“We’re Not That Gullible!” Revealing Dark Pattern Mental Models of 11-12-Year-Old Scottish Children

It is important to acknowledge the ongoing efforts to create a safer internet for children and adults alike. In UK, the controversial Online Safety Bill aims to make social media companies legally responsible for keeping children and young people safe online by making the risks and dangers posed to children on social media platforms more transparent and putting in measures to prevent children from accessing harmful and age-inappropriate content. The UK Council for Child Internet Safety, a group of more than 200 organisations across government, industry, law, academia and charity sectors, publishes regular guidance to help keep children safe online. The UK’s Information Commissioner released ‘Children’s code design guidance’ that sets out how online services that will be accessed by children should protect them online [35] while United Nations International Children’s Emergency Fund (UNICEF) released a report on ethical artificial intelligence for children [84]. Finally, the UK government recently proposed the Online Safety Act 2023,² an Act of Parliament to control online speech and media. The act creates a duty of care for online platforms, requiring them to take action against potentially harmful content. In October 2023, the bill received Royal Assent [36], but we do not yet know how it will inform online child protection efforts.

The concept of a choice architecture first emerged in Richard Thaler and Cass Sunstein’s 2008 book, Nudge: Improving Decisions About Health, Wealth, and Happiness, which explains all dimensions of the physical micro-environment within which decisions are made [48]. Thaler and Sunstein [79] also introduced the concept of the ‘nudge’, a deliberate manipulation of this choice architecture designed to gently coax people to make wiser decisions. By definition, a nudge has to benefit the nudgee and have their implicit agreement to be nudged. Nudge examples include displaying the most secure WiFi at the top of the list on a smartphone [82] or using visualisation to encourage stronger passwords [69]. The use of secure WiFi will prevent eavesdropping, and stronger passwords protect personal accounts. Both provide clear benefits to the nudgee. However, although nudges can benefit users, the technique can also be used for nefarious purposes when these principles are not respected [18, 45]. In these cases, they are termed ‘dark’ or ‘deceptive’ patterns, which are explained next.

Harry Brignull originally coined the term ‘dark patterns’ in 2010 [10]. In 2023, he published a book where he argued for the use of the alternative term ‘deceptive patterns’, citing a definition proposed by Lisa Blunt Rochester referring to them as ‘intentionally deceptive user interfaces that trick people’³ [11, p. 1]. Whatever the terminology, these deceptive techniques seek to persuade people to take some action to their own detriment. We shall use the term ‘dark patterns’ to refer to the concept in this article.

Dark patterns can compromise legal requirements, especially when they persuade the online user to grant consent unwisely, to click on links, to divulge information or to make ill-advised purchases. Kahneman [37] suggests a dual system of thinking: System 1 and System 2. System 1 thinking is automatic and fast requiring little effort. System 2 thinking is effortful, slow and deliberate. Because nudges often target System 1’s automatic processing [6, 83], they do not engage the user’s conscious attention, which might help them to spot deceptive attempts. This means that nudgees are unaware of their presence and influence [5].

A number of websites are dedicated to dark patterns, including Brignull’s hall of shame [10], Shopify’s dark patterns⁴ and Thomas Mildner’s Dark Pattern Cheatsheet [51]. Mathur et al. [50] reviewed 11K shopping websites and then developed a taxonomy of dark pattern features as well as the cognitive biases they exploit. None of the identified patterns benefit the nudgee, the core requirement of a genuine nudge [79]. On the contrary, they are deployed to benefit the nudger. We used Mathur’s taxonomy to create the dark pattern scenarios used in this study (see Table 1).

Mental models are defined as ‘A concentrated, personally constructed, internal conception of external phenomena (historical, existing or projected), or experience, that affects how a person acts’ [72, p. 16]. In essence, mental models reflect our understanding of topics and inform our choices [7] and online decision-making [90]. In the following sections, we discuss cybersecurity mental models, which are composed of structures generated by non-expert users to understand complex topics such as cyber threats [91].

