Advocates for digital accessibility and those in compliance and governance roles sometimes say that accessibility should be prioritized at the same level as privacy and security. Absolutely, it should be, but it's time to take the argument one step further — not only should accessibility be prioritized in the same way as privacy and security, it needs to be recognized that accessibility is privacy and security.
People use the same websites and apps in different ways
For those who are being introduced to or getting up to speed on the concepts of digital accessibility, perhaps the first thing to know is that based on need or preference, people navigate, consume, and contribute to web content in different ways — sometimes very different ways. This can include keyboard-only navigation, using a screen reader or refreshable Braille display, switches and alternate input devices, speech recognition software, magnification or color contrast adjustments, or preference for one device type or screen orientation, just to name a few.
When these differences aren't accounted for, some people are more vulnerable to privacy and security risks
At the heart of accessibility and at the heart of this particular topic is the fact that when people do not face unnecessary barriers to completing tasks online, they are able to take care of personal matters and complete day-to-day tasks more independently and with more confidence.
Financial exploitation and theft
Financial abuse and exploitation disproportionately target people who are older and people with disabilities. When people are forced to rely on the help of others to complete tasks they could complete themselves if the website or app were accessible, there is an added risk of financial exploitation that didn't need to happen. Consider the information one receives by simply viewing another's personal account details, login credentials, balances, transaction history, and other digital pieces that are meant to be personal for a reason. Now, consider the damage one can do by acting on that information for personal gain.
In many cases, "exploitation" sounds quite generous and the actions cross over into pure "theft." Consider these examples, what vulnerabilities they present, and how prioritizing accessibility could have gone a long way toward fortifying privacy and security.
- An ATM is not accessible to a person who is blind because the menu options and machine configurations have changed but the changes haven't been communicated well. That person who could have independently entered their PIN and securely completed their transaction now asks an acquaintance for help.
- A person with a mobility disability prefers to do her banking online from home. Being able to take care of things digitally has allowed her to avoid using a power of attorney to manage her finances; however, her financial institution has made changes to its online banking platform that are no longer compatible with her assistive technology. She has several accounts and manages her money meticulously, so instead of going through the hassle of changing banks or filing a complaint and waiting for improvements that may never come, she decides it's easier to use a power of attorney who can go to the bank and handle things on her behalf.
- Someone with low vision who is able to use websites when they're magnified is checking out on an e-commerce site, but the form labels are very far away from the input fields. So, when the page is magnified to the level he prefers, it becomes difficult to be sure that he's entering the right information in the right fields. Because of this, he accidentally duplicates his credit card number in a field meant for delivery driver instructions.
Some digital security measures can actually present accessibility challenges
Sometimes organizations put extra checkpoints in place designed to safeguard the privacy and security of both the company and the customer. They want to be sure that you are who you say you are, not a robot and not a would-be identity thief. Most people appreciate that their security is a top priority, but sometimes the very tactics intended to protect people end up preventing them from accessing or updating their own profiles and personal information.
A CAPTCHA (or, a completely automated public turing test to tell computers and humans apart) requires human responses to a prompt to prevent spam and robotic software programs from completing forms or accessing certain content. This tool also has accessibility concerns because the default state relies on sight. While audio alternatives are usually present, they often don't work or aren't audible. In this scenario, a security measure intended to block a robot has instead blocked a human being trying to access content.
The case of CAPTCHA is pretty common, but what about the use of retinal scans or fingerprint scans? What assumptions are made about the person and their abilities by requiring these forms of authentication? The two most obvious are that everyone has these body parts and that they are able to complete whatever maneuver or task is required to activate a successful scan. For any number of reasons, these assumptions are faulty, and attempts at increased security may have actually increased the likelihood that these measures discriminate against people with certain disabilities. If an organization isn't prepared to handle the necessary accessible alternatives to these types of authentication methods, or doesn't ensure the same level of privacy and security for those accessible alternatives, then the organization and its customer or user both could be compromised.
User error increases risk
Mistakes introduce extra risk. While there is risk associated with anything and everything, the greater the opportunity for error, the greater the opportunity for risk.
The Web Content Accessibility Guidelines (WCAG) offer the best roadmap to creating accessible digital experiences, and all the guidelines and checkpoints are important. Some criteria, however, are specifically focused on helping users avoid and correct mistakes.
Here are the Level A and AA success criteria under Guideline 3.3 Input Assistance:
- 3.3.1 Error Identification: If an input error is automatically detected, the item that is in error is identified and the error is described to the user in text.
- 3.3.2 Labels or Instructions: Labels or instructions are provided when content requires user input.
- 3.3.3 Error Suggestion: If an input error is automatically detected and suggestions for correction are known, then the suggestions are provided to the user, unless it would jeopardize the security or purpose of the content.
- 3.3.4 Error Prevention (Legal, Financial, Data): For Web pages that cause legal commitments or financial transactions for the user to occur, that modify or delete user-controllable data in data storage systems, or that submit user test responses, at least one of the following is true:
- Reversible: Submissions are reversible.
- Checked: Data entered by the user is checked for input errors and the user is provided an opportunity to correct them.
- Confirmed: A mechanism is available for reviewing, confirming, and correcting information before finalizing the submission.
Improve accessibility to improve privacy and security
These examples and evidence of the relationship between accessibility, privacy, and security form an incomplete list, but hopefully they make the message clear: accessibility is privacy and security, so strengthening accessibility strengthens privacy and security, and falling short on accessibility jeopardizes privacy and security.
For help with your digital accessibility initiatives, contact us or get started with a free and confidential website accessibility scan. Looking for more content like this? Subscribe to our blog and newsletter.
We look forward to helping you achieve, maintain, and prove digital compliance.