Clickjacking in cookie law popup windows. Duh.

Far be it for me to continue pointing out the inevitable results of legislating front-end code without no regard to UX or the social dynamics of technology use.

After all, you don’t have to write about it for a living to know it’s a problem:

Within months of implementation across Europe, consent fatigue had clearly set in and no discernible improvement in privacy – oh for those innocent pre-Snowden days – had resulted. Yet the law is the law. What could possibly go wrong?

So here we have MalwareBytes reporting on a clickjacking campaign payloading in cookie compliance popup windows. The trick is working because people have spent four years clicking those windows out of the way. Thankfully at the moment all it is accomplishing is PPC fraud. Of course, it would only take seconds to payload something worse.

The long-term implication is that web users already annoyed by the popups and consent mechanisms will now associate them with outright malicious acts. You can’t legislate, sell, or blame your way out of that.