Your Smart Devices Are Trying to Manipulate You With ‘Deceptive Design’

Tricky interfaces in smart speakers, internet TVs, and other devices can nudge users into giving up privacy, security, and even their money

By Kaveh Waddell

April 17, 2023

Dominating IoT products and a cell phone showing an example of dark patterns.

If you’re looking for a free movie or show on an Amazon Fire TV, you might have to navigate an obstacle course.

A good chunk of the platform’s home screen is devoted to content that’s available only if you pay $139 a year for a Prime subscription. Even though it only takes a second or two to scroll past the rows of subscriber-only options, their top-shelf placement turns every movie search into a subtle nudge to sign up for a Prime account.

Experts call designs like these “deceptive design” because they can push users toward decisions they might not otherwise make, such as signing up for an expensive subscription.

At first glance, many examples of deceptive design seem like mere annoyances. One common trick, for example, is to display a preselected check box that subscribes you to marketing email unless you untick it. Worst case outcome: more spam email.

But under the mildly irritating surface, there’s potential for real harm. Nudges toward pricey subscriptions or away from options to keep your data private help companies make money at your expense.

Researchers have studied deceptive design in websites and apps for years. But until now, internet-connected devices like smart speakers, connected TVs, and video doorbells haven’t had the same close scrutiny.

They’ve been overlooked in part because these “Internet of Things” (IoT) devices are much harder to test than a bunch of websites or apps. You have to probe each one individually and with different tools. One might require a TV remote, another a companion app, and a third just your voice. But despite their limited interfaces, manipulative design turns up consistently in IoT devices, according to a new study.

When researchers at Northeastern University and Boston University examined 57 IoT devices in a variety of categories, they found that every single one contained at least three examples of deceptive design—and that the average device had more than 20.

The permanent rows of Prime content on the Fire TV home screen are an example of “nagging self-promotional content,” according to the researchers—an advertisement for a paid product that you can never hide. It was one of 60 types of deceptive design they identified. (Consumer Reports funded part of the research.)

Older people and younger children might be particularly susceptible to tricky design. But a seasoned gadget head might fall prey, too, if they’re more excited by a new tech purchase than they’re wary of it, says Johanna Gunawan, one of the study’s lead authors and a doctoral student at Northeastern.

Experts say it’s worth being extra aware of the way smart devices quietly nudge your behavior. Internet-connected speakers and cameras often record audio and video in or around your home, so a push toward an invasive data-gathering feature could be particularly harmful. Plus, the simple controls on many devices mean that users have less access to important settings like privacy options. For example, you might have to go exploring deep in a companion app to a video doorbell to find a setting that would be easily accessible on a website.

“IoT dark patterns are harder for consumers to evade because IoT devices have limited user interfaces,” says Arvind Narayanan, a computer science professor at Princeton University who studies deceptive design but wasn’t involved in this research. “They are also harder for researchers to study because most IoT devices can’t be studied using the automated browsing tools that are used for web-based dark patterns. That’s what makes studies like this all the more important.”

To test the varied group of connected devices, Gunawan and co-lead author Monica Kowalczyk videoed themselves as they poked through every single available navigation option and settings page for each device. Then they reviewed the many hours of footage they captured, cataloging deceptive design as they went.

Cameras, doorbells, and speakers had the greatest concentration of deceptive design, they found. Health devices (like a connected scale), home-automation devices (like a smart thermostat or lightbulb), and smart hubs (which connect smart devices to one another) had the least. In general, they determined that complicated devices with more features are more likely to have deceptive design than simpler ones.

The most common types of deceptive design were so-called visual preference patterns, where one option (“accept cookies”) is highlighted and another (“reject cookies”) is diminished. On average, each device had six of these.

Also frequently seen were opaque permissions options, like unexplained pop-ups asking for location access; clunky or missing user settings, some of which require users to open a website to make a change; and obstacles to deleting your data or account.

Of the devices studied, the Amazon Fire TV was one of the worst offenders, racking up a total of 79 examples of deceptive design of 25 different types. It was edged out only by an Amazon Ring video doorbell, which had 90 examples of deceptive design of 19 different types.

New Rules to Curb Deceptive Design

When dark-pattern prompts are stacked on top of each other, the pull on consumers can be even stronger than when they appear individually, according to the Federal Trade Commission and the UK’s Competition and Markets Authority.

The stacking effect was on display in a 2021 study in which researchers at the University of Chicago made up an identity protection service and offered it to three groups of online survey takers. The three cohorts were solicited using no deceptive design, mildly deceptive design, and aggressively deceptive design. They found that compared with the no-dark-pattern group, the mild nudging doubled signup rates and the additional aggressive pushes quadrupled them.

“One nag in isolation is easy to ignore,” Gunawan says. “But it’s simple math to see how a constant barrage of nudges adds up to consumers’ disadvantage.”

Lawmakers and regulators are paying increasing attention to deceptive design, but they’re still playing catch-up. A bipartisan bill barring big tech companies from manipulating users through user interface design tricks died in a previous session of Congress and hasn’t been reintroduced. The Federal Trade Commission has taken action against several companies for misleading design, including Vonage and Fortnite.

The FTC is currently investigating Amazon for allegedly making it too cumbersome to unsubscribe from Prime. Just last month, the agency proposed new rules that would require companies to make it just as easy to unsubscribe as it is to subscribe. “The proposal would save consumers time and money, and businesses that continued to use subscription tricks and traps would be subject to stiff penalties,” Lina Khan, chair of the FTC, said in a statement announcing the proposed rule.

Some states are moving ahead of the federal government. Draft regulations for a new California privacy law would ban companies from using manipulative design to get consent to use or sell user data. Similar rules in Colorado and Connecticut would also outlaw deceptive design that tricks users into giving up their privacy.

What to Look Out For

While the government chases deceiving design, there are a few things consumers can do to protect themselves. “Head to the settings options provided as soon as you’ve set up a device and configure them to fit your privacy and marketing sensitivities,” Gunawan says. How to get to the settings will differ on every device, but if there’s a companion app or website, you might find them with your account details. Pay particular attention to settings that have to do with your privacy and data security.

If you have the time when you’re shopping for a new IoT device, consider how different devices will use your data. To make that job easier, Consumer Reports is working to develop an information box modeled on nutrition labels for IoT devices that can help shoppers make comparisons much more easily.

You might also step back to consider whether the device you’re shopping for needs to be connected to the internet in the first place. A smart speaker won’t work without a wireless connection, but a fridge or a bathroom scale will—and the “dumb” versions won’t try to trick you.

Kaveh Waddell

Kaveh Waddell is an investigative reporter who worked at Consumer Reports from 2020 to 2023, focusing on digital rights and environmental justice. Before that, he reported on emerging technology at Axios and covered digital privacy and surveillance at The Atlantic. Follow Kaveh on X.