We chose the dark pattern scenarios with great care to deliver insights into the children’s mental models. These are summarised in Table 1. The scenarios were reviewed by Education Scotland⁶ and approved by ethics review boards of all authors’ institutions.

Scenario 1: ‘Privacy Zuckering’—This dark pattern is mentioned by Brignull [10] and by Bösch et al. [6]. We wanted to include a scenario that is related to a privacy dark pattern because (1) these kinds of privacy-invasive patterns are particularly insidious, (2) people can easily lose their privacy, and once lost, privacy cannot be retrieved. Our design was inspired by a real case of a cryptocurrency exchanging free currency for iris readings [42]. The idea was to see whether the children realised that their biometric (eye scan) ought to be preserved and the possible consequence of this information being leaked to other entities. This information leak has possible cybersecurity consequences if the eye biometric is used for authentication.

Scenario 2: ‘Bait and Switch’—In this dark pattern, a deceptive link appears to lead the user to something desirable, while it actually sends them somewhere unpleasant. This pattern is also mentioned by both Brignull [10] and Greenburg et al. [33]. In this scenario, the children are offered free Robux⁷ but redirected to a fake website. A possible consequence of this action may be a drive-by download or loss of credentials if the fake website is convincing enough to elicit these. Hence, the cybersecurity consequences may be potentially severe.

Scenario 3: ‘Confirm Shaming’—It attempts to manipulate the viewer into diverting to the advertisement [10, 51]. This is a relatively mild dark pattern that guilts the user into opting for something. The option to decline is worded in such a way as to shame the user into acting to benefit the dark pattern deployer. We designed this scenario based on children’s reported use of YouTube [23]. The scenario does not offer a particularly enticing bait and has no real cybersecurity consequences. In reality, they might see an advert or be persuaded to buy something, but their device and/or information will not be breached.

Scenario 4: ‘Genuine Browser Warning’—It is included to see whether children would raise false positives by being suspicious of this warning instead of realising it was actually legitimate. A possible consequence of misclassification is visiting the fake website the warning is related to, and this may well trigger potentially severe cybersecurity consequences.

We recruited primary school classes from Scotland to participate in our workshops via educational authorities, who advertised the research study to all the schools in their districts. Two people from the educational authorities approved the scenarios we used during the workshops. We provided a short training session to participating teachers about the study and how we expected the activities to play out in the classroom. One school was in Aberdeenshire, two were in the Strathclyde area, and the others were in North Lanarkshire.

All schools in Scotland follow the mandated Scottish curriculum: the Curriculum for Excellence, which includes ‘Digital Literacy’. The guidance provided for 11- to 12-year-old children includes ‘I can keep myself safe and secure in online environments, and I am aware of the importance and consequences of doing this for myself and others’ [25]. While the curriculum is centrally provided, it is up to each school to decide how to teach these principles, which means that there will be some inevitable variability in terms of specific concepts taught.

The recruited classrooms had a varied number of 11- to 12-year-old children. Given that we were not present and did not count the number of students participating in each workshop, we used the number of drawings submitted per workshop as a proxy (Table 2). We carried out seven workshops in seven different classes.

We note that we chose not to capture demographic attributes such as the gender and ethnicity of the participants because we considered it crucial to guarantee their anonymity. Future research should investigate gender and/or ethnicity’s impact on the ability to detect online deception.

We carefully designed the studies to the highest ethical standards, especially since we ourselves had to attend virtually and rely on teachers to facilitate the workshops on our behalf. As such, we developed a rigorous methodology for carrying out research remotely with classes of children. Ethical approval was gained from the ethical review boards of all participating institutions before we commenced. We provide a substantive discussion of ethical considerations and our methods for resolving them in Morrison et al. [53] (summarised in Figure 1). A safeguarder, who had been vetted by the UK’s Disclosure and Barring Service, was present during all workshops to ensure that the children’s safety was monitored and assured.

Figure 1 presents the dimensions of the research. In particular, for each workshop, we followed the protocol below:

Due to the remote nature of the workshops and the lack of video footage, the study had several limitations, which we detail in Section 5.2.

