Pixel Envy

Written by Nick Heer.

Archive for January 8th, 2020

Dark Patterns on Travel Websites

Chris Baraniuk, BBC:

Ophir Harpaz just wanted to get a good deal on a flight to London. She was on travel website OneTravel, scouring various options for her trip. As she browsed, she noticed a seemingly helpful prompt: “38 people are looking at this flight”. A nudge that implied the flight might soon get booked up, or perhaps that the price of a seat would rise as they became scarcer.

Except it wasn’t a true statement. As Harpaz looked at that number, “38 people”, she began to feel sceptical. Were 38 people really looking at that budget flight to London at the same exact moment?

Being a cyber-security researcher, she was familiar with web code so she decided to examine how OneTravel displayed its web pages. (Anyone can do this by using the “inspect” function on web browsers like Firefox and Chrome.) After a little bit of digging she made a startling discovery – the number wasn’t genuine. The OneTravel web page she was browsing was simply designed to claim that between 28 and 45 people were viewing a flight at any given moment. The exact figure was chosen at random.

I have some travel coming up, so I’ve spent a few weeks trying to get a good deal on a flight and a hotel room. I cannot imagine that any website is thirstier for you to act immediately than a travel booking website. I’d do everything I could to limit my accommodation choices to just those within my budget and in a specific location, but I’d still be offered sold-out five-star hotels nowhere near where I wanted to be — I suppose this was to encourage me to book something, anything, quickly.

Also, many of the biggest travel booking websites are owned by just a couple of companies: Bookings Holdings runs Booking.com, Priceline, Kayak, and Cheapflights; the Expedia Group owns Expedia, Hotels.com, Hotwire, Orbitz, Travelocity, and Trivago. Each group shares the same inventory, and they all use the same tactics. Users simultaneously get the impression that they’re shopping around and competing with other users, when neither is true.

Apple Recaps Its Year in Services


The App Store is the world’s safest and most vibrant app marketplace, with over half a billion people visiting each week. It remains the safest place for users to find software and provides developers of all sizes access to customers in 155 countries. Since the App Store launched in 2008, developers have earned over $155 billion, with a quarter of those earnings coming from the past year alone. As a measure of the excitement going into 2020, App Store customers spent a record $1.42 billion between Christmas Eve and New Year’s Eve, a 16 percent increase over last year, and $386 million on New Year’s Day 2020 alone, a 20 percent increase over last year and a new single-day record.

Big numbers. Investors sure seem pleased — the stock hit a new high.

Apple News draws over 100 million monthly active users in the US, UK, Australia and Canada and has revolutionized how users access news from all their favourite sources. Apple News+ offers an all-in-one subscription to hundreds of the world’s top magazines and major newspapers.

Apple does not disclose how many paying subscribers they have for Apple News Plus, nor for Arcade or Music. Perhaps it’s simply a matter of disclosure rules regarding the company’s upcoming quarterly earnings report. Of course, there’s another possibility.

Teen Vogue Publishes, Then Pulls, an Uncritical Interview With Facebook’s Election Security Team

Teen Vogue today ran an un-bylined article about Facebook’s election security efforts. Here’s the lede:

As the 2020 campaign gains speed, Facebook is taking measures to protect against foreign interference and stop the spread of misinformation. Social media is a fertile space for civic participation, and Facebook is at the forefront of encouraging civil discourse. But with the company’s huge platform comes huge responsibility.

Five women across Facebook and Instagram — Katie Harbath, Sarah Schiff, Monica Lee, Antonia Woodford, and Crystal Patterson — are key to ensuring the integrity of the 2020 election on Facebook. Behind the scenes, these women have helped overhaul the company’s approach to protecting elections, creating a new ad library to ensure transparency and partnering with over 55 third party fact-checking organizations. With just under a year until the election, Teen Vogue spoke with Facebook to learn more about what they’ve been up to.

This looks like a regular Teen Vogue article. On the homepage, it’s indistinguishable from older and newer pieces, aside from its lack of byline. For all intents and purposes, it is a Teen Vogue article — until you read it.

Ryan Broderick:

Publishing this sort of uncritical corporate propaganda is especially noxious on a website like Teen Vogue.

The website’s demographic doesn’t remember in a world without Facebook.

To frame this as a fun guide to election integrity is shameful.

Sophie Kleeman:

It is egregiously bad to omit a byline on pretty much any story, let alone a puff piece like this! What is happening!

No credit on these very PR-friendly photos, either. Curious!

It’s stranger than that: all of the photos in the article are screenshots, carrying file names like Screen Shot 2020-01-06 at 3.21.21 PM.png. Setting aside how unwise it is to present photographs as PNG files — they’re all well over 2 MB — the only time I’ve seen this technique used is to mask the source of the photograph, so no Exif data is retained from the camera or photographer. I’m not claiming that’s the reason Teen Vogue decided to screenshot these pictures instead of uploading the originals, but why wouldn’t they publish photographs as photographs?

Max Tani, about an hour after the article’s publication:

This piece was just updated with an editor’s note saying it’s “sponsored editorial content.”

Cecilia Kang, half an hour later:

Wait wait wait. The sponsored label is gone and I”m hearing from FB is it not sponsored content. WTF is happening?

