Clickjacking in cookie law popup windows. Duh.

Far be it for me to continue pointing out the inevitable results of legislating front-end code without no regard to UX or the social dynamics of technology use.

After all, you don’t have to write about it for a living to know it’s a problem:

Within months of implementation across Europe, consent fatigue had clearly set in and no discernible improvement in privacy – oh for those innocent pre-Snowden days – had resulted. Yet the law is the law. What could possibly go wrong?

So here we have MalwareBytes reporting on a clickjacking campaign payloading in cookie compliance popup windows. The trick is working because people have spent four years clicking those windows out of the way. Thankfully at the moment all it is accomplishing is PPC fraud. Of course, it would only take seconds to payload something worse.

The long-term implication is that web users already annoyed by the popups and consent mechanisms will now associate them with outright malicious acts. You can’t legislate, sell, or blame your way out of that.

About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and was a professional web site designer from 2007-2015. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.