Our data collection methodology resulted in two types of data: (1) children’s drawings and (2) transcripts of the audio data collected during the workshops when children spoke about their drawings and answered questions from the teachers or the researchers. As outlined in the previous section, we were unable to match the children’s drawings to their verbal explanations of their drawings. We thus analysed transcripts and drawings separately before discussing the entire study’s findings and implications in Section 5. The analyses are detailed in the next subsections. We had to exclude the first workshop from the drawing analysis due to a number of drawings being missing from the pack sent to the researchers.

In total, we analysed 468 drawings. Our analysis revealed that 144 (31%) mirrored our scenario back to us (Category 1 in Table 3), which indicates a non-intrusive reading of the scenario or the user giving access to information (e.g., an e-mail address or biometrics) in a tit-for-tat exchange. A total of 246 (53%) respondents began to imagine more than what was presented in any given scenario (Category 2). These responses identified that information was being tracked or collected via invasive means without user input (e.g., location services, information accessing). A total of 164 (35%) participants began to identify what might be lost in terms of security or privacy in response to the scenario (e.g., theft of credentials or account details) (Category 3), and 145 (31%) participants depicted worst-case scenarios where sensitive PII (e.g., bank details, postcodes, date of birth or phone number) was leaked (Category 4). In their drawings, 274 (59%) participants mentioned some form of the potential consequence of a given scenario. We can now consider drawings related to each scenario in turn.

The naming convention for drawings specifically mentioned in this Section is ‘Work Shop i’-‘Participant j’: WSi-Pj (see Figures 8–12 in the Appendix for drawings).

The transcripts from the workshops represented 22–29 different voices for each scenario, which corresponds to roughly 20% of all drawings. In the transcripts, each speaker was given a different participant label. The participant labelling convention for transcripts specifically mentioned in this Section is ‘WorkShop i’ ‘Scenario j’ ‘Child k’: WS \(i\) S \(j\) C \(k\) . Table 10 lists the labels for each interviewed participant and presents the total interviews at each workshop, as well as the total. However, as we could not observe the classroom while the children spoke, there is a remote chance that some children may have spoken multiple times (the facilitating teacher ensured turn taking, and we were not able to see children). Hence, a single label may not always refer to a distinct individual.

Even though we could not conduct an interview for every drawing, the transcripts provided a useful sample of what children thought of how and why a benign or malicious action would occur in response to a click. The transcripts were also richer in terms of children’s reactions to the scenarios and their expectations of online safety, security and support. Therefore, the sample was useful in revealing the varying views and understandings of privacy and security.

Three themes were produced by organising codes around a relative core commonality interpreted from the data: (1) dark pattern perceptions; (2) online behaviours and (3) security knowledge, which comprised nine sub-themes (see Figure 6). Table 11 in the Appendix presents themes, sub-themes, codes and additional examples from transcripts. The first theme characterises the ways in which participants described their drawings in relation to dark patterns. Dark pattern perceptions, unsurprisingly the most substantive points of discussion, illustrate the ways in which participants were found to understand the four scenarios in terms of nefarious actors, actions and consequences. Moreover, participants’ discussions on online behaviours were analysed and fell into cautious or risky practices. Beyond the scenarios themselves, and the initial scope of the project, participants also demonstrated some security knowledge and spoke about the sources of their knowledge. Collectively, these themes paint a picture of the way children in the selected age group at the participating schools viewed the online environment and guide themselves through it.

In discussing their drawings of dark patterns embedded within the four scenarios, children included four concepts: (1) leaked data via user interactions or snooping, (2) nefarious actors, (3) actions and (4) consequences. The children gave examples of different data they may be giving away either directly, e.g., filling out a form, or indirectly, e.g., through being snooped on. Actors relate to participants themselves as well as others within a given scenario. Actions pertain to what happens within, and in response to, a scenario. Expected consequences, the majority of the time, referred to negative outcomes, although, in some instances, children indicated that they thought nothing would happen.

