers and prospects perceive us as a brand,” the spokesman said.
Social proof, or the tendency to mimic the behaviour of others around us, can be manipulated to make people act a certain way (Credit: Alamy)
It is possible to represent demand and scarcity accurately. Websites do track how many people view their pages, so many retailers may well be making accurate statements to consumers about the popularity of items.
But Harpaz says she’ll be far less likely to trust them again.
“I think it is OK to show the customer that the item is very popular,” she says. “But you have to be honest.”
When online retailers use web design and verbal nudges to guide customers towards clicking something or making a particular decision, they are deploying what have become known as “dark patterns”. The term was coined by design consultant Harry Brignull about 10 years ago.
Perhaps the biggest harm from dark patterns is a loss of trust in the online environment and a degradation of our online experience – Arvind Narayanan
While some dark patterns might be subtle – a pre-ticked checkbox on a form signing you up to a newsletter during registration, for example – others are “intended to gaslight the consumer”, says Brignull.
He gives OneTravel the benefit of the doubt. While the code was clearly untruthful, he says the firm “made a mistake”, was likely experimenting and will hopefully now be more rigorous.
Arvind Narayanan, associate professor of computer science at Princeton, has worked with graduate student Mathur on unearthing dark patterns found on retail websites. In research published earlier this year, they showed that in a sample of 11,000 retail websites, about 11%, contained dark patterns. Of those dark patterns, 234 were found to be deceptive.
“Perhaps the biggest harm from dark patterns is a loss of trust in the online environment and a degradation of our online experience,” says Narayanan.
It’s this loss of trust that can hurt both consumers and the companies trying to sell to them, says Renée Richardson Gosline at the MIT Sloan School of Management.
It’s common practice for companies to insert random number generators onto their sites to display information to the user (Credit: Getty Images)
It’s a common marketing tactic to use nudges – subtle cues or indirect suggestions – to steer decision-making in a particular way. In this case, by displaying prompts such as “X many people are viewing this product!” or “Y many minutes remain until the price increases!", firms are tapping into “social proof”, or our tendency to mimic the behaviour of groups of people.
But, Richardson Gosline says, nudges should never be based on manipulations of information asymmetry, where the firm knows things that the customer does not.
“It can be effective at first, but when it starts to smell fishy, you’ve really made yourself vulnerable not only to competition, but you’ve also minimised loyalty, which is unwise.”
Because they erode trust, says Narayanan, “dark patterns are like pollution, which is why we can't rely on individual apps and websites to regulate themselves.”
Brignull agrees. He says drafting codes of ethics for web designers won’t work – designers could be asked to bend the truth by their bosses and therefore may exert little ethical control. He argues that deceptions will become more common unless society takes a tougher stance against them.
“I think really what we need is good regulation and we need a regulatory system that moves as fast as the internet does,” he says.
We need a regulatory system that moves as fast as the internet does – Harry Brignull
Such a response may be on the cards. In recent years, consumer groups have taken a keen interest in the rise of deceptive dark patterns, including the Norwegian Consumer Council, which published a report last year on the subject. It recommended that firms be as transparent as possible when engaging customers online – for example by not pre-ticking checkboxes on forms that lower privacy protections.
In the UK, consumer watchdog Which? has exposed false claims on travel websites. Rory Boland, travel editor, says, “Despite work by the Competition and Markets Authority [CMA] to clean up the industry, we know that not all hotel booking sites are following the rules.”
“Until the whole industry complies with the rules the CMA has introduced and makes the necessary changes, UK holidaymakers are still at risk of being misled by unscrupulous practices."
Harpaz says she would like to see the public become more aware of these online sales tactics. She was pleased to see her Twitter thread retweeted around the world and shared by users speaking a variety of languages.
“I think it’s just important that people are aware of such things,” she says. “This is something that should be talked about.”