Graphical Verification: Another Accessibility Challenge
The Braille Monitor, November 2003
by Curtis Chong
From the Editor: Curtis
Chong is president of the National Federation of the Blind in Computer Science.
He now lives and works in Iowa. We increasingly hear frustrated comments from
Federationists who have butted their heads against the problem Curtis describes
in the following article. It will be important in the months ahead for those
who have firsthand experience of the problem to register their objections to
the companies keeping them out. Remember that the NFB's technology department
is prepared to work with Web site developers to ensure that blind users are
not shut out. Here is the article:

A growing number of Web
sites have started to implement a new method for protecting their valuable data.
It involves the display of a picture of text which the computer user must then
copy into an edit box. The theory behind this verification scheme is that a
human is smart enough to extract the text from the graphic and enter it into
an edit box, while software is not. Web sites do not appreciate having their
data extracted by automated systems, which can steal more information in a few
seconds than a human can in an entire day. The unfortunate result for the blind
is that, since our screen-access programs can't extract information from the
picture of text displayed, we are effectively blocked from any service secured
in this way.

My first encounter with this approach to protecting a Web site occurred about two
years ago when I signed up for PayPal, which is a service for people to send
money to each other over the Internet. At that time I was asked to copy a string
of text displayed on the screen into the appropriate edit box. I was also informed
that, if I couldn't see the text, I should click on an accessibility link. When
I chose this accessibility link, I was then presented with a choice to play
an audio file which would speak the text I was supposed to copy. Even though
the recording of text was extremely poor, I was able to sign up for the PayPal
service with the help of my trusty Perkins Brailler.

I confess that at the time, even though I was a bit unhappy with the difficulty
of signing up for PayPal, I promptly forgot about the problem and went on to
do other things. After all, I was done with the sign-up process that had so
inconvenienced me, and I subsequently had no problem getting into PayPal whenever
I wanted to use it.

My next encounter with the graphical verification scheme occurred last spring when
Tom Wlodkowski, director of accessibility for America Online (AOL), came to
me with a problem. He said that AOL was looking for a way to prevent computer
programs from acquiring screen names for its Instant Messaging service. The
method that the company had decided to use was the very same one that PayPal
had implemented years before. He wanted to discuss various ways for the blind
to acquire a screen name without being blocked by the graphical verification
method. I suggested the approach that PayPal had used, but apparently there
was a technical reason why it could not be implemented. Reluctantly both Tom
and I finally decided that the only immediate way to solve the problem was to
suggest that anyone who could not see the graphic of text to be copied should
contact AOL at a toll-free number that would be spoken by the screen reading
software but not displayed on the screen. Both of us agreed that, working together,
we would need to develop a long-term solution that would be more acceptable
to everyone.

Now consider Network Solutions (www.networksolutions.com) and its "WhoIs"
service. The WhoIs service allows you to obtain information about Internet domains
such as nfb.org, npr.org, microsoft.com, or any other domain registered with
Network Solutions. This service is supposed to be available freely to everyone.
But today it is not available to the blind. Every time you inquire about a specific
domain using the WhoIs service, you are required to enter a string of text that
must match text contained in a graphic shown on the screen. This is not a one-time
inconvenience. Oh, no--this is a real show stopper for the blind! Perhaps most
aggravating of all, unlike AOL, Network Solutions never even considered discussing
its implementation with anyone in the blind community.

Now I hear some of you asking, "Who cares about accessing information about
domain names?" Good question. The fact is that what Network Solutions is
doing is only the beginning of what could turn out to be a very serious problem
for us. If security administrators get the notion that this graphical verification
scheme actually works (and it does), they are more than likely to implement
it for all sign-in procedures, and that means that the blind will not be able
to sign in anywhere this approach is used. Forget about putting "alt-text"
on all graphics or any other accessibility requirements for the Web. If we can't
sign in, it doesn't really matter how accessible a particular site may be. If
we can't sign in, we can't access anything.

On August 10, 2003, on behalf of the National Federation of the Blind in Computer
Science, I sent a letter to the president and chief executive officer of Network
Solutions, one W.G. (Champion) Mitchell. It took more than a month, but early
in September I received a phone call from Shelley Rawlings, Network Solutions'
director of customer care. Ms. Rawlings and I engaged in some frank telephone
and email discussions. The result of our discussion is this.

In the short term Network Solutions will implement what is, to us, an unsatisfactory
procedure to allow blind people access to its WhoIs service. A message will
appear on its Web site urging customers who are unable to interpret the graphical
picture of text to call the Network Solutions toll-free customer service number.
In theory a customer service agent will be able to help a blind person to interpret
the string of text and thus gain entry to the WhoIs service. I say "in
theory" because Ms. Rawlings was not forthcoming with specific information
about how the entire process would work. In the longer term I was able to secure
from Ms. Rawlings an agreement to have the National Federation of the Blind
meet with engineers from Network Solutions to discuss a more acceptable solution
to the problem. However, Ms. Rawlings made it quite clear that such a meeting
would not happen any time this year.

A cynical person might say that what Network Solutions has done is to buy some
time--time which it probably needs to deal with a problem it never anticipated
in the first place. Such a person might also maintain that Network Solutions
has no real interest in solving the problem and will consequently put us off
as long as it can. I would prefer to think that the company is sincerely interested
in solving the problem, and to this end I am fully prepared to articulate our
position at the earliest possible opportunity.

I will be the first to admit that we, the blind, do not have the kind of technical
expertise that is available to companies like Network Solutions. However, we
do have a unique knowledge of how blind people use computers. Network Solutions,
on the other hand, has the engineering talent to protect its assets and, if
it chooses to do so, the wherewithal to implement a solution to the WhoIs access
problem that makes everybody happy. Accordingly, I believe it is our responsibility
to tell the company how we want a solution to behave, from the blind computer
user's point of view, and let the company figure out how to develop it. Assuming
that we can get one company to do the right thing, it will be somewhat easier
to deal with other companies when, as I fear will ultimately happen, they decide
to protect their assets by requiring everyone to copy a string of text from
a graphic shown on the screen every time the person wishes to sign in.

Before we can suggest any solutions to the graphical verification problem, it is important
for us to understand that graphical verification is not likely to go away anytime
soon. The state of technology today is such that this method of protection actually
does prevent computer programs from stealing valuable data. Accordingly, we
cannot simply demand that a company stop using it. We have to try to meet them
halfway.

To begin with, I submit that any solution involving a phone call to a customer
service agent is not acceptable under any circumstances. While we might reluctantly
agree to this as an interim measure, we should not settle for a permanent solution
that requires us to call someone every time we need to have a string of text
verified.

Second, I do not object in principle to the procedure implemented by PayPal in which
the computer user can play an audio file to hear the string of text that must
be entered. What I do object to is the way in which PayPal has implemented this
system. The problem with the current implementation is that the quality of the
audio is extremely poor, and there is no way to repeat what has been spoken.
However, if a company chooses to provide audio information of a better quality
and if a repeat function is available, then an audio file which speaks the text
string to be copied can serve as an acceptable solution for the blind.

Finally, if a company such as Network Solutions does not want to implement an acceptable
audio approach, we could suggest the way the security interface should behave
from the blind computer user's point of view and let the engineers figure out
how to make it happen. It is conceivable, for example, that we might suggest
an entirely new way of verification which proves that the computer user is in
fact a human being, while at the same time making it difficult or impossible
for automated solutions to hack into the system.

Consider, for example, a string of text that might be displayed in a fully accessible
(to the screen-access software) edit box. Instead of copying all of the text,
the computer user might be asked to select certain specific characters from
the string and enter them into the verification area. The choice of what characters
to copy could vary randomly, and the instructions could be written in such a
way as to make them impossible (or at least fairly difficult) for intrusion
software to comprehend. This is only one of many schemes I could think of, given
enough time.
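
The character-selection scheme described above, as server-side Python. This is an added example, not part of the original article; the function names, the eight-character string, the two-minute expiry, the in-memory store and the one-attempt-per-challenge rule are all assumptions.

```python
import hmac
import secrets
import time

# Characters that are hard to confuse when read aloud or shown in braille (assumed set).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
ORDINALS = ["first", "second", "third", "fourth",
            "fifth", "sixth", "seventh", "eighth"]
TTL_SECONDS = 120
_pending = {}  # challenge id -> (expected answer, expiry time); in-memory store (assumption)


def issue_challenge(now=None):
    """Return (challenge_id, text, instruction); text and instruction are plain, screen-reader-friendly strings."""
    now = time.time() if now is None else now
    rng = secrets.SystemRandom()
    text = "".join(rng.choice(ALPHABET) for _ in ORDINALS)
    # Which characters to copy varies randomly per challenge, as the article suggests.
    positions = sorted(rng.sample(range(len(text)), 3))
    first, second, third = (ORDINALS[p] for p in positions)
    instruction = f"Type the {first}, {second} and {third} characters of the text."
    challenge_id = secrets.token_urlsafe(16)
    answer = "".join(text[p] for p in positions)
    _pending[challenge_id] = (answer, now + TTL_SECONDS)
    return challenge_id, text, instruction


def verify(challenge_id, response, now=None):
    """Check a response. Each challenge is consumed on its first attempt, right or wrong."""
    now = time.time() if now is None else now
    # The text is visible, so a blind guess at three of eight positions succeeds about
    # 1 time in 56; popping the entry here removes retries and replays of a solved challenge.
    entry = _pending.pop(challenge_id, None)
    if entry is None:
        return False
    expected, expires = entry
    if now > expires:
        return False
    given = response.strip().lower()
    return hmac.compare_digest(given.encode(), expected.encode())
```
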

But before we can begin to contemplate the techniques that might be employed to
supplant the graphical-verification technology that is growing in popularity,
it is critical for the dialogue to begin between companies considering this
technology for security and the organized blind. I am happy to report that the
dialogue that began last spring between AOL and the NFB continues. We have the
beginnings of some positive dialogue with Network Solutions. And I have every
hope that as Federationists we will exercise the methods we know well to begin
discussions with other companies as we become aware of their use of this technology.

Make no mistake: graphical
verification works. It protects Web sites from automated data-grabbing software
and, for the time being at least, the blind. While it is mostly an annoyance
that some of us have tolerated over the years, if unchecked, it will become
the next accessibility barrier for the blind. I am confident that we as active
members of the National Federation of the Blind will not let that happen.