Leaked Data via User Interaction or Snooping. This sub-theme includes discussions on what data are shared by the user by, e.g., filling in a form versus what data may be leaked even if the child does not enter any information. While children were vague, at times, in terms of what data would be at risk, resorting to ‘more information’, ‘your details’, and ‘private data’, they frequently pointed to being asked for e-mail, password and bank details. In addition, name, address/postcode, phone number, gender, birth date, photos and important files were mentioned.

However, it was clear that the children did not always know why this information was being requested: ‘not sure why they want things like your phone numbers, just know that they do’ (WS4S1C4).

For Scenarios 2 and 4, some children mentioned friends or friend lists, which we assume to be due to social media use triggered by the scenario, e.g., ‘Then they get access to your friends list and they tell them you’ve gone to the website’ (WS5S4C1). This demonstrated an awareness of the variety of data that may be at risk (‘personal data’ mentioned by European Union’s General Data Protection Regulation). In addition, they understood that others were likely to be impacted (friends being hacked as well) as a result of their falling victim to a dark pattern-enabled exploit.

Nefarious Actors. This sub-theme includes descriptions of who is involved in the scenario, also the honesty levels and capabilities of hackers. Children spoke about the scenarios through the lens of their own experiences or without pointing to a particular actor. They used statements like ‘I/you allow’, ‘I/you end up’, ‘I/you need to’, or ‘I/you have to’ when describing their drawings of scenarios.

However, when referring to the human behind the scenario or dark patterns, ‘hackers’ was the overwhelming term used. A gendered association was made with hackers, who were often referenced as ‘a guy’ or ‘he’; very rarely ‘she’ was used. In one instance, the offending party was named ‘people who want Gucci’ (WS3S3C1). In contrast to human actors, software was referenced as a non-human actor ‘it’. These actors ‘tell’, ‘want’, ‘direct’, ‘pressure’, ‘urge’, ‘guilt-trip’ or ‘bribe’, indicating different levels of manipulation by urging input or action.

Children also imagined different actor capabilities and sophistication. Hackers were understood to be able to use ‘high tech’ strategies motivated by financial gain. For example, one child said, ‘the hackers have strong technology’ (WS3S2C6). Motivations were often linked to financial gain. One participant aptly captured the capabilities of hackers when they remarked, ‘some people saying they’re not putting the details in money is getting taken out anyway’ (WS5S3C4).

Actions. This sub-theme captures the children’s descriptions of different steps involved in the scenario leading to deception. For example, in the Privacy Zuckering scenario, the children imagined different ways a device might ‘scan your eye’. Some imagined their torso being scanned, some their face or just their eye, thus demonstrating different levels of privacy invasion. For example, one participant shared, ‘They say they want your eye, but then they are going to take your whole face […] I’m going to have to zoom in so much, and then they can see my whole face’ (WS6S1C2).

One child commented ‘He says it’s bribing you to take a picture of yourself, and that’s all. You won’t get the gems it has promised. The game goes as normal’ (WS1S1C2) without mentioning any loss of privacy due to their eye scan being taken. Some children considered the scenario more a ‘Bait and Switch’—‘Direct you to take a picture of your eye, and then that will basically hack your phone’ (WS1S1C1). or ‘If you click this button a virus gets onto the computer. It will ask for your bank details’ (WS5S1C2).

In the ‘Bait and Switch’ scenario, children mostly expected to be taken to a fake website and asked to enter a username/e-mail and password, explaining: ‘So I clicked it and it took me to this website and it says please enter your Roblox username’ (WS6S2C1), or ‘And they click on a website called, notascam dot yay’ (WS7S2C2), which signals the deceit with the name choice in the example given for the website. Some children only loosely identified the scenario without mentioning visiting a fake website but expecting user information to be leaked or Roblox to be stolen (e.g., ‘So once you click on it, it will ask you for all your information’ (WS1S2C5) or ‘It’s a scamming tool. It will steal your Roblox’ (WS4S2C4)).

