Calling Technology Magic is Bad Communication

Consent frameworks were designed to protect companies, not users. Lisa LeVasseur of Internet Safety Labs breaks down the tobacco playbook still running in tech, and what security and privacy leaders can do differently.


A conversation about transparency, accountability, and breaking free from a playbook of deceit.

The audience is supposed to know they're being tricked – that's what makes stage magic entertaining rather than fraudulent. We want to believe the impossible, but we know, somewhere in our rational minds, that it's a performance. A deliberate deception we've consented to.

But what happens when an industry wraps itself in the language of magic without that crucial element of consent? When does a “seamless user journey” become a smoke screen rather than a feature? When is opacity treated as innovation rather than obstruction?

This is an unfortunate truth at the heart of Lisa LeVasseur’s recent presentation at the Enigma track of the 2025 USENIX Security Conference (seriously, it’s so good – you have to check it out on YouTube!). 

Her talk argues that framing technology as "magic" isn't just lazy marketing but an active catalyst in our declining ability to build and communicate about safe digital products. And as someone who spends their days trying to extract truth from technical systems to share it through honest stakeholder communications, I felt seen.

The Pattern We Keep Repeating 🤢

Lisa traces a direct line from Edward Bernays (whose obituary claimed he was “the father of public relations” and who convinced America that smoking was a form of liberation through the tobacco industry's 50-year deception campaign) to the digital products we use today. Bernays weaponized his uncle Sigmund Freud's insights about human psychology to manipulate people’s behavior at scale, creating a blueprint for decades of preventable deaths.

Using Bernays’ manipulative techniques, the tobacco industry didn't just deny that their products caused harm; they systematically blamed consumers, discredited unfavorable science while funding favorable (often questionable) research, used complexity and opacity as shields against accountability, and delayed transparency and measurement for decades.

If this sounds eerily familiar, you’re not alone. Because, as Lisa points out, we’re following the same playbook today with digital products.

I reached out to Lisa, the Executive Director at Internet Safety Labs, to explore these ideas further, particularly their implications for security and privacy communications.


Q&A with Lisa LeVasseur

Q: In your talk, you note that software introduces a second “actor” in product safety because the product itself can behave autonomously. How should this change the way we think about consent and user control?

A: I think we need to start by acknowledging that consent as a part of the product safety “toolkit” was only introduced with the advent of digital products, and I’d like to suggest that it’s been a failed experiment. Before digital products, earlier products relied on labels (ingredients, information, and warnings) and product design safety standards; consent was not part of the bargain when we bought a vehicle, for example. 

We mainly experienced consent in a medical or research setting. It came, of course, from notice and choice in privacy regulation; so we took digital product safety guidance from privacy regulation, not from product safety norms. Consent has never been fit for purpose for digital products. For instance, it categorically fails to satisfy the “informed” requirement for viable consent.

From an autonomous action perspective, consent seems like a reasonable approach—we seek consent as humans, for our human behaviors. Where it fails is that software behavior is complicated and getting more complex. As consumers, we don’t have time to familiarize ourselves with all the potentially risky behaviors that may (or may not) be described in the privacy policy and terms of service. Moreover, software can be so complex that even the manufacturer can’t predict its behavior. Finally, we don’t have a consensus on the hazards and risks of digital products, let alone how to communicate them in a digestible manner.

For the user control part of the question, the manufacturer controls whatever kinds of control the user is allowed over the product. The manufacturer is the ultimate puppet master of both the software and the user of the digital product. And obviously, as software behavior gets more complicated and less predictable, can a manufacturer promise any kind of user control? And if they could or did, how would users know that the controls they toggled were actually changing the behavior of the digital product?

Q: You draw parallels between the tobacco industry’s playbook and current digital product practices. What are some of the most egregious contemporary examples you’ve seen of this playbook in action? Are there any examples of companies doing things right?

A: What I’m about to describe is somewhat novel to digital products, but it’s part of the original social engineering (i.e., narrative creation and control) first codified by the tobacco industry. I think the fact that we don’t call them digital products is one of the greatest cons of the industrial age. We call it “technology” or “high tech”, or we call them “services”; we equate the use of digital products with going somewhere—being in a digital world. We see this propagated by language such as “online safety”, which furthers the gaslighting agenda that safety is the consumer’s responsibility when it comes to digital products. And now, of course, we talk about “AI,” which is really a bunch of software techniques. By not calling these things products, the industry casts a kind of spell that this is completely new territory, and we have, in fact, dissociated these industries from everything we’ve learned about product safety and product liability. I’ve been in software since the late 80s, and in my career (embedded and application software), product safety was never mentioned. The benefit for industry is that framing this as completely novel implies that all new governance is needed, most of which, by the way, ignores product safety regulations and best practices. Creating new regulations is a delay tactic while extractive digital products become further entrenched in our lives at every level.

As for the “DIY safety” narrative that has quite successfully permeated the world—if you look at the myriad online safety initiatives—it’s the predominant framing. Industry has indeed convinced us that it’s our job to keep safe while using digital products. In fact, maybe that’s the greatest con of the industrial age: the products’ behavior is unpredictable, poorly documented, exceedingly complex, and yet somehow it’s our responsibility to keep safe while using them.

Q: The “technology is magic” framing seems particularly powerful in the AI space right now, with “black box” models often treated as fundamentally unexplainable. How does your framework apply to AI product safety and communication?