About half an hour after that, the article or advertisement was pulled. If you’re curious, I’ve uploaded a copy to Dropbox.

If this was an example of native advertising, why wasn’t it initially and clearly identified as such? Why was it so easy to confuse it with an article? If it was just a regular article, why wasn’t it bylined? Why was it so easy too confused with an ad?

Update: Before it was deleted, Sheryl Sandberg shared this ad that’s definitely not an ad.

Update: Peter Kafka:

Newest in teenvoguegate: Facebook sponcon *was* supposed to be sponcon: “We had a paid partnership with Teen Vogue related to their women’s summit, which included sponsored content. Our team understood this story was purely editorial, but there was a misunderstanding.” – FB spox

How to parse that, per source: FB piece was supposed to be sponcon, tied to Facebook sponsorship of a Teen Vogue event last fall. Then, supposedly, FB decides they don’t want/need the sponcon after all.

But! Sponcon was created anyway, and was floating around the Teen Vogue CMS, and then…

And then it was published, tweeted about by Facebook, shared by Sandberg on Facebook, and was somehow labelled with a contributor’s name who has since stressed that she did not write the piece.

Condé Nast, which publishes Teen Vogue, began using their editorial staff to write stuff like this about five years ago, rather than leaving it up to their ad teams. This seems like a predictable consequence.

Why Not Both? Or: Privacy Laws Won’t Fix Everything and That’s Okay

There’s a silly dismissal of privacy laws that goes something like this: because these laws require that data processors get opt-in consent from users, they empower Facebook and Google, which means these laws are failures on a grand scale. I thought this argument was absurd when it first appeared last year in relation to Europe’s GDPR, but California’s new CCPA has made it ripe and juicy again.

Mike Masnick of Techdirt covered a story by Nick Kostov and Sam Schechner of the Wall Street Journal last year:

We warned folks that these big attempts to “regulate” the internet as a way to “punish” Google and Facebook would only help those companies. Last fall, about six months into the GDPR, we noted that there appeared to be one big winner from the law: Google. And now, the Wall Street Journal notes that it’s increasingly looking like Facebook and Google have grown thanks to the GDPR, while the competition has been wiped out.

“GDPR has tended to hand power to the big platforms because they have the ability to collect and process the data,” says Mark Read, CEO of advertising giant WPP PLC. It has “entrenched the interests of the incumbent, and made it harder for smaller ad-tech companies, who ironically tend to be European.”

So, great work, EU. In your hatred for the big US internet companies, you handed them the market, while destroying the local European companies.

Antonio García Martínez:

The result is that not only is there a privacy/convenience tradeoff that users must navigate, there’s a privacy/competition one that regulators must navigate as well.

You want users to have transparent, wide-ranging choice in how their data is used, with companies they know?

Then you’ve got to limit data use to first-party companies with a big public brand and lots of public scrutiny, rather than a complex ecosystem of many data producers and vendors.

There is absolutely nothing wrong with making it harder for any company — large or small, American or European — from abusing users’ privacy. Besides, it isn’t as though most big websites carry only one tracker. The fewer companies that are able to build highly personalized profiles, the better.

More relevant, though, is that you probably can’t name many of these smaller ad tech companies, but you can name the three biggest ones: Google, Facebook, and Amazon. That’s probably because you have a profile with at least one of them, if not all three, so of course it’s easier for them to get consent from you. If you have a user account, they already have your consent.

I doubt that compliance costs — in the sense of documentation or technical support — is what is preventing smaller firms from competing with the big three. It’s the first-party relationship that these companies have with their users. Remember: Google is not a software and services company, it is an advertising company with several interactive and useful features. Facebook is not a family of social networks and chat apps, but a personalized advertising company that entices you to give them as much data as you can. Amazon — well, they’re everything, but they’re also a big fan of advertising to you Amazon listings for the things you just bought off Amazon.

Complying with GDPR really is much harder for a company nobody has ever heard of that asks permission to keep a copy of your name, phone number, email address, and anything else you submit to an unrelated service. But why shouldn’t it be?

These privacy laws are not perfect, yet they’ve had an immediate impact. In the year-and-a-half since GDPR has been in effect, hundreds of millions of Euros worth of fines have been issued. Plenty of companies have had to tighten their privacy and security measures as a result. But, yes, Google, Facebook, and Amazon have become stronger as a result of their ease of compliance.

And that’s probably why the E.U. also has antitrust concerns about all three of these companies. There are currently open investigations into Amazon and Facebook. Google was fined a billion-and-a-half Euros for abusing its dominance in online advertising, which is particularly important since they have controlled the most widely-used ad exchanges even before GDPR went into effect.

GDPR and CCPA are largely good — if imperfect — first steps towards regulating the unhinged worlds of advertising technology firms and data brokerages. We should encourage our public representatives to set broad expectations about how our data may be collected and used. We also ought to fight for more people-friendly interpretations of antitrust law. It isn’t a failure that privacy laws fail to address antitrust concerns any more than it is a failure that restaurant sanitation requirements don’t rein in corn subsidies.

It’s possible to do both, and it isn’t indicative of poor policy that we should do both. Well, it isn’t indicative of poor privacy regulations, anyhow; it absolutely does point to missed opportunities for decades. Now is as good a time as any to fix those shortcomings.