Cloudflare have made it impossible for me to unsubscribe from marketing emails
Dark pattern one: You must login to manage your marketing preferences. There's no security related emails here, so this is completely unnecessary.
Dark pattern two: "...confirm your email address to save your communication preferences.". I've no idea how we have a several-year old account without a confirmed email, but it should not have to confirm an email to remove old marketing preferences - or if cloudflare is so careful about this, why did it end up opted-in ion the first place?
Dark pattern two-point-five is that the email somehow became unverified - something it seems is only necessary to adjust marketing emails.
Okay, so I hit the "Resend verification email" link and check my inbox, nothing just yet. I wait a little longer. It's odd that I immediately got a security email about the login from a new IP, but I've not received this verification email yet.
10 minutes later, and I've still not got anything. I know these things can take longer, but I don't have the patience, especially since Cloudflare are clearly trying to make this hard.
Going to the preferences page, I hit that verify link again - still nothing. Okay, F12, I switch to the network inspector and click the link again.
To my surprise: Absolutely nothing. There's no network requests being initiated by this link. Maybe it's websockets, or maybe there's a script that failed to load? The UI does respond when I hit the link, but nothing else. I opened up the element inspector to find a click handler:
function () {
return a.setState({
toast: 'verificationResent'
})
}
That is certainly less than I was expecting. If that's just a react setState... this link is literally doing nothing other changing the UI when I press it. Perhaps some silly frontend developer reads that `toast` state elsewhere to trigger the real behaviour? Nope the only other reference to verificationResent is a ternary statement in the render function.Dark pattern three: Just break unsubscribe. The cynic in me says this was intentional. Hanlon's razor tells me perhaps it is just a mistake, in which case dark pattern three is the overengineering of the unsubscribe function so you can get as much dropoff as possible and it's most convenient if it just breaks.
So wtf Cloudflare?
Oh, and to supplement dark pattern two: The verification check is only on the frontend. In the end, I was able to use the debugger to skip the verified check and edit & submit my email preferences anyway.
202 comments
[ 3.4 ms ] story [ 253 ms ] threadIt’s the exact same bs as using someone’s contact list to spam them with farmville.
Marketers have no respect for their audience whatsoever.
Cloudflare is awesome.
It helps that cloudflare isn't too big to fail yet and still trying to get better.
Hopefully they'll fix this email situation.
In the words of a limbo competition judge, "that's not a high bar".
His response here was perfectly adequate and beyond what the CTO of almost any other large tech company would ever do. Not that it deserves unbridled praise and admiration or something, but the immediate attacks and "weasel word" accusations from others are really weird. HN is way too cynical, sometimes.
Because it's trying to avoid accepting any responsibility for a problem that is quite clearly Cloudflare's intentional doing.
However I also think the previous commenter has a point - "we're sorry you're having trouble and we're looking into it" or words to those effect are things anyone who reports issues to big companies hears over and over again and it usually means "we don't give a damn about you and we're not gonna do anything. Suck it, puny human".
For anyone who doesn't recognize you except as a random person who popped up speaking for CloudFlare, it probably seems reasonable to interpret your words as corporate weasel speak, especially on a post accusing your company of potentially illegal behavior. Even if you didn't mean it that way and this does turn out to be an honest and temporary mistake.
Do not criticize those who USE it. It is a symptom of a larger problem.
Rather, criticize people (like many in this thread) who say "you should sue" in response to any problem you have with a corporation. That litigiousness is what makes corporate weasel speak necessary. If the result of acting like a human and saying "oh, my bad" is to get sued (and have a slam dunk case, because they admitted to it!), then people are going to stop saying "my bad" and start saying "that sucks".
This is a cultural choice that we make in the US, and the choice is made in places like this thread. If you want to change it, start here and shame those who say "sue!" after a person encounters a bug trying to unsubscribe.
Or we can all continue to assume that everything is malicious, everyone is in on it, and there are no good people. And we'll continue to get a lot of corporate weasel speak. And we'll deserve it.
I do not think when you said "you are having difficulty" that you implied it was the users fault.
I don't think you can really know that. It's the sort of thing that would be very easy to slip through testing (or that a lower-level employee could slip through unapproved), and lots of companies don't pay as much attention to the technical side of their marketing operations as they do their main product tech.
> Because it's trying to avoid accepting any responsibility
I would argue the opposite. If you are not taking responsibility then you shouldn't use the word "Sorry" as it actually implies that it was your fault. You ought to use "I regret" in those cases - there's a blog post on this floating around somewhere.
There is one key thing to keep in mind for those advancing uncharitable critiques of JGC and Cloudflare. It is entirely plausible that JGC is well-intentioned. Yet, Cloudflare has had to hire quite a few people recently.
