Dark pattern with unsubscribe link

Unsubscribe links should work with privacy measures put in place. Edureka's does not.

Closeup shot of a letter box on a red door with a sign above that says "private."

At some point I probably subscribed to Edureka’s newsletter. I don’t remember, but it’s also plausible that I did.

The emails, however, were not of use, so I clicked that unsubscribe link in the footer of the email that all newsletters should have. It’s a legal requirement in many jurisdictions, and all of the reputable email newsletter platforms will include it, no questions asked. You don’t even have an option of not including them.

And then there’s whatever Edureka uses. The unsubscribe link looks like this:

https://www.edureka.co/unsubscribe-v2?p=<some base64 encoded value>&e=<some base64 encoded value>&encoded=true&wzrk_ex=0

There are four different query arguments:

  • p, URL-encoded, base64-encoded binary data
  • e, URL-encoded, base64-encoded binary data
  • encoded=true, I guess to tell whatever backend that the data is encoded
  • wzrk_ex=0, which is some implementation detail I suppose

This opens up a page that has the bare minimum on it: a form with a single input field for the email address and a button. The issue is that by default that input field is readonly:

screenshot of source of the unsubscribe page highlighting the input field that's read only

On top of that, the button calls a function. I can’t enter anything in the field. I can’t paste anything in the field. I need to remove both the readonly and autocomplete=off properties for that to work. But even when I do that and I get my email address in that field, clicking the button does nothing.

In my home network I have both uBlock Origin and a Pi-hole eating tracking scripts whenever they come across them. This particular site uses CleverTap’s “maximise customer lifetime value” functionality, which means in order for me to actually be able to unsubscribe, I need to let some script run that will slurp up way more info from me than I’m comfortable with.

Not to mention all of that goes against the data minimisation principle of the GDPR: you can’t have tracking as a prerequisite for providing the thing I asked for. You can remove me from a list without the tracking info, you do not need all that extra info.

As a dark pattern the argument I suppose is that “well those encoded and encrypted query arguments make sure that you’re actually the person removing yourself, and you can’t be removed from the list against your wish,” but you could do a double opt-out if that was really what you wanted to protect against.

OR, and hear me out, you don’t need to have the JavaScript loaded. Put the query arguments in hidden fields in the form with about 7 lines of JavaScript in the HTML that is not specific to tracking, and then do the validation on the server side after I click the “Unsubscribe” link and the form sends a POST request.
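A sketch of that tracker-free flow, added here as an example and not Edureka's code. It goes one step further than the paragraph above: the server fills the hidden fields itself, so no script is needed at all. It assumes `e` carries the base64url-encoded address and `p` an HMAC over it (what Edureka's parameters really contain is unknown); the host, path, secret and function names are hypothetical.

```javascript
// Added example: unsubscribe without third-party scripts, validated server-side.
// ASSUMPTION: e = base64url(email), p = base64url(HMAC-SHA256(secret, email)).
const crypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // placeholder; load from a secret store

const b64 = (data) => Buffer.from(data).toString("base64url");
const sign = (email) => crypto.createHmac("sha256", SECRET).update(email).digest();
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Link placed in the email footer (hypothetical host and path).
function makeUnsubscribeLink(email) {
  const q = new URLSearchParams({ e: b64(email), p: b64(sign(email)) });
  return `https://news.example/unsubscribe?${q}`;
}

// GET: the server copies the query arguments into hidden fields, escaped,
// so the page works with every script blocked.
function renderForm(query) {
  const field = (name) =>
    `<input type="hidden" name="${name}" value="${escapeHtml(query.get(name) ?? "")}">`;
  return `<form method="post" action="/unsubscribe">${field("e")}${field("p")}` +
    `<button type="submit">Unsubscribe</button></form>`;
}

// POST: validate on the server. Returns the address to remove, or null.
function verifyUnsubscribe(form) {
  const email = Buffer.from(form.get("e") ?? "", "base64url").toString("utf8");
  const proof = Buffer.from(form.get("p") ?? "", "base64url");
  const expected = sign(email);
  // timingSafeEqual throws on a length mismatch, so check the length first.
  if (!email || proof.length !== expected.length) return null;
  return crypto.timingSafeEqual(proof, expected) ? email : null;
}
```

The signed proof ties the request to the address that received the email, which covers the "can't be removed against your wish" argument without loading any tracking code.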

I shouldn’t need to jump through a bunch of hoops and compromise my privacy because I want to get off your list. I wonder how many of us need to report these as spam before the companies catch on.

Photo by Dayne Topkin on Unsplash