Ban the use of ‘dark patterns’ by tech companies, say US lawmakers

By Danny Bradbury

Lawmakers are getting wise to online companies’ manipulative user interface design practices. Congressional leaders in the US unveiled a new law this week to ban the use of ‘dark patterns’ by large online players.

What are these dark patterns? Senator Mark Warner, one of the Act’s sponsors, describes them as design choices based on psychological research. They are…

…frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.

Warner’s Deceptive Experiences To Online Users Reduction (DETOUR) Act makes it illegal for online companies with over 100 million users to design interfaces that aim at:

Obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data.

What kinds of techniques are we talking about, and what decisions do they coerce users into making?

The website darkpatterns.org, created by user experience consultant Harry Brignull, calls out several kinds of manipulative user interface behaviors with some delightful names.

These include confirmshaming. This guilts the user into opting into something. You’ll have seen this on some passive-aggressive websites that try to make you sign up for mailing lists. Instead of just offering a ‘No’ option, they’ll say something like “no, I don’t want to stay abreast of current industry trends”.

Other examples include Privacy Zuckering, which trick users into publicly sharing more information about themselves than they wanted to. Guess who it’s named after?

Read more at https://nakedsecurity.sophos.com/2019/04/11/us-law-would-make-dark-patterns-illegal/

App could have let attackers locate and take control of users’ cars

By Danny Bradbury

A smartphone app used to control vehicles across North America left them wide open to attackers, it was revealed on Monday. The MyCar application, from Canada-based AutoMobility Distribution, allowed anyone that knew about the vulnerability to control, monitor, and access vehicles from an unauthorized device, experts said.

MyCar is an app available on both iOS and Android devices that serves the aftermarket telematics market. Users can install connected devices into their cars, turning them into IoT devices that they can control via a cellular connection. According to its website, the MyCar app lets users control their cars remotely from anywhere by communicating with one of these devices via AutoMobility Distribution’s servers.

Users can remotely start their car, lock and unlock vehicles, or locate them. Other features include getting the temperature and vehicle battery levels, and sharing your vehicle with other users or even transferring it to a new owner.

The company sells the app under a service plan. Users get the smartphone app, the hardware device to install in their car, and service for a set period of one or three years.

It all sounds very convenient, especially when you want a nice warm car waiting for you on those cold winter mornings. Unfortunately, according to a vulnerability note issued by Carnegie Mellon University’s Software Engineering Institute, the app also enabled attackers to take control of your car.

Read more at https://nakedsecurity.sophos.com/2019/04/11/mobile-app-gave-attackers-access-to-users-cars/

Toddler locks father out of iPad for 25.5 MILLION minutes, or until 2067

By John E Dunn

Last week a father thought he’d been permanently locked out of his Apple iPad after his young son repeatedly entered an incorrect passcode.

‘Permanently’ in this context means 25.5 million minutes (or 25,536,442), equivalent to over 48 years. That’s the wait time that confronted journalist Evan Osnos last week when he looked at the iPad screen after recovering it from the youngster’s grasp.

Naturally, he turned in his hour of need to the world’s biggest tech support system, Twitter.

But how does such a thing happen? The short answer is not easily.

A lot of stories mention that Osnos’s son entered an incorrect passcode 10 times without mentioning how hard that is to do this in a short space of time.

It’s common knowledge that if you get the code wrong five times, the user is locked out for one minute – that could have happened in seconds.

Read more at https://nakedsecurity.sophos.com/2019/04/11/toddler-locks-father-out-of-ipad-for-25-5-million-minutes-or-until-2067/