84 comments

[ 1.7 ms ] story [ 193 ms ] thread
I'm pretty sure that Duolingo one is photoshopped. The mascot's name is "Duo", not "Language Bird." (The image, however, is what you get if you get too many words wrong: https://pbs.twimg.com/media/Bc9NiTxCUAA1Qek.png)
That was the only one up there that I thought was reasonably humorous and good natured.
Yeah, that doesn't belong there.

If I understand it right, the emails are trying to convince you to practice... as one needs to, when learning a language. That's like the only acceptable reason to annoy/spam people, "COME ON JOHNNNN, WHEN YOU GONNA PRACTICE YOUR SPANISH LIKE YOU SAID YOU WERE GONNA"

A couple weeks ago I got a "please come back"-type email from Duolingo with an identical image, but a more mundane message. Subject of the email is "We miss you!"

https://imgur.com/FOJubnI

Reminds me of mobile apps that periodically ask if I like the application. If I say yes, then they inevitably ask for a review on the app store.
I downloaded the FoxNews app to watch a presidential debate (must have been about a year ago) and I was shocked to see them doing that. The question was something like "Do you love this app?," the 'yes' button linked directly to an app store review prompt and the 'No' button just closed the prompt. I would have assumed that pre-screening reviews like that would be against the app store rules.

Also the app didn't work and I had to find a stream of it online.

There's no winning with some of them. If you select 4 stars or higher "Great, please continue to the app store and review us!". If you answer with 3 or fewer, "Oh no! Please visit our contact page and tell us how we can make it better!"
The sad reality is that you can have thousands of users and no reviews if you don't do that stuff. And because the (apple) app store wipes reviews every update, it also encourages devs to never update, lest they go and nag all their users again. All around difficult situation for apps, especially if you go about it as a solo dev.

Also sad that the most effective way to get a bunch of 5 stars is to say in your app: Have a free X item if you rate us 5 stars! <link to app store>, nevermind that there's no way of actually verifying that they left you any feedback, nonetheless plenty of people actually do it.

You can almost smell the "growth hacker" desperation.
Every app does this, and I hate it. What grinds my gears is the negative review dark pattern funnel (i.e., ask a user if they like the app, if not, keep them in the app and get feedback. If they do like the app, forward them on to the app store).

I was in the middle of using your app, don't bother me.

I will on occasion go out of my way to visit the app store and leave a 1 star review when this happens.
When a site insists that certain characters are not allowed in passwords, that is strong indication that they are storing them clear-text in text files.

Those characters are disallowed because they would cause delimiting issues for the shell/sed/awk/perl/php crap they are using to process those files, or db injection attacks.

A proper password hashing function takes any byte string.

I can give the quantum of the benefit of the doubt and assume that they're just possibly overly defensive for SQL injections if they're using the DB to do the hashing. They should be using parametrization anyhow and HAND, but maybe they missed that memo.
>When a site insists that certain characters are not allowed in passwords, that is strong indication that they are storing them clear-text in text files.

Except it really isn't, while stupid this is hardly uncommon in software that does hashing.

It's often just a reflexive behavior on a website. Fields which have to be displayed back to the user naturally tend to have reasonable restrictions on what characters they can contain (no linebreaks is a common one, for example). The fact that passwords will never be displayed back to anybody (ideally) is no deterrent to your typical business analyst writing a hundred page spec for the account management pages, and just like every other field on the site they will place some arbitrary length restriction on the field, and pronounce that certain special characters are off limits. Programmers will then implement the restrictions because hey, it's an easy two points.

There are, actually, a couple of reasonable UX reasons for placing some restrictions on the characters someone can use in a password. If you hope that they will be able to enter the same password from another device later, you want to encourage them not to exploit all the wonderful input possibilities afforded by their plug-in emoji keyboard on their phone. Sadly I don't think this kind of reason underlies any restrictions I've ever seen in the wild.