There may not necessarily be a culture fit. Some new marketing hires may have thought that this dark pattern was fair game. And JGC can strongly disagree without really being aware of this dark pattern. Those two things can hold at the same time.
[0] https://news.ycombinator.com/item?id=30743891
Sorry you are offended by that characterization.
"Weasel phrases" are non-apologies. A simple non-apology is something like, "I'm sorry you are feeling that way". Let's say Bob wrecks Alice's car after coming back from the bar last night. When Alice wakes up, she notices the car is wrecked and she will be unable to take a client out for lunch in it. Alice becomes angry at Bob as a result and indicates he is responsible for wrecking the car and not telling her the night before, so she could get another car to drive. Alice would want a resolution, either in the moment (Bob giving Alice another car) or an assurance that it won't happen again (a real apology accepting responsibility). An "I'm sorry you are feeling this way" from Bob becomes the non-acknowledgment of the actual cause of the emotional output from Alice. Instead, it deflects back to Alice for resolve. This is tedious, at best.
A good tip for Bob avoiding these "you statements"[1] is to leave out "you" as the object of his stated emotional output. Instead, Bob could say "I hear you are feeling sad and angry because I had a wreck and came home last night and went straight to bed without telling you". This comment from Bob becomes a non-you statement by splitting on the "because" and the "without". There exists a separate acknowledgement of the emotional output from Alice, "I hear you are feeling sad and angry" and an acceptance of the action and result, "I wrecked your car and didn't tell you about it."
It is my opinion you get a lot of these types of comments in public forums, where the conversation is a matter of public record. When given the choice between leaving a public trace of "We were the cause of your difficulty...we'll fix you up though." vs. "We hear you are having issues...", I do think companies will tend to do the later, waiting to give the more specific comment to the recipient outside the public view. Maybe our tendency to think we need these comments aired in public is some sort of error in our reassignment of another's emotions. Their emotional output isn't ours, but we may have empathy for it.
As others have mentioned, the comment comes from someone who seems to care about these things, so if Alice trusts Bob, she'll let the comment slide knowing he'll come through for her in the future.
[1] https://www.cnvc.org/
"That's valid, we'll fix this"?
Pitting a corp against Google's customer support is a nice revenge.
If reporting the email as spam is quicker than unsubscribing, that's what I do.
- Logging in
- Clicking between multiple confusing tickboxes of which emails I want to unsubscribe from. Hint: If someone is actually going to the trouble to hit "unsubscribe", the answer is simply all of the bullshit non-critical emails.
- "You've been unsubscribed from Saturday morning emails sent by this particular product manager" ... implying I have to go find where to unsubscribe from all the rest of the damn emails.
But after that, or if any of these things are too onerous, I hit "spam" with a vengeance on. every. single. email. I get from that company ever again.
That said, I actually never got any Cloudflare spam at all, which is impressive.
For my personal email I run my own mail server, create a unique address for each vendor and ban the address if it is abused.
If keyboard shortcuts are enabled, '!' is mapped to "Report as spam". I don't recall whether the status popover that appears at the bottom of the UI has an "Undo" link, though...
You have to:
1. click on the email from the inbox
2. click on the three-dot hamburger menu on the far right of the sender line
3. click on the 'Block "Evil Sender"' entry in the popup menu
4. confirm that you do in fact want to stop receiving spam from the spammer by clicking the "Block" button
5. Click the "Move to spam" button in the dialog box that appears
I do the same and it's immensely useful!
I find it's also a great indicator of how well that vendor protects my info... if there's a sudden surge of spam to an address only that vendor knows, there's a chance they leaked/sold my info and I know it's time to change passwords and/or reassess my relationship with the vendor.
I had read somewhere that Gitlab does the same. They have a "How to respond discussions on Hackernews." or something in that line.
Regarding GitLab, it[1] was discussed here[2].
[1] https://about.gitlab.com/handbook/marketing/community-relati...
[2] https://news.ycombinator.com/item?id=30003221
There is no excuse whatsoever for requiring someone clicking a link in an email you sent them, to verify their address with you (by clicking a link you sent them.) OP is right, you're engaged in dark pattern techniques and you know damn well that you're doing it.
OP: don't give him a pass. Sue him under the CAN-SPAM act.
(The "sorry" further makes it sound more like talking down. Have you noticed how in a hierarchy the bosses are the ones usually saying "thank you" and "sorry"?)
The correct phrasing is "it is clear to me our system is broken [for you], let me …".
Edited to address the "sorry", it is easy to slip it in without thinking. I'm sure CF rep here did not use that phrasing intentionally either.
