The following letter was composed and sent to Dr. Marc Maurer, President, National Federation of the Blind, on July 28, 2007. It has been five weeks now. We continue to await a response from the organization concerning their official position and willingness to dedicate additional resources to these critical accessibility concerns.
July 28, 2007
Dear Dr. Maurer:
My name is Darrell Shandrow. You and I met a number of times at NFB national conventions and the National Center for the Blind. I am an online accessibility evangelist, operating a blog known as Blind Access Journal. It can be found at http://www.blindaccessjournal.com. My purpose for writing this letter is to ask you to direct some of the resources of the National Federation of the Blind toward effectively advocating equal accessibility of CAPTCHA (visual verification) and other multifactor authentication systems for the blind and visually impaired.
In CAPTCHA and some hardware based multifactor authentication schemes, a string of distorted characters is presented visually, and entry of those characters into an edit field is required in order to be granted access to a protected system. The purpose of CAPTCHA is to differentiate between a script or other automated computer program designed to abuse a resource and a real human being who desires legitimate access. Visual multifactor authentication schemes provide a second level of security beyond the traditional username and password. Pictures can’t be interpreted or automatically conveyed using Braille or speech access devices and many hardware security keys still do not provide any alternative output mechanisms. Until an accessible alternative is made available, people with vision loss can’t see the code to be entered into the box to be granted admission.
There now exists a number of techniques to reasonably accomodate CAPTCHA and multifactor authentication for the blind and visually impaired. The most commonly implemented accomodation is an audio CAPTCHA, where the characters in the image are audibly played back to the blind or visually impaired user for correct entry into the edit box. America Online, Microsoft and PRWeb are examples of companies offering this form of accomodation.
Another form of accomodation is a text based CAPTCHA. In such a scheme, a user is asked to solve a simple logic or math problem or answer a basic question in order to be granted admission. The Federal Emergency Management Agency (FEMA) is an example of an agency that uses such a text based solution. Some technology experts say this solution is relatively easily cracked by computer programs, so it probably will not be widely implemented in its current form.
A third form of accomodation involves the need for manual human intervention on the part of the company requiring the CAPTCHA. In such a scheme, the resource is protected with a visual CAPTCHA along with a link to click, an e-mail address to write a message or a telephone number to call. The blind person clicks the link, writes the e-mail or calls the telephone number to receive assistance. Unfortunately, this approach is fraught with serious challenges that make it completely unworkable in most cases where it is in use. When a blind user fills out the form, writes the e-mail or calls the number, it is absolutely necessary that the request for help be fulfilled immediately in order for the solution to provide a level of access equal to that enjoyed by his or her sighted peers. In almost all cases, such requests for assistance either go completely unanswered or are answered in an inappropriate time frame, perhaps days after the request is made. Another serious problem is the actions taken once the requests are answered. Are there specific processes in place for effectively delivering these reasonable accomodations? Are all employees who may be taking the calls properly trained to follow the procedures? It has been proven to us over and over that the unfortunate answer to both questions is a resounding “no”. Though some companies are willing to offer these manual interventions as reasonable accomodations, it is clear that, in all cases we have experienced, they do not take seriously the promise to actually deliver the goods. Examples of web sites supposedly offering the human intervention method of accomodation include GoDaddy.com, Slashdot.org, ticketmaster.com and Yahoo.com.
Unfortunately, there still exist many web sites that do not offer any reasonable accomodations to their visual CAPTCHA at all. Examples of sites in this camp include activate.sirius.com, friendster.com and myspace.com. When a blind person does manage to find someone at these companies to contact, assistance is rarely, if ever, offered.
At a bare minimum, visual only CAPTCHA locks blind people out of equal participation in web sites such as information portals and social networking resources. More seriously, visual CAPTCHA without reasonable accomodation actually prevents blind people from completing business transactions, as in the CAPTCHAs on godaddy.com and ticketmaster.com. Finally, visual only multifactor authentication schemes, such as security keys, can prevent blind people from accessing their money or even obtaining or retaining employment!
I am writing to ask that you direct the National Federation of the Blind, as the largest consumer organization of the blind in the United States, to show clear leadership in advocacy for access to CAPTCHA and multifactor authentication. In the short term, please officially support the Yahoo! Accessibility Improvement Petition at http://blindwebaccess.com and make higher level efforts to contact Yahoo! executives to discuss the need for a better CAPTCHA solution on Yahoo! web sites. In the longer term, please consistently support existing grassroots advocacy efforts in this area and carry out new efforts on an organizational level to exercise influence and, possibly, legislation to address these serious concerns.
Darrell Shandrow – Accessibility Evangelist
We thank the American Council of the Blind for joining us in support of the Yahoo! Accessibility Improvement Petition along with the organization’s willingness to consider taking on additional future efforts surrounding accessibility issues involving CAPTCHA and multifactor authentication. A cross-organizational approach to this and other critical access needs would serve to further these vital causes.