Password has to be compatible with phone input -- legacy 0-9 phone, not mobile computing devices.
Why would this need to be restricted to A-z 0-9? Isn't it safe to assume that nobody will be typing in passwords from their land line?
Just today, I tried to return something on staples.com. They have a field called "optional comments". I left it empty, and got an error saying "Sorry, but an error has been made. Please check the following highlighted field(s)." with the empty box highlighted in red.
Did you report the bug? (Perhaps in the "optional comments" field.)
I expect the amount of effort it would take to find someone who could do something about it is more than it's worth.

I've reported bugs in Google products before, but it's usually just not worth chasing a company down for something that doesn't really impact me, and often they'll just refuse to acknowledge the problem or refuse to fix it anyway. E.g. the issue I described at https://news.ycombinator.com/item?id=10478264. Since then I usually won't bother unless it's hard to work-around or the company has a known bug-tracker.

I once went to a lot trouble to report a bug in an online precious metals trading site, and they gave me, like, 1% of an ounce of silver as a reward. :-) At the time, I seem to recall figuring out it was about $50. Of course, I had to open an account on their site in order to claim it, and there was a large initial deposit, so blah, nevermind....
I don't think it's safe to compare every internet site to Google. Google is notorious for not having good support, but many other companies take customer feedback very seriously.
I mentioned google as an example of a company with a public bug-tracker, not as an example of one that treats reports poorly.
Probably the weirdest password requirement I've seen was the one for my college's email: it had a maximum of 10 characters, and required it to contain no dictionary words or reverse dictionary words. I never figured out why they would have such strict requirements, and also force it to be so short.
Probably a legacy plain-text database field... if it makes you feel any better. :/
My university required us to change passwords every semester, and the password couldn't contain a similar enough substring of any of your old passwords. (I think 4 characters was the threshold, it would also detect reversed substrings).

I didn't really know much about web dev or security at the time, but thinking back to it now, there is no safe way they could have done that.

Technically, they might have been able to take the new password, which would traditionally not have been hashed on the client side, and try and permute it to see if it hashed to the same value as the old hash. Granted, with current best-practices in stretching, it probably shouldn't have been feasible to do even that -- but for salt+sha1 it might have worked.

They probably didn't though.

Actually my university requires exactly six characters for library passwords. They may only be changed by the library personnel and you must either write them down on a piece of paper for them to type or just spell it out loud...
(comment deleted)
If anything, I get a little chuckle when I see this stuff. I'm sure we've all been there trying to make things clearer for the user.

That said, I'm more concerned with the fact that I can't go to any web page these days without getting one of these pop-ups.

It's even worse when the pop-up comes 20 seconds later since loading all of the Javascript takes a while on mobile - and then shows up halfway down the page.

It's even worse when being scrolled down the page prevents the widget from rendering correctly.

The internet is quickly becoming a ghetto, and other parts of the internet (Facebook, Instagram, Reddit) are getting incrementally controlled and censored.

... Sigh ...

NoScript, my friend! Sadly no good solution for mobile.
What's wrong with NoScript on mobile? Just breaks too many sites?
Parent is likely talking about Chrome since it doesn't support extensions. Firefox on Android can use NoScript, uBlock or what have you without missing a beat.
Just getting a new phone set up with what I want. So, hadn't looked for it, previously.

By viewing the addons.mozilla.org NoScript entry and then clicking on "View All Versions", I was able to find a mobile (NSA) version in the version history. I started with that, as I'm leery of installing from third parties until I have some confidence that the source is authentic and uncompromised.

I'd appreciate some feedback on the current thinking / best practice for installing NoScript (Anywhere?) on Firefox mobile (on Android 6).

