Muddy Waters sang about power imbalance — the authentic signal buried under noise, people held down by systems they did not choose, the thing you needed to hear getting drowned by the thing someone else wanted you to hear.

He was singing about the blues. He was also, without knowing it, singing about dark patterns, cookie banners, and the browser that became the server spy.

The Gutenberg/Semantic model describes two layers in every information system: the physical layer (bytes, addresses, infrastructure) and the logical layer (meaning, names, content). The waterline between them is where translation happens. When the waterline is clean and visible, users can navigate — they know which layer they are in, what each element means, and how to get to their goal. When the waterline is muddy, navigation fails. The user cannot tell what they are looking at, what it will do, or how to get out.

SUX: Shady User Experience.

Two Kinds of Muddy

Not all muddy waterlines are the same. The distinction matters because the fix is different.

Accidentally muddy — the ORM that hides the SQL without meaning to. The legacy system that grew organically until nobody understood it. The architect who collapsed the waterline through ignorance rather than intent. The failure is structural. The cause is proximity blindness or accumulated technical debt. The fix: go to the Gemba, find the sticky notes, clean the waterline.

Deliberately muddy — the cookie banner designed to make “reject all” impossible to find. The airline booking flow that reveals fees one screen at a time until cancelling costs more than continuing. The insurance policy with the exclusions in 6-point font. The newsletter modal that blocks the content until dismissed and whose close button is 8 pixels in the corner. The failure is intentional. The cause is a business decision that the user’s confusion is profitable. The fix: regulation, competition, and naming it clearly.

The Shady User Experience is always deliberate. The muddiness is not a side effect — it is the mechanism. The boundary between what the user was told and what actually happens is kept muddy because clarity would reveal a trade the user would not accept.

The Dark Pattern Catalogue

The cookie banner. GDPR was designed to give users meaningful control over their data. The correct implementation: a simple choice, equal prominence for accept and reject, no dark patterns. The actual implementation, on most sites: a large green Accept button, a small grey Manage Preferences link that opens a second screen with 400 toggles all set to on, no “reject all” button on the first screen, and a design explicitly crafted to maximise consent rates. The regulation was correct. The implementation was captured by the Def-Push tribe and turned into noise. The waterline between “you have control” and “you will click accept” was muddied deliberately.

The disappearing close button. The chatbot appears in the corner. The user does not want it. There is no clean close. There is a minimise that makes it smaller. There is an X that opens a feedback dialog before dismissing. The clean exit was removed because the Def decided the user should see the chatbot whether they wanted to or not. The cognitive tax is deliberate. The muddiness is the feature.

The exit intent popup. The cursor moves toward the browser chrome. A modal appears. The site is now intercepting the user’s attempt to leave — using JavaScript to detect the intent to close the tab and inserting a Def message before the user can act. The semantic intent (leave this page) is intercepted at the Gutenberg layer (cursor position, mouse trajectory) and redirected. The user’s agent has been subverted by the server.

The roach motel. Signing up is one click. Cancelling requires finding the account page, then the subscription tab, then the cancellation flow, then the retention screen offering discounts, then the confirmation screen, then a follow-up email offering to pause instead. Each step was designed. The asymmetry between entry and exit is not an oversight — it is the product of someone’s sprint ticket: reduce churn by adding friction to the cancellation flow. The Def optimised for the Def’s metrics. The Use paid the cognitive tax.

The forced account. You want to buy one thing. The checkout requires creating an account. The account requires an email address and a password. The email address will be used for marketing. The password will be stored in a database that may be breached. You wanted to buy a lamp. The Def wanted a CRM record. The waterline between “purchase” and “data collection” was muddied so you would not notice the trade you were making.

The Browser Arms Race

The browser’s formal name in the HTTP specification is the user agent — the software that acts on behalf of the user at the Gutenberg layer. It represents the user’s interests. It renders what the server provides. What the user does with that content is the user’s domain.

When sites began subverting the user’s experience — popup windows, popunders, right-click disables, exit intent scripts — the browser vendors responded on behalf of their users. Popup blockers. Gesture requirements for notification requests. Mixed content blocking. Each protection was Use-Pull: the browser vendor listening to the Use signal (users being harmed) and acting on it.

The arms race:

  1. Sites spawn popup windows without user intent
  2. Browsers add popup blockers
  3. Sites move to popunders — windows that open behind the current one
  4. Browsers block popunders
  5. Sites move to exit intent overlays — same manipulation, inside the page
  6. Browser vendors cannot block what happens inside the page without breaking legitimate use

At each step the browser vendor acted for the user. The server kept finding workarounds. The user agent tried to stay on the user’s side.

Right-click disable is the micro-example of where the server reaches through the Gutenberg layer to suppress the Semantic tools the browser provides. oncontextmenu="return false" overrides the context menu — the boundary marker that exposes what the browser knows about the element and offers semantic operations on it. It does not work for determined users (the image is still in the cache, the source is still accessible). It breaks accessibility and legitimate use. It signals that the site knows its content would not survive inspection.

