Re: Amnesty International's "Mutant Font" from chaals@yandex-team.ru on 2015-04-26 (public-privacy@w3.org from April to June 2015)

From: <chaals@yandex-team.ru>
Date: Sun, 26 Apr 2015 07:11:45 +0200
To: Bernard Tyers <ei8fdb@ei8fdb.org>, Katie Haritos-Shea GMAIL <ryladog@gmail.com>
Cc: Nicholas Doty <npdoty@ischool.berkeley.edu>, Joseph Lorenzo Hall <joe@cdt.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <52751430025105@webcorp02g.yandex-team.ru>

22.04.2015, 15:36, "Bernard Tyers" <ei8fdb@ei8fdb.org>:
> I haven’t had a chance yet to pass my screen reader over it, but I wonder how the obfuscated font will work with assistive technologies? Has anyone tried it yet?
>
> When I get some desk space and proper Internet I’ll give it a try and see what I find.

I had a very quick look, and it creates random text replacing stuff. Which doesn't play well in a screen reader…

Did I miss something?

cheers

> I like the concept of privacy protection, but if it causes problems for AT users it is not a good approach. Surely HTTPS everything would be better, at which point the content is not readable in transit?
>
> Bernard
>>  On 3 Apr 2015, at 14:12, Katie Haritos-Shea GMAIL <ryladog@gmail.com> wrote:
>>
>>  Nice catch Nick,
>>
>>  For accessibility one would also want stay away from CAPTCHAS (as they stand today) as part of the solution, and perhaps rely on multiple biometric options. But biometrics wouldn’t fit the model where the user wants to avoid being indexed.
>>
>>  So what you suggest: some other evidence of interactive human participation to limit access to resources will have to be used.
>>
>>  * katie *
>>
>>  Katie Haritos-Shea
>>  Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>>
>>  Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile | Office: 703-371-5545
>>
>>  -----Original Message-----
>>  From: Nicholas Doty [mailto:npdoty@ischool.berkeley.edu]
>>  Sent: Thursday, April 2, 2015 7:09 PM
>>  To: Joseph Lorenzo Hall
>>  Cc: public-privacy (W3C mailing list)
>>  Subject: Re: Amnesty International's "Mutant Font"
>>
>>  On a brief review, it seems worrisome, although I like the idea of exploring alternative forms of obfuscation.
>>
>>  Does it give a false sense of security? Possibly. The obfuscation appears to be a simple substitution cipher, and if a bot wanted to translate back to the original text, it could: use the site's form itself to translate an alphabet and get the current substitutions; or download the corresponding font and use OCR; or run a simple cryptanalysis attack (maybe 50 or so characters would be required). The description of the project notes that the goal is just to "hinder", which is true in at least some sense: an attacker would have to write some code to follow one of those steps.
>>
>>  However, the main effect seems to be inhibiting accessibility, which would be relatively effective. No one with limited vision using a screenreader would be able to read your obfuscated text. :(
>>
>>  Finally, embedding the obfuscated text requires that the visitor load a font file and an image from the fontemutante.com.br and fontemutante.com (the latter over HTTP), which has its own privacy implications for your readers.
>>
>>  I would be curious to know whether there's an interest in using captchas or some other evidence of interactive human participation to limit access to resources online: for example, people who want to post content without its being indexed (and aren't satisfied with compliance with robots.txt).
>>
>>  —Nick
>>
>>  A sample of the generated HTML and substituted text for "abcdefghijklmnopqrstuvwxyz" (at least with today's code):
>>
>>  <style type="text/css">
>>  @font-face {font-family: 'Fonte_Mutante_4';font-style: normal;src: url('https://fontemutante.com.br/uploads/font_mutante/file/4/Mutante_stars_mix.ttf') format('truetype')}
>>  .fonte_mutante_4 {
>>  font-family: Fonte_Mutante_4;
>>  font-size:16px;
>>  letter-spacing: 1px;}
>>  </style>
>>
>>  <p class="fonte_mutante_4">
>>          LMNOPQRST!#(),.:/;?0123456
>>     <br><br>
>>     <a href="http://fontemutante.com" target="_blank"><img src="http://www.mutantfont.com/assets/img-01-12-72a751afbba717cf2c8e95f923daa5a5.png" class="img-hd"></a> </p>
>>>  On Apr 2, 2015, at 7:39 AM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
>>>
>>>  http://www.mutantfont.com/
>>>
>>>  press story:
>>>  http://www.fastcocreate.com/3044569/amnesty-internationals-mutant-font
>>>  -promises-to-protect-your-privacy-online
>>>
>>>  At first I thought this might be a way to thwart font-based active
>>>  fingerprinting to make your font list dynamic in your UA... but it
>>>  appears to be a way to write content online in an obfuscated way (for
>>>  machines) that is still readable (for humans).
>>>
>>>  :/ (not sure if it's an "April Fool's Day" joke... didn't try to use
>>>  it)

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Sunday, 26 April 2015 05:12:16 UTC