No, I use Firefox. I just find NoScript on mobile to be way too much of a pain to use, so I don't think of it as a "good" solution. Maybe they've updated in their UI since I tried it a year or two again?
I ran into a site (tweaktown) recently that redirects you to an ad-blocker shame page if you block ads (they try to circumvent, though) or disable javascript (meta refresh wrapped in a noscript tag).
Thank god that NoScript has an option to catch those redirects. Whenever I see them the page has rendered just fine without needing to anything special for the script-less.
Yeah I see a fair amount of adblock-shaming on a routine basis now. How many of these beggars turn around and speak ill of homeless people begging on the street?
I love the Forbes.com one that said I should disable ad-block for a better experience - an experience they just made worse by preventing me from reading whatever half-assed article their editor approved.
The practice isn't designed to make things clearer for the user, it's a dark pattern. It's designed so that the user either doesn't notice or feels guilty about choosing to opt out. If you wanted to design a clearer interface, you wouldn't hide the "no" option, you'd make it parallel to and near the "yes" option so it was clearly conveyed that you have two options.
> I'm more concerned with the fact that I can't go to any web page these days without getting one of these pop-ups.

People use these pop-ups (Landing Pages, Optinmonster, etc) because they are extremely effective at capturing emails. Your average programmer or techie on HN is horrified when prompted to sign up via a pop-up, but many regular users will just comply. The site has now converted a random passer-by, into someone who might continue to receive new content (and marketing material) in the future. Nothing comes even close to the ROI that you get from people subscribing to your mailing list. Note that I'm not talking about whether this is right or wrong, just that it's done for a very good reason. Would I put a pop-up form on a programming blog? Obviously no. Know your audience. But on a regular site? Not doing so is literally leaving money on the table. And that's why they are ubiquitous. When you don't see one it's often either an ethical choice (the site owner decided to maximize user experience, not profit) or lack of knowledge of how effective these pop-ups are.

>"Your average programmer or techie on HN is horrified when prompted to sign up via a pop-up, but many regular users will just comply."

... especially if you shame them into it!

(comment deleted)
Exactly.

>>> Obviously no. Know your audience. But on a regular site? Not doing so is literally leaving money on the table. And that's why they are ubiquitous.

This.

Most (all?) of the mentioned ones are run by companies, not individuals who are not seeking any profit or anything. In terms of ethics, I wouldn't even call it unethical or a dark pattern. Some sneaky checkbox to receive spam is bad. Sneaky checkbox for addon when purchasing is horribly bad. But pop up with email field? Nope. Calling it ethical decision is a stretch. Worst case scenario - you close the tab and move on with your life. If anyone loses then it's the business, not you.

At the end, it's a business decision whether it's worth annoying some users in order to extract more value later from a fraction of them and it's the users choice to accept or not. It's a personal choice, to each their own.

You think the UX is so crap because of it and surely something better can be done? Take it as a business opportunity!

>Nope. Calling it ethical decision is a stretch. Worst case scenario - you close the tab and move on with your life. If anyone loses then it's the business, not you.

So here's the thing: That's a perfectly reasonable standpoint, but you can't have your cake and eat it too.

If you want to run your website like this, you lose the moral highground to declare it wrong when I order my browser to automatically disassemble their website and strip out all their cookies, all their ads and all their popups.

You are also the one that has to answer to your peers if I just leave those tools running out of sheer laziness when I go to other, less pernicious websites.

>In terms of ethics, I wouldn't even call it unethical or a dark pattern.

I disagree. Offering your user the option to get on your mailing list is fine. But when you a) shame them if they chose not to, and b) make it significantly harder to find the way to express their "No" choice, it becomes an unethical dark pattern. Arguably, blocking their access to the material you offered them until they make this choice is also dubious.

>>> shame them if they chose not to

It's not unethical to potentially harm your own business. I'd say it's just bad for the business, that's all.

Offline companies occasionally run silly/trying to be too clever campaigns. But no one really calls them unethical, as long as they stay clear from potentially discriminating topics. People mock them, but they don't call them unethical.

>>> make it significantly harder to find the way to express their "No" choice.

I see where you are coming from on this one. But, again, it's not preventing the user to quit using the standard way of quitting.

Obviously "No thanks", "Close", "Cancel" and so on are standard mechanisms for dismissing a form. You're arguing that it's standard to make the user read and understand that the funny or insulting quip is the mechanism to close the form. I disagree.
To me, it seems that UX decisions and business decisions are very conflicting with one another.
I think even many non techie types have spam emails accounts for signing into crap like this.
"The returns justify the investment!"

Where have I heard that before?

