Around 2013, my team and I finally embarked in upgrading our company’s internal software to version 2.0. We had a large backlog of user complaints that we were finally addressing, with security at the top of the list. The very top of the list was moving away from plain text passwords.
From the outside, the system looked secure. We never emailed passwords, we never displayed them, we had strict protocols for password rotation and management. But this was a carefully staged performance. The truth was, an attacker with access to our codebase could have downloaded the entire user table in minutes. All our security measures were pure theater, designed to look robust while a fundamental vulnerability sat in plain sight.
After seeing the plain text password table, I remember thinking a…
Around 2013, my team and I finally embarked in upgrading our company’s internal software to version 2.0. We had a large backlog of user complaints that we were finally addressing, with security at the top of the list. The very top of the list was moving away from plain text passwords.
From the outside, the system looked secure. We never emailed passwords, we never displayed them, we had strict protocols for password rotation and management. But this was a carefully staged performance. The truth was, an attacker with access to our codebase could have downloaded the entire user table in minutes. All our security measures were pure theater, designed to look robust while a fundamental vulnerability sat in plain sight.
After seeing the plain text password table, I remember thinking about a story that was also happening around the same time. A 9 year old boy who flew from Minneapolis to Las Vegas without a boarding pass. This was in an era where we removed our shoes and belts for TSA agents to humiliate us. Yet, this child was able, without even trying, to bypass all the theater that was built around the security measures. How did he get past TSA? How did he get through the gate without a boarding pass? How was he assigned a seat in the plane? How did he... there are just so many questions.
Just like our security measures on our website, it was all a performance, an illusion.
I can’t help but see the same script playing out today, not in airports or codebases, but in the cookie consent banners that pop up on nearly every website I visit.
It’s always a variation of “This website uses cookies to enhance your experience. [Accept All] or [Customize].”
Rarely is there a bold, equally prominent “Reject All” button. And when there is, the reject-all button will open a popup where you have to tweak some settings. This is not an accident; it’s a dark pattern. It’s the digital equivalent of a TSA agent asking, “Would you like to take the express lane or would you like to go through a more complicated screening process?” Your third option is to turn back and go home, which isn’t really an option if you made it all the way to the airport.
A few weeks back, I was exploring not just dark patterns but hostile software. Because you don’t own the device you paid for, the OS can enforce decisions by never giving you any options.
- On Windows or Google Drive: “Get started” or “Remind me later.” Where is “Never show this again”?
- On Twitter: “See less often” is the only option for an unwanted notification, never “Stop these entirely.”
You don’t have a choice. Any option you choose will lead you down the same funnel that benefits the company, and give you the illusion of agency.
What’s my incentive to accept all cookies?
So, let’s return to the cookie banner. As a user, what is my tangible incentive to click “Accept All”?
The answer is: there is none.
“Required” cookies are, by definition, non-negotiable for basic site function. Accepting the additional “performance,” “analytics,” or “marketing” cookies does not unlock a premium feature for me. It doesn’t load the website faster or give me a cleaner layout. It does not improve my experience.
My only “reward” for accepting all is that the banner disappears quickly. The incentive is the cessation of annoyance, a small dopamine hit for compliance. In exchange, I grant the website permission to track my behavior, build an advertising profile, and share my data with a shadowy network of third parties.
The entire interaction is a rigged game. Whenever I click on the “Customize” option, I’m overwhelmed with the labyrinth of toggles and sub-menus designed to make rejection so tedious that “Accept All” becomes the path of least resistance. My default reaction is to reject everything. Doesn’t matter if you use dark patterns, my eyes are trained to read the fine lines in a split second. But when that option is hidden, I’ve resorted to opening my browser’s developer tools and deleting the banner element from the page altogether. It’s a desperate workaround for a system that refuses to offer a legitimate “no.”
Lately, I don’t even bother clicking on reject all. I just delete the elements all together. Like I said, there are no incentives for me to interact with the menu.
We eventually plugged that security vulnerability in our old application. We hashed the passwords and closed the backdoor, moving from security theater to actual security. The fix wasn’t glamorous, but it was a real improvement.
The current implementation of “choice” is largely privacy theater. It’s a performance designed to comply with the letter of regulations like GDPR while violating their spirit. It makes users feel in control while systematically herding them toward the option that serves corporate surveillance.
There is never an incentive to cookie tracking on the user end. So this theater has to be created to justify selling our data and turning us into products of each website we visit.
But if you are like me, don’t forget you can always use the developer tools to make the banner disappear. Or use uBlock.