The browser is the user agent. Not the server’s enforcement mechanism. When sites disable right-click, they are not protecting their content — they are muddying the waterline between what you can see and what you can do with it.

Chrome: Another User Agent Corrupted into a Big Tech Spy?

The question mark is doing real work. Chrome still does many things that genuinely serve users. But the direction is clear and the mechanism is visible.

Corrupted is the precise word. Not broken. Not incompetent. Corrupted — the original purpose deliberately subverted by a conflicting interest while the vocabulary of the original purpose is retained to mask the subversion.

Chrome launched in 2008 as a genuinely better browser. Faster, cleaner, more standards-compliant than IE. The V8 engine improved JavaScript performance for everyone. Process isolation improved security. Google’s interests (more web usage = more searches = more ad revenue) aligned with the user’s interests (a better browser). The user agent acted for the user.

Then the interests diverged. Chrome’s market share grew to ~65% dominance. Switching costs accumulated. Google became simultaneously the browser vendor, the largest digital advertising company, the dominant search engine, and the owner of YouTube. Every genuine privacy improvement that served users cost Google advertising revenue.

Manifest V3 was announced as a security improvement. The practical effect: ad blockers became less effective. The webRequestBlocking API that allowed ad blockers to intercept and block requests dynamically was deprecated. The replacement declarativeNetRequest API uses pre-declared rules — significantly less capable against dynamic ad injection and the tracking techniques that matter most for privacy.

A genuine user agent would strengthen ad blocking — hundreds of millions of users install ad blockers because they want them. Chrome weakened ad blocking. Google’s revenue requires ads to be delivered and measured. The sequence is not ambiguous.

The Privacy Sandbox and the Topics API complete the inversion. Third-party cookies (cross-site tracking via the server) are being replaced by the Topics API — the browser watches what you read, categorises your interests, and reports them to advertisers on request. The tracking moves from the server into the user agent. The browser is now the spy. The data never leaves the browser — technically. The surveillance profile is still built. The targeting still happens. The cheerfulness of “we’re building a more private web” continues.

The Firefox and Safari contrast:

Mozilla kept webRequestBlocking. Mozilla has no advertising business. uBlock Origin works fully on Firefox — because there was no business reason to weaken it. Apple’s Intelligent Tracking Prevention is genuine — Apple’s revenue is hardware and services, not ad targeting. The user agent with no advertising conflict acts for the user. The user agent with the advertising conflict acts for the conflict.

The browser you choose is a Def-Push / Use-Pull decision. Chrome’s Def is now shaped by Google’s advertising business. Firefox’s Def is shaped by users and a non-profit mission. The browser that actually represents you is the one whose business model aligns with your interests — not the advertiser’s.

Chrome is now both the user agent and the server spy. That is the muddy waterline at its muddiest — the software that is supposed to represent you, representing someone else, while telling you it is still on your side.

The Regulatory Response and Its Limits

When the waterline is deliberately muddy, regulation is the only corrective mechanism — because the market rewards the muddying and punishes clarity. Higher conversion rates, lower cancellation rates, more data collected: the Def’s metrics improve when the waterline is muddier. The Use signal (user frustration, distrust, abandonment) is diffuse, delayed, and hard to attribute.

GDPR was the attempt to mandate a clean waterline between your data and their data. The regulation was correct in principle. The implementation was captured: the cookie banner industry exists to produce technically compliant banners that maximise consent while minimising genuine user understanding. The regulation added a layer of noise without delivering the benefit. The waterline got muddier.

The correct regulatory target is not the specific dark pattern but the waterline itself: the boundary between what the user was told and what actually happens must be visible, accessible, and honest. Not “you clicked accept on a 47-toggle preference screen” — that is a muddy waterline laundered through compliance theatre. The user’s informed consent is the Semantic layer. The consent mechanism is the Gutenberg layer. The two must be honestly connected.

Muddy Waters Knew

The authentic signal — what the user actually wants, what the content actually is, what the system actually does — is not hard to find. It is buried. Deliberately, systematically, profitably buried under cookie banners and exit popups and Terms of Service agreements and mandatory account creation flows and Manifest V3 API changes that weaken ad blockers.

Muddy Waters sang about the same structural problem. Power held by those who control the infrastructure. The authentic signal — the music, the voice, the thing that needed to be heard — getting buried under the noise of those who controlled the pressing plants, the radio stations, the distribution networks. The Use side producing genuine signal. The Def side muddying it for profit.

The fix is the same in both cases: name it, clean it, and where cleaning requires forcing someone to give up a profitable muddying, legislate it.

The browser is the user agent. Not the server spy. The waterline between what you are shown and what is actually happening should be visible, accessible, and honest.

That is not a technical requirement. It is a basic standard of dealing with people fairly.

This post is part of the Gutenberg/Semantic series. Related: Hiding the Waterline Makes You Drown Without Knowing Why on the cost of invisible boundaries, The Complaint Department Has Been Transferred to Another Dimension on enshittification and closed feedback loops, and Competition Is Use-Pull. Monopoly Is Def-Push. Government Is Both. on why regulation is sometimes the only fix.