
privacy and security issues re: WD: Inaccessibility of CAPTCHA

From: Nick Doty <npdoty@ischool.berkeley.edu>
Date: Thu, 7 Mar 2019 19:27:09 -0500
Message-Id: <1A5B3DC0-85F7-4F16-8218-E2141DE76100@ischool.berkeley.edu>
Cc: Christine Runnegar <runnegar@isoc.org>, Tara Whalen <tjwhalen@google.com>
To: public-apa@w3.org

Hi Accessible Platform Architectures folks,

In response to the call for review of the Inaccessibility of CAPTCHA Working Draft, I started a thread with some comments among the Privacy Interest Group (PING) [0]. We were hoping to discuss this on a teleconference as well, but it got pushed off our last agenda and I’m not sure we’ll be able to talk about it again as a group before your March 15th request for feedback.

To that end, I’ve opened three GitHub issues to highlight the comments I had in reading over the draft, along with some of the suggestions I heard on the public-privacy mailing list thread. That may not be an exhaustive review, but could still help.

security and privacy properties of biometrics unstated or confused
https://github.com/w3c/apa/issues/14

privacy/accessibility implications of relying on logged-in identity provider
https://github.com/w3c/apa/issues/15
Many of the suggested services/mechanisms in the draft seem to be identity providers or individual authentication mechanisms, which really have very distinctly different privacy properties from trying to prove a single characteristic about oneself (namely, that you’re a human).

blinded verifications and related work are currently missing
https://github.com/w3c/apa/issues/16

And I see that there was already an overarching privacy issue in the list as well:
https://github.com/w3c/apa/issues/7

Hopefully this feedback can be useful. If there’s interest in discussing further with the Privacy Interest Group (PING), our chairs, CCed, might be able to schedule a teleconference. Or I think there’d be interest in further discussion on the mailing list. For example, if APAWG has interest in further developing (or encouraging development) of blind verification protocols that would allow for accessible and private CAPTCHA services, I think there’s interest in discussing that further and we could help make introductions.


[0] thread starts here: https://lists.w3.org/Archives/Public/public-privacy/2019JanMar/0049.html

Received on Friday, 8 March 2019 00:24:02 UTC