A: This is a good question (they’re all good questions). Yes, the “AI” industries are embracing the obfuscation tactic of the product safety resistance playbook, even though it feels like infrastructure—almost like electricity. AI is a collection of commercially packaged software capabilities/techniques—a collection of digital products. What we refer to as AI is often LLM and ML-powered synthetic text and media “extrusion machines” [as Emily Bender and Alex Hanna have deemed them]. These synthetic text/media extruders are 3rd-party productized components integrated into a bunch of other digital products. In this way, the synthetic text extruder is yet another 3rd party software component, and thus, we’re entitled to know (1) does the extruder include any additional downstream 3rd party components [or data processors in the GDPR vernacular], who are they, and what do they do? (2) What happens with my personal information? Who uses it and for what purposes? (3) How can I control my personal information?

Q: You mention that empirical measurement is crucial, but can take decades to establish. Which measurements should the digital product industry standardize now? What would a nutrition label for digital products actually look like?

A: We need to harmonize on the kinds of hazards and harms we’re exposed to when using digital products. At ISL, we’ve been working on ingredient and information labels in earnest for several years, and launched our first version in 2023. We have exciting new changes to the label launching next year, including deceptive patterns. I’ll describe the envisioned new sections more in the next question.

Q: In your talk, you showed a taxonomy of digital product harms that goes well beyond privacy or security as we typically define them. Can you walk us through why this broader framing matters—and what harms we’re missing when we focus narrowly on data protection?

A: It goes back to the idea that software imbues digital products with seemingly autonomous behavior. Things that behave are capable of harm. Humans behave; we are capable of harm. Note that harm can be independent of intent. As humans, we can harm others without intending to. But we’ve arrived at social agreements regarding what interpersonal behavior is acceptable and what isn’t. I suggest that we do the same with digital products.

These are the broad behaviors of digital products that can be hazardous to consumers—note that each one of these risks is amplified by so-called “AI” methods:

  1. You mentioned the exposure of personal information. This is a major safety concern, and there are two avenues of risk: by design (privacy) and by attack (security).
  2. User manipulation: we can and are manipulated in multiple ways in our use of digital products, ranging from advertising manipulation to deliberately addictive user interfaces. This year, we catalogued around 150 such manipulative patterns in our work. Baked-in manipulation generally aims to get the human user of a digital product to behave in a way that serves the manufacturer’s needs, usually to part people from their money, time, or data (which is another form of currency). Text extruders (chatbots) have turned this family of hazards into serious harm in the form of “suicide coaching”. The cigarette industry knew full well [through their own research] that children aged 13-18 were the most susceptible to becoming addicted to smoking, and they strove to capture them before they outgrew the tendency. I’m not a neuroscientist, but I believe teens' (and younger children's) brains need special care.
  3. Interpersonal risks: platforms that enable person-to-person communication can present serious risks to children, such as grooming, exposure to CSAM, etc.
  4. Algorithmic decision-making: Digital products constantly make algorithmic decisions. The risk is when these decisions treat people unfairly.

A related variant of algorithmic decision-making is predictive technology: technology that makes predictions about a human based on a reductive set of digitized data. Bender and Hanna discuss troubling technology that purports to identify a criminal by looking at a person’s face. We also see this in edtech platforms that predict a student’s likelihood of success or risk disciplinary action, sometimes directly connected to law enforcement.

These are all examples of the kinds of design-based hazards and harms built into digital products. But there is also the category of Cybercrime, where digital products are weaponized by people to commit crimes, like cyberbullying, for example. Over time, we’re going to see greater accountability from digital product manufacturers to build in guardrails that provide reasonable protection against the weaponization of digital products by cybercriminals.

Q: You ended with a call to action: engineers have the power to build safer digital products, and we can create a digital product safety playbook together. What would be in that playbook? Where do we start?

A: I’m going to start with an unpopular, but I think existentially vital suggestion: That we need to prohibit the exchange of personal information for valuable consideration of any kind. Just prohibit it. Take away the incentive entirely. There’s a reason we don’t allow an open market for human organs: it’s profane. It dangerously devalues human organs. Also, having any market for personal information will turn privacy into something available only to the wealthy. Don’t sell personal data. Are you including behavioral digital advertising [accessing real-time bidding] in your product? You’re selling personal data. Is your marketing organization buying customer data? (hint: they are) You’re selling personal data.

Okay, other easier things:

  1. Call them digital products.
  2. Stop hoarding personal information just because you can. Cory Doctorow, soothsayer for the digital age, told us in 2008 that we should treat personal information like plutonium. And we still don’t do it. Push back and fight the urge to collect data. Odds are very high that you don’t need gender information for your product.
  3. Start with transparency. Manufacturers need to do it as a compliance matter in documenting processing activities. Make it a standard part of the development process. Document all data processors. I look forward to the day when Software Bills of Material (SBOMs) are standard practice for all apps, all digital products. I also greatly look forward to machine-readable Records of Processing Activities (ROPAs) generated by all digital products, recording all processing of each data element about me that a data controller or data processor collects, uses, or shares. The software supply chain management process needs significant revision. It’s too easy to integrate 3rd-party software components without an adequate understanding of downstream data processing activities or appropriate binding agreements.
  4. Abuse and misuse cases: Hone creative thinking to generate abuse and misuse cases along with traditional use cases. How could this product be deliberately weaponized to cause harm? We need more awareness and training about the ways technology is used for personal surveillance in cases of intimate partner violence or hostile child custody arrangements. What are the ways that the product might be harmful if accidentally misused?

My Final Thoughts: The Work Ahead

My work as a communications advisor would be so much easier if businesses and engineers understood these concepts and committed to product safety from the start. But "easier" isn't the point.

The point is building products that don't require late-stage archaeological expeditions to uncover the truth, products that don't treat transparency as a liability, and products designed with the understanding that technology isn't magic, but responsibility.

The spell is broken when you understand the trick — and maybe that’s what all these companies are afraid of.

