Dark Patterns in People Search Engines

/ cyber security, privacy / By

Almost a year ago we wrote about dark patterns which coincidentally talked about people search engines. You can read about it here.

Well, we’re doing again.

To start, let’s define what dark patterns are.

What are dark patterns?

According to the FTC’s 2022 report “Bringing Dark Patterns to Light” the term dark patterns was coined in 2010 by design specialist Harry Brignull. [Source: FTC, Bringing Dark Patterns to Light. Pg 2. September 2022. Last accessed March 31, 2025]

Dark patterns are “design practices that trick or manipulate users into making choices they
would not otherwise have made and that may cause harm.” [Source: FTC, Bringing Dark Patterns to Light. Pg 2. September 2022. Last accessed March 31, 2025]

In the Federal Trade Commission’s report, they lay out some of the common dark patterns consumers encounter.

Common dark patterns

Example fitness site with a fake countdown time created by the Federal Trade Commission to illustrate a dark pattern
Source: FTC’s report “Bringing Dark Patterns to Light” page 29. Fake countdown timer.
  • Design elements inducing false beliefs: Ads designed to look like news articles. Comparison sites where third parties are paying to be promoted, but to the consumer it looks like things are presented as being neutral.
  • Design elements hiding, or delaying, disclosure of material information: Hiding fees buried deep in a long Terms of Service.
  • Design elements leading to unauthorized charges: Signing up for a free trial, but the consumer is charged for the subscription because they didn’t realize they had to cancel by the time the trial period expired. There’s also designs implemented to make canceling of services difficult, such as having to navigate multiple screens before being able to cancel a subscription.
  • Design elements that obscure or subvert privacy: Some examples include confusing toggle settings and default settings that are meant to increase data sharing. Also burying privacy options on the site, making it difficult for consumers to find, is another tactic.

Again, all of the above comes from the FTC’s Bringing Dark Patterns to Light report pages 4-19.

We also recommend checking out the appendices of the report to see what other dark patterns they uncovered.

Some of the ones we found interesting were:

  • False countdown timers
  • Trick questions whose choice gets you to do the opposite of what you intended.
  • False activity, such as lying about how many people bought a good or service.

Having some insight to what tricks are used, let’s talk about how dark patterns affect consumers and businesses.

Dark patterns effects on consumers and businesses

A woman in a blue shirt with her arms crossed. She has an annoyed, frustrated, angry expression on her face. This is to symbolize what dark patterns do to people.On the consumer side, dark patterns can cause people to spend more than they intended to. They also waste time when a consumer has to go through multiple steps to close out an account, or remove data. They can also trick consumers into giving up more data than they intended to share which then allows the company to launch targeted advertising campaigns. Dark patterns also makes it difficult for consumer to opt out of data sharing.

In short dark patterns decrease trust in companies that engage in manipulative behavior.

On the business side of things, if you’re deploying dark patterns you’ll harm your reputation. There’s also the legal fallout as consumers can report you to the FTC and, depending on the state or country someone resides in, there are data privacy laws that can impose fines for violations.

If dark patterns are used to collect more information than give consumers the option to limit their data being collected, you are a prime target for a cyber incident. You’ll be responsible for protecting more data.

Data breaches are costly, which we’ve written about in this article. To sum it up, you have the costs associated with the breach, the reputational costs, and the legal costs that negatively impact your organization.

If you want to build a good strong reputation for your business, operate ethically and legally. Comply with data privacy laws to protect the data of your stakeholders.

Having an understanding about dark patterns, the next portion of this article talks about people search engines.

What are people search engines

People search engines allow you to search for information about a person.

The information you can typically find about a person on these types of sites varies. They include:

  • Name
  • Date of birth
  • Current/previous physical addresses
  • Email addresses
  • Phone numbers
  • People associated with the subject of interest.

Some of these sites may provide more information and they aren’t always 100% accurate.

The privacy issues are glaring and in the wrong hands can turn deadly.

Where do people search engines get their information?

People search engines get their data from:

  • Public records: Court records, property records, publicly available social media information, business records.
  • Data brokers: If you read privacy policies from people search engine sites they may use language like “data suppliers,” “third parties,” “marketing surveys,” “third party survey companies,” “marketing and contracting partners,” and “aggregators of data.”

Knowing what people search engines are, it’s time to shift and talk about dark patterns in people search engines.

