I just noticed an interesting new communication pattern in a security update email from Dropbox: Burying bad news behind a second click that a recipient is unlikely to follow through on.

It’s the exact opposite of clickbait. So let’s call it click-repellant.

This approach will keep the 99% of the recipients who won’t actually click through that link from panicking, while still technically covering Dropbox’s legal obligations in notifying them of potentially compromised data. This is the email equivalent of fine print in a legal contract. Very clever.

Reading this email, you would think Dropbox is just performing routine updates and that it is no big deal. But if you click through the link, you learn the truth (also buried below the fold on their support page - relevant portion screenshot below).



So this is definitely a clever way to avoid bad PR buzz, but does this count as a dark (evil) pattern? That’s debatable.

Since the user still has to update their password regardless, their Dropbox account will be safe.

On the other hand, there are a LOT of ~~idiots~~ normal people who continue to use the same password all over the web. Perhaps if they knew that password / email combo data was currently available in the wild they would take pains to change it more globally.

Does Dropbox have an obligation to be crystal clear with users about this? If the breach originated with them, I’d argue that they do.
