- Slaw - http://www.slaw.ca -

Security vs. Accessibility

A lot of attention has been paid lately to ‘cybersecurity’, much of it aimed at system-wide security or ‘critical infrastructure’ security, but a good deal also to individual questions of authentication, identity management, vulnerability to hacking/phishing/malware and so on. Among the solutions at the individual level, one finds suggestions about using locked-down versions of documents in PDF, various degrees of encryption and so on.

To what extent is the use of these measures problematic for people who rely on technology to make information accessible to them because of physical or other disabilities? The simplest example is the inability of text readers to read PDF images, so a scanned text that becomes such an image is not accessible.

Besides the risk of reducing one’s intended target market (or simply one’s destined reader), is there a legal issue in not meeting the increasingly demanding standards of electronic accessibility? Ontario’s standards under the Accessibility for Ontarians with Disabilities Act [1] apply to the private sector [2] more and more broadly, with government often being the first to have to comply.

The basic principles of electronic accessibility have been developed by the W3C consortium [3]; most legislated rules rely on them. Are they sufficiently mindful of security needs? Are people (including businesses and governments) that create ‘secure’ documents or sites or services that are not accessible simply not paying sufficient attention to these laws or standards?

We have discussed before the private actions for enforcement in the US, the likes of which could spill over into Canada. There have been suits against Target Stores [4] for insufficiently accessible web sites, and against Netflix for distributing movies without closed captioning for the deaf. Both suits have settled. Netflix recently agreed [5] to have closed captioning in all its first-run movies by 2014. Can these actions be settled because there are fewer security demands on the kinds of services or sites at issue? Or is this the wave of the future for all applications?

What do your clients do, or what do you advise them to do? For that matter, what do you do to ensure your own communications are accessible to all? Do you worry about security in any sense in doing so, or should you?