Dark patterns in people search engines

What we linked at the beginning of this post was an article we wrote about a year ago detailing alleged dark patterns we observed with a people search engine.

Here are the alleged dark patterns observed when helping a client remove/suppress their data in what we wrote about last year:

  • Multiple screens (between 6-8) to progress through to get our client’s data suppressed.
  • Fake progress bar.
  • The “Next” button changed to a different button in the middle of the process.
  • Each window you had to go through had a 10 second countdown timer. You had to wait until the timer hit zero before you could advance to the next page.

We’ve also observed information removal hyperlinks on these types of sites buried deep in dense Terms of Services that hat one word containing the hyperlink, which anyone can easily miss.

Here is the process we experienced most recently when helping another client have their information suppressed:

  • First you have to find the link on the main landing page to get access to the company’s suppression tools.
  • You’re redirected to the parent company’s site to the page that starts the process.
  • You’re then asked to provide an email address.
  • You’re then emailed a verification code. It took the code roughly 5 minutes to arrive in our email inbox. We believe this is intentional, especially when coupled with the steps that follow.
  • Once you receive the verification code, you enter it into a text box so that the company can verify you.
  • Next you’re brought to a screen to enter your Date of Birth.
  • Next you’re brought to a screen to enter your legal name.
  • Then you’re brought to a screen that shows you information about yourself (physical addresses, phone numbers, email addresses) If you’re presented with multiple options, choose the one that’s the most accurate.
  • Click on the radio button for the information that is relevant to you.
  • In the next window, you’re asked to select one of the forms of contact associated with you to send a verification code to. Make sure that whatever you select to have the verification code sent that you’re able to access it.
  • The form of contact the site presents to you might have the same email address that you used to get the first verification code, or it might not be. If it isn’t, then you have to log into that inbox to receive the second verification code.
  • Once you have the second verification code, you enter it in the verification box that appears on your screen.
  • Finally you’re at the last step where you can choose to keep your information on the site displayed as is or to suppress it.
  • Choose the suppression option.

With all of these steps, we allege that from the start, everything is designed to get someone to give up partway through the process of suppressing their information.

The dark patterns that we allege exist are:

  • An intentional delay in receiving the first verification code. Someone going through this process might think they never received the verification code. This delay also adds to an unnecessarily time consuming process.
  • A lengthy verification/removal process that would reasonably cause someone to give up partway through the process. This is done by going through multiple screens to enter information and having multiple verification processes.
  • Requiring a second verification code, especially if it has to be sent to another email inbox of yours. This means you having to spend time logging in to the second email account. There’s also the problem of only being presented contact information to email addresses and phone numbers that you no longer have access to, have abandoned/don’t know login the information for, or where the password reset will go to should you need to change the password. This situation would prevent you from completing the final step.

We truly believe this process should at most be no more than two clicks without any delay cased by the people search engine.

What can you do as a consumer?

Go through the process and meticulously document everything:A set of stairs with two railings. Between the two railings is the phrase "STEP BY STEP"

  • Steps taken.
  • Screenshots of each step on the page.
  • How many screens you had to go through.
  • How long it took you.
  • What the links were that you navigated to.

Then once you have all your documentation go to the Federal Trade Commission’s Report Fraud page, https://reportfraud.ftc.gov/, assistant and go through their process to share your experience.

And after that, if you live in a state in the U.S. that has it’s own data privacy law that forbids the use of dark patterns, report your findings to your Attorney General.

What you can do as a business

When you’re building an application, be transparent about the process. Make important links easy and quick to find.

Don’t make consumers waste their time. A process someone has to go through should be as minimal as possible.

With things like email marketing, since the Google and Yahoo rules have gone into effect, one thing you must provide is the ability of a person to unsubscribe from receiving your emails with one click .

How we help

Personal Services
On the personal side of things, our data breach reporting service will look for other information your contact information is tied to, such as people search engine sites. Where possible we will see if we can remove or have that data suppressed, but we can’t guarantee success.

We can also create a custom project solely looking at people search engines to see what we can remove you from, or at least have your information suppressed. A conversation with you is the first step so you’re aware of limitations.

Business Services
For businesses, as part of our External Cyber Risk/Threat Assessments we can also tailor this service to include reviewing processes a consumer experiences.

Your next steps

Reach out in the contact form below to schedule time to for a free strategy call.

Contact Us | Bsquared Intel

Please fill out the form below, or call 203.828.0012, to learn how Bsquared Intel can assist you.

Name(Required)