In the third ‘Confirm Shaming’ scenario, many communicated they would skip the ad and nothing will happen: ‘Just skip that and get your video on YouTube. That always comes up’ (WS6S3C1), ‘So what happens is when you click this button, you continue to watch YouTube, and that’s pretty much it. And then you’ll be happy’ (WS1S3C1), ‘nothing would really happen because I skipped a lot of ads before and nothing ever happened’ (WS2S3C2). One child said,‘It’s trying to guilt trip you into watching the ad’ (WS7S3C1), describing the dark pattern aptly. However, some also classified this as a ‘Bait and Switch’: ‘I think when you press skip, that’ll take you to another tab of YouTube, but it’s fake YouTube’ (WS2S3C1).

In the fourth scenario, some children recognised the legitimate warning: ‘Just click to safety and not get a malware virus’ (WS3S4C2). Typically, the children assumed ‘Advance Anyway’ would result in a ‘Bait and Switch’ style redirection: ‘So you click on advance anyway, and this isn’t the actual Instagram. It’s a knock-off Instagram’ (WS6S4C3).

These descriptions of different actions showed how children assessed a deceptive scenario and the risks attached to it, giving us more insights into RQ1 and RQ2. The children, the majority of the time, assumed malicious intent, even with the legitimate warning, and anticipated a ‘Bait and Switch’ style exploit behind them.

Consequences. The children mentioned several consequences, which we roughly categorised into five areas: (1) offline harm, (2) leaked data shared with others or used online to scam or spam the victim, their friends or others, (3) bank account hacked and financial loss, (4) web account(s) hacked and (5) device hacked or infected with a virus.

An example of offline harm (1) was communicated in response to the Privacy Zuckering scenario, where one child connected their online behaviour with physical safety and risk to imagine, ‘The camera can see your school uniform. Then they will see my badge, and then they can come to school’ (WS6S1C2). Others shared, ‘They could track you down and like maybe steal stuff in your house’ (WS3S1C3) or ‘[Data leak would be horrible] ‘cause you don’t really want someone to come to your address’ (WS7S4C1).

One example of the shared or leaked data online to scam the victim (2) was also shared in response to the Privacy Zuckering scenario: one child said, ‘They could maybe use your face and then just start spreading fake rumours’ (WS7S1C2). Another commented, ‘When you click that, it will take you to one of their applications and those guys spam you’ (WS4S3C2).

While the Privacy Zuckering scenario yielded more offline harm responses, the other three scenarios overwhelmingly resulted in either a financial loss or account or device hacking. Financial losses (3) were imagined to occur through a bank account being hacked, e.g., ‘then you get an e-mail from your bank account. There’s been an error, and all your money is being spent’ (WS3S2C5) or ‘they can hack into your phone and log into your robux account and use your e-mail to buy a lot of things’ (WS1S2C3).

Accounts were hacked (4) either by entering credentials and having them stolen or simply by clicking the wrong button. Another child discussed this in terms of being conned into entering login credentials to a fake website: ‘Then you tried to log back in [YouTube], they would have already changed your password’ (WS2S4C1).

Device hacking (5) was understood to occur in different ways, from taking control of a camera or software or shutting a phone down. In response to Scenario 4, one child (WS3S4C1) imagined that the example URL, ‘Instagram.con’ would enable a hacker to see their photos, continue using their camera or watch their victims. This child explained: ‘If you click on advance anyway, hackers will be able to take over your PC and move your mouse to their advantage, which is not recommended. Then they could be watching you through your phone camera on your phone.’ Most interestingly, a few suspected this scenario to be a ‘double bluff’ (WS6S4C1): ‘The back to safety button would also give you a virus. Either way, you are going to get a virus’ (WS4S4C3).

The behaviours in response to the four scenarios were discussed in two primary ways: cautious and risky behaviours.

Cautious Behaviours. The children exhibited cautious behaviours, such as not engaging, asking a parent or reporting suspicious activity. Several examples were communicated (e.g., leaving a game, not inputting any details, closing/refreshing an app or deleting it). For example, ‘I wouldn’t put my details in’ (WS5S2C2) or ‘I would just close the app and delete it’ (WS7S4C2).

