20 Years of Websites Evolution: Part 8 – Legal & Ethical Consideration

This is part 8 in the series: 20 Years of Websites Evolution.
Previous part: Part 7 – Marketing.

Over the past 20 years, sites usage has become mainstream and many people were starting to depend on them for their daily activities. As more people were starting to use them, they had a real effect on people life. And this is when sites started to develop some darker practices. From email spam to users privacy violation and even using psychology in order to trick people into doing things they wouldn’t normally do, companies began abusing their powers and the trust of their users.

This is when it was apparent that some kind of regulation had to be made, and that regulation and how it affected site design is the topic of this chapter.

Legal

Accessibility

After all of that time and effort, we put into our site, we don’t want to deny people with disabilities from using it. This is why all modern websites must be accessible as possible in order for everyone to be able to use them. Most modern countries have rules or guidelines which details how to achieve it, and specialized companies perform accessibility audits in order to make sure it’s up to standard. Creating an accessible site is not easy and require deep understating of how people with disabilities use the site, and require adhering to the following guidelines:

  • Provide equivalent alternatives to auditory and visual content
  • Don’t rely on color alone
  • Use markup and style sheets, and do so properly
  • Clarify natural language usage
  • Create tables that transform gracefully
  • Ensure that pages featuring new technologies transform gracefully
  • Ensure user control of time-sensitive content changes
  • Ensure direct accessibility of embedded user interfaces
  • Design for device independence
  • Use W3C technologies and guidelines
  • Provide context and orientation information
  • Provide clear navigation mechanisms
  • Ensure that documents are clear and simple

Making an accessible site requires participation from all aspects of the sites:

  • the website itself – natural information (text, images, and sound) and the markup code that defines its structure and presentation
  • user agents, such as web browsers and media players
  • assistive technologies, such as screen readers and input devices used in place of the conventional keyboard and mouse
  • users’ knowledge and experience using the web
  • developers
  • authoring tools
  • evaluation tools
  • a defined web accessibility standard, or a policy for your organization (against which to evaluate the accessibility)

You can read more about web accessibility here, here and here.

Privacy, Compliance & Standards

Users Data privacy:

Users trust us with their data and we need to make sure we don’t violate that trust. The challenge of data privacy is to utilize data while protecting individual’s privacy preferences and their personally identifiable information. This is called Information Privacy and it includes:

  • Data-in-use encryption: prevent your friends/enemies/government spying on what you do on the web by using secured communication protocols. This includes using secured WiFi connection (like WPA2, although 2017 research shows it may be less secure than we initially thought) and secured web browsing by using HTTPS (TLS1.2 is mandatory now days). HTTPS is also important for public information sites like a wiki (for example when visiting LGBT articles especially in countries where it is not allowed).

  • Data-at-rest encryption: Preventing data retrieval from external or internal compromised(hacked) data storage, by using hashing algorithms, AES or RSA Cryptography.

  • Sharing & storing user data: is it OK to share user data with third parties without consent, for monitoring, logging or monetization purposes.
    The first law to address these issue was International Safe Harbor Privacy Principles that tried to limit user data location and access (of course Patriot Act was created to override that law). In the health industry, there is regulation like HIPAA and HITECH. There is a Financial Privacy Act that gives the customers of financial institutions the right to some level of privacy from government searches, and PCI standard is used when storing credit-card information. The FTC has a general standard called FIPPs which its principles are:
    Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, Enforcement/Redress.
    A similar regulation is going on in the EU – GDPR which also adds users right to download all of their information (The right to data portability).

  • User tracking: whether third parties can continue to track the websites that someone has visited. There is an official EU Cookie law that requires websites to get consent from visitors in order to store or retrieve any information on their computer, smartphone or tablet.

  • Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from users data sets, an effort to make the people whom the data describe remain anonymous.

Since the laws and regulations related to Privacy and Data Protection are constantly changing, it is important to keep informed of any changes in the law and to continually reassess compliance with data privacy and security regulations.

Employee Data privacy

Companies usually store personal employee data in their HR systems for billing purpose, which sometimes may include medical data (for insurance purposes). In the 2014 Sony hack, employee social security numbers, medical records, and other sensitive personal information were stolen as part of the hack. This is why even internal sites need to be secured and protect their employee data.

The problem is that protecting companies network usually requires Middlebox that decrypt HTTPS communication which means employee privacy is compromised when they check their Gmail & Facebook accounts or do online banking. Finding the right balance between security and privacy requires walking a very fine line.

Content Rights

Rules regarding the content in your site can be quite complicated. Here are some things to consider.