Properly handling opt-outs is part of it. MailChimp does the right thing by soliciting feedback, including the option "I never signed up for these emails", hopefully that goes into whatever scoring mechanism they use to kick out abusive customers. Sadly the current state of what passes for front-end development is abysmal, with pages often not working if a user has cookies or javascript disabled, or an ad-blocker.
As for JGC, he deserves credit for doing the right thing, but that does not change the fact his company violated the law, and their marketing department richly deserves any fire and brimstone is raining down their necks right now. I would say most companies should probably have their email service provider contracts controlled by legal rather than marketing, most marketing departments have an inherent conflict of interest in this regard.
There's typos, unverified domain, big warning and all that, but gmail still thinks I'm interested in buying amazon gift cards in bulk. What changed?
There's not enough humanpower to manually vet these things and do anything about them. Far easier to spam than to fight spam. Just block it.
Aside from my article※ explaining the basics of email aliasing to avoid this sort of thing, a few more suggestions:
You can use a service like Mailinator or Mailnesia for one-time disposable emails, but I actually use it for services that I will use for a limited time, even if I pay for them. Sometimes companies make it hard to delete an account, and others make it impossible. So just generate a very long random email and it'll be unlikely that anyone would collide with it. Then just fill in random or fake data for anything personally identifiable. When it comes time to delete the account, just abandon it rather than jumping through hoops to delete it.
If you need something that is more secure and still trivially easy, I highly recommend AnonAddy. Just make up an email alias (for you_subdomain.anonaddy.com or a domain you point to it) and those emails will get forwarded to an email address you specify. All emails forwarded from AnonAddy have some controls on the top, so if you get spammed with automated email from PMs asking for your feedback you can just delete the alias from the email.
This would not be of use for something like Cloudflare though as it's a critical service, but very useful for less important services that cost between $0-10/mo). If they end up being critical you can just change the address to an alias on your main domain.
※ - https://jonpurdy.com/2020/06/using-email-aliasing-to-detect-...
And with 1Password integration, most new services that I wouldn't give my real name to will get a Masked Email too.
If I get spam, I know exactly where the adress came from and I can just destroy the address with one click.
Have you noticed that some services won't let you use their name in the email through?
Samsung, for example, wouldn't let me spell out the word "samsung" in the email field at all.
I wonder if this is, in their mind at least, a sort of phishing prevention/deterrent.
I also use the [foo-company]@[my-domain] structure, and the number of times a customer service rep has asked me "Oh, do you work for [foo-company]?" is more than I can count.
> You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.
https://www.ftc.gov/business-guidance/resources/can-spam-act...
You're not reaching my inbox one way or the other. May as well have a pleasant unsubscribe flow so it doesn't impact your spam rating
Did you just give your credentials to a website linked from a spam email?
All customers were receiving marketing emails.
Don't assume malice. Those things are rarely tested.
For me, there must be intent to cause harm.
I'm yet to see a company that went out of business because they forgot to put a link in their email.
This may be in violation of US law:
> You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.
I wonder if requiring a login means that additional personal information is sent, or that the recipient must perform additional steps other than visiting a single page.
https://www.ftc.gov/business-guidance/resources/can-spam-act...
Spam got better because Gmail, not because the law did anything...
I'm not saying this because I'm anti government, I just don't remember any of the spam laws doing anything, historically, vs the technological defenses invented by the community.
Hell, almost all of the spam I get these days is FROM the government begging for campaign donations, because they so thoughtfully excluded political spam from the laws. Gee, thanks. Now I just globally block anything from NGP VAN.
Just as the USPS allows for personal mailing, each person should be provided an email address that has unhindered access to send email to any other email address in that domain. government ID required for the email address, so there is accountability if you abuse it the same way you would be held accountable for mailing dangerous goods from your home mailbox
An email system with the speed of the USPS, the ease of use of the DMV, the security of the social security system, and the billing of the IRS. It already sounds like a digital gulag, lol
for example, Google could provide the service - but they would have to avoid co-mingling the service with their existing one. They wouldnt have the same rights to the content within the email as they do with a gmail account. And they wouldnt be spam filtering small businesses into oblivion for trying to talk to each other directly.
technically the service can be fulfilled by multiple vendors adhering to the same specification.
Political activity was specifically excluded from our already sad and almost never enforced spam laws. Further, individual campaign donations are considered a matter of public record. So individual donors get recorded in these databases, and then private companies like NGP will harvest those databases, cross reference / deduplicate people with other databases, figure out their email and text contacts and then sell that information to candidates and parties who will in turn use it to spam you nonstop across email and SMS for every subsequent or similar election.
Good times.
"The advertising message must include a "Remove me" link. If a recipient clicks on this, he must be removed from the distribution list."
https://www.bakom.admin.ch/bakom/en/homepage/digital-switzer...
