An interdisciplinary path leads PhD student Johanna Gunawan to research on dark patterns

June 29, 2020

By Hannah Bernstein

After the 2015 San Bernardino shooting, Apple and the FBI embarked on a very public lawsuit about whether devices like the iPhone should have built-in “back doors” for law enforcement to use during investigations. The suit hinged on a long list of issues, including data privacy, consumer protection, encryption technology, regulation of the technology industry, and more.

At the time, Johanna Gunawan was in her senior year at Northeastern, studying political science and international affairs. She was thinking of going to law school, and her interest in the Apple/FBI suit made her consider technology law. But just becoming an attorney who had no technical background felt wrong — how can you develop regulatory solutions to computer science problems if you don’t understand computer science?

“There’s a lot of frustration with how we use technology as people or societies,” Gunawan says. “To only go about it from the theoretical or political science angle seemed too limited. What I was feeling was that there was so much more to learn.”

That philosophy propelled Gunawan into coursework in Khoury’s Align master’s program, then to the cybersecurity graduate program, and eventually to where she is now — a PhD student in cybersecurity, jointly advised by Khoury College and Northeastern’s School of Law.

In her program, she’s focusing on manipulative user experience (UX), which is how websites, apps, and companies make it difficult for users to retain control over their data or privacy. Part of her research is finding and categorizing these practices, sometimes called dark patterns, which can manifest as buttons, terms of use contracts, pop-up boxes, and more.

Documenting technical evidence of data privacy or consumer protection issues is one thing, she says, but it’s another task entirely to create legal infrastructure that can define the scope and scale of that evidence, as well as any injury it may have caused.

“The problem with tech is that it’s moving so fast that we need both of these things: both finding what’s wrong and what’s out there, then understanding why something is wrong and how wrong it is, and what things you can do to prevent it,” Gunawan says. “[Law and technology] have to work together, and they have to work together fast.”

Focus on dark patterns in the context of regulation

Because her research is so interdisciplinary, Gunawan has four advisors between Khoury College and Northeastern’s School of Law. Christo Wilson, David Choffnes, and Alan Mislove are computer science and security researchers in Khoury College, and Woodrow Hartzog holds dual appointments in Khoury and the School of Law.

One thing she’s found particularly interesting is that while all dark patterns are manipulative, not all of them are actually intended to be malicious.

“What we’re seeing is that a lot of reputable companies are still participating in these practices, not because they’re trying to be con artists, but because there’s not a lot of structure and regulation that prevents it,” Gunawan explains.

The problem comes when users want to take actions within an app that are counter to what that app wants you to do — such as delete your data or account, or contact support. Apps use these dark patterns to try and control what the user sees and does, disempowering the user and taking the control of their own information out of their hands.

“App designers don’t provide meaningful ways for users to exercise their own control over their data, or their consent,” Gunawan says.

To provide those meaningful ways, Gunawan says, the tech field has to understand what the practices are, who is utilizing them, and what they are being used for. That’s one of her main research questions right now, because in order to develop future regulatory infrastructure, you need that body of technical evidence first.

“The evidence is powerful when you’re actually trying to build this legislation,” Gunawan says.

From international affairs to computer science and the law

The road to her Ph.D. hasn’t been straightforward. Gunawan said she never felt like someone who could work in STEM because she didn’t excel in high school math and science classes. She came to Northeastern because of its excellent study abroad and international affairs program, but took co-ops in marketing and tech instead, eventually taking a job at Akamai as a technical writer once she graduated.

It was around this same time that Khoury began offering the Align program in Boston, a master’s program designed to bring in students without computer science backgrounds and give them an academic bridge to computer science. She was able to transition from the program to the Ph.D. track, and says her experience in Align was foundational — it allowed her to meet people who came from diverse backgrounds, all interested in deepening their knowledge of technology to have an impact on the world.

“What I was realizing was that you don’t need to be this prolific coder if you want to make a difference in technology,” Gunawan says. “It just seems like all people do is code, but there are so many other jobs you could do.”

Then, she got an email about an event with Woodrow Hartzog, a Northeastern law professor. Inspired by his work uniting law and user experience, she discovered more people at Northeastern asking the same questions she was and actively doing research at the intersection of law and technology. This led her to learn about Choffnes, Mislove, and Wilson’s work on issues in privacy and security.

Though initially nervous about the PhD, she jumped in anyway, beginning the program in fall 2019. Now, she’s hopeful that the work she’s doing could pave the way for better consumer protection laws in the future.

“Increasingly, the frontiers of computer science aren’t just about technical issues, they’re about the places where technology and humans meet,” says Wilson, one of her advisors. “We need more PhD students like Johanna who have strong technical skills but also the broader perspective to tackle issues of social importance.”

Hartzog, another advisor, says Gunawan’s interdisciplinary background makes her extremely well-suited to explore modern data protection frameworks that are concerned with how technology is made and how it’s used.

“Johanna draws from both computer science and legal studies to bring technical and policy sophistication to her research,” Hartzog says. “Her practical experience and deep wisdom about legal and technical systems allows her to meaningfully contribute to policy discussions in law and industry.”

Gunawan says although spending so many years at one institution may seem tiresome to some, staying at Northeastern was an easy choice — through all of her experiences, she’s always had the space to innovate and try new things.

“I felt confident that if I needed to do something new or something fresh, that I would have that support, culturally, at Northeastern and from my advisors,” Gunawan concludes. “After almost a decade thinking about my seemingly disconnected interests, I found that they could all be combined, which was not something that I thought was possible.”