Other sites content

Before using any type of content from other sites (be it images, text or videos), it is important to make sure you are not violating any copyrights the other site has on the content, otherwise you will be hit with DMCA (in the USA) or EU Copyright Directive strike and may have to pay a fine.
In order to make sure it’s OK to use external content or media you will need to either a) pay Royalty or Royalty-free fee or b) only use Creative Commons licensed content like CC BY-SA.
In both ways, you will usually need to add attribution to the original author.

Your content

In many cases, your published content is automatically (even without registration or attaching the (C) notice) subject to Copyright law which means no one can use it without your permission (except for Fair Use purpose).
If you do want to allow sharing (or even modifying & selling) your content you need to explicitly say so on your site by using Creative Commons notice. The same is true for software by using Free software license like GNU.

Users content

90% of the world data has been generated over the past two years alone – most of it comes from the site users (and not the site publisher):


domo- data never sleeps

This brings up interesting questions like who owns the data? what rights does he have?
In the last couple of years there has been some cases and regulation which address those questions, and may be relevant when designing a site:

Spam

In many countries there are laws that try to prevent email spam, for example asking for user consent or allowing them to unsubscribe. The rules very a bit between countries but the principals are usually the same:

  1. Ensure you have permission to email the people on your list (implied permission/direct permission)
  2. Don’t use misleading header information
  3. Identify your email as an advertisement
  4. Include your address
  5. Include a way to opt-out of receiving future emails from you
  6. Honor opt-out requests promptly

Email servers automatically try to fight fake/spam/phishing emails by DNS-based blacklist and DNS checks (SPF), which requires to Whitelabel your domain.

Dark Patterns

Sometime business requirements may be considered “Dark Patterns“, which means the requirement itself may not be ethical. In many cases, those dark patterns are used to bypass spam laws (see above) or make people subscribe/pay for something they didn’t ask for. Dark patterns use psychology techniques like Decision fatigue in order to trick people into agreeing to something they did not ask for. Common examples of dark patterns include:

  • The Tyranny of the Default › abusing opt-in vs opt-out, for example pre-checking the desired outcome in order to take away the need for the user to decide whats good for him, like allowing to sell their data to 3rd party companies.
  • Hidden Costs › You get to the last step of the checkout process, only to discover some unexpected charges have appeared, e.g. delivery charges, tax, etc.
  • Sneak into Basket › You attempt to purchase something, but somewhere in the purchasing journey the site sneaks an additional item into your basket, often through the use of intentional misleading opt-out radio button or checkbox on a prior page.
  • Bait and Switch › You set out to do one thing, but a different, undesirable thing happens instead.
  • Misdirection › The design purposefully focuses your attention on one thing in order to distract your attention from another.
  • Trick Questions › You respond to a question, which, when glanced upon quickly appears to ask one thing, but if read carefully, asks another thing entirely.
  • Disguised Ads › Adverts that are disguised as other kinds of content or navigation, in order to get you to click on them.
  • Forced Continuity › When your free trial with a service comes to an end and your credit card silently starts getting charged without any warning. In some cases, this is made even worse by making it difficult to cancel the membership.
  • Friend Spam › The product asks for your email or social media permissions under the pretense it will be used for a desirable outcome (e.g. finding friends), but then spams all your contacts in a message that claims to be from you.
  • Roach Motel › The design makes it very easy for you to get into a certain situation, but then makes it hard for you to get out of it (e.g. a subscription).
  • Privacy Zuckering › You are tricked into publicly sharing more information about yourself than you really intended to. Named after Facebook CEO Mark Zuckerberg.

You can see some dark patterns examples here:

When working on site requirements it is important to avoid those so-called dark patterns. EU has already rules against some of them and more countries are sure to follow.

Social Concerns

There are many cases site features are not being used for their intended purposes, or an early design decision has unforeseen social consequences. They usually fall into the following categories:

 

Conclusion

Most new industries & practices repeat the same maturity pattern: in the early years, they operate with little or no supervision, and as they mature and adaption rate increases, consequences of failures or abuse are begging to hurt real people. This is when the government steps in, and start to regulate the new business.

We can see examples of this pattern in many places, for example, medical practices, automobile industries and insurance and investment business – when they started they had no rules or regulation but when real people lost their money, health or even life it forces the government to step in and start to regulate them.

In the last 20 years, the Cyber Industry was allowed to self-regulate and suffered very little consequences when users privacy was breached or when psychology attacks were used against their own users. But this age is starting to end now, and the faster it happens the better. It is the only way to create a sustainable digital reality where it’s citizens feel safe.

Diving Deeper

If you want to find out more about the topics discussed in the User Interactivity chapter, I’ve created the following table where each topic is broken down to the requirements developers need to know in order to be able to fulfill it.

In the next chapter, we will learn about Security consideration when designing a site.

Next part: Part 9 – Security

What do you think?