Another common cautious behaviour was to ask a parent, exclusively a mother. Indeed, fathers were not mentioned during the study. One participant said, ‘I always ask my mum if I can get games [and that] my mum has to accept’ (WS6S1C5). Mums also put rules in place for online behaviour: ‘If it’s social [media], I have to ask her’ (WS6S1C5); an alternative was to use family sharing of app and content producers (e.g., ‘My mum and I have a thing called family sharing on my devices at home. On the App Store, I have to type in my password and then it says ask and then it sends a notification to my mum’s phone and she has to then accept it and type her password in’ (WS6S2C3). The children would report suspicious activity in certain instances. In response to Scenario 2, one child would report the behaviour to a reputable website, ‘report like on YouTube’ (WS6S2C3) and another shared, ‘the best way to prevent this by reporting in the person or contacting Robux. So he would not be able to scam anyone else’ (WS3S2C4).

Risky Behaviours. Several risky behaviours were mentioned, including not reading the ‘Terms of Service’, ignoring age-related warnings or brand bias. Similar to adults, these children did not read the terms of service: ‘I can’t be bothered. Click the accept button’ (WS6S1C4), another providing a rationale: ‘Because it’s too long. No one wants to read all of it’ (WS2S1C3).

Age-related content warnings were raised as items to ignore, as though barriers to playing a game. One participant said, e.g., ‘It’s just car racing’ (WS6S4C1) and thus not an important/relevant warning. Finally, some participants exhibited a degree of brand trust that influenced or underpinned risky behaviour. In response to Scenario 2, one child said, ‘You might think: it’s YouTube. It’s a big company. There won’t be any problems’ (WS6S3C1).

An important extension of the scenario-based discussion was where children had learned about navigating online risks, the challenges and dangers. While we did not set out to elicit this information, it became a relevant part of discussions and provided insights into knowledge gathering and patterns of online behaviour. Children demonstrated familiarity with terminology and shared two primary sources of information: (1) schools and teachers and (2) parents.

Parental influence. Parents were primary sources of knowledge. Some children asked their parents when encountering certain scenarios online. One child said: ‘I have asked my mum if it was like a scam or something; I just ask mum for advice about it’ (WS7S4C3) and another shared a personal experience at home with negative effects: ‘My mum was hacked once […] my mum always told me. Like, don’t trust things like that’ (WS7S2C1).

Schools and Teachers. Generally, the children cited their school as the source of their security knowledge. Although they could not give details on definitive programs or training, they did say that they had been taught about online behaviours. This was aptly phrased by one child: ‘I can’t remember what primary year it was, but we learned about it in school once as well’ (WS6S1C5). Teachers communicated the need for caution while online, which a child explained: ‘And my teachers always said that they [don’t trust things like that] as well’ (WS7S2C1).

Interestingly, where the children used tablets (often iPads) at school, devices were considered safe. It was assumed that they could not be breached, as one child explained, ‘[can they get into it?] not on our school iPads’ (WS6S1C4). Schools clearly informed children’s knowledge of internet safety, but there were noticeable gaps. The children and their teachers had less familiarity with the ‘Privacy Zuckering’ scenario. Hence, a few children questioned the motivation behind the request with queries such as ‘why would they want to see you? no app has ever asked to scan my eye’ (WS6S1C1), ‘cause they want the little kid’s face to do something [else]’ (WS6S1C3).

Familiarity with Terminology. The children had awareness of dark patterns, using phrases, such as ‘dodgy’, ‘sketchy’, ‘fake’, ‘scam’, ‘spam’, ‘hack’, ‘virus’, ‘malware’, ‘trojan’, ‘remote PC’ or ‘dark web’, as well as safety icons, like the ‘browser lock icon’, which one person attributed to safety, as in, ‘they’re safe websites with the lock at the side’ (WS4S2C5). The children did not mention more recent types of attacks involving, e.g., ransomware or deep fakes.

Some insights emerged that can inform future studies:

Children Need More Nuanced Insights. One child said, of Scenario 4: ‘It’s probably a real warning’ (WS7S4C2). When the researcher asked why, he said: ‘It’s hard to explain.’ It seems that children have been made aware of the presence of dark patterns but not really given enough information to help them distinguish between dark patterns and genuine warnings. They assume the presence of the one pattern they know a lot about: the ‘Bait and Switch’ leading to fear-based responses. One possibility would be to co-design card decks or serious games with different stakeholder groups to help develop this ability.