I always close that kind of pages. Do you really need to read everything?
It's even worse when the pop-up comes 20 seconds later since loading all of the Javascript takes a while on mobile - and then shows up halfway down the page.

How about when you're using a mobile device in landscape view and the popup was designed for a (taller) portrait-height screen?

> No thanks, I'll stick to the latest Adam Sandler films.

Okay, Esquire, that one's kinda good.

While somewhat egregious and dark, the Duolingo language bird one made me laugh.
Idea: browser extension that transforms the confirmation text to something more .. colorful.
I've got a list of rules for FoxReplace on a github repo... Mostly centered around taking the piss out of various contentious political issues, and I recently added the whole set of XKCD substitutions. I'd link it but I'm on mobile right now.
Yeah but instead transform the modal into something more.. invisible..
Reminds me of the canvassers on the street whose line is always "do you have a second for the environment?", "do you believe in equal rights?", "would you like to prevent puppies from dying?", etc.
Equal rights?? We should never have given <them> shoes!
What gets me is when the canvasser goes into mock-surprise mode when you tell them no.

Dude, you and I both know that your job here is to try to sell something to me, so don't be shocked if I'm not interested.

You and I both know their job is to feign surprise, why are you surprised?
There are two ways to get rid of them:

I am already a member, customer, etc

Just ignore them. Don't change you walking speed, don't acknowledge them, don't argue them.

You also see it in the naming of groups/movements (e.g. Black Lives Matter). "Do you agree with Black Lives Matter?". The almost reflective response is "yes" because saying no makes you sound like a KKK member.
Or the name of pretty much every anti-rights/anti-privacy bill like "The Patriot Act".
There is a UK comedian who has a joke along the lines of:

Canvasser: do you have five minutes to help cure children's cancer?

Comedian: ok, but I don't think we're going to get very far.

Seems to me this is the kind of behaviour that's going to have people reaching for technical solutions so as to never see the popover in the first place...
First Round Capital does this on their blog.

Reject subscribe popup requires clicking "No I don't want to learn more"

Curious: has confirmation shaming increased conversion? Can someone confirm or provide some insights?
Earliest I remember seeing this was the defunct mobile gaming platform OpenFeint. Every time you launched an OpenFeint integrated app, you'd get the splash screen and the dismiss button was "No thanks, I don't want these awesome features".
Interesting how many of them are literally true for me, with no shame whatsoever, because it's hard-won personal wisdom, which is a source of pride, not shame.

Examples: I don't want to know about power breakfasts. I'm not interested in delicious recipes. (I already know how to cook the things I like.) I'd rather be sleeping. (True dat.) Continue with boring old email. (It's fine.) I reject my free issue. (And all subsequent ones. Really just, don't encourage them.) I do not want to get the most important news in my inbox. I prefer to pay full price. (And thereby be free of a lot of bullshit.)

This is one of the reasons I still enjoy paper magazines and yes even catalogs. I remember being on a plane trying to read some article and just giving up and reading the SkyMall magazine the whole flight. The damn SkyMall magazine foisted on all delta fliers (and takes up valuable space) is less invasive than todays ad pop crap.

While magazines certainly have some annoying things (like the paper subscription post cards) and I suppose the eco unfriendliness these negatives are starting to look continuously better than the alternative. Ironical I think I was even shamed by a publisher recently for ordering "the paper copy". I know many banks do this as well... damn you for wanting paper... we must pop-up shame you and paper makes that difficult.

I suppose PDF is a good middle ground.

SkyMall no longer publishes printed catalogs to airplane seats.
I think a fair majority of these exit-intent popins are designed and delivered by BounceExchange, or at least influenced by what BounceExchange has set as the standard. They specialize in implementing this kind of stuff and have a wealth of data and a/b tests to back up their use and this type of "confirmshaming".
On Esquire: “No thanks, I’ll stick to the latest Adam Sandler films.”
Is there anything that blocks these modal dialogs on mobile? I absolutely hate these things, but they don't seem to be blocked by uBlock.
Does adblock catch these? Shouldn't it?