Category Archives: Legal

Dark Patterns For Disabled People

Years ago, I wanted to buy a car, so I tested the car. Everything went smoothly, until I drove fast. “Huh?” The sound of the car was different. I could not figure out why.

Afterwards I told the owner about this strange sound. His reaction was: “The car has winter tires.” I was driving in spring, so the hard tires made a lot of sound on the road.

If I used these tires during spring and summer, they would wear out more quickly than normal tires. That was not my intention.

My heuristic or effective way to determine this situation was: “Huh?”. For me, a heuristic is based on experience and useful in most cases.

I’m a tester after all

Some legal background

In recent years websites have changed for their users. The General Data Protection Regulation, a European law, and the California Consumer Protection Act, a Californian privacy law, became effective. For a tester like me these laws are legitimate reasons to report a bug.

For me, a law is an oracle, a reliable truthful source of information.

GDPR, General Data Protection Regulation, and CCPA, California Consumer Protection Act, explicitly require websites to request information from their website visitors.

The most popular way to gather information is cookies. A lot of people will think of sweet snacks as shown in the picture at the top of this blog post.

Today cookies are also small files left on the PC of the user. In the past cookies were mostly used for the proper working of the website. I need to buy a car with a digital radio and the website keeps track of my order. “That’s a good boy.”

Over time cookies were also used to increase sales. “Thanks for showing the cars with digital radio advertisements, but I do not consume them on an hourly basis.”

Disclaimer

I am not a legal expert, so it is better to consult your Legal department.
I am just a tester finding test ideas about privacy laws.
Thanks for joining in advance.

Some disabled personas

In the tester community personas can be useful during testing. Let me introduce some personas:

  1. My name is Andrew. I am blind.
  2. My name is Brian. I have a cognitive problem and have trouble concentrating.
  3. My name is Cate. I am visually impaired. I cannot read small words or recognise small objects.

These personas will be used for testing a cookie banner. For them this is that annoying window popping up at the bottom of a website, asking for all kinds of permissions.

Some first impressions

There is a simple trick to show a cookie banner: open the website in incognito mode. In this mode there are no cookies, so permission should be asked to gather personal information.

Heuristic in action

Cate has a mobile phone with increased font size. This way she can still read what is on her screen. It is easy for me to change the settings to get the same experience.

The cookie banner is too big for the screen. There is no scrollbar available. Huh? I cannot read all the information.


A cookie banner could contain a text like this:
“We use cookies for a number of reasons, such as keeping our sites reliable and secure, personalising content and ads, providing social media features and to analyse how our sites are used.”

Huh? For Brian with concentration problems, this is too much information to digest. Even I have to read this sentence several times to understand why cookies are used.


Andrew is blind and uses a screen reader, which reads the text aloud. He is fully aware of the presence of cookie banners.

I use the Tab key to get to the text of the cookie banner. After a lot of tabs, I hear the title of the banner and then “Accept”. Huh? The text of the banner is skipped. I went straight to the “Accept” button.

A look at the oracles

Andrew and Cate, the personas with sight problems, must be able to access all the information.

Note to the reader: in this blog post I will quote from some laws to show how I use oracles for testing purposes. If you want to save some time, then you can write down only the specific quote. E.g. GDPR Article 5. And continue reading after this article.

GDPR Article 5:
1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

Article 2 CCPA (2)
The notice at collection shall be designed and presented in a way that is easy to read and understandable to consumers. The notice shall:
[...]
d. Be reasonably accessible to consumers with disabilities.

Brian is not able to understand all the shown information.

GDPR
Article 7; clear and plain language
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

In my opinion, Brian with a concentration problem did not get “an intelligible and easily accessible form”.


Some people think that personal information is only shared with colleagues in the same company. It is possible to share this information with partners.

Imagine me looking for a car with a digital radio. “Huh? A car dealer from another company only showed me cars with digital radios.” He did not pay a penny for my thoughts.

It is even possible to sell this information to other companies. “Huh? When I visit a website, I see a lot of digital radio advertisements.” There is enough room, but I really need only one.

For all these situations I have to give permission in the cookie banner.

GDPR
Article 6:
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

CCPA Article 2:
§ 999.305. Notice at Collection of Personal Information.
(a) Purpose and General Principles
(1) The purpose of the notice at collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.

Some buttons

Writing about giving permissions reminds me about buttons.

In many cookie banners there is a button to change the settings of the cookies. A lot of information and options are shown. There is a general story about the cookies. Then a list of all options is shown.

Heuristic in action

Let me show a button.
A horizontal button with the switch on the left!
Huh? Is this permission switched on or off?


There are cookie banners with a switch on the right in grey. After switching the button to the left the button with a switch on the left is shown. Huh? Brian with a cognitive problem has a tough time figuring this one out.

I might assume that the button is switched on in the left position.
This is not even clear for people with normal sight. At first sight.


After clicking, the button will be shown in dark lines instead of grey lines. Huh? Brian is still struggling with the button.


Let me click the button switching from light grey to dark grey. Huh? Something might have changed for Cate with her bad sight. The contrast is not good enough to show which permission has been given.


There are at least 20 lines of information and permission. Huh? Brian with concentration problems is having a serious problem with all the information of the cookie banner.


Andrew, a blind person, will use NVDA, a screen reader. I press on the button. Huh? I hear nothing. Is the button switched on? Andrew would not have any clue at all.
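
The silent button comes down to whether a toggle exposes a role, a state, a name and keyboard focus to a screen reader. As an added example (not part of the original post and not any vendor's code), this Python check parses a constructed banner snippet and reports per toggle what a user like Andrew would miss. The class-name heuristic, the finding names and the sample markup are assumptions; the markup is assumed to be well-formed, and toggle buttons built with aria-pressed are not covered.

```python
from html.parser import HTMLParser

# Constructed sample markup (not from any real banner): four toggle variants.
SAMPLE_BANNER = """
<div role="dialog" aria-label="Cookie settings">
  <div class="toggle" id="partners" onclick="flip(this)"></div>
  <button id="ads" role="switch">Advertising</button>
  <button id="stats" role="switch" aria-checked="false">Statistics</button>
  <input id="needed" type="checkbox" checked disabled>
  <label for="needed">Necessary</label>
</div>
"""

VOID = {"input", "img", "br", "hr", "meta", "link"}  # elements without end tag
NATIVE = {"button", "input", "select", "textarea"}   # focusable by default
STATE_VALUES = {"switch": ("true", "false"), "checkbox": ("true", "false", "mixed")}


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.elements = []  # every element seen: tag, attributes, text inside
        self._open = []     # stack of elements whose end tag is still pending

    def handle_starttag(self, tag, attrs):
        el = {"tag": tag, "attrs": dict(attrs), "text": ""}
        self.elements.append(el)
        if tag not in VOID:
            self._open.append(el)

    def handle_endtag(self, tag):
        while tag not in VOID and self._open and self._open.pop()["tag"] != tag:
            pass

    def handle_data(self, data):
        for el in self._open:  # text counts for every enclosing element
            el["text"] += data


def audit_toggles(html):
    """Return {element id: [problems]} for every toggle-like control found."""
    c = _Collector()
    c.feed(html)
    labelled = {e["attrs"].get("for") for e in c.elements
                if e["tag"] == "label" and e["text"].strip()}
    report = {}
    for n, el in enumerate(c.elements):
        tag, a, role = el["tag"], el["attrs"], el["attrs"].get("role")
        native = tag == "input" and a.get("type") == "checkbox"
        # Assumption: a class containing "toggle" or "switch" marks a custom toggle.
        custom = any(w in (a.get("class") or "") for w in ("toggle", "switch"))
        if not (native or role in STATE_VALUES or custom):
            continue
        problems = []
        if not native and role not in STATE_VALUES:
            problems.append("no-role")        # not announced as a control at all
        if not native and a.get("aria-checked") not in STATE_VALUES.get(role, ()):
            problems.append("no-state")       # on/off is visible but never spoken
        if tag not in NATIVE and not (a.get("tabindex") or "-1").isdigit():
            problems.append("not-focusable")  # the Tab key never reaches it
        name = a.get("aria-label") or a.get("aria-labelledby") or el["text"].strip()
        if not (name or a.get("id") in labelled):
            problems.append("no-name")        # unclear which permission it is
        report[a.get("id") or f"{tag}#{n}"] = problems
    return report


if __name__ == "__main__":
    print(audit_toggles(SAMPLE_BANNER))
```

A static check like this only narrows down where to listen; the state still has to be confirmed with a real screen reader such as NVDA after each click.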

A look at the oracles

During my research I was curious whether disabled people could rely on any helpful articles in privacy laws.

GDPR Article 12; 1.
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Article 13 is about information to be provided where personal data are collected from the data subject.

I interpret these articles as follows: asking permission from a disabled person is like asking them to sign a contract.

In my opinion, “electronic means” includes things like using buttons, which can provide information about the state. For example, the button for permission to share information with partners is switched on.

Basically, a blind person must be able to understand the contract before signing.


CCPA Article 2. Also refers to ... 
For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.
(3) The notice at collection shall be made readily available where consumers

In this article there is a direct reference to accessibility standards.

Some confirmations

Now it is time to save the changed permissions.

Heuristic in action

Cate is not able to see small details. In a browser on a Windows computer, it is possible to use the Ctrl key and minus key at the same time to zoom out. I do this several times.

A solid green button is shown. This might be the Save button. I zoom in by pressing the Ctrl key and the plus key at the same time. Huh? I noticed that this is the “Accept all cookies” button.


Let me continue experiencing the website as Cate with her bad sight. I zoom out again using the Ctrl key and minus key several times in a row. Huh? There is no button to save the selected permissions.

I zoom in again using the Ctrl key and plus key several times in a row. Huh? A white button with a small green border appears. It is for “Save and exit”.


Brian with concentration problems has too much information to digest and presses a button. Huh? Did I give all permissions with the first button?

A look at the oracles

As oracles I use GDPR Article 12 1. and CCPA Article 2. These are described a few paragraphs above.

Disabled people must be able to fully understand what they are agreeing to.

Some dark patterns

In this blog post I described some situations which can have disadvantages for disabled people. It is tempting to give a permission to a website, just to see a webpage.

For me, a dark pattern is an intentional or unintentional way to convince users to make choices without providing clear information. In all cases a tester should have a good look or listen to the website.

Some things to test

A lot of companies tend to buy software for cookie banners. This is a reasonable thing to do, because there are a lot of privacy laws in place. Cookie banner software takes care of all those differences in the international and national laws.

For the people concerned, there are different rules for countries within the European Union regarding GDPR. It is hard to keep track of them.

If your company wants to buy this software, it is advised to test it on accessibility. Ask for a website using this software and watch out for “Huh?”.

It is like buying a car. If I did not pay enough attention to the tires, then I would have a serious driving problem. If the car is broken, then the owner is still responsible.

Thanks for coming to my TED talk.

Some legal resources

These sources can be used as oracles:

  1. Overview of references to GDPR law in different languages
    https://op.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en
  2. CCPA fact sheet
    https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf
  3. CCPA full legal text
    https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf
  4. A global overview of GDPR
    https://mindfultester.com/may-2018-testing

The Clokie Project

In December 2018 Katherina Clokie, a known speaker, announced that she would look more outside the tester community.

My reaction

Amazement, grief.

After a few months I realised that it was not a bad idea.

My change of heart

My wife has some really tough questions I have to answer. The biggest one is:
“What did you learn?”
Right after each test conference.

So I reduced my number of test conferences and number of hours at the conferences. There are still some really good conferences like TestBash, Agile Testing Days, and European Testing Conference with plenty of awesome few insights.

I attended a lot of other conferences and after a while I would be just happy to pick up something new.

There is more to gain at a conference if you only know the basics. With more than 20 years of experience it is way less.

It was time for my Clokie project.


Time for a small flashback to October and November 2018. I already had looked outside the Test Community.

Here are some notes from Infosecurity 2018:
In case of doubt treat data as personal data. Zip code and house number are personal data.

In the EU there are several government privacy organisations, but they have a different focus on privacy issues.

Steps in case of data breach:

  1. Secure proof
  2. Look in the logging
  3. Determine scope
  4. Communicate
  5. Remediate
  6. Learn

A change of behaviour can indicate an identity theft.

The way of accessing data in the cloud is the weakest link.

In GDPR, the European Privacy Law, a penalty is used to let the company feel the pain instead of putting a company out of business.

GDPR is not applicable for dead persons. But there can be other laws which are applicable for dead persons.

Meet the expos

How to attract people to an expo? Goodies, free access, and talks.

Some of my Healthcare and ICT notes in random order:
Anonymize pictures, determine objects of interest, and annotate them using smart software.

First step is vision and then involve stakeholders like care providers, health insurers, and suppliers.

Patient panel discovered that 60 % of the patients want a personal health environment.

Care providers like hospitals and doctors are stimulated. They get money on basis of results and not on actions taken.

Law of customer’s rights. E.g. A care provider should only get information which is needed for the care to be provided.

Misconfiguration is becoming the weakest point in defense.

Meet the meetups

010dev is a small meetup in Rotterdam. It has Dutch characteristics like gezellig (cosy) and Buy Own Drink. It is in a pub after all. Once in a while it is at a company.

During my meetups there are no lectures, but I still listened a lot. As a tester, was I able to follow the small talk and tech talk?

In a few hours a lot of subjects passed. Programming languages, projects, and new trends were discussed. Somehow I could understand bits and pieces.

Developers.nl had a more traditional format for the meetup: free drinks, free meals, and free lectures.

I went to two meetups. The first one was abstract. It was about architecture. What are good guiding principles to set up a complex environment?

The second meetup was about vue.js. This was a challenging one. I had only basic knowledge about JavaScript and HTML. So I read some ebooks about vue.js which are based on these languages.

This talk was more understandable for me. The speaker shared some tips about vue.js.

How to speed up the performance by loading the needed content in 2 stages? First the necessary stuff was loaded for the web page. The rest followed while the user had a first impression of the page.

Looking under the hood

My blog has been made with WordPress. One day I was blogging and a conference in Rotterdam was announced in the dashboard.

There were some particular benefits: 25 Euro for a ticket including lunch, an environment friendly environment, meeting other WordPress users, short traveling distance.

As a tester I had not had a chance to attend a talk about accessibility. I honestly don’t understand this.

This conference offered more talks about this subject than I could process. I skipped the last ones.

Another interesting subject was security headers. It is possible to make WordPress secure. I was thinking that a header only contained some information.

For the interested reader have a look at my conference digest mind map.

Finishing thoughts

Retro: did I learn more than previous years?
Yes.

But what did I pick up in those previous years?
Mostly subjects related to programming and law. Less about testing.

Just made me think.


On Twitter Trish Koo placed a thought-provoking tweet. In order to become better at software development you have to learn both testing and programming.

A Bit More Responsive

Years ago some websites looked terrible on my smartphone. They looked like websites viewed from 6 meters distance.

The first time I visited my blog with my smartphone, I was really anxious: “Does it look right?”

5 seconds later “What did I worry about?”

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a legal expert.

I am just a tester finding test ideas about accessibility. Thanks for joining in advance.

Some test responsiveness stories

My first tablet app to be tested was intended for an iPad. I had a Windows PC instead of the tablet. This was not right.

My solution was to install Safari and let it emulate an iPad. In other words: “I know you are a Windows machine. Now you function like an iPad.”
It sounds like a hypnosis act.
“What did I worry about?”

This workaround did not stop me from demanding an iPad. There is nothing like the real thing.

Responsive web design is basically about creating the best possible user experience in the assigned space on the screen.

This blog looks good on a mobile device and a laptop. The same features are shown only in a different order and in a different way, but it feels the same. Really responsive.

In the last years I learned CSS or Cascading Style Sheets. CSS determines how a website looks. It is even possible to change the locations of web elements.

If I look at this website in a browser on a laptop, I can make the window smaller by resizing the window. The effect is that elements of the web page are resized or relocated or not shown any more.

During a debriefing a developer showed me this resizing trick.
Resize and look for bad things like hidden buttons or partially shown texts.
It is a fast way for the first impression.

Can not install on my machine

All that resizing stuff is not an exact science and Safari … cannot simply be installed on a company laptop because of a company policy. So I did a bit of research. If you don’t mind.

Firefox has a special feature: Dev Tools. It can be accessed using the F12 key. In the upper right corner of this sub window there is a button with two rectangles, which look like a smartphone and a tablet.
A green ellipse marking a button with a smartphone and a tablet in the menu bar of Dev Tools!

This opens a lot of options to test smartphones and tablets.

It also supports the screen orientation like portrait and landscape.

Just look at this website on a mobile phone while holding it in portrait mode. Then change it to landscape. In portrait mode only the headers of my last blog posts are shown, in the landscape mode the last complete blog posts are shown. Courtesy of my website software.

Chrome and Edge also have Dev Tools which can be accessed using the F12 key. Both Dev Tools windows have an emulator tab for mobile devices.

Concerning responsiveness

One of the biggest search engines decided to give a higher ranking to mobile friendly websites. So support for small screens can give a positive boost to let a user find a website.

Most people have a PC or laptop with 1 screen. It is sometimes tedious to switch applications. So I tend to resize the applications to fit more of them on my screen. My preference is squeezed and usable.

Another thing for responsiveness is language. Some customers prefer to use a website or application in their own language. OK is translated to OK, but Cancel to Annuleren or Annullieren. So the button should be resized after translation.

Responsiveness is not only about reshuffling web page elements. It is also about resizing the web page elements in case of bigger fonts.

Suppose I have bad eyes, then I need to make fonts bigger so that I can actually read the text. Pressing the Ctrl key and the + key at the same time will enlarge the text in browsers and Windows applications.

Problem solved?
No, I am so sorry.

As a user I have to scroll a lot. It is like watching a picture which is split over three different screens. I have to change my seat to get the whole picture.

In 2024 this could have some legal consequences in Europe.
In Annex 1 of the European Accessibility Act “flexible magnification” is mandatory for specific commercial websites.

In case of American customers for an e-commerce website there is a law already in place at this very moment. The Americans with Disabilities Act (ADA) explicitly points to the WCAG or Web Content Accessibility Guidelines on page 196 of Americans with Disabilities Act Title III Regulations.

In WCAG, attention must also be paid to screen size and orientation.

One more chat

“How would you like your website?”
“Responsive please.”
“No problem.”
“Thank you, my dear.”
“You are welcome, grandma.”