More Realistic Expectations of Consequences. We observed a tendency for children of this age group to conflate cybersecurity risks with threats to personal safety. This seems to infuse cybersecurity with a measure of anxiety, which is bound to hamper their ability to distinguish good from bad. This generation of false positives suggests that while they are aware of threats, they do not have a sense of what cyber criminals might be trying to achieve nor what their motivations might be [78]. We should be educating children to anticipate cyber criminal motivations and deceptions rather than focusing on specific attack and deception types.

We need to do more research to find better ways to educate children rather than scaring them [67] and risking their construing personal safety consequences from cybersecurity threats.

Understanding Exploitation. The children seemed to realise that permitting an eye scan could make them more likely to give more information: ‘cause you think like oh they just asked me for my eye you might put in that information anyway’ (WS6S1C4). This child knows about the human need for consistency: having given one piece of information, this human tendency is likely to prompt further divulging of information. However, they did not seem to understand that their biometrics were valuable and that asking for these was another form of exploitation. They should be taught that they have the right to privacy and that their biometrics are personal data which should not easily be divulged.

Building Resilience. The children seemed to have a sense of doom and fatalism, feeling that if they were deceived, there would be no way of recovering. ‘He has all your details, and you can’t do anything about that because you’ve agreed to all these terms of services’ (WS6S2C3). Hence, they ought to be given the skills to know how to recover from compromises and reassured that it is not impossible to recover and move on.

The Role of Parents. A number of children mentioned their parents (mums, actually) having given them advice about online deception possibilities. This suggests two directions. The first being that educating parents about dark patterns would be a good way of ensuring that the message is reaching children [62], which is especially beneficial since it would reach more children and also equip parents themselves to detect and resist dark patterns. The second is that it is essential to speak to both parents and their children, to gauge the influence of parents’ knowledge and efforts to educate their children in this respect.

The contrived nature of our study, due to pandemic constraints, has led to limitations which we acknowledge. The primary limitation stemmed from the ethical protocols we elected to employ and accommodations we made resulting from COVID-19 (i.e., inability to collect data in person) and ethical sensitivities to online data collection with children. This limited data collection and analysis practices. Our preference for this work, which we suggest for future directions in this area, would have utilised in-person data collection wherein drawings could be matched with individuals and researchers could follow-up consistently and comprehensively with the participants.

Due to the remote nature of the workshops and the decision not to collect video footage, we were unable to directly observe the classroom during the workshops, which had several implications: (1) some children might have spoken multiple times, with others remaining silent; (2) some children may have been able to see each other’s drawings while others may not have and (3) children may have discussed their drawings with one another while drawing, while others may not have. Similarly, while it would have added value to the data, we were not able to link the drawings to individual children. We considered this preferable to de-anonymising children, or asking teacher facilitators to issue children with anonymous codes, which could have been an error-prone process. Given our reliance on teachers as facilitators, we did not want to burden them with additional requirements that we would not be able to verify.

The children in Scottish schools mostly sit in groups of four at a single desk, which meant they could see each others’ drawings as they drew. An element of groupthink might have influenced the outcomes of particular workshops. Factors such as perceived peer pressure [87] and fear of missing out may be particularly strong in teenage children [1], threatening to override trust considerations.

We presented the scenarios in the order we present them here, which might have biased perceptions. Finally, their teachers’ clarifications and instructions (as our facilitators) differed from workshop to workshop, and this, too, might have had an impact on the children’s drawings and responses. We also acknowledge that the instructions given to participants may have focused their attention on risk and the presence of bad actors more so than might be the case outside a workshop.

Finally, we do not claim that our findings generalise to other children of a similar age, even in Scotland. This was a snapshot of a few particular classes at a specific point in time. What our study does do is point the way forward for future work in this area, and highlights the need for more studies of this kind.