Designers on Privacy Dark Patterns

Designers can influence end-user privacy outcomes in profound ways, such as “nudging” users towards agreeing in consent requests or obstructing access to a website until the users have given away personal information. We conducted an interview and survey to Identify designers’ current privacy knowledge and practices, understand the motivations and hurdles designers face in advocating for user privacy at work, and examine how privacy design patterns are used in practice and their ethical implications. The research results will help reduce privacy risks in product design and enable organizations to make purposeful decisions about resource allocation and effective implementation of privacy controls in digital products.

Traditionally, research in usable security and privacy strongly focused on the end-user, in particular, on their behaviour and how security mechanisms could be designed that account for this behaviour. At the same time, it has been understood that designing successful security mechanisms requires considering stakeholders in all phases of product design, use, and support. There is a strong need to think in the design phase about how appropriate means for security and privacy can be integrated with a product. Adding such means post-hoc is likely to result in poor usability. As a result, there is a strong need to advance our understanding of how privacy and security can be made part of the design process.

Research identified that there is often a poor understanding of developers as to how basic security and privacy mechanisms can be integrated, but no studies have been conducted so far with designers, i.e., people who are responsible for designing the user interface and user experience of a product. Integrating security and privacy mechanism often requires effort and the benefit of this effort is not apparent. As a result, designers often focus on the primary feature that needs to be designed, and security and privacy become secondary. For example, consent banners are easy to design but selecting the right privacy parameters could be hard for the designers. Our research creates new knowledge in practitioner-focused security and privacy practices and extends the research on the ethical concerns of design practitioners in situated, contextual, and practice-led ways. Our approach elicits designers' perspectives, including their potential blind spots, on the complexities of adopting privacy and security practices in their work rather than making normative assumptions about "bad" design that causes privacy and security issues.