I am trying to evaluate the barriers of online security and privacy to people with cognitive disabilities.
This work will help inform the effort of the W3C’s Cognitive and Learning Disabilities Accessibility Task Force to recommend standards on how to make online security and privacy more accessible.
Problem
I am struggling with how to go about this evaluation. It is a daunting task to come up with common barriers and solution recommendations across:
- the many end-user security and privacy techniques, e.g.:
- passwords;
- two-factor authentication;
- biometrics; and
- encryption
- the variety of platforms upon which the techniquesare implemented, e.g.:
- operating systems;
- devices;
- web and mobile apps; and
- messaging
- the different ways the many techniques within the various platformshave been implemented by the major players, e.g.:
- Apple;
- Google;
- Microsoft; and
- Open Source
Background
It is well known that people sacrifice security and privacy for the sake of convenience. Security and privacy techniques are too difficult to use, and thus are inconvenient. For people with cognitive disabilities, such “inconvenience” amounts to a significant barrier. (See my recent blog post about CAPTCHA for an illustration.)
It appears to me, from my research so far, that there is a lot of work on how to improve the security standards of information and communications technology (ICT) without much focus on the usability and accessibility of it. For example, I could not find even the terms “usability” and “accessibility” in the ICT Security Standards Roadmap of the International Telecommunication Union, an agency of the United Nations.
Improvement
Determining how to make online security usable for everyone must include people with cognitive disabilities. Doing so will mean that the related user experience will be designed to be as simple as possible. The more the experience is easy to use, the more everyone will protect their assets and privacy.
A piece of good news is that the Electronic Frontier Foundation is researching how to measure the usability of implementing secure messaging as part of its “Designing a Prize for Usable Cryptography”. I expect that work would be enough to help develop usability and accessibility-evaluation standards for online security and privacy in general; and to inform the creation of related recommendations for people with cognitive disabilities.
Solution?
I am working on a list of barriers, based upon functional limitations, which are common to end-user security techniques, and sublists unique to each technique. I am not a security and privacy expert. Thus the limitations I am considering are based solely upon my expertise in accessibility and cognitive disability, and what seems logical to me. (For an example, see my recent blog post about CAPTCHA.) I suppose that effort will have to suffice until a security expert, such as the Electronic Frontier Foundation, determines how to measure related usability.
Help Needed
I welcome comments with:
- suggestions about how to evaluate the barriers of online security and privacy to people with cognitive disabilities; and
- information about any effort to evaluate the usability and accessibility of online security and privacy techniques
Notes:
- See Stay Safe Online for online security-related instructions and information.
- No endorsement is intended or implied of the organizations and their efforts mentioned in this blog post.
Great topic. But I wish you had laid out your plan here so that cognitive users can see it visually.
In accessibility for cognitive disability, the first rule is a well thought display of a web page, using color & font size headers, and a logical positioning of the items.
It also is more common for security & privacy setting to be located in the upper right corner. In fact, I wish the Internet would adopt a “privacy settings standard” for location & font type & terms. This universal approach will go a long way to make security setting access more universal.
My other privacy & security recommendations:
1. Using a system that recognizes a user’s PC, table, or mobile device for automated sign-in of the person.
2. Use of standardized 3rd party password apps with clear instructions on heirarchy and how to use, eg. you should not keep banking passwords here; but online shopping & most credit cards are OK as there’s a transaction record where errors & exploit purchases can most often be reversed.
Once the above become more standardized, sign in & access becomes as simple as visiting the web site.
Stephen Dolle
Expert on Cognitive Accessibility
Soon to host CognitiveAccessibility.org
Hi Stephen,
Great criticism! It is with some shame that I admit I do not present visual equivalents of my blog-post text.
Thank you for your cognitive-accessibility suggestions. I agree with them. My entire blog is about my research of, and experiments with, cognitive accessibility.
I too wish the Internet would adopt more user-interface standards, not just for security, but for site navigation and much more.
Your suggestions about automatic recognition of a user dovetail nicely with work I began a couple of weeks ago with members and advisors of the Coleman Institute for Cognitive Disabilities. We are working now to publish a related white paper.
I agree that use of standard password-keeper apps, along with the safeguards you suggested, would be beneficial to people with cognitive disabilities.
I look forward to your future website about cognitive accessibility. You may be interested in the work of the W3C’s Cognitive and Learning Disabilities Accessibility Task Force, of which I am a member. See http://www.w3.org/WAI/PF/cognitive-a11y-tf/
John
John, thanks for the update. I recall communicating with several folks at the Coleman Institute as far back as 2002. I am an affected user and have undergone 12 brain shunt operations for hydrocephalus (w/ numerous shunt malfunctions) since a 1992 auto accident. I have a strong health care & tech bkg, and invented a neuro dx program in 1997, and began creative uses of assistive cognitive aids that put me in touch with HP, Coleman, and others.
About a year ago, I began writing about cognitive challenges in what I termed a “Cognitive Accessibility Crisis.” I host content on the page below, but I should really just copy the content over to the stand-alone web site. I’ve got way more to do than I have the time or health to juggle. I’ll offer input when I can. I recently received a paper from your committee asking that I review and answer an online questionairre. In good time. http://www.dollecommunications.com/cognitive_accessibility.htm Best, Stephen