Social Manipulation · ☠️ War Crime

Friend Spam

AKA: The Address Book Raid · Viral Loop Exploitation · The Uninvited Invitation

Bureau Classification

What It Does

Friend Spam requests access to a user's contacts — framed as "find your friends" or "see who's already on [Platform]" — then uses that contact list to send unsolicited invitations or messages to every contact, often without the user's specific authorization for each send and never with the contacts' consent to receive them. The user becomes an unwitting spammer, their name and likeness co-opted for a mass marketing operation against their social network. Variations include: sending invitations that appear to come from the user but were composed entirely by the platform; repeatedly re-sending invitations to contacts who have not responded; importing contacts and sending invitations that misrepresent the relationship (implying the user specifically selected these contacts rather than uploading an entire address book); and using harvested contact data for retargeting ads to people who never signed up for the platform.

Why It Works

Viral growth loops are the most cost-effective acquisition mechanism in consumer apps, and Friend Spam industrializes that loop by removing the friction of selective invitation. An invitation that appears to come from a known contact has dramatically higher open and signup rates than cold marketing. The platform borrows the user's social capital — the trust and recognition their name carries with their contacts — without the user's meaningful authorization and without compensating the user for the resulting signups. It works because the user doesn't realize the full scope of what "allow access to contacts" means until after the invitations have been sent.

How To Spot It

Any request to "find friends" or "import contacts" that is made during onboarding — before you have established any value from the platform — should be declined. The legitimate use case for contact import is finding existing users you already know; the dark pattern use case is sending invitations to everyone regardless of whether they already use the platform or would want to. Check permissions: "find friends" functionality does not require sending messages to contacts. If an app uses contact access to compose and send messages on your behalf, it has exceeded the scope of what "find friends" implies.
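An added illustration, not the encyclopedia's own code, of the distinction this section draws: the address-book raid beside a "find friends" flow that stays within what the phrase implies (match against existing members, discard everything else, and send nothing without a per-contact choice). The addresses and member list are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


def _h(addr: str) -> str:
    """Normalise and hash an address so only digests, never raw non-member data, are compared."""
    return hashlib.sha256(addr.strip().lower().encode()).hexdigest()


# Constructed sample data: the platform's registered members and one user's uploaded address book.
REGISTERED = {_h(e): e for e in ["ana@example.org", "ben@example.net"]}
UPLOADED_BOOK = ["Ana@Example.org", "carl@example.com", "dana@example.com", "ben@example.net"]


def friend_spam_flow(book):
    """The dark pattern: every uploaded contact is messaged, member or not, with no selection step."""
    return [f"invite -> {c}" for c in book]


@dataclass
class ScopedContactMatcher:
    """'Find friends' limited to its stated purpose: surface existing members, retain nothing else."""
    registered: dict
    sent: set = field(default_factory=set)

    def find_friends(self, book):
        # Hash-only comparison; non-member entries fall out of the set and are never stored or contacted.
        return sorted(self.registered[h] for h in {_h(c) for c in book} if h in self.registered)

    def invite(self, selected, book):
        """Outbound invitations require an explicit per-contact selection, and each goes out at most once."""
        sendable = []
        for c in selected:
            if c not in book:  # only contacts the user actually supplied can be selected
                continue
            key = _h(c)
            if key in self.sent or key in self.registered:  # no re-sends, no invites to existing members
                continue
            self.sent.add(key)
            sendable.append(c)
        return sendable
```

Compare the two: the raid yields four outbound messages from one permission prompt, the scoped flow yields two matches and zero messages until the user names a contact.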

Documented Incidents

#01 LinkedIn: FTC settlement in 2015 for sending repeated email invitations on behalf of users without clear disclosure, costing $13 million

#02 Facebook: "Friend Finder" feature that imported contacts and sent invitations in ways users did not fully understand or authorize

#03 Path: uploaded entire contact books to servers without disclosure, a scandal that triggered significant regulatory response in 2012

#04 Various dating apps: "see who you know" features that used full contact access to generate invitation spam

#05 Growth-stage consumer apps: onboarding flows that request contact access as the second or third screen, before any core value has been delivered

Body Count

Every contact in every harvested address book who received an unsolicited invitation they did not ask for is a data subject whose contact information was processed without their consent. Across the major platforms that have used this pattern, this figure is in the billions. The Bureau notes that the contacts — not the users — are the primary victims of Friend Spam, and they are also the least likely to have any recourse.

Legal Status

The FTC has taken action against LinkedIn and others specifically for Friend Spam under the FTC Act's deceptive practices provisions. GDPR applies to contacts' data processed through contact imports in the EU, and sending communications to people who haven't consented may violate the ePrivacy Directive. CAN-SPAM in the US applies to email communications. Multiple cases have been settled but the pattern persists in modified forms.

Bureau Verdict

"Friend Spam is a war crime because it conscripts users as vectors of attack against their own social networks, using their name and social capital without meaningful authorization, to contact people who never agreed to be contacted. The Bureau observes that "we had permission to access contacts" is not the same as "we had permission to contact those contacts," a distinction that every legal team in Silicon Valley understands and that many product teams choose to ignore."

— Bureau of Non-Consensual Cookie Bandits

Companies Caught Using This Pattern

Full audits available in the Privacy Policy Hall of Shame.