Government Websites Can’t Rely on the Claims of Accessibility Overlays

By Mike Gifford, Senior Strategist, CivicActions

If you’re a government employee striving to make your agency’s website more accessible for people with disabilities, good for you! If you are also thinking about how to do it the most convenient way possible, that’s understandable.

But you may want to think again if you’re considering an accessibility overlay — a third-party service that automatically changes the code of your website in an attempt to make usability improvements on the front end.

Although many companies claim to have “effortless” solutions, the topic has been surrounded by controversy in the accessibility community. Accessibility leaders such as Karl Groves and Adrian Roselli have spoken about the drawbacks of these services, which are a classic example of “too good to be true.”

Most accessibility overlays fail in their claim to make the user experience better. They also present some alarming security and privacy issues, which are especially problematic for the government.

Security concerns

The more code you need, the more precarious your security and privacy are. Permanently adding an overlay to your website makes it easier for problems to develop.

But there’s an even deeper concern. Forbes published an article on how third-party JavaScript can be a vehicle for malicious attacks. It came in the wake of the cyberattacks on Ticketmaster and British Airways, which compromised the private information of millions.

For proof of how risky overlays can be, consider the 2018 hack of BrowseAloud, an assistive tool that converts text to speech. It was infected with malware that caused users’ browsers to mine cryptocurrency for the hackers.

Or take accessibility plugin Nagich, which was compromised in 2019 and used by a hacker group to destroy over one million high-profile web pages. Because the websites were using a third-party JavaScript plugin, they were all vulnerable to the attack once the plugin was infected.

Both of these attacks garnered a lot of attention, but there are many other ways a JavaScript file can compromise privacy or threaten security — most of which would be much harder to notice or trace.

Privacy concerns

Aside from cyberattacks, overlays can create privacy issues, which are particularly important to government. People often enter personally identifiable information (PII) into public websites. Many accessibility overlays will send that information back to the third-party server (outside of the government’s ability to keep it private and secure).

Additionally, some overlays compromise user privacy by requiring users to identify that they have a disability. This population is often more vulnerable, and so protecting privacy is especially important.

If you do choose an accessibility overlay, be sure to check the vendor’s terms of service (ToS) to see how the privacy of your website visitors is protected. It’s worth noting that this is difficult, even on the most popular websites in the world. Many have ToS that rate very poorly in privacy protection.

Best practices

Whether you’re considering an accessibility overlay or any other third-party JavaScript addition, you should keep these best practices in mind:

Build accessibility in early

The earlier you incorporate accessibility into your IT lifecycle, the cheaper and more robust it becomes. Ensure that accessibility is considered when you buy digital tools and that you involve people with disabilities in the design process.

Keep code up to date

All code requires maintenance to remain updated and secure. Outdated code quickly becomes a disaster waiting to happen. So if you’re adding third-party tools to your site, you need to know there is a good security team behind them.

Avoid “set it and forget it”

Automation is a beautiful thing, but it doesn’t work for everything. Accessibility is not something you can “set and forget” by throwing on an overlay. The vendors selling these overlays could go out of business, get hacked, or let their security certificates get outdated. Your team should have security professionals routinely auditing your site’s third-party JavaScript libraries.
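One way to start the routine audit of third-party JavaScript described above, as an added example that is not from the original article: a Python script that lists every script a page loads from another host and flags those fetched over plain HTTP or without a Subresource Integrity `integrity` attribute. The sample HTML, the page URL and all hostnames are constructed placeholders, and the two checks are this example's own choice of criteria.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every hostname below is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://overlay.vendor.example/widget.js"></script>
<script src="//cdn.example.net/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://stats.example.org/t.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append(attr)

def audit_third_party_scripts(html, page_url):
    """Return one finding per script loaded from a host other than the page's."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for attr in collector.scripts:
        url = urljoin(page_url, attr["src"].strip())  # resolves relative and // URLs
        parts = urlsplit(url)
        if parts.hostname == page_host:
            continue  # first-party code, covered by the site's own review
        issues = []
        if parts.scheme != "https":
            issues.append("loaded over plain HTTP")
        if not attr.get("integrity"):
            # Without SRI the browser runs whatever the vendor's server returns.
            issues.append("no integrity attribute")
        findings.append({"host": parts.hostname, "url": url, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_third_party_scripts(SAMPLE_HTML, "https://www.agency.example/"):
        print(f["host"], "->", "; ".join(f["issues"]) or "pinned with SRI")
```

The script only sees tags present in the served HTML; scripts that a third-party file injects at runtime need a browser-based crawl to inventory.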

Invest in accessibility

In the end, it is important to realize that a quick fix to accessibility barriers doesn’t actually exist. Adding overlays will lead to increased costs and greater technical debt. Should your website be compromised, the expense of security experts and lawyers will be higher than hiring an accessibility professional to help you make your site more usable by everyone.

Mike Gifford is Senior Strategist at CivicActions and a Drupal Core Accessibility Maintainer. Previously, he was CEO of OpenConcept Consulting Inc. and Co-founder of CivicTech Ottawa.
