Deceptive Design

While not as bad as being phished, certain programs and websites are deliberately misleading. I would like to show you two examples that have caught me: Norton and myYearbook.


When I got my laptop, it came bundled with Norton Internet Security. Anyone familiar with either Norton or McAfee knows that they make the most annoying, intrusive products known to man (outside of actual malware). Well, I figured since it was free I’d give it a try, as I hadn’t used a Symantec product in a few years. Well, they’re tricky bastards. When it comes time to ‘register’ you are presented with the following screen. Everything is fine until you get to the ‘country’ box.

Interestingly, everything is just fine for ANY country except the United States. Here’s an example of selecting the UK; everything looks as it should, yes?

As soon as you select ‘United States,’ the program quietly rechecks the ‘spam me’ check boxes. Since they’re on the left half of the form, you probably won’t notice, and you’ll look straight down to the ‘Next’ button without realizing that you’ve ‘selected’ to receive their email.

Funnily enough, after going back and forth and consciously noting this ‘feature,’ I forgot to uncheck it the last time through. It’s an evil use of well-known UI design concepts, tricking you even if you’ve noticed it!


I’d received an email to try out this site. I like to make profiles on every website ever, so I decided to give it a try. My advice: don’t. It’s worse than MySpace, which is saying something. Don’t even touch it.

So my particular problem here is the ‘friend finder,’ which caused me to spam all of my Gmail contacts. Please disregard these emails. I am so sorry I got caught by this!

So you start out with a perfectly normal form:

It checks your contacts and tells you there are two matching ones. Your instinct is to click the button above to add these. But wait!

If you scroll down, you’ll note that they’ve also included all of your other contacts and will spam them with deceptive emails encouraging them to join this stupid site if you click that button.

Emails, last names redacted

What I actually did was click the button, immediately realize what they had probably done (an oh-shit moment), hit the stop button like five times, and then set my Twitter/Facebook/IM status to inform my friends to disregard the message. And yes, I changed my password. Do you have any examples of deceptive design such as these? Were you caught by it?

Andrew Guyton



Um, pretty much every Facebook “App” that isn’t written by some sort of reputable company or Facebook itself. 😛


What you’ve encountered is essentially a case of the third party password anti-pattern along with the spam your contacts anti-pattern.

Basically, don’t ever use that spammy “import your friends from your gmail” crap. It’s a very dangerous habit to get into.
