web application security lab

Target sued over inaccessibility

I know I’ve been batting around a lot of the accessibility issues with CAPTCHAs and Turing tests in general when used to discriminate against robotic activity and how that relates to the blind. Sometimes what I talk about is theoretical and sometimes it’s not. Here’s a case in point. Target had a class action suit filed against it by the National Federation of the Blind (NFB).

My general feeling on this matter is it is always better to allow alternate applications to visual CAPTCHAs. Audio versions are one example. Email is another example. Out-of-band methodologies can provide reliable alternatives to visual CAPTCHAs and can still allow users to proceed through the flows in question.
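One way to build the email alternative mentioned above, as an added example that is not part of the original post: the site mails a signed, expiring, single-use token, and the user proves control of the mailbox instead of solving a visual puzzle. The function names, the `flow` label and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-deployment signing key (generated here for the demo)
TTL = 900                         # seconds a mailed token stays valid (assumed value)
_used = set()                     # redeemed nonces; a real site would use a shared store


def _mac(email, flow, issued, nonce):
    # JSON encoding keeps the fields unambiguous (no separator-injection tricks).
    msg = json.dumps([email.lower(), flow, issued, nonce]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(email, flow, now=None):
    """Build the token to mail to `email`; it is bound to one address and one flow."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return f"{issued}.{nonce}.{_mac(email, flow, issued, nonce)}"


def redeem_token(token, email, flow, now=None):
    """Return True once for a valid, unexpired token; False for anything else."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False  # malformed token
    expected = _mac(email, flow, issued, nonce)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if not 0 <= now - issued <= TTL:
        return False  # expired, or timestamped in the future
    if nonce in _used:
        return False  # replay of an already redeemed token
    _used.add(nonce)
    return True
```

The challenge is plain text in an email, so it works with a screen reader or braille display and needs no audio; rate-limit `issue_token` per address and per client so it cannot be used to flood a mailbox.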

5 Responses to “Target sued over inaccessibility”

  1. MERLiiN Says:

    I disagree with your suggestion about using audio, as I don’t think it is ok to replace one disabled group with another and discriminate against the deaf.
    There are quite a few functional methods that can deal with plaintext CAPTCHAs which can be read by the deaf and through a braille reader. Email as you mentioned is also a viable option. I think any corporate entity should really ensure that their website is WAI compliant (http://www.w3.org/WAI/).

    MERLiiN

  2. RSnake Says:

    If I’m understanding you correctly a plaintext CAPTCHA would be something like:

    * type an uppercase w
    * type the answer to 1+3
    * type the eighth letter of the alphabet

    While I completely agree about not morphing the problem from one disabled group to another, plaintext CAPTCHAs are pretty insanely weak. Not to mention they discriminate against people who cannot do math or handle other abstract concepts. I certainly didn’t mean to imply that someone who was deaf should be discriminated against (that’s why I mentioned the email alternative).

    But you do bring up a very good point that shifting the issue from one disabled group to another represents a very real issue that the security industry has not completely figured out yet.

  3. MERLiiN Says:

    Well, there is a plethora of weak graphical CAPTCHAs out there as well, which can be programmatically broken. See:
    http://sam.zoy.org/pwntcha/
    http://www.cs.sfu.ca/~mori/research/gimpy/
    http://www.brains-n-brawn.com/default.aspx?vDir=aicaptcha
    Both plaintext and graphical CAPTCHAs are also subject to statistical sampling.

    In all honesty CAPTCHAs are best used for fighting spam applications that use crawlers or just hit default scripts. If someone decided to target your website your CAPTCHAs could (easily?) be broken. Although in that case I would be more worried about other aspects of security.

    Personally I rely more on having an approval system after the comment / trackback has passed an RBL and content filtering.

    MERLiiN

  4. RSnake Says:

    I don’t think anyone would argue with why they are useful, it’s where they can get you sued is what this post is actually about. And anyway, if I wanted to get around a CAPTCHA for spam or otherwise I’d just use a porn proxy. It sorta defeats the purpose of having a spam, and lots of spammers also have access to porn sites, so it’s not much of a stretch.

    I personally do not use them for this site, and instead use several layers of homegrown spam filtering as well as my own human eye to moderate them. It seems to be pretty effective thus far and it gives everyone the chance to use the site, regardless of physical or mental abilities (sometimes to my own detriment, I’ll hand it to you, but still…). :)

  5. ha.ckers.org web application security lab - Archive » Target Sued By The Blind Says:

    […] Once again, the blind are at it - wanting equality and accessibility. Those pesky blind people! No but seriously, this is really pretty important and although I am pretty anti-litigious I think the National Federation of the Blind is making a statement by suing Target. Yes I know I’ve mentioned this before, but I started thinking about this some more in the wake of this recent MSNBC article. Blind people cannot use the Internet in the same way people with vision can. They cannot “see” the page layout. One thing I haven’t talked much about is semantic relationships in HTML. It’s a very simple concept that eludes most people who claim to know HTML (at least they put it on their resume). […]