Bearer of Bad News

January 8, 2020
Sean Nelson

Good luck deleting your account on your own.

The second dark pattern we're honoring is painful user off-boarding. In this age of data breaches and privacy concerns, folks are particularly sensitive to how their data is collected, used, and stored. GDPR in particular requires giving users the option to download their personal data, however in some circumstances permanently deleting an account altogether is necessary for a variety of reasons, if not simply for peace of mind.

A trustworthy VPN is essential for protecting your online activity while working remotely from cafes, airports, hotels, and other public networks. During research trips our design team might be found uploading changes to a prototype in the back of a Lyft or pushing updates to Abstract from a hotel bar (makes for some fun commit messages), and doing so securely is high priority.

With dozens of mostly indistinguishable VPN tools available these days, TunnelBear seemed like a good place to start. It earned Wirecutter's pick for Best VPN Service and I appreciated their playful approach to marketing a (typically) nerdy tool in a way that appealed to a non-technical audience who could still benefit from its functionality. That said, I'm not married to VPN software in the same way I am to my favorite design tools, so when better deal came by for a similar service I switched.

What followed was a maddening and user-hostile off-boarding experience that uses dark patterns and emotional manipulation to keep you a paying customer.


UX writing can sometimes be dry, so there's often a desire to inject some personality into copy and calls to action. This is great! I think it's important for software to express some humanity, but often this approach becomes problematic when an interface speaks on behalf of its user, forcing them to make a decision in a voice that's not their own.

Consider a form that asks for donations to help find missing pets. The options to Make a Donation or No, thanks are wildly different than Make a Donation or No, I don't care about missing dogs. There are plenty of reasons why someone might not want to make a donation at that time, but their only option is to say that they hate dogs. Shaming a visitor for making a choice with language like this isn’t cute copywriting; it's manipulation.

TunnelBear makes use of this tactic throughout their cancelation flow.

After choosing to cancel a subscription, we see the bear we've grown to love crying at the thought of us leaving. "I thought we were friends," the copy reads. "We'll just tell the bear you went out to buy something, and you'll be back soon. The truth would crush him."

"I thought we were friends," says Bear.

After choosing a reason for leaving and clicking Cancel Subscription, the subscription isn't actually canceled. Instead, we must watch a ten second animation of that same bear slowing riding a conveyor belt towards a death — I mean shrink ray in a manner only a Bond villain could appreciate. Our choice is clear: save Bear by canceling the downgrade (and continue to pay for a subscription) or let Bear perish, I mean shrink.

"No, Mr. Bear. I expect you to shrink."

Say Goodbye

So we've done it. Our subscription was canceled but now Bear is dead, and that's a burden we've been forced to bear (sorry). As designed, this experience left me with a bad taste in my mouth—exactly what TunnelBear intended. Artwork once used to playfully illustrate the finer points of VPN software are now used as tools to taunt and gaslight users into feeling rotten. You wouldn't hurt this bear, would you? You can't possibly be upset with this company because look how cute these bears are.

In any other situation I would have kept my free plan lingering forever, but I instead opted to delete my account outright. Doing so opened an entirely new can of dark patterns.

Data Deletion

Designing UI for permanently deleting data is tough. When you can't lean on error recovery, error prevention is the name of the game. Designing the right amount of friction into your UI, however, is tricky. Making it hard to accidentally delete content without taking away the user's autonomy or insulting their intelligence in the process is a fine line to walk (we wrote a bit about how we do this at Hologram on Dribbble).

TunnelBear's approach uniquely includes lots of friction straight into a dead end.

After navigating to the Privacy tab, we choose to delete our account and confirm this action in a modal window with a big red button. So far so good. But clicking Delete my account doesn't actually do that. Instead, we're blocked by Bear again who is still crying and still sorry to see us go. Annoying, but we accept the double-confirmation and click Delete my account a second time.

Oops. Even though we went through three pages leading us to believe that we can delete an account ourselves, it looks like we have to contact support to do this for us. It's no exaggeration to say that TunnelBear has straight up lied to its users at this point. I've got to assume that drop off is high at this point, but I persisted.

Step 1: Select "Delete your account and personal data"
Step 2: Yes, I understand. Delete my account.
Step 3: Sorry Bear, but I need you to delete my account.
Step 4: Would have been nice to know 3 steps ago.

