By Andrea McColl and Esther Silver. To the uninformed, it might seem that the goals of digital accessibility and cybersecurity would be rivals. After all, isn’t accessibility about making it easier for people to come in, and cybersecurity about keeping people (or at least bad actors) out?
A recent UC-wide panel discussion on accessibility and cybersecurity, hosted by UCSF as part of the 2022 UC Cybersecurity Awareness Month programming, helped turn that notion on its head. The event increased awareness of how both goals can (and should) work together. However, this is not necessarily easy. The panel reviewed specific steps that must be taken and factors that must be considered for such a collaboration to succeed.
Moderator Cecile Puretz, Assistant Director of Disability Access and Inclusion at UCSF, opened the panel by reviewing the fundamental role that digital technology plays in everyone’s lives. She underscored that the playing field is not level for those with disabilities: “The reality is,” said Puretz, “for many people with disabilities, security measures are often largely inaccessible.”
The panelists discussed this point in more detail, describing the experiences of those with disabilities when it comes to cyber security, and the broader implications of inaccessible security measures. They emphasized that all people have a right to use a secure digital environment and to have their data protected. However, it should not be protected to the point that it is inaccessible to them.
Yue-Ting Siu, PhD, who teaches students with visual impairments at San Francisco State University (SFSU), emphasized, “When [people] don’t have access to the information that impacts them, they are no longer part of the conversation and they become disempowered.” For example, she talked about how, during disasters, information is often presented in a very visual fashion, making it unavailable to her students who are blind or have low vision unless alt-text and/or textual descriptions are provided.
The panel also discussed accessibility challenges related to the technology known as CAPTCHA, “Completely Automated Public Turing test to tell Computers and Humans Apart.” CAPTCHAs are typically used to protect websites from automated attacks by having humans perform a task such as identifying objects. However, unless accessible alternatives are not provided, people with disabilities can be completely locked out of a website. (For a detailed discussion of the interplay between security and accessibility for CAPTCHAs, see “Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web” by W3C.)
The panel went on to emphasize the criticality of engaging people with disabilities when developing, vetting, and implementing new security technologies. Lucy Greco, UC Berkeley Web Accessibility Evangelist, described several examples of teams that did this. At UC Berkeley, an exam proctoring technology risked blocking students with visual impairments if they did not hold their photo ID in the right direction, facing the camera. Greco also worked with another project team to convert a previously inaccessible password vault tool into one that all people can rely on.
Diane Tyo, UCLA Health IT Operational Continuity Analyst, drew attention to the fact that there is a wide range of disabilities that need to be considered [See “The Spectrum of Ability call-out box, above, or visit Introduction to Digibal Accessibility at UCSF]. For this reason, it is critical to engage people with disabilities when creating and evaluating tools and systems instead of just making assumptions about how people might be impacted by technologies. She also pointed out that making resources accessible to people with disabilities “is the law.” According to the Americans with Disabilities Act (ADA), Section 504 of the Rehabilitation Act, and California state law, public entities like the University of California must ensure that people with disabilities have equal opportunity to participate in, benefit from, and be free from discrimination in all programs, services and activities.
Several panelists reinforced the importance of establishing a dialogue between both security experts and accessibility experts. Jiatyan Chen, formerly Online Accessibility Program Manager at Stanford, summarized the roles of the two groups by saying that “if you see anything that’s front-end related, and it impacts a lot of people, send it to the Accessibility team to have them check it out. And for the Accessibility folks, if you see anything data-related that impacts a lot of people, anything private, send it to the Security people.”
Nicholas Borton, Chief Information Security Officer (CISO) at UC Davis Health, discussed some practical issues in balancing accessibility and security, particularly during technology procurement and development. For the purchase or creation of new technologies, he said, “[UC Davis Health deploys] a comprehensive IT evaluation. Our accessibility unit is one of the important signoffs on that…so that metric is used in the decision making.” However, for smaller-scale projects, he said “oftentimes [the] third parties or services that we need [to meet accessibility needs]…just aren’t there.” Then the organization needs to weigh the risks associated with purchasing inaccessible technology against the need for that vendor or service when making a final purchasing decision.
The UC system has policies that establish requirements for technology to be both accessible (UC Information Technology Accessibility Policy, IMT-1300) and secure (UC Electronic Information Security Policy, IS-3). These policies are coupled with resources, such as the UC Electronic Accessibility Workgroup and the #accessibility and #security channels in the UCTech Slack channel. These important resources provide a framework for the UC campuses to keep improving both digital accessibility and security.
Beyond this framework, for accessibility and security to synergize we need to build a culture which integrates both accessibility and security at all levels of IT. The UC system, UC Berkeley in particular, played a key role in the rise of the disability rights movement in the ‘60s and ‘70s. Now we have the opportunity to lead again in the global push to make technology more accessible and more secure through our innovations, education of future tech leaders, and even our influential purchasing power.
As Dr. Scott Hollier, CEO & Co-founder of the Centre for Accessibility Australia, said, “I think one of the benefits we can look at going forward is… [combining] some of the great benefits of security along with the great benefits of accessibility.”
- Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web
- Accessibility and Digital Security: A guide to cybersecurity for people with vision loss, hearing loss or a disability
- Accessibility is Privacy and Security
- How to center disability in the tech response to COVID-19
Background on the Event: “Accessibility and Security Panel Discussion”
Nicholas Borton, Chief Information Security Officer, UC Davis Health
Jiatyan Chen, Online Accessibility Program Manager, Stanford
Lucy Greco, Web Accessibility Evangelist, UC Berkeley
Scott Hollier, CEO & Co-founder Centre for Accessibility, Australia
Yue-Ting Siu, TVI PHD, Teacher of Students with Visual Impairments, San Francisco State University
Diane Tyo, IT Operational Continuity Analyst, UCLA Health
Cecile Puretz, Assistant Director of Disability Access & Inclusion, UCSFHosted by UCSF