I'd be interested to see if that interpretation has been upheld by a court. Has anyone taken legal action arguing that the server should have used the GET request as the action to unsubscribe, not made the user click an extra button to get that POST request.
Took a look and indeed there are a lot of email clients that don't support the form tag.
https://www.caniemail.com/features/html-form/
What I want to know is: has there ever been even a single case of the FTC going after one of these real companies?
> Q. What are the penalties for violating the CAN-SPAM Act?
> A. Each separate email in violation of the law is subject to penalties of up to $46,517, and more than one person may be held responsible for violations. For example, both the company whose product is promoted in the message and the company that originated the message may be legally responsible.
https://www.ftc.gov/business-guidance/resources/can-spam-act...
That's ... not a trivial amount of money.
Wait for them to send you a dozen spam, and it's even more substantial.
Meaning the same as "not more than". And $0 is of course not more than $46,517.
If the FTC cared, they would have made an example of at least one company in the intervening 20 years.
I never leave it in the opt-in state. Ever.
And a vast number of these companies go ahead and email me anyway.
Sometimes they’re 100% marketing emails and they’ve just blatantly ignored my opt out, other times the emails are under the guise of being related to my account/purchase as opposed to marketing (eg those annoying drip feed “getting started with our product” daily emails) but the lines are very (deliberately) blurred.
In either case, the amount of inbound communication seems very heavily geared towards benefiting the company in being able to send out marketing messages / increase “engagement” as opposed to being actually necessary or useful from the point of view of a customer.
These thoroughly annoy me.
Edit: ironically Cloudflare is among the few companies who I do willingly receive marketing emails from - but even so, if the unsubscribe flow is as OP described, this is not really acceptable and needs looking at.
> Organisations must not make it difficult to opt out, for example
> by asking customers to complete a form or confirm in writing.
> It is good practice to allow the individual to respond directly to
> the message – in other words, to use the same simple method
> as required for the soft opt-in. In any event, as soon as a
> customer has clearly said that they don’t want the texts or
> emails, the organisation must stop, even if the customer hasn’t
> used its preferred method of communication.
https://ico.org.uk/media/for-organisations/documents/1555/di... (page 43)
And then it turned out the name still persisted somewhere. So I complained again (I technically have some legal leverage beyond GDPR to have it pruned). To their credit, they did conduct an investigation, apologized a lot and let me know they had improved their process.
They also seem to have stopped using your name in emails. (I guess I did that?)
But it does seem to be rather systemic to how Cloudflare handles data.
For Gmail the email "myemail@gmail.com" is interchangeable with "my.email@gmail.com". Some services that rely on simple email auth do not make the same distinction (Such as Slack). You may have signed up with periods and are attempting to restore access to a non-period address.
You might be interested in one approach we've been working on for this: https://www.hcaptcha.com/privacy-pass
(full disclosure: work on hCaptcha)
Checking what can and cannot be sent to my account must be taken seriously. I'm like a firewall, deny EVERYTHING by default, if something interests me (almost never) then I'm willingly subscribing.
When I can't unsubscribe from something I get very frustrated and I always go full annihilation mode and create a new rule to sweep everything coming from that domain to junk and instantly delete everything, I don't care.
The FAQ[2] shows an example of a CASL violation for requiring multiple steps to unsubscribe.
[1]https://www.fightspam.gc.ca/eic/site/030.nsf/frm-eng/MMCN-9E...
[2]https://crtc.gc.ca/eng/com500/faq500.htm#wb-auto-28
As we use groups for some SSO auth at work, the thing that tipped me off to this was having my work Dropbox delete itself from my machine. Nearly gave me a heart attack.
But I get it, putting up barriers around account cancelation and unsubscribe functionality increases retention. I mean look at Facebook's "delete my account" workflow.
Kind of, I would suspect it wasn't a conscious decision for many services that do this. More like "damn we suck at session management in React" and nobody noticed or thought about why a particular view was not accessible without a pre-existing session.
The retention methods and analytics for getting them create the perverse incentives to never notice though.
"The A/B test says users looooove staying on our website! great KPI folks!"
People aren't sitting in a shadowy room thinking about how to get their users stuck and lost on their website. They're just not looking at the CAN-SPAM act, and likely would be willing to make that exception to how their session management system works.
I've been trying for months to delete my Nexo account. For some reason the only way to delete account is via their support...They haven't replied to me in months.
Of course they also like to block your login, so I've been getting their spam to close to a decade now.
This is an immediate Report Spam for me. I also forward all my emails from Gmail into Fastmail, Protonmail, and iCloud, so I go and report spam here as well.