Dark Patterns For Disabled People

Years ago, I wanted to buy a car, so I tested the car. Everything went smoothly, until I drove fast. “Huh?”. The sound of the car was different. I could not figure out why.

Afterwards I told the owner about this strange sound. His reaction was: “The car has winter tires.” I was driving in spring, so the hard tires made a lot of sound on the road.

If I would use these tires during spring and summer, then they would wear out more quickly than normal tires. That was not my intention.

My heuristic or effective way to determine this situation was: “Huh?”. For me, a heuristic is based on experience and useful in most cases.

I’m a tester after all

Some legal background

In recent years websites have changed for their users. General Data Protection Regulation, a European law, and California Consumer Protection Act, a Californian privacy law, became effective. For a tester like me these laws are legitimate reasons to report a bug.

For me, a law is an oracle, a reliable truthful source of information.

GDPR, General Data Protection Regulation, and CCPA, California Consumer Protection Act, explicitly require websites to request information from their website visitors.

The most popular way to gather information is cookies. A lot of people will think of sweet snacks as shown in the picture at the top of this blog post.

Today cookies are also small files left on the PC of the user. In the past cookies were mostly used for the proper working of the website. I need to buy a car with a digital radio and the website keeps track of my order. “That’s a good boy.”

Over time cookies were also used to increase sales. “Thanks for showing the cars with digital radio advertisements, but I do not consume them on an hourly basis.”

Disclaimer

I am not a legal expert, so it is better to consult your Legal department.
I am just a tester finding test ideas about privacy laws.
Thanks for joining in advance.

Some disabled personas

In the tester community personas can be useful during testing. Let me introduce some personas:

  1. My name is Andrew. I am blind.
  2. My name is Brian. I have a cognitive problem and have trouble concentrating.
  3. My name is Cate. I am visually impaired. I cannot read small words or recognise small objects.

These personas will be used for testing a cookie banner. For them this is that annoying window popping up at the bottom of a website, asking for all kinds of permissions.

Some first impressions

There is a simple trick to show a cookie banner: open the website in incognito mode. In this mode there are no cookies, so permission should be asked to gather personal information.

Heuristic in action

Cate has a mobile phone with increased font size. This way she can still read what is on her screen. It is easy for me to change the settings to get the same experience.

The cookie banner is too big for the screen. There is no scrollbar available. Huh? I cannot read all the information.


A cookie banner could contain a text like this:
“We use cookies for a number of reasons, such as keeping our sites reliable and secure, personalising content and ads, providing social media features and to analyse how our sites are used.”

Huh? For Brian with concentration problems, this is too much information to digest. Even I have to read this sentence several times to understand why cookies are used.


Andrew is blind and uses a screen reader, which reads the text aloud. He is fully aware of the presence of cookie banners.

I use the Tab key to get to the text of the cookie banner. After a lot of tabs, I hear the title of the banner and then “Accept”. Huh? The text of the banner is skipped. I went straight to the “Accept” button.

A look at the oracles

Andrew and Cate, the personas with sight problems, must be able to access all the information.

Note to the reader: in this blog post I will quote from some laws to show how I use oracles for testing purposes. If you want to save some time, then you can write down only the specific quote. E.g. GDPR Article 5. And continue reading after this article.

GDPR Article 5:
1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
Article 2 CCPA (2)
The notice at collection shall be designed and presented in a way that is easy to read and understandable to consumers. The notice shall:
[...]
d. Be reasonably accessible to consumers with disabilities.

Brian is not able to understand all the shown information.

GDPR
Article 7; clear and plain language
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

According to me Brian with a concentration problem did not get “an intelligible and easily accessible form”.


Some people think that personal information is only shared with colleagues in the same company. It is possible to share this information with partners.

Imagine me looking for a car with a digital radio. “Huh? A car dealer from another company only showed me cars with digital radios.” He did not pay a penny for my thoughts.

It is even possible to sell this information to other companies. “Huh? When I visit a website, I see a lot of digital radio advertisements.” There is enough room, but I really need only one.

For all these situations I have to give permission in the cookie banner.

GDPR
Article 6:
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
CCPA Article 2:
§ 999.305. Notice at Collection of Personal Information.
(a) Purpose and General Principles
(1) The purpose of the notice at collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.

Some buttons

Writing about giving permissions reminds me about buttons.

In many cookie banners there is a button to change the settings of the cookies. A lot of information and options are shown. There is a general story about the cookies. Then a list of all options is shown.

Heuristic in action

Let me show a button.
A horizontal button with the switch on the left!
Huh? Is this permission switched on or off?


There are cookie banners with a switch on the right in grey. After switching the button to the left, the button with a switch on the left is shown. Huh? Brian with a cognitive problem has a tough time figuring this one out.

I might assume that the button is switched on when the switch is on the left.
This is not even clear for people with normal sight. At first sight.


After clicking, the button will be shown in dark lines instead of grey lines. Huh? Brian is still struggling with the button.


Let me click the button switching from light grey to dark grey. Huh? Something might have changed for Cate with bad sight. The contrast is not good enough to show which permission has been given.


There are at least 20 lines of information and permission. Huh? Brian with concentration problems is having a serious problem with all the information of the cookie banner.


Andrew, a blind person, will use NVDA, a screen reader. I press on the button. Huh? I hear nothing. Is the button switched on? Andrew would not have any clue at all.

A look at the oracles

During my research I was curious whether disabled people could rely on any helpful articles in privacy laws.

GDPR Article 12; 1.
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Article 13 is about information to be provided where personal data are collected from the data subject.

I interpret these articles as follows: asking permission from a disabled person is like asking them to sign a contract.

According to me “electronic means” includes things like using buttons, which can provide information about the state. For example the button for permission to share information with partners is switched on.

Basically, a blind person must be able to understand the contract before signing.


CCPA Article 2. Also refers to ... 
For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.
(3)
The notice at collection shall be made readily available where consumers

In this article there is a direct reference to accessibility standards.
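The button problems above (nothing announced by the screen reader, on and off shown only in similar greys) can be turned into a repeatable check against WCAG 2.1, the standard the CCPA text names. The following is an added example, not part of the original post or of any cookie banner product; the toggle descriptor format, the function names and the sample colours are assumptions made for the illustration.

```javascript
// Added example. Checks a cookie-banner toggle for the problems described
// above. The descriptor objects are a hypothetical format: tag name,
// attributes, visible label text and the colours used for each state.

// WCAG 2.1 relative luminance of an sRGB colour written as "#rrggbb".
function relativeLuminance(hex) {
  const m = /^#([0-9a-f]{6})$/i.exec(hex);
  if (!m) throw new Error("expected #rrggbb, got " + hex);
  const n = parseInt(m[1], 16);
  const [r, g, b] = [(n >> 16) & 255, (n >> 8) & 255, n & 255].map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG 2.1 contrast ratio, from 1 (same colour) to 21 (black on white).
function contrastRatio(a, b) {
  const la = relativeLuminance(a);
  const lb = relativeLuminance(b);
  return (Math.max(la, lb) + 0.05) / (Math.min(la, lb) + 0.05);
}

// Minimum ratio for user interface components and their states (SC 1.4.11).
const MIN_UI_CONTRAST = 3;

// Returns a list of findings; an empty list means no problem was detected.
function auditToggle(toggle) {
  const a = toggle.attrs || {};
  const findings = [];
  const isBool = (v) => v === "true" || v === "false";

  // SC 4.1.2: the on/off state must be available to assistive technology.
  const exposesState =
    (toggle.tag === "input" && a.type === "checkbox") ||
    ((a.role === "switch" || a.role === "checkbox") && isBool(a["aria-checked"])) ||
    (toggle.tag === "button" && isBool(a["aria-pressed"]));
  if (!exposesState) findings.push("state-not-exposed");

  // SC 4.1.2: a screen reader also needs a name for the permission.
  if (!(a["aria-label"] || a["aria-labelledby"] || toggle.labelText)) {
    findings.push("no-accessible-name");
  }

  // SC 1.4.11: each state must stand out from the banner background.
  if (contrastRatio(toggle.offColor, toggle.background) < MIN_UI_CONTRAST) {
    findings.push("low-contrast-off");
  }
  if (contrastRatio(toggle.onColor, toggle.background) < MIN_UI_CONTRAST) {
    findings.push("low-contrast-on");
  }
  return findings;
}

// Constructed sample: a styled <div> that switches from light to dark grey.
const GREY_SWITCH = {
  tag: "div", attrs: { class: "switch" }, labelText: "",
  background: "#ffffff", offColor: "#cccccc", onColor: "#999999",
};

// Constructed sample: a button that announces its state and has clear colours.
const LABELLED_SWITCH = {
  tag: "button",
  attrs: { role: "switch", "aria-checked": "false", "aria-label": "Share data with partners" },
  labelText: "Share data with partners",
  background: "#ffffff", offColor: "#767676", onColor: "#006600",
};

console.log(auditToggle(GREY_SWITCH));
console.log(auditToggle(LABELLED_SWITCH));
```

A passing result only covers these three checks; listening to the banner with a screen reader, as described above, remains necessary.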

Some confirmations

Now it is time to save the changed permissions.

Heuristic in action

Cate is not able to see small details. In a browser on a Windows computer, it is possible to use the Ctrl key and minus key at the same time to zoom out. I do this several times.

A solid green button is shown. This might be the Save button. I zoom in by pressing the Ctrl key and the plus key at the same time. Huh? I noticed that this is the “Accept all cookies” button.


Let me continue experiencing the website as Cate with bad sight. I zoom out again using the Ctrl key and minus key several times in a row. Huh? There is no button to save the selected permissions.

I zoom in again using the Ctrl key and plus key several times in a row. Huh? A white button with a small green border appears. It is for “Save and exit”.


Brian with concentration problems has too much information to digest and presses a button. Huh? Did I give all permissions with the first button?

A look at the oracles

As oracles I use GDPR Article 12 1. and CCPA Article 2. These are described a few paragraphs above.

Disabled people must be able to fully understand what they are agreeing to.

Some dark patterns

In this blog post I described some situations which can have disadvantages for disabled people. It is tempting to give a permission to a website, just to see a webpage.

For me, a dark pattern is an intentional or unintentional way to convince users to make choices without providing clear information. In all cases a tester should have a good look or listen to the website.

Some things to test

A lot of companies tend to buy software for cookie banners. This is a reasonable thing to do, because there are a lot of privacy laws in place. Cookie banner software takes care of all those differences in the international and national laws.

For the people concerned, there are different rules for countries within the European Union regarding GDPR. It is hard to keep track of them.

If your company wants to buy this software, it is advised to test it for accessibility. Ask for a website using this software and watch out for “Huh?”.

It is like buying a car. If I did not pay enough attention to the tires, then I would have a serious driving problem. If the car is broken, then the owner is still responsible.

Thanks for coming to my TED talk.

Some legal resources

These sources can be used as oracles:

  1. Overview of references to GDPR law in different languages
    https://op.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en
  2. CCPA fact sheet
    https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf
  3. CCPA full legal text
    https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf
  4. A short introduction of GDPR
    https://mindfultester.com/may-2018-testing

Return of The Script

In recent years Exploratory Testing has gained a lot of followers. In the world of Agile development fast feedback by testers is really welcome.

There are people who have doubts about the structure and knowledge transfer, because there is no script. For an experienced tester, a note about a data life cycle test is enough. Writing out tests for creating, reading, updating, and deleting data is boring for me.

Exploratory is about finding information and using it during the same activity. This can be achieved with a script. Let me tell you some Exploratory stories.

Exploring while scripting

The search

Laptops are light and small compared to desktop computers. On the other hand, for the same price I get more RAM and hard disk space in a desktop computer.

SSD or Solid State Disk is a hard disk, which is used frequently in computers. I needed an extra hard disk for my data. The challenge was to prevent my SSD from overflowing with data.

I opened a text editor and noted all kinds of information. My SSD was my default drive to store my information. I had to redirect all data to my HDD or Hard Disk Drive.

In the past I had changed this in the Windows registry, but I did not like this. It could lead to errors. I preferred to change the direction of the data using a command or a dialog.

Like a lot of programmers, I searched on the web. I found some articles and blog posts. In the meantime, I was copying links and making notes how to reproduce the steps.

The script

The first time I executed the script, I was about to copy all the steps in my notes. This is a waste of time, so I just added my observations in the script.

For personal reasons I changed the script in a few places.

network cable out
[current PC] copy all files in Kid on external hard disk
check on Appdata 08:25
[current PC] make a copy of the mail program and game subdirectory in the subdirectories of Appdata of Kid.
08:56
[current PC] remove all stuff from the mail program (after check?)
09:30
network cable in

Network cable out of new PC
[new PC] check %APPdata%
mklink does not work properly.

environment variables => no appdata found/
[New PC] old files app data
[New PC] copy all mail program and game program subdirectories to app data.
[New PC] make extra copy of files
[open Thunderbird] remove all files.

Network cable in new PC
check game
check mail program
network cable out of new PC

In case of problems:
- restore old files of mail program and game.

The details

There are some parts which need some explanation.

network cable out

As long as the current PC is connected to the internet, the mails will be downloaded all the time. During the move of the files of the mail program I might miss emails.


[current PC] copy all files in Kid on external hard disk
check on Appdata 08:25

The reason I chose an account of one of my kids is the small amount of data, which is used by this account. This is easier to restore than the huge bulk of data on my personal account. Hoarded as charged.

Appdata is a specific place for Windows. In this subdirectory there are subdirectories for programs to store information. E.g. for a mail program the address book and the mails are stored over here.

At the end of the line, I wrote down the time of the action.


network cable in

Network cable out of new PC

During my review I noticed that this was quite confusing. I added new PC in the last line. Looking at my script, the problem of downloading mail on my current PC was back. I remember that I left the network cable out.


[new PC] check %APPdata%
mklink does not work properly.

environment variables => no appdata found/

There was a step missing in this script. The precise use of mklink was not included. I had used this command and described the following steps in this script. However, there is still enough information to reconstruct the process.

Here things go wrong, because appdata could not be found. I did not note the time, but the message is clear.


[New PC] old files app data

This is short for copy files from the old PC to the HDD on the new PC.


check game
check mail program
network cable out of new PC

The most important thing of changing stuff is testing whether this went right.


In case of problems:
- restore old files of mail program and game.

This was my contingency plan.


While blogging I noticed that the other files to be copied were not mentioned. I forgot to include this step. Probably this was too obvious at that time.


Debriefing, or telling what I did, is a way to discover what went wrong.


Who said: “You cannot change the script”?

Exploring while debugging

The command mklink was not the proper solution for my problem. I removed the created account and all files. This time I switched my search results to video.

After a while I got a script to make the proper redirection: when I saved the files, then they would be saved on my HDD. My first steps went right and then nothing happened. It did not work.

Time for my clean up again: remove the created account and all files. Then I could start in a clean environment.

There was a bug or error in my script which I had to remove. But what went wrong?

I opened the video in the browser and watched it again. All the time my thoughts were like “Yeah, it is in my script”. Imagine me nodding all the time.

Then something was mentioned in the voice over: I had to wait. Imagine me saying: “Oh”.

I only watched the first part of the video and stopped. I assumed that the change in my configuration would be immediate. Computers are fast. In this particular case the change took seconds.

The next time I repeated the steps in my script. I waited long enough at the crucial step. Then my files were saved on the HDD instead of the SSD.

You should always listen to the end of the message.

Exploring while planning

Years ago, I was a test coordinator for several projects. Several components would be changed and the question was: can you test whether everything went right?

I had serious doubts about the number of actions and their consequences. My goal was to explore the deployment. Fewer surprises mean fewer tests.

It took me little effort to convince the project manager to have a meeting about the deployment plan. I volunteered as chairman. Some of the questions about this meeting are answered in the Q&A.

You do need to think about the implications of the things you create.
– Jemma Simmons

An Inspired Evening

Every company has its own way to engage with its users. Some years ago, my team members and I spent an evening with the users.

The invitation

One day I received a mail asking for volunteers. It was for a special session. I was curious, so I asked the other testers about it.
“The backlog contains a lot of tickets. So, once in a while user representatives will choose items they want to be solved.”

It was difficult for me to imagine how things would evolve. The other tester continued with: “The programmers will program the solution on that very evening.”

There was no need for extensive documentation and discussion. It was about asking and making it work. Because this sounded agile to me, I volunteered as a tester.

The preparation

In the following weeks the team for the session slowly began to form. There were 3 programmers. An analyst also joined. People with different skill sets were on board.

Welcome to the club.

The selection of the tickets was a balancing act. On one hand a ticket should add real value to the users. On the other hand, it should not take too much time to solve it. The outcome of the session would be a set of solved tickets, which had annoyed the users for a long time.

As expected, the users sent a big list to the product owner. In turn he sent the tickets to the programmers. Another selection took place.

During the days before the session, I heard the words “Too big” in different volumes. I interpreted “Too big” in a normal tone as “Solving this ticket will cost a big deal of the session.”. A shouted “Too big” sounded to me like “We need more than 1 session.”.

The meal

The evening started with a meal. Users recognised some developers. There was some small talk.

The session

After the meal we moved to a room with a big table for the laptops. On one wall a big screen was attached.

The problem

The first Jira ticket was shown on a big screen. This was not the application they were looking for. I noticed that the users were disturbed. Imagine your problem described in an unfamiliar form. It was a wall of text. This was not a good start.

A user representative also saw the confused look on the faces of her colleagues and started to talk. Everyone started to look at her instead of that screen with all that text.

She started with “You know that window with …”. People began to nod, while she continued to describe the window and the functions. “Now the problem is, that …”, she continued. Annoyance could be felt, when she described the details.

Then she told: “It would be great, if …” followed by a solution. Her peers showed appreciation for the proposal. She ended with: “Other things to take into account, are …” followed by domain knowledge and their way of working.

She told a first-hand user story. Nothing was lost in translation. There is no shorter path to a user than the shortcut I just described.

The clarification

The single male programmer stepped forward: “I take this one.”

“Can you plug me in?”, he asked. Someone connected his laptop to the big screen. The users saw a familiar window. This was the application they were looking for.

The programmer continued: “So you want the buttons on this window?” Users nodded their heads. The mouse pointer moved to two different locations: “I can place a button here. And here. It will look similar to …”

“this screen”. The programmer was now showing another window on the big screen. “Here are the buttons placed on similar locations.” This sounded good enough for the users.

The laptop of the programmer was disconnected and the next Jira ticket was shown.

The queue

This time the user representative scanned the text in a few seconds and started to talk about the problem, a possible solution, and other relevant information.

Then the first female programmer asked the second female programmer: “Shall I take this one?”
“Yes”
Another round of questions and answers followed. Then she started to program.

Rinse and repeat

Then it was the turn of the user representative and the second female programmer to repeat all the steps for the next Jira ticket.

The wait

It was silent in the room. Three programmers were ticking on their laptops. The other people were quiet.

Once in a while a programmer would ask some questions:
“You wanted to order things.”
A nod followed.
“Is the order ascending?”
“Yes, that would be handy.”

And the silence started again.

The demo

After a while the male programmer said: “I want to show something.” His laptop was connected to the big screen. “On the window I added the buttons.”, while pointing them with the mouse pointer.

“If I do this, …”, he pushed a button, “then this happens.” He told how the buttons interacted with the window.

The 6 users started to ask questions. Some of them were answered by a small demonstration of the application. This was the fix they were looking for.

The business analyst and I were also looking from other perspectives:

  • What is the consequence of the shown information?
  • What happens, if …?

After all the questions were answered, the programmer was available for the next ticket.

The stack

During the evening the stack of tickets slowly decreased. Three different user stories were taken care of at the same time.

The closing

Towards the end of the session the tickets were chosen with more care: could it be fixed before the end of the session?

I think I can make it.

At the end there was a positive buzz in the air. An evening of working after a complete workday had tired the participants of the session. Afterwards people talked a little before going home.

The follow up

It was a productive evening. The programmers had solved some annoying problems for the users. These were the fixes they were looking for.

The programmers had worked in a development environment, so the fixes were not available on the workplace of the users the next day. The code had to be merged with the code for the next release. Then standard tests and regression tests had to be executed by the testers.

The context

It is tempting to compare Jira tickets with low hanging fruit. Is it interesting to invite 6 users for a few hours in an evening to see a development team picking 1 apple?

Strawberries are hanging lower than apples: are 100 strawberries more worthwhile than 100 apples? There are also different strawberries: are green strawberries more worthwhile than red strawberries?

In this company the time to fix the ticket and the value of the ticket were used for the selection of the tickets. These factors might be different for another company.

Later I shared this experience with different companies, but it was not applicable.

Your mileage may vary.