Hello, support?

I reached out to support and made my case clear. (I trimmed all correspondences for brevity, but the meanings have remained.)

Dark Mode: I shouldn't need to give you a reason to delete my account, nor do I appreciate these dark patterns that prevent me from doing it on my own. Please delete this.

Five hours later I get my first response.

TunnelBear: Sorry to hear that you'd like to delete your account. Can you clarify "dark patterns that prevent me from doing it on my own."?

Since you have a paid account, you'll have to cancel your subscription before you can delete it. Then, once your subscription has been cancelled, you can delete your account when your data expires.

Or, if you'd prefer that we delete your account immediately, let me know. Keep in mind that you'll lose access to any remaining data on the account (this is also the reason users can't self-delete their paid account, to avoid accidental deletions).

I had, in fact, already canceled my subscription (remember when we murdered, sorry, shrunk Bear?), so in no way was this a blocker. It's also interesting to learn users can't self-delete paid accounts, given we clicked through three separate prompts that led us to believe that we could. I replied.

Dark Mode: Clicking "Delete your account and personal data", then clicking "Delete my account", then clicking another "Delete my account" button, and then being told that I need to contact support. This is a dark pattern.

I already canceled my subscription before attempting this and visited that URL before, which didn't work and told me to contact support. I am now requesting that you delete my account immediately.

Nearly 16 hours later I'm notified that my account has been deleted, but not without a challenge.

TunnelBear: Regarding the deletion process, there's actually a few things you'd need to consider (as a website designer) before creating a big simple 1-step 'Delete' button on user's account pages.

First, we do feel that a few steps to delete your account allows users to ensure that this is actually the action that they'd like to take. It is not hidden and should still be straight forward by design.

Consider things from a support perspective. While the decision of deleting your account might be a straight forward thing for someone like yourself, this might not actually be the end result some of our other users actually intend. We have many users that are not tech-savvy or who's native language is not English. There are many users who simply wish to cancel their subscriptions and not delete their account (because they'd like to re-subscribe later, or they simply wish to downgrade to a free account).

We also don't want users who are paid and still have unlimited tunneling time to self-delete and then ask where their paid tunneling time went (sometimes, people do decide to continue the service!).

There is a fine line between making self-deletion accessible, yet not 'too-quick' which would actually create more problems in the long run in many cases.

And it goes on, but here's the thing: I don't inherently disagree with this sentiment (apart from the sass). There is a fine line between making self-deletion accessible and not too quick and there are plenty of tricky edge cases that need to be handled delicately. Unfortunately TunnelBear's execution doesn't live up to this.

The account deletion process is certainly "not too quick", I'll give them that, but after every prompt and CTA led us to believe that we can delete an account ourselves only to hit a "you must contact support" wall, that is in no way straight forward design. And making sure that users don't lose tunneling time that they've paid for is an important consideration! Thing is, we can do better.

Bear Essentials

Look, critiques are easy. But I believe that if you're going to criticize you should be able to recommend an alternative, so I took a few minutes and mocked up what I think might be a better off-boarding experience for TunnelBear that's gives autonomy back to the user, isn't emotionally manipulative, and still offers enough friction in the deletion process so it can't be done accidentally.

My rendition still has lots of character, but this time Bear waves us goodbye above some rewritten copy. No more emotional manipulation and the death shrink ray is nowhere to be found.

Deleting your account is simplified this time, too. A single confirmation modal requires you to type "DELETE ACCOUNT" before committing to a destructive action to help prevent accidental deletions.

And if for some reason deleting an account still requires contacting support, we make that easy to do right from the first step by changing the CTA to—wait for it—contact support.

Only you can prevent dark patterns

TunnelBear is doing a lot right. Their attention to detail in injecting personality into their product is excellent and the software itself is very easy to use. I mean, look at how Bear follows your typing but covers its eyes when you focus on the password field. This is adorable and really well executed.

I think that's one of the reasons why I was so burnt by the off-boarding process here. TunnelBear's product is so considered with their use of adorable moments like this, but it's used against their users when it challenges the bottom line.

Allowing someone to easily leave your service shows confidence and maturity in the product. Using shifty tactics and misleading copy may cloud the process and prevent some users for leaving, but for others it gets them running away even faster with no chance of returning. And what's the benefit of that?