[HN Gopher] Cloudflare's inaccessible browser contradicts the co...
___________________________________________________________________
Cloudflare's inaccessible browser contradicts the company's mission
Author : mwcampbell
Score : 453 points
Date : 2021-07-30 19:24 UTC (2 days ago)
(HTM) web link (mwcampbell.github.io)
(TXT) w3m dump (mwcampbell.github.io)
| lbriner wrote:
| Sad but typical and not just from big "evil" companies (not
| suggesting that CF is!)
|
| I just ran Jekyll to migrate my Blogger blog to self-hosted and
| with the default importer and default theme, I clicked the Web
| Accessibility button and immediately got some several hundred
| contrast errors (lots of blog post links) and some incorrect
| heading levels. Just basics but people are too unaware of
| accessibility requirements that this even happens before a
| release.
|
| What is missing? Is there not an online checker like w3c does for
| markup or acid does for browser tests? Oh yes, it is here:
| https://wave.webaim.org/ and there is also a browser plugin so no
| real excuses.
| arp242 wrote:
| I don't know what you did exactly, but the default Jekyll theme
| is fairly simple black-on-white and doesn't seem to have any
| major issues from quick spot-check.
|
| I think it may be an issue with your import(?)
| miki123211 wrote:
| This problem unfortunately applies to a lot of remote access
| software, particularly when the web browser is the client.
|
| I know of one company that switched to Web VNC for accessing a
| specific piece of software. They had a lot of offices and the
| software was expensive (paid per machine). This way, they could
| switch to a much smaller number of licenses, letting any employee
| connect from anywhere and wait in line if necessary. A blind
| person has lost a job over this.
| digitallyfree wrote:
| I'm not sure if remote access programs (web browser or not)
| even support screen readers on the client, especially since
| many of those render the entire desktop server-side and send it
| back to the client as an image or video. A possible option may
| be to run the screen reader on the remote desktop itself if
| that's possible.
| mwcampbell wrote:
| > A possible option may be to run the screen reader on the
| remote desktop itself if that's possible.
|
| For generic remote desktop access, that's what we have to do.
| But piping accessibility information (in its generic form,
| not pre-rendered as speech) to the client side in that case
| is much harder than it would be for this Chromium-based
| remote browser. (I know this from relevant experience during
| my time on the Windows accessibility team at Microsoft.)
| yjftsjthsd-h wrote:
| > A blind person has lost a job over this.
|
| IANAL, but in at least the US and Europe that sounds like the
| easiest lawsuit of their life
| mwcampbell wrote:
| You're the third person on this thread to say that. Please
| check out the responses to the other two:
|
| https://news.ycombinator.com/item?id=28027986
|
| https://news.ycombinator.com/item?id=28028116
| cratermoon wrote:
| I read those "just sue them" responses as coming from
| people who have never even talked to a lawyer except when
| going through the paperwork of buying a house, much less
| been a party to actual litigation.
|
| Companies keep lawyers on retainer to fight suits like
| this. They have resources of time and money to easily
| bankrupt someone with a disability who has just lost a job,
| and typically it won't even cost the company anything above
| what their normal retainer fees run.
| cronix wrote:
| It is also extremely difficult to _prove beyond a
| reasonable doubt_ that you were let go _due to_ the
| disability, especially if there is only a single case in
| the company and not a track record to follow unless there
| is a blatant email along the lines of "they're blind,
| let's get rid of them."
| ithinkso wrote:
| This is a common misconception, proof _beyond a
| reasonable doubt_ is only needed in criminal cases. In
| civil cases most often _preponderance of the evidence_
| (i.e. 'more likely than not') is enough
| [deleted]
| [deleted]
| hbag wrote:
| Aren't Cloudflare the guys that're the only thing keeping
| Kiwifarms up and running? Fuck those guys.
| sokoloff wrote:
| > A blind acquaintance of mine once lost his job because of a
| newly added requirement that he use an inaccessible application.
|
| I find it hard to believe this happened as stated in the US,
| where any number of lawyers would be eager to take such an open-
| and-shut ADA violation case.
| hobs wrote:
| There are constant and flagrant ADA violations - while the
| lobbying group is not weak the war of attrition is definitely
| with the employers not the ADA; I have seen so many violations
| it makes my head spin.
| WORMS_EAT_WORMS wrote:
| No doubt it could happen but I agree with you. This entire post
| is very odd and makes absolutely no sense at all.
| mwcampbell wrote:
| Can you be more specific about what doesn't make sense? I'm
| willing to clarify anything I wrote.
| WORMS_EAT_WORMS wrote:
| To my understanding their browser isolation text just
| renders to canvas on their edge servers (don't quote me on
| this). Does canvas provide any accessibility at all and is
| actually a bigger problem with the creation of that
| standard / element in HTML5 with text generation? It's
| essentially an image block that allows text generation with
| almost no accessibility in mind? That's not really
| Cloudflare's fault if so.
|
| I agree accessibility needs to be of higher priority. It's
| a shame it seems to be almost always a secondary priority
| to everything in tech.
|
| But this post feels like an open letter to some bigger
| issue when it seems like it's a very niche and non-common
| security tool.
|
| I mean no disrespect in this.
| junon wrote:
| Yes, canvas is able to be made accessible.
| [deleted]
| mwcampbell wrote:
| > To my understanding their browser isolation text just
| renders to canvas on their edge servers (don't quote me
| on this). Does canvas provide any accessibility at all
| and is actually a bigger problem with the creation of
| that standard / element in HTML5 with text generation?
| It's an image block that allows text generation with
| almost no accessibility in mind? That's not really
| Cloudflare's fault to be honest.
|
| The standard workaround is to create a parallel DOM
| that's invisible, e.g. covered up by the canvas. To be
| clear, this parallel DOM should be based on the
| accessibility tree of the remote browser, not based on
| the original DOM, as that would undermine the whole point
| of the exercise. This work-around may not be perfect, but
| Cloudflare hasn't implemented even this.
|
| > But this post feels like an open letter to some bigger
| issue when it seems like it's a very niche and non-common
| security tool.
|
| It seems to me, from Cloudflare's original pre-
| announcement of this technology [1], that they intend for
| it to be widely adopted. Here's the money quote:
|
| > Operating costs translate directly to customer costs.
| The S2 system was designed to make deployment to an
| entire enterprise and not just targeted users (aka:
| vaccinating half the class) both feasible and attractive
| for customers.
|
| [1]: https://blog.cloudflare.com/cloudflare-and-remote-
| browser-is...
| x0x0 wrote:
| How does building a parallel dom help, given the point of
| this is to not execute code on the endpoint?
|
| nm, see (your answer)
| https://news.ycombinator.com/item?id=28028892
| arp242 wrote:
| > Does canvas provide any accessibility at all and is
| actually a bigger problem with the creation of that
| standard / element in HTML5 with text generation? It's
| essentially an image block that allows text generation
| with almost no accessibility in mind? That's not really
| Cloudflare's fault if so.
|
| Not everything needs to be accessible; there are plenty
| of non-accessible reasonable use cases for canvas.
|
| For example, I made a small game with canvas some years
| ago. This isn't accessible for blind users, and that's
| okay. There is no real way to make this accessible as
| it's fundamentally a graphical game. It's called a
| disability for a reason: there are some things you just
| won't be able to do.
|
| The problem isn't with the non-accessible technologies,
| but when people use this in ways that make every-day
| stuff required for basic participation inaccessible.
| That's basically the issue with Cloudflare's product.
| wffurr wrote:
| It's absolutely Cloudflare's fault to build their cloud-
| based browser on inaccessible tech. There are
| alternatives.
| mwcampbell wrote:
| The pre-announcement [1] lays out at least some of those
| alternatives. I understand why they chose the approach
| they did, but they needed to do the work to make it
| accessible, as I advised them when that post came out.
|
| [1]: https://blog.cloudflare.com/cloudflare-and-remote-
| browser-is...
| true_religion wrote:
| Are screen readers capable of reading interfaces
| generated with QT or other desktop UI toolkits?
|
| A cursory look at QT's documentation seems to indicate
| that they are aware of screen readers, but I didn't dig
| deeply enough to find out if they were compatible by
| default.
|
| I know VoiceOver on OSX can at least read out the
| interfaces on the included apps, but I also don't know if
| that's true for every app---or if it actually extends to
| the browser and canvas/plugin rendered (flash, java,
| etc.) interfaces.
|
| As an addendum, I'm pretty hopeful that in this decade
| we'll get AI vision enabled screen readers so anything
| that's displayable to a sighted person can also be
| immediately used with some caveats by someone reliant on
| screen reader.
| mwcampbell wrote:
| > Are screen readers capable of reading interfaces
| generated with QT or other desktop UI toolkits?
|
| Qt is one of the very few UI toolkits that is more or
| less accessible. And even Qt's accessibility
| implementation isn't great. My advice for someone
| implementing a cross-platform desktop app would be to go
| with something based on the web platform. That doesn't
| have to be Electron; Tauri [1] looks promising, though I
| haven't tested it lately.
|
| > As an addendum, I'm pretty hopeful that in this decade
| we'll get AI vision enabled screen readers so anything
| that's displayable to a sighted person can also be
| immediately used with some caveats by someone reliant on
| screen reader.
|
| Sadly, that might be what it takes to get access to
| applications using the long tail of UI toolkits.
|
| [1]: https://tauri.studio/en/
| mwcampbell wrote:
| Here are the two (edit: three) public blog posts I could find
| from this guy. I'll let you decide whether I misrepresented
| what happened.
|
| https://blindaccessjournal.com/2006/02/the-cold-equations/
|
| https://blindaccessjournal.com/2006/02/torn-from-the-collect...
|
| Edit: Found the original announcement:
| https://blindaccessjournal.com/2006/02/my-job-lost-due-to-in...
|
| And yes, it was in 2006. And as it happens, his employer
| rehired him shortly after, but only because they found
| something else for him to do. I believe my point still stands;
| for a short time, he lost his job, without knowing what
| happened next, and he went through the emotions associated with
| that.
| brudgers wrote:
| ADA is Federal Law. It provides no damages. No attorney fees.
| The USDOJ is the plaintiff. Fines are imposed.
|
| California Law is different in that it is like other civil laws
| with damages and attorney fees.
|
| Consequently, cases from California make attention commanding
| headlines. Elsewhere in the US, citizens must beseech the USDOJ
| to act on their behalf...it usually doesn't.
| vmception wrote:
| Man, California sounds so great until you get here.
| kolanos wrote:
| Any U.S. resident can file an ADA complaint with the DOJ. You
| don't need to be disabled, you just need to be aware of an
| ADA violation. You can also file on someone else's behalf.
| [0]
|
| [0]: https://www.ada.gov/filing_complaint.htm
| brudgers wrote:
| You file a complaint with the DOJ. The DOJ is part of the
| Executive Branch. It is not part of the Federal Courts.
| bladegash wrote:
| That is not entirely accurate.
|
| While ADA is federal law and awards no damages, situations
| like what was described would be more appropriate as an EEOC
| matter.
|
| An award of damages is a potential remedy when discrimination
| (e.g., not providing a reasonable accommodation) is found to
| have taken place. It is also a perfectly acceptable offering
| during alternative dispute resolution or as a settlement.
|
| Lastly, civil litigation involving the ADA does not require
| support from the DoJ. The DoJ, as with other matters brought
| before courts on behalf of the government, CAN bring about
| suit and are generally responsible for enforcement.
|
| People with disabilities sue private companies all the time
| for alleged/actual discrimination without the DoJ.
| Animats wrote:
| We're probably headed for a world in which everything is rendered
| to an image server-side. The HTML/CSS/Javascript mess has become
| so bloated and attack-ridden that sending images needs less
| bandwidth and is simpler.
| rossmohax wrote:
| Reinventing X Server protocol?
| Jaxkr wrote:
| God I hope you're wrong.
| Animats wrote:
| Me too, but that's where Cloudflare and Google [1] seem to
| want to go.
|
| [1] https://thenewstack.io/google-docs-switches-to-canvas-
| render...
| novok wrote:
| Canvas rendering is not server side computation and
| streaming video, it's turning the web browser into even
| more of a desktop application platform. After a certain
| point, html breaks down.
| mwcampbell wrote:
| That wouldn't be so bad if the server sent down a tree of
| semantic UI elements, a.k.a. an accessibility tree, along with
| that image. That's basically what I advised Cloudflare to do
| ~18 months ago.
| miki123211 wrote:
| Except doing so is probably much more complicated than
| actually dealing with the CSS and HTML. Hell, it would
| probably take twice as much manpower to make this remote
| browser thing accessible than it took to make it work in the
| first place.
| mwcampbell wrote:
| I doubt that. Chromium's internal accessibility tree is
| already serializable; it has to be, so it can be sent from
| the renderer process to the main process. So Cloudflare's
| modified Chromium could send that tree down to their JS-
| based client, which could then construct a DOM with the
| appropriate HTML tags and ARIA attributes. This DOM
| wouldn't have any JavaScript or any references to remote
| resources, so it wouldn't pose the same security risks as
| the original web page.
| miki123211 wrote:
| Does this handle (lots of) (sometimes large) page
| updates, particularly across a semi-slow, semi-reliable
| network? Think lazy loading, SPA-style diff-based page
| transitions, or realtime progress bars. What about
| element positions (i.e. for switch control overlays that
| visually mark specific elements on the page)? Assuming
| this just sends keys directly to the remote browser, what
| about cursor-related events in editing fields? If
| latencies are over a few ms with those, some screen
| readers get confused.
| mwcampbell wrote:
| Good questions. You have an especially good point about
| the latency of responses to cursor movement commands; the
| developers of NVDA and JAWS might have to rethink their
| approach to that.
|
| But as far as I know, Cloudflare hasn't even tried yet.
| ggreer wrote:
| There are several problems with that approach. First,
| there's not enough information in the serialized
| accessibility tree to reconstruct the DOM.[1]
|
| Second, the serialization format is an internal API, so
| there are no constraints on backwards compatibility. It
| can change in any version of Chromium. In fact, the
| interface is updated all the time.[2] Cloudflare would
| have to constantly update their JS client to handle those
| changes. It's not an abstraction that can be relied upon.
|
| Third, the bandwidth and latency requirements for inter-
| process communication are far higher than what is
| available for most client-server communication. Even if
| the API were stable, I doubt it would be feasible to use
| on typical Internet connections. If you don't believe me,
| go to chrome://accessibility/ and click "Start recording"
| on a tab. I did this for an IRCCloud tab and got 4500
| events in approximately 2 seconds.
|
| 1. https://chromium.googlesource.com/chromium/src/+/HEAD/
| docs/a...
|
| 2. https://source.chromium.org/chromium/chromium/src/+/ma
| ster:t...
| mwcampbell wrote:
| > First, there's not enough information in the serialized
| accessibility tree to reconstruct the DOM.
|
| There doesn't have to be enough in there to reconstruct
| the original DOM, just enough to expose all of the
| information that screen readers and other accessibility
| tools need. The fact that that information would be
| exposed through an HTML DOM in this case is irrelevant;
| we know the Chromium accessibility tree has all the
| necessary information.
|
| > Second, the serialization format is an internal API, so
| there are no constraints on backwards compatibility.
|
| OK, you got me there. Maybe the server side has to go all
| the way and construct the HTML.
|
| > Third, the bandwidth and latency requirements for
| inter-process communication are far higher than what is
| available for most client-server communication.
|
| OK, again, maybe the server side has to digest the data
| some more before sending it. But at least Chromium is
| already pushing serialized tree updates. I'll withhold a
| rant on how it could be much worse.
| x0x0 wrote:
| Would you need the css?
|
| And mutations to this dom would need to be tightly synced
| to image updates to not confuse the hell out of nvda?
|
| Or am I misunderstanding?
| mwcampbell wrote:
| > Would you need the css?
|
| Since this DOM would be invisible, hidden behind the
| canvas, I'd say you'd need just enough CSS to make each
| element have the same bounding box as the original. Bonus
| points if you can safely do enough CSS to make the font
| size and colors match; screen readers do have commands
| for querying those things.
|
| > And mutations to this dom would need to be tightly
| synced to image updates to not confuse the hell out of
| nvda?
|
| Chromium has already taken pains to make sure this works,
| because its whole accessibility implementation is
| dependent on pushing tree updates from the renderer
| process to the main process.
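The client-side step discussed in the comments above (an invisible DOM built from the remote browser's accessibility tree, with no JavaScript, no remote references, and only bounding-box CSS), sketched as an added example; it is not code from Cloudflare, Chromium or any commenter. The wire format, its field names (`role`, `name`, `level`, `states`, `bounds`, `children`) and the function names are assumptions made for illustration.

```javascript
'use strict';
// Added example: render an untrusted, serialized accessibility tree into an
// inert HTML string. Everything is allowlisted; unknown input is dropped.

// Allowlisted roles and the (non-executing) tag used for each. Links become
// <span role="link"> so no href or other URL ever reaches the client DOM.
const ROLE_TO_TAG = {
  document: 'div', heading: 'h', paragraph: 'p', list: 'ul', listitem: 'li',
  link: 'span', button: 'span', checkbox: 'span', textbox: 'span', image: 'span',
};
const NATIVE_ROLES = new Set(['heading', 'paragraph', 'list', 'listitem']);
const NAME_FROM_CONTENT = new Set(
  ['heading', 'paragraph', 'listitem', 'link', 'button', 'checkbox']);
const INTERACTIVE = new Set(['link', 'button', 'checkbox', 'textbox']);
const BOOL_STATES = ['checked', 'expanded', 'disabled'];
const MAX_DEPTH = 64;    // guard against pathological nesting
const MAX_NODES = 5000;  // guard against oversized updates

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Emit position CSS only when all four values are finite numbers, so a string
// such as "0;background:url(...)" can never be interpolated into a style.
function boundsStyle(bounds) {
  if (!bounds || typeof bounds !== 'object') return '';
  const vals = ['x', 'y', 'width', 'height'].map((k) => bounds[k]);
  if (!vals.every((v) => typeof v === 'number' && Number.isFinite(v))) return '';
  const [x, y, w, h] = vals.map(
    (v) => Math.max(-100000, Math.min(100000, Math.round(v))));
  return ` style="position:absolute;left:${x}px;top:${y}px;` +
         `width:${w}px;height:${h}px"`;
}

function renderNode(node, depth, budget) {
  if (!node || typeof node !== 'object' || depth > MAX_DEPTH) return '';
  if (++budget.count > MAX_NODES) return '';
  const name = typeof node.name === 'string' ? node.name : '';
  if (node.role === 'text') return escapeHtml(name);

  const children = Array.isArray(node.children) ? node.children : [];
  const inner = children.map((c) => renderNode(c, depth + 1, budget)).join('');

  // Unknown roles keep their (sanitized) children but get no semantics.
  const known = Object.prototype.hasOwnProperty.call(ROLE_TO_TAG, node.role);
  if (!known) return `<div>${inner}</div>`;
  const role = node.role;

  let tag = ROLE_TO_TAG[role];
  if (role === 'heading') {
    const ok = Number.isInteger(node.level) && node.level >= 1 && node.level <= 6;
    tag = 'h' + (ok ? node.level : 2);
  }

  let attrs = NATIVE_ROLES.has(role) ? '' : ` role="${role}"`;
  let content = inner;
  if (name !== '') {
    if (!NAME_FROM_CONTENT.has(role)) {
      attrs += ` aria-label="${escapeHtml(name)}"`;
    } else if (children.length === 0) {
      content = escapeHtml(name);
    }
  }
  const states = node.states && typeof node.states === 'object' ? node.states : {};
  for (const s of BOOL_STATES) {
    if (typeof states[s] === 'boolean') attrs += ` aria-${s}="${states[s]}"`;
  }
  if (INTERACTIVE.has(role)) attrs += ' tabindex="0"';
  attrs += boundsStyle(node.bounds);
  return `<${tag}${attrs}>${content}</${tag}>`;
}

function renderAccessibleOverlay(tree) {
  return `<div class="a11y-overlay">${renderNode(tree, 0, { count: 0 })}</div>`;
}

// Constructed sample input (not captured from any real product).
const SAMPLE_TREE = {
  role: 'document', name: 'Example page',
  bounds: { x: 0, y: 0, width: 1024, height: 768 },
  children: [
    { role: 'heading', level: 1, name: 'Inbox <script>alert(1)</script>',
      bounds: { x: 16, y: 16, width: 400, height: 32 } },
    { role: 'link', name: 'Open message', url: 'https://example.invalid/track',
      bounds: { x: 16, y: 64, width: 120, height: 20 } },
    { role: 'checkbox', name: 'Select all',
      states: { checked: true, onclick: 'x()' },
      bounds: { x: '0;background:url(//example.invalid)', y: 0, width: 1, height: 1 } },
    { role: 'marquee', children: [{ role: 'text', name: 'Status: 3 unread' }] },
  ],
};

console.log(renderAccessibleOverlay(SAMPLE_TREE));
```

Activating one of these elements would still have to be forwarded to the remote browser as an input event, which this sketch does not cover.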
| x0x0 wrote:
| got it, thanks!
| 5faulker wrote:
| Interesting. For images with few colors, manually optimized PNG
| can work better than WebP.
| cxr wrote:
| > _Their "client" was basically a fancy, highly specialized
| graphics terminal; all the real work was done on the server.
| For example, when you issued a command to an object, instead of
| sending a command message to the object on the server, the
| client would send the X-Y coordinates of your mouse click. The
| server would then render its own copy of the scene into an
| internal buffer to figure out what object you had clicked on._
|
| <http://habitatchronicles.com/2004/04/you-cant-tell-people-
| an...>
| sneak wrote:
| This makes logical sense. Smaller companies have fewer innovation
| tokens; large organizations like Cloudflare carry heavier burdens
| when releasing new products (i18n and a11y primarily among them).
| devoutsalsa wrote:
| It seems like Cloudflare could embrace accessibility and use
| that in marketing as a competitive advantage.
| daviddever23box wrote:
| ...as a competitive advantage against whom? Who else is
| providing this capability at the moment, and are they more or
| less accessible?
| yjftsjthsd-h wrote:
| If they don't already have competitors, they will soon
| enough, and a11y is a moat to have.
| nonbirithm wrote:
| Anecdotally, even with websites like Twitter that obfuscate their
| CSS class names to prevent the use of selective adblock, they
| still leave the readable ARIA strings in predictable places,
| allowing uBlock Origin users to create blacklist rules matching
| them. I'm wondering if those two features are at odds.
| novok wrote:
| You can do ad block with text in tag types I've found out. I
| use it to block the email nag from reddit.
| wolfgang42 wrote:
| Do we know that Twitter is intentionally doing that to defeat
| adblockers? It's a common speculation I see about them (and
| maybe it's a convenient side-effect), but these sorts of
| mangled class names are also a common feature of popular CSS-
| in-JS libraries. (I work on an internal app that does the same
| thing, and it's incredibly annoying but definitely not
| explicitly intended to be hostile.)
| madjam002 wrote:
| Twitter uses react-native-web which generates random class
| names, they're not doing it to evade ad blockers.
| MattGaiser wrote:
| For people who have worked on accessibility related stuff in
| production projects, how much more expensive is it vs just
| ignoring it?
| BoorishBears wrote:
| Does it matter? Tomorrow morning you can wake up needing those
| accessibility features.
| MattGaiser wrote:
| I am trying to get a sense of how big an ask this is. Is it a
| million dollar ask? 100K? A million a year (does it need a
| full time team)?
| isbvhodnvemrwvn wrote:
| The cost is considerably lower if you watch out for a11y
| from the get-go, retrofitting it is more expensive since
| you have to retain the existing behavior, sometimes of
| existing and complex but non-accessible components. Add to
| that the need to e.g. caption all the existing pictures and
| it gets even worse.
| arp242 wrote:
| It really depends on the specifics; for something like this
| I suspect it's a non-trivial investment. For a lot of other
| things it's not that hard.
|
| For a lot of things a11y features are just good features in
| general; zooming text for example is something loads of
| people do, not just blind or low-vision people.
| mwcampbell wrote:
| For the specific project of making this remote browser
| accessible, my wild guess is that if Cloudflare were to
| hire me to work on the project (no, not available at the
| moment), it could easily take a few months, but probably
| not more than a year. They could probably cut down that
| time if they hired away someone from the Chrome or Edge
| team who's actually an expert on Chromium accessibility
| specifically; I admit my main expertise is in Windows
| accessibility.
| BoorishBears wrote:
| That's like asking "is writing a feature a million
| dollar ask" without defining "feature".
|
| Need to define it at least a little to get anything
| resembling a useful answer.
| robin_reala wrote:
| It's part of every product team's baseline requirements to
| own and assess. It's considerably easier to do that up
| front than to retrofit. Think of it as analogous to
| security in this situation.
| wyager wrote:
| Of course it matters. If your model of the world is "we need
| to spend infinite resources ensuring every system can be
| operated by anyone with any disability", that's obviously
| nonsense.
|
| Accessibility is valuable but not infinitely so. Sometimes
| (usually) it's best not to encumber an innovation just
| because the innovation doesn't immediately apply to everyone.
| grishka wrote:
| I did screenreader support in a rather popular Android app. It
| took me several days to get from "can't focus anything at all
| on the main screen" to "all icon buttons are labeled and most
| of the functionality is usable, including the many very complex
| custom views with clickable elements inside".
| cupcake-unicorn wrote:
| Thanks so much for holding Cloudflare accountable for this. It's
| upsetting that they had so much input from you leading up to it
| and now they're dropping the ball. A lot of accessibility stuff
| and mission statements just honestly amounts to virtue signalling
| with companies and sad to see that's the case with Cloudflare so
| hope they step up. It shouldn't have to get to the point where
| they're sued but I feel like more often than not that's the only
| thing that changes things like this.
| daviddever23box wrote:
| Why not push the screen reader component upstream?
|
| It'd be another service add-on, but it might also be useful for
| folks who want to have narrative browsing, e.g., the equivalent
| of someone reading the news sites to the listener without having
| to interact with the site itself.
| marcinzm wrote:
| A screen reader is a two way device since it needs to expose
| ways to INTERACT with the site and not just read it. I assume
| there's many different settings for screen readers including
| voices, speed, ways of interaction with site elements (click,
| voice command, shortcuts, etc.), etc. It'd be like forcing you
| to use IE 6 to browse the modern web and then if you're not as
| efficient as someone on modern Chrome firing you.
| mwcampbell wrote:
| > It'd be like forcing you to use IE 6 to browse the modern
| web and then if you're not as efficient as someone on modern
| Chrome firing you.
|
| I might have to use that analogy next time this comes up.
| daviddever23box wrote:
| This scenario might very well require a FedGov or security
| audit-compliant reader application with a uniform interface.
| mwcampbell wrote:
| > Why not push the screen reader component upstream?
|
| Are you suggesting that a screen reader should run on the same
| remote machine as the remote browser and push its audio down to
| the client? Or something else?
| daviddever23box wrote:
| Yes - in the same manner as game streaming.
| mwcampbell wrote:
| That would be better than nothing, and if Cloudflare had
| done that, I don't think I'd be complaining publicly at
| this point. But there are still problems with this
| approach. The ones that come to mind:
|
| 1. Assuming the remote service only sends down streaming
| audio, this doesn't work for blind people that must use a
| refreshable Braille display, e.g. deafblind people. Perhaps
| one could hack a way to get their local screen reader to
| render specific text on the Braille display, but probably
| not without that screen reader speaking the same text. That
| leads me to...
|
| 2. A blind user is already running a screen reader, with
| its own text-to-speech engine, configured the way they want
| it. Adding a remote screen reader to the mix would mean two
| different TTS engines, and the user would need to have a
| way of configuring the remote one, e.g. to adjust its
| speed. For blind people, TTS settings are very personal.
|
| 3. The remote screen reader and the local one may clash on
| keyboard commands. And, depending on the screen reader,
| this is another thing that the user may have customized
| already; for example, some screen readers have desktop and
| laptop keymaps.
|
| 4. Also speaking of keyboard commands, some of them might
| not be implementable in a browser-based application. It's
| common, at least on Windows, for screen readers to use non-
| standard modifier keys, e.g. Insert or Caps Lock.
| daviddever23box wrote:
| To point 1, text/plain can be streamed; as for point 2,
| there may already be limited options, subject to
| application security audits.
|
| I hate to say this, but if there was one place I'd look
| for vulnerabilities within a purportedly-secure
| environment, screen readers would be near the top of the
| list.
| devwastaken wrote:
| Public services, even online, which are not accessible to those
| with major disabilities, are a violation of the ADA.
| https://youtu.be/IQjUCqVo4II
|
| This may apply in other ways to Cloudflare, and if so fines must
| be issued. It's 2021, there's no excuses for it other than not
| wanting to put in the work.
| ceejayoz wrote:
| The fines would apply to the companies _using_ CloudFlare,
| wouldn't they?
| daviddever23box wrote:
| Yes.
| ggreer wrote:
| By that logic, isn't every screen sharing app violating the
| ADA? A screen reader can't read the text on someone else's
| screen in Zoom, Webex, Slack, etc. Zoom even admits to this in
| their accessibility FAQ and encourages speakers to supplement
| with notes.[1]
|
| 1. https://zoom.us/accessibility/faq#faq11
| mwcampbell wrote:
| > By that logic, isn't every screen sharing app violating the
| ADA?
|
| We'd love it if the legislation had that kind of teeth. As it
| happens, in my day job I've been developing a product to work
| around the inaccessibility of screen sharing in online
| meetings, starting with providing real-time access to
| PowerPoint slides. But I'm not here to plug that product.
| ggreer wrote:
| Just curious, but where do you draw the line? To use a
| silly example: we don't legally require that everyone
| who posts an image on social media include a written
| description. There must be some ratio of cost to benefit at
| which accommodations stop being reasonable.
|
| If we required that screen sharing tools were compatible
| with screen readers, we'd have to revamp many layers of
| abstractions. It would require changes to every operating
| system, every UI framework, every browser, and every screen
| sharing application. An alternative would be to throw a
| bunch of machine learning at the problem (to try to turn
| pixels back into meaning), but that would have a lot of
| broken corner cases. The issues would likely be as bad as
| auto-generated subtitles, which are generally not good
| enough to be considered ADA compliant.[1]
|
| My guess is that if the law changed tomorrow and mandated
| that screen sharing tools accommodate the blind, we'd end
| up with no cross-platform screen sharing tools. Microsoft
| would make their Windows screen sharing. Apple would make
| their MacOS screen sharing. Google would make their
| ChromeOS screen sharing, and none of them would be
| interoperable. Also desktop Linux would be SOL.
|
| 1. UC Berkeley was forced to delete over 20,000 videos of
| lectures because their auto-generated subtitles weren't
| accurate enough: https://news.berkeley.edu/wp-
| content/uploads/2016/09/2016-08...
| dasyatidprime wrote:
| > we don't legally require that everyone who posts
| an image on social media include a written description
|
| Not that it takes too much away from your point, but I've
| experienced an interesting gap in this example. While not
| legally required, big chunks of the short-form-text
| fediverse (Mastodon/Pleroma/...) have had circulating
| posts recommending descriptive text for image posts, and
| I'm actually surprised by how many people get into the
| habit of complying naturally--perhaps because there's
| also an easily-noticeable slot in the UI for it? Ten or
| so years ago I remember it being like pulling teeth to
| explain to some people doing media projects on the Web
| that this kind of accessibility was important, and now
| with what seems to be culturally a similar crowd... huh,
| y'know?
| mwcampbell wrote:
| > My guess is that if the law changed tomorrow and
| mandated that screen sharing tools accommodate the blind,
| we'd end up with no cross-platform screen sharing tools.
|
| Solving this problem in a cross-platform way is hard, but
| not impossible, especially for a company as well-funded
| as Zoom. And yes, I have ideas about how it could be
| done, though like my suggestion about the Chromium
| accessibility tree, they're not necessarily fully baked.
| nanankcornering wrote:
| and they're still passing traffic of 8chan and kiwi something..
| gnicholas wrote:
| They wouldn't be the first. An SVP of a major SV company once
| told me "[my company] doesn't give a shit about accessibility,
| and no one in Silicon Valley does." When I went to the CSUN
| accessibility conference that year, guess which company's logo
| was emblazoned across the lanyards? Yup, their marketing
| department was happy to write checks that their company had no
| intention of cashing.
|
| Silicon Valley is famous for its 'patina of accessibility':
| https://medium.com/@nicklum/silicon-valleys-patina-of-access...
| mwcampbell wrote:
| I understand and can relate to the feeling that nobody gives a
| shit. And it may be true that the leadership of all of these
| companies only care about the bottom line. But let's not make
| things look worse than they are. Whatever the motive, some SV
| companies _are_ doing good work in accessibility. The most
| obvious example is Apple; the introduction of VoiceOver on the
| iPhone in 2009 was groundbreaking and has been tremendously
| useful to blind people all over the world. Microsoft
| (disclosure: my former employer) is also doing good work on
| accessibility, e.g. its Seeing AI app. Of course, we have
| constructive criticism for these companies as well, but the
| state of accessibility in mainstream tech is not all bad.
| gnicholas wrote:
| I understand that no one is perfect. What bothers me is the
| hypocrisy: making it seem like they care when they really
| don't. Did they spend $100k to sponsor that conference? I'd
| prefer they spend that money actually training people to
| care.
| novok wrote:
| A more charitable explanation is they may care, but their
| organization might not put their money where their mouth
| is.
|
| Also organizations are not monolithic singular minds,
| especially as they get bigger and bigger. They are groups
| of people, and one end not talking to the other is quite
| common.
| lazide wrote:
| It is going to cost a whole lot more than $100k to train
| everyone necessary on accessibility. Especially when you
| factor in the opportunity cost involved in focusing on that
| over new features or the like.
| akagusu wrote:
| Why are people still using and promoting Cloudflare when the
| company is repeatedly trying to position itself as an internet
| gatekeeper?
|
| There is already a consensus that internet gatekeeping is bad for
| people, so why are people volunteering for this?
|
| This company already has a tremendous control over what people
| can or cannot see on internet since a lot of websites use it as a
| CDN, but there should be a limit on what companies can do or
| cannot.
|
| In this particular case, we have blind people blocked from
| internet, and it doesn't matter if this is not on purpose or it
| is just a side effect, because in practice they are being blocked,
| and yet something like this is unable to make a scratch on its
| reputation.
| wombarly wrote:
| Because without CloudFlare we would: Pay thousands in bandwidth
| costs per month; Double or triple our servers to handle peaks
| (they cache and serve the HTML for us); Be down constantly
| because of DDOS attacks.
| grishka wrote:
| Is DDOS such a frequent occurrence that you would be down
| "constantly"?
| MrStonedOne wrote:
| Yes
| rhizome wrote:
| Demand wouldn't drive bandwidth prices down?
| netr0ute wrote:
| If you're lucky, bandwidth is free.
| SimeVidas wrote:
| > Why people are still using and promoting Cloudflare
|
| I use Cloudflare because it hosts my website for free.
| vorpalhex wrote:
| I don't think Cloudflare is intentionally trying to gatekeep
| the internet. At the same time the road to hell is paved with
| good intentions.
|
| Their CDN service has allowed a lot more sites to exist than
| the two it has harmed (and I don't consider those two to be
| great losses).
|
| However they are certainly becoming an internet chokepoint and
| we need more alternatives to them for the good of the internet.
| saagarjha wrote:
| Perhaps they don't see it as "gatekeeping", but it is clearly
| an explicit goal of theirs that the internet goes through
| them.
| pxue wrote:
| Because the pendulum is swinging towards ease of creation over
| control.
|
| I can spin up a simple web app or a simple cloud function and
| get it globally distributed in minutes, for free. That's
| amazing
| alabamacadabra wrote:
| Perhaps amazing shouldn't be what wins in the long run?
| arodyginc wrote:
| If your function could be shut down in minutes on a bad will,
| would that be amazing?
| pxue wrote:
| Nope. But like I said, the tradeoff is clear, ease vs control.
|
| I'm sure we would have had this talk when on-premise
| transitioned to the cloud. Same arguments apply
| MattGaiser wrote:
| People don't want the Internet gate kept. They do want their
| sites protected though.
| vbezhenar wrote:
| I like Cloudflare, because it provides some very essential
| services with free tiers. It is big enough, so I can trust
| them. I can be sure that they won't inject ads into my HTML
| pages. I can be sure that their DNS will not replace NXDOMAIN
| with fake ad responses. I can be sure that they won't log my
| VPN traffic trying to extract passwords or something like that.
|
| For sure I don't support their decision to ban blind users and
| hope to see that resolved. But that's not enough to change my
| mind, not even remotely.
| grishka wrote:
| > I can be sure that they won't inject ads into my HTML
| pages.
|
| But they will harass your visitors with captchas for no good
| reason. I also sometimes run into Cloudflare's "this website
| is using a protection service" with no way around; it turns
| out it's a geoblock because it does load just fine when I use
| a VPN through Germany.
|
| The internet was meant to be decentralized. The IP addresses
| were meant to be used for routing and for routing only, and
| otherwise treated equally.
| mattl wrote:
| People use Cloudflare to limit traffic from particular
| countries and Cloudflare exposes Tor as a country that can
| be blocked.
|
| The Internet wasn't meant to be decentralized. The ARPANET was
| meant to be able to function in the event of a war.
| grishka wrote:
| > People use Cloudflare to limit traffic from particular
| countries
|
| Why would a website care where I'm from?
| azalemeth wrote:
| Companies use geo-ipv4 a _lot_ and it's inaccurate and a
| giant, giant pain in the arse.
| mattl wrote:
| They only sell products in some countries and the vast
| majority of abuse comes from other countries is the one
| use case I've seen for it.
| grishka wrote:
| What if I want to just look at a product with no
| intention to buy it? What if I do want to buy it and use
| a parcel forwarding service to get it to me?
| Aldo_MX wrote:
| International customers are more trouble than it's worth
| when you're a small company and you as a seller are the
| one who absorbs the loss in cases of delayed, defective,
| lost or damaged items.
| mike_d wrote:
| > I can be sure that they won't inject ads into my HTML
| pages. I can be sure that their DNS will not replace NXDOMAIN
| with fake ad responses. I can be sure that they won't log my
| VPN traffic trying to extract passwords or something like
| that.
|
| But they have built the perfect shim in the middle to do ALL
| of these things at some point in the future.
|
| The only thing preventing it is a handful of moral
| executives, who someday will move on or retire. At that point
| a smart Wall Street type is going to figure out that a merger
| between CloudFlare and $adnetwork is going to generate a shit
| ton of money (think Google+DoubleClick).
|
| I don't doubt that CloudFlare is full of smart well meaning
| people, but what they have built is a ticking timebomb. The
| solution is to have ten CloudFlares so that the path between
| consumers and websites isn't regulated by a single
| organization.
|
| Edit: to be clear, the internet was successful because any
| host could talk to any other host. If people did dumb shit
| you could work around it in creative ways. Even in the most
| oppressive countries censorship is still bypassable.
| CloudFlare's business model is centered around convincing
| companies to effectively disconnect their services from the
| internet so they only talk to CF servers.
| plankers wrote:
| I was with you up until "The solution is to have ten
| CloudFlares so that the path between consumers and websites
| isn't regulated by a single organization."
|
| This is hardly a solution, it just spreads the pain around.
| A solution would be a democratically planned organization,
| or group thereof, which is responsible to all shareholders
| including users, employees, executives, and investors.
| lbotos wrote:
| Uh, I still don't want one company to be between me and
| most of the internet, no matter how it's governed.
|
| (And if you wanna be snarky and say "what about your ISP"
| I can choose to use different ISPs. And even that is
| getting threatened.)
| kinjba11 wrote:
| To me saying any $X big company is a ticking time bomb is
| nonsense.
|
| The fact is, a number of companies control a huge number of
| eyeballs. An unethical exec taking advantage of that would
| cause an enormous PR nightmare. If you're making money with a
| great brand reputation, you don't mess with the recipe.
| edoceo wrote:
| Yes, they do mess with the recipe. They've got money to
| mask it out and assist with conditioning the population
| to the new norm. And they can do this cause the service
| is sticky. Mass client exodus is very unlikely. And the
| ones that move out for morals are quickly replaced.
|
| Juggernaut is unstoppable.
| ignoramous wrote:
| > _But they have built the perfect shim in the middle to do
| ALL of these things at some point in the future._
|
| Nginx/Webserver-as-a-service is _literally_ their business.
| They could not have provided the services that they do, any
| other way.
| manquer wrote:
| Is there a case for ML based advanced screen readers which do not
| need assistance from the application?
|
| The problem seems fairly tacklable. Learning what is on a
| display screen is relatively easier than most computer vision
| problem spaces. There are many repetitive patterns in typical
| application UX.
|
| For example, let's say there is a label for Save Icon that is an
| image (a Floppy Disk in most apps) and not alt tagged. By
| visually reading the image of the screen the model should not
| have too much difficulty in tagging that as a Save button?
|
| Most consumer / biz app UX do follow many standard conventions if
| only out of convenience and lack of imagination, so building a
| learning algorithm around these components should be possible?
| peterkos wrote:
| This paper[0] takes a look at something like this, but it's
| notable that this is seen as a springboard for more accessible-
| focused design, rather than the beginning and the end (See
| "Discussion & Future Work").
|
| [0] https://dl.acm.org/doi/abs/10.1145/3411764.3445186
|
| Edit: I realize I've just linked to the same paper as the
| comment below. Oh well!
| mwcampbell wrote:
| This is being worked on. AFAIK, Apple is the first to
| incorporate this approach into a released product, with the
| Screen Recognition feature of VoiceOver starting in iOS 14.
| manquer wrote:
| Thanks for the response Matt. I leave the link here for
| others to look into [1].
|
| Their effort seems currently limited to iOS based Phone
| screens. iOS is perhaps easier to solve given the strong
| Apple design guidelines for apps to pass the App Store review
| process.
|
| Perhaps a community supported distributed approach to help
| build the database of annotated screens for the model to
| learn from, combined with open source models for all kinds of
| screens and applications (not just Apple) would be an
| interesting project to work on.
|
| [1] https://machinelearning.apple.com/research/creating-
| accessib...
| nickdothutton wrote:
| When requesting new functionality please complete the "revenue
| opportunity size" field in the Jira and indicate what quarter you
| expect this opportunity to close.
| geofft wrote:
| You're not wrong, and the answer is that this sort of thing
| needs to impact their bottom line somehow - either because
| customers insist on it as part of a purchase checklist, or
| because the legal system will actually go after violations, or
| because they'll lose important employees.
|
| I don't have a real sense of which of those is most realistic.
| daviddever23box wrote:
| I'm not so sure that there's a legal recourse for this on
| Cloudflare's part, but it's certainly possible for the
| customer -- at which point, the demand will increase to a
| tipping point.
| tomklein wrote:
| Out of curiosity: Do screenreaders use OCR nowadays and if so, is
| it working well or rather badly due to the lost HTML markup?
| arp242 wrote:
| OCR is a poor substitute since it can't really effectively
| navigate things due to lack of navigational information,
| recognition of semantic elements like headers, etc.
|
| I'm not blind myself, but I've tried to use some screen readers
| in the past to get a feel of what it's like. While I'm a _very_
| inexperienced user, one thing I noticed is that even with the
| best designs it's actually really time-consuming compared to
| regular browsing. I would imagine that an OCR solution would be
| even more time-consuming, if it even works well at all.
| thatguy0900 wrote:
| I've heard that actual blind people train themselves to use a
| speed of speech that is almost unintelligible, so it might be
| significantly faster for them to use the same software
| mwcampbell wrote:
| Please be careful about drawing conclusions on what web
| browsing must be like for blind people, based on your limited
| experience with a screen reader. One of my blind friends put
| it more eloquently:
| https://news.ycombinator.com/item?id=9284744
|
| A sibling comment makes a good point about blind people
| running their speech synthesizers at high speeds. Experienced
| screen reader users are also good at using their screen
| reader's many keyboard commands to jump around a web page.
| arp242 wrote:
| Sorry, I didn't mean it to come off as definitive or to say
| that it's _exactly_ like your experience - that would of
| course be silly and misguided.
|
| It's one thing to listen to people talk about it, but it's
| another to actually use it. Not to be stubborn about it,
| but wouldn't you agree that while you can certainly be
| effective with screen readers, that in general it's (or can
| be) less convenient than "normal" computer usage and comes
| with some downsides? After all, if it was of equivalent
| convenience then loads of people would be using it, no?
|
| I should get back to this; but unfortunately I found it
| very hard to get a screen reader running on Linux :-/
| mwcampbell wrote:
| > Not to be stubborn about it, but wouldn't you agree
| that while you can certainly be effective with screen
| readers, that in general it's (or can be) less convenient
| than "normal" computer usage and comes with some
| downsides?
|
| Of course. Vision is a higher-bandwidth medium than
| speech or Braille. But you don't always need all of that
| bandwidth. And, at least in my experience, sighted people
| tend to underestimate how well a blind person can
| compensate for their impairment, in this case by being
| really good at using a screen reader. That's why I
| replied the way I did. Sorry if I came off as too
| accusing.
|
| BTW, I'm not even an especially skilled screen reader
| user. I have enough sight to read the screen up close
| with largish fonts, and I used computers that way for a
| long time before I started routinely using anything
| resembling a modern screen reader. (I did use early
| screen readers as a child in school, but didn't have
| access to them at home.) Even now, I do my programming
| visually. But make no mistake, there are blind
| programmers who are very productive programming with a
| screen reader; I'm just not one of them, at least not
| yet.
|
| > I found it very hard to get a screen reader running on
| Linux :-/
|
| Unfortunately, IMO the best screen readers are on
| Windows.
| londons_explore wrote:
| There is _so much scope_ for using ML to make a screen reader
| work on any old software.
|
| Yet nobody is really investing in screen readers.
| miki123211 wrote:
| They sort of do. VoiceOver on iOS, and its screen
| recognition, is probably the most notable example. It even
| tries to recognize some UI controls and emulate common
| behaviors (like sliding a slider), for example. It's far from
| perfect. It might help when you need to click the odd
| inaccessible button, but is definitely not enough for daily web
| browsing.
| miki123211 wrote:
| On most Cloudflare-related HN threads, Cloudflare was really
| active and eager to answer the engineers' questions.
|
| It's notable that this one is different. The fact that it's
| Sunday afternoon may be part of the reason, but I guess they
| really don't have anything to say. I'd really love to see their
| internal Slack now, though.
| neom wrote:
| For what it's worth, I've known Matthew for many years.
| Although I wouldn't at all say we're close, I feel like I've
| had enough conversation to know who he is. Matthew is a good
| guy, I've never considered him to be tone deaf, and I genuinely
| believe he has the best interest of the many at his core. That
| said, the credence given to the visually impaired across the
| industry is categorically, absolutely, abysmally awful. I've
| never taken it as seriously as I should in my career, near all
| decision makers I know don't take it as seriously as they
| should, and I think shame on me and shame on everyone else.
| Things should be easier for visually impaired people, a)
| because it's the right thing to do and b) because it's low
| hanging fruit. While I don't think Matthew is unique, I do
| think he has a particularly significant responsibility given
| how important his technology is. As a shareholder, a friend,
| and a customer: I hope he takes this seriously, and I suspect
| he would.
| mwcampbell wrote:
| > For what it's worth, I've known Matthew for many years.
|
| And for what it's worth, I don't know him at all, and
| wouldn't dare to assume anything about his character. I
| appreciate that he responded at all to my cold email 18
| months ago. I just wish the company would follow through.
|
| I don't know you either, but if there's anything you can do
| to help my message get through, that would be greatly
| appreciated.
| mwcampbell wrote:
| I submitted this on Friday, but for whatever reason, it didn't
| catch on then. Thanks to the HN mods for putting it in the
| second-chance pool. I've pinged Cloudflare and eastdakota again
| on Twitter, so let's see what happens.
| whoaisme wrote:
| When google makes arbitrary decisions we hate on google. When
| hn makes arbitrary decisions we say thank you. And we wonder
| why the tech industry is so fucked up. Imagine how even more
| pathetic this site would be if dang paid you all 6 figures.
| oknhy30ao wrote:
| Hey, I don't work on the Browser Isolation team, but want to
| let you know that there's a project in progress and your post
| is certainly being discussed. I'm hoping we can provide a
| solution that meets or exceeds your expectations.
|
| PS-- Please pardon the throwaway account, CF employees have
| been getting targeted online.
| mwcampbell wrote:
| I look forward to the results of that work in progress.
| In the meantime, I still think it's reasonable to expect an
| official response. As far as I can tell, Cloudflare has not
| publicly acknowledged the problem yet (please correct me if
| I'm wrong); even a disclaimer on the product page would be
| better than nothing. And the last private response I got
| about this was 4 months ago. But thanks for telling us what
| you can.
| floatingatoll wrote:
| It's not business hours for non-emergency press concerns
| until tomorrow at tech companies whose press office is in
| the US, such as Cloudflare. HN can be swell, but we don't
| deserve weekend hours.
| mwcampbell wrote:
| Fair enough. I just meant to say that I wasn't letting
| the company completely off the hook because of that
| response from a throwaway account, not that I expect an
| official response _today_.
| throwaway42day wrote:
| Because the only publicly acceptable answer would be to agree
| to all the poster's current and future demands, regardless of
| the cost, priorities, risk of breaking other features, etc. And
| it never works out because the demands tend to increase over
| time, and the PR damage of rejecting the very last demand is
| proportional to the number of ones previously accepted.
|
| Make a thought experiment: think what if Cloudflare answered
| trying to explain the complexity, risks, and maybe cost
| estimates for supporting something like that, but refusing to
| add it right away. Nobody would listen to their reasoning. They
| would be immediately labeled as blind haters or whatnot,
| supported by endless news articles and retweets.
|
| Make another thought experiment: assume they comply with the
| current demands and add the functionality at some fixed cost.
| Then in the future, the poster decides that the accessibility
| support is not sufficient and still makes life hard for blind
| people. He would come up with another set of demands and
| Cloudflare would again be forced to comply, because nobody
| would listen to their reasoning. And because it is physically
| impossible to make a blind person as productive at certain
| tasks as a non-blind one, there will be always room for
| improvement and room for more demands.
|
| If you want to truly help the blind, please go ahead and launch
| a competing product. Or offer an ML-based tool working on top
| of existing products. Or create Wiki-like system where people
| would maintain semantic models of commonly used non-accessible
| sites, letting the accessible tools work over them. But all of
| that requires hard work, countless hours and numerous trials-
| and-errors. Trying to strong-arm someone else to put in that
| effort surely gives a much faster gratification, but it only
| results in further alienation and ghosting.
|
| Sure, Cloudflare will release an official statement saying how
| they are committed and dedicated and working and planning and
| hoping, and the whole thing will get forgotten in a few weeks,
| but ultimately if you want someone to help you, maybe try to
| understand their constraints and find a compromise, rather than
| trying to use the buzzwords to throw the mob at them.
| mwcampbell wrote:
| > If you want to truly help the blind, [...] all of that
| requires hard work, countless hours and numerous trials-and-
| errors.
|
| I do work hard on products to help blind people, and I have
| been for years, but I can't solve every problem by myself. I
| even quit my cushy job at Microsoft (on the Windows
| accessibility team) to develop a product that works around
| the inaccessibility of screen sharing in online meetings --
| imperfectly, but still better than nothing. But neither I nor
| my tiny company are well-positioned to compete with
| Cloudflare in the field of security products (such as Browser
| Isolation) targeted at corporate IT departments. And
| unfortunately, this particular accessibility problem is not
| one that we can work around from the outside, at least not
| yet. So I felt it was worth some of my time to advocate for
| Cloudflare to make this product accessible.
|
| > And because it is physically impossible to make a blind
| person as productive at certain tasks as a non-blind one,
|
| Of course; vision is a higher-bandwidth medium than hearing
| or touch. But that full bandwidth isn't always needed. And
| unless you've watched a blind person who's proficient with
| their screen reader, you may be surprised at how productive
| they can be at a great many tasks.
|
| > there will be always room for improvement and room for more
| demands.
|
| I appreciate that you and others on this thread don't know
| me, but I've been active in the online blind community for
| about 20 years, and I don't believe I'm known for making
| endless demands of mainstream tech companies. And in this
| case, there's a natural stopping point: when the remote
| browser is either as accessible as a local browser on the
| same website, or as accessible as it can be within the
| constraints of the web platform (where the client for that
| remote browser runs). And my original advice to Cloudflare on
| this subject was targeted at getting the product all the way
| to that logical endpoint.
|
| Having said all that, I realize that what you said may
| reflect what people at Cloudflare think; after all, they
| don't know me either. I vouched for your comment when it was
| dead because I felt someone should be allowed to say what
| others might well be thinking, and I didn't think your
| comment was too inflammatory. I'd appreciate suggestions on
| how to better signal that I won't, in fact, put them in a bad
| PR situation by making ever more demands of them.
| Rapzid wrote:
| > Now, four months later, this problem is still not solved
|
| Further I would have never expected something like this to
| get teed up right before the start of a quarter, and so of
| course it wouldn't be completed at the end of the quarter.
| mwcampbell wrote:
| OK, that sentence probably should have been something like,
| "Now, four months later, there has been no visible progress
| on this problem."
|
| Also, remember that Cloudflare first announced the
| technology 18 months ago, and I advised them of the need to
| pay special attention to accessibility back then. If I had
| first raised this 4 months ago, then of course I would
| understand why they couldn't have solved the problem in
| that much shorter time.
| frakkingcylons wrote:
| I think it's more to do with the timing (it's the weekend).
| You'd really want to talk to the relevant team before saying
| much. Given that this isn't an urgent worldwide problem, paging
| team members during their weekend would be the wrong move.
| They'll probably have a meeting on Monday and I think that's
| when we'd see an update from them.
| _moof wrote:
| Fighting discrimination is difficult and can be exhausting. As
| someone in a (different) protected class I just want to say kudos
| for doing this work.
| dnzkw wrote:
| Isn't demanding that non-trivial work is done just to
| accommodate your class the opposite of discrimination?
| codezero wrote:
| They shouldn't have to demand accommodation. That's the
| point.
| dnzkw wrote:
| And my point is that discrimination is an active effort,
| which this is not. Things are, by default, not accessible,
| because things are generally crafted for able bodied
| humans.
| tobr wrote:
| Where did you get the idea that discrimination has to be
| the result of an active effort? Anything that makes one
| group of people excluded or treated worse is
| discrimination, even if it is the result of an oversight.
|
| Your second sentence is basically exactly the problem:
| able-bodied people are arbitrarily treated as the
| "default", and others are left out.
| dnzkw wrote:
| If it's an oversight how can it be an active effort?
|
| Able bodied people are the default because they are the
| absolutely overwhelming majority.
|
| Let's agree to disagree, I think.
| _moof wrote:
| Discrimination absolutely does not require an active
| effort. Neglect is just as effective at keeping people
| out.
|
| In any case Cloudflare's inaccessibility is a direct
| result of choices they "actively" made. Technical
| decisions, prioritization, maybe even company culture.
| mwcampbell wrote:
| And remember, I advised them of the need to pay special
| attention to accessibility in this product over a year
| before it launched.
| Xorlev wrote:
| It takes something that once was made accessible, through
| active effort, and makes it inaccessible. That's the
| point.
| x0x0 wrote:
| It's not a matter of agreeing; it's a matter of the US
| govt is saying these are the rules for doing commerce or
| hiring employees in the US. As codified by the ADA. Post
| domino case, that clearly applies to company websites.
| rini17 wrote:
| In this case the data basically exist in accessible form and
| they are doing nontrivial work to make them inaccessible.
| chmod775 wrote:
| At this point browsers are a basic building block of our society.
|
| There is absolutely no excuse for lacking accessibility features.
|
| You might as well say your "browser" can't render Arabic.
| kevin_thibedeau wrote:
| > There is absolutely no excuse for lacking accessibility
| features.
|
| Then how are the kids going to have their flashy Electron apps?
| mwcampbell wrote:
| > Then how are the kids going to have their flashy Electron
| apps?
|
| This Electron-bashing is misplaced. In point of fact,
| Electron is one of the most accessible cross-platform UI
| solutions.
| em-bee wrote:
| what is the legal situation here? wouldn't laws that require the
| employer to make accommodations for the disabled simply force the
| company to not use this tool for blind employees?
|
| the company would have to prove that using this tool is strictly
| necessary, which i believe is hard to prove, because if it was
| strictly necessary then everyone at home should be using it too.
|
| there should only be few places where such a tool is strictly
| necessary, and those places already use it. anyone who only
| starts using it now when it gets more convenient can't make the
| claim that they could not do their work without it because they
| could until now.
| brudgers wrote:
| The legal situation is akin to speeding. While technically it
| is illegal to drive 56 in a 55, you won't get a ticket for it.
| And lots of places the flow of traffic will be 85 in a 65 and
| the cops are not about to hold things up.
|
| Same with accessibility only there are powerful economic
| interests at play too.
| adventured wrote:
| > And lots of places the flow of traffic will be 85 in a 65
| and the cops are not about to hold things up.
|
| They sure will. They'll pull a traffic break when something
| is wrong. They get out in front of a block of traffic, throw
| on their lights, and begin swerving across lanes, instructing
| the speeding flow of traffic to collectively slow down. I've
| seen cops routinely do that in both California and on the
| East Coast.
|
| Cops will do that for various reasons, including safety
| purposes (if something has happened up ahead) or just to
| reassert control if they decide the flow of traffic is going
| too fast. Here is a safety example of it in action in Utah:
|
| https://www.youtube.com/watch?v=P9IsAu_96oo
|
| The Germans apparently do this for safety as well:
|
| https://www.youtube.com/watch?v=a-TZBhy-jDk
| namibj wrote:
| The German example was about debris on the traffic lane(s)
| that had to be removed ASAP, and for a safe working
| environment, the traffic has to be slowed down/stopped.
| mwcampbell wrote:
| > what is the legal situation here?
|
| Honestly, I don't know.
|
| We may disagree on whether browser isolation is strictly
| necessary. But to the extent that Cloudflare's marketing
| efforts convince IT departments that it is, and that it's
| important to adopt it company-wide, that's bad for blind people
| unless Cloudflare makes the product accessible. I don't know if
| their marketing efforts are succeeding, but I'm being proactive
| here.
| em-bee wrote:
| well, i mean strictly necessary in the eyes of the law. but
| that's something we won't find out until affected people
| start suing employers for discrimination or whatever the
| appropriate claim here is. and until then there will be
| casualties as you already predict.
| novok wrote:
| TBH it only becomes an issue when it's required for the blind
| people to use this browser. If I was running a company and ran
| into this, I would just say the blind people and other unserved
| edge cases should just use normal chrome until cloudflare
| delivers the full version.
|
| Security is a probability spectrum, not a binary as many are
| fond to think of it.
| mwcampbell wrote:
| I hope any companies that adopt this product agree with you
| on this point. But in case they don't, I still think it's
| important to urge Cloudflare to make this product accessible.
| novok wrote:
| A small company TBH would not adopt this kind of browser,
| and a large company that might is too paranoid about
| lawsuits & CYA behavior to not make such an exception once
| it got escalated. And if it became very widespread, I
| think it would have that stuff built in too, because to get
| some big company / govt contracts an accessibility
| requirement eventually gets thrown in somewhere.
| mwcampbell wrote:
| > A small company TBH would not adopt this kind of
| browser
|
| At $10 per month per user, that's dependent on whether
| one decision-maker in that small company can be swayed by
| Cloudflare's marketing, right?
| Sebb767 wrote:
| > A blind acquaintance of mine once lost his job because of a
| newly added requirement that he use an inaccessible application.
|
| IANAL, but wouldn't this be grounds for a lawsuit?
| Ensorceled wrote:
| Yes. But then you have to hire a lawyer after just losing your
| job, survive during the time the lawsuit will take, win the
| lawsuit ("plaintiff was let go because position was
| redundant"), collect, resume your job or job hunt with a
| "trouble maker" label.
|
| I really wish HN contributors would not suggest the legal
| system as a solution for these types of problems, it's totally
| unrealistic.
| Sebb767 wrote:
| IMO this is a pretty clear-cut discrimination case. I'm aware
| that lawsuits can be problematic for quite a few reasons, but
| just eating it up would be a just as horrible suggestion.
| arp242 wrote:
| Aside from practical concerns such as time and money, these
| kind of battles can be _very_ emotionally draining. Some of
| the most stressful experiences I've had in life is when
| some company or person did me a serious injustice and it's
| hard to get your rights.
|
| I found it's better to let go, for my own sake. It's very
| stressful and very easy for the situation to consume you,
| which isn't healthy and on balance you may be worse off if
| you factor this in. Everyone is different, and other people
| may experience these kind of things different, but I've
| seen the same in various other people, both publicly and in
| my private life.
|
| Of course this really sucks and is very unfair. But it
| doesn't change it.
| Sebb767 wrote:
| Fair enough. Let's just hope said acquaintance was in a
| position to handle it without regrets.
| mwcampbell wrote:
| He got lucky; as I mentioned in another comment [1],
| which links to more details on what happened, he was
| quickly rehired in a different role. But for a short time
| before then, he went through everything that comes with
| unfairly losing a job. And again, it might not have ended
| so well.
|
| [1]: https://news.ycombinator.com/item?id=28028099
| ushakov wrote:
| i'm getting more worried about where Google is going with their
| accessibility strategy
|
| flutter and the canvas-based google docs are completely
| inaccessible
| heavyset_go wrote:
| Several months ago I asked the Flutter engineering director[1]
| this question[2] on a Flutter 2 HN submission:
|
| > _I don't understand how breaking accessibility with Flutter
| wouldn't mean that companies that use it on the web are
| violating the ADA._
|
| And didn't get a response.
|
| I'm still left wondering how a company that adopts Flutter on
| the web wouldn't be violating the ADA by breaking
| accessibility.
|
| [1] https://news.ycombinator.com/item?id=26335062
| miki123211 wrote:
| Flutter is (somewhat) accessible with the help of an alternate,
| hidden DOM, only provided if an "enable accessibility" button
| is pressed, for performance reasons. Unfortunately, some
| privacy zealots prevented web browsers from communicating that
| a screen reader was detected, so we need to press an extra
| button anytime we visit a Flutter app.
|
| Google Docs has had two relatively good accessibility
| implementations for a long time, none of which relied on the
| original DOM, which was hidden from screen readers. The default
| one relies on pushing raw strings for the screen reader to
| speak, while the other one (called Braille mode, as the first
| method couldn't provide braille display compatibility), uses
| more modern APIs to provide the required information in the
| DOM, relying on special announcements only where necessary.
| konaraddi wrote:
| > the canvas-based google docs are completely inaccessible
|
| AFAIK Google docs is still accessible. See the "Additional
| details" at the bottom of
| https://workspaceupdates.googleblog.com/2021/05/Google-Docs-...:
|
| _Compatibility for supported assistive technologies such as
| screen readers, braille devices, and screen magnification
| features, will not be impacted by the canvas-based rendering
| change. We will continue to ensure assistive technology is
| supported, and work on additional accessibility improvements
| enabled by canvas-based rendering_
| ushakov wrote:
| see, they didn't say that canvas-based Google Docs will be
| accessible - all they promise here is that it will be
| "compatible"
|
| "compatible" could just mean that assistive technology will
| work while browsing Google Docs and nothing beyond that
|
| this is a textbook example of deceptive corporate doublespeak
| arp242 wrote:
| What more do you want beyond "will work"?
|
| Does it not actually work now? What are the issues and
| practical concerns right now?
| wffurr wrote:
| Have you tried using a screen reader with Flutter apps or the
| canvas-based Docs?
|
| From the very first result on "Flutter accessibility":
|
| >> We strongly encourage you to include an accessibility
| checklist as a key criteria before shipping your app. Flutter
| is committed to supporting developers in making their apps more
| accessible, and includes first-class framework support for
| accessibility in addition to that provided by the underlying
| operating system
|
| https://flutter.dev/docs/development/accessibility-and-local...
| ushakov wrote:
| encouraging accessibility is not enforcing accessibility
|
| edit: what i meant here is, instead of making the framework
| accessible out of the box, Google is trying to shift the
| responsibility to the developers
| arp242 wrote:
| Enforced accessibility would be horrible. What if I want to
| make an application just for me? Or a game or something
| else where the basic concept isn't fundamentally accessible
| for blind people?
|
| A lot of the open source software I release is for one
| reason and one reason only: it's useful for me. I generally
| try to make it a bit useful for others as well, but that's
| mostly just a nice bonus. I do care about accessibility in
| general (actually, I've been meaning to ask Matt about
| accessibility on CLI programs) but it's not really
| something I think about on these kind of programs, just
| like I usually don't consider most use cases outside of my
| own. If someone were to bring it up then I'd see if
| something could be done (like any other issue people bring
| up), but this depends on my available time and "if I feel
| like it" as well.
|
| The alternative would be to never release it at all and
| keep it in my ~/code directory. I think that would be a
| loss.
| mwcampbell wrote:
| > (actually, I've been meaning to ask Matt about
| accessibility on CLI programs
|
| Assuming you meant me and not some other Matt, go ahead.
| In general, I'd say it's pretty hard to make line-
| oriented CLI programs inaccessible. Screen-oriented (e.g.
| ncurses-based) programs are, in my experience, harder to
| use with a screen reader, but still generally not
| terrible. Anyway, happy to answer any specific questions
| you have.
| daviddever23box wrote:
| Whose statutory responsibility is it to enforce
| accessibility? And by what methods?
|
| I'm not encouraging folks to flout this, but one needs to
| be quite specific as to what is required where, and for
| whom.
| [deleted]
| goodpoint wrote:
| Cloudflare is also killing Tor with its blockpages.
|
| It's a global threat to privacy and freedom of information.
| tmikaeld wrote:
| It's up to the site owner if they want to block Tor or not,
| the site owner could just as easily have blocked Tor if they
| were using a normal server.
| goodpoint wrote:
| > It's up to the site owner if they want to block Tor or not
|
| No. Cloudflare does that automatically when the owner selects
| "high protection" without clarifying the impact of the
| choices or discouraging such practice.
|
| > the site owner could just as easily have blocked Tor if
| they were using a normal server
|
| Not at all, it's difficult to implement to the same level as
| cloudflare.
| junon wrote:
| It is _super easy_ to implement this at the same level as
| cloudflare. You just check the connection against the exit
| node lists.
| judge2020 wrote:
| > Not at all, it's difficult to implement to the same level
| as cloudflare.
|
| https://check.torproject.org/torbulkexitlist
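The check described in the comments above ("check the connection against the exit node lists"), as an added example that is not part of the thread or anyone's production code. It assumes the bulk exit list is plain text with one address per line; the sample list, the path prefixes and all function names are constructed for illustration, and the policy shown (extra friction only on sensitive paths) is a hypothetical site-owner choice.

```python
import ipaddress

# Constructed sample in the one-address-per-line layout assumed for the bulk
# exit list; these are documentation-range addresses, not real exit nodes.
SAMPLE_EXIT_LIST = """\
192.0.2.10
198.51.100.7

203.0.113.99
not-an-address
"""

# Hypothetical path prefixes where a site owner wants extra friction.
SENSITIVE_PREFIXES = ("/login", "/admin")


def parse_exit_list(text):
    """Return the set of valid addresses in the list, skipping junk lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # tolerate malformed lines instead of failing the refresh
    return exits


def normalize(client_ip):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) as seen on dual-stack sockets."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_tor_exit(client_ip, exits):
    """True if the (normalized) client address is in the exit set."""
    return normalize(client_ip) in exits


def decide(client_ip, path, exits):
    """Return 'allow' or 'challenge'; only sensitive paths treat Tor differently."""
    if is_tor_exit(client_ip, exits) and path.startswith(SENSITIVE_PREFIXES):
        return "challenge"
    return "allow"


EXITS = parse_exit_list(SAMPLE_EXIT_LIST)
```

Without the normalization step, a dual-stack listener that reports clients as `::ffff:a.b.c.d` would never match an IPv4-only list.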
| Asooka wrote:
| But is blocking Tor a decision the site owner has to make, or
| is it the default and requiring you to set up custom site
| protection rules if you want to accept Tor traffic?
| zinekeller wrote:
| Explicit, using the special "country code" T1. However, I
| also noticed that natural blockrates (on my non-CF servers)
| tends to be higher on Tor exit addresses due to (seemingly)
| more aggressive hacking attempts - probably the same on CF
| (the real anonymity of Tor is both a blessing and a curse)
| prophesi wrote:
| You can explicitly block all TOR nodes, but by default
| the security setting is set to "Medium" which blocks the
| majority of them.
|
| I'd also like to know Cloudflare's definition of
| "malicious traffic". I think the main fears are DDoS
| attacks (which is a nonexistent threat to the majority of
| site owners) and scraping email addresses for spam. Which
| can be addressed by informing site owners to use a
| contact form widget instead of putting their email on
| their contact page.
| judge2020 wrote:
| > but by default the security setting is set to "Medium"
| which blocks the majority of them.
|
| Citation needed, as my Enterprise zone with security
| level set to 'high' doesn't block my own Tor visit (and
| /cdn-cgi/trace does indeed show loc=T1).
| zinekeller wrote:
| See my corollary comment on some of my non-CF servers and
| the blocking - Tor does provide important anonymity, and
| I understand that Cloudflare, which is bigger, can
| probably absorb it without much damage, but unfortunately
| Tor exit nodes have a much higher attack and hacking
| attempts than regular IP addresses. In high-security
| applications when anonymity is already lost anyway
| (logging into a bank, for example) it is reasonable, due
| to the inherent risk, to block Tor exit nodes.
| prophesi wrote:
| Ironically, Cloudflare's default protections are probably
| the largest contributor to any radical usage of TOR. It's
| assumed you've a subversive motive since it's impossible
| to navigate the open web with it.
|
| Edit: I'm also not sure what "attacks" and "hacking
| attempts" mean. I'm guessing credential stuffing of admin
| pages? Brute-forcing the SSH password for root? These
| also can be prevented in a myriad other ways that don't
| disenfranchise TOR users.
| zinekeller wrote:
| > Brute-forcing the SSH password for root?
|
| Not in this context. Cloudflare-protected pages don't
| need to worry about that.
|
| > I'm guessing credential stuffing of admin pages?
|
| More complex than that, but you've got the point.
|
| Funnily, there is silence on Fastly's filter - sure, it's
| not active until you toggle it, but even without explicit
| Tor block you get the same result.
| prophesi wrote:
| Can it not be defined beyond "it's complicated"?
| zinekeller wrote:
| It's quite hard, because it's not just "use known
| vulnerabilities on this specific address" - you can block
| it easily, and there are projects (such as CRS:
| https://github.com/coreruleset/coreruleset) that try to
| emulate this. It's more of combined specific attacks,
| which is amplified because if CloudFlare detected an
| attempt on a single high-profile site, then that IP
| address can be propagated to all of Cloudflare-protected
| "properties" (as they called it). Combine that with how
| random is an address allocated in Tor (and frequent
| rotations), and you've got blocks without using an
| explicit Tor list.
| prophesi wrote:
| > it's not just "use known vulnerabilities on this
| specific address"
|
| Ok, so they're not blocking complicated attacks. Just
| automation of attempts to exploit known vulnerabilities.
| And then their IP is marked as high risk. Rinse and
| repeat until the majority of TOR nodes are blocked.
| Definitely can't see that causing issues for TOR (or VPN)
| users.
|
| Edit: And to comment on this:
|
| > Funnily, there is silence on Fastly's filter
|
| > Cloudflare is used by 80.6% of all the websites whose
| reverse proxy service we know. This is 17.4% of all
| websites.
|
| https://w3techs.com/technologies/details/cn-cloudflare
|
| > Fastly is used by 5.7% of all the websites whose
| reverse proxy service we know. This is 1.2% of all
| websites.
|
| https://w3techs.com/technologies/details/cn-fastly
| goodpoint wrote:
| > In high-security applications when anonymity is already
| lost anyway
|
| There are countless sites that only serve static contents
| and yet cannot be accessed over Tor.
|
| Furthermore, many others provide an optional login that
| could be made to block Tor exit nodes, but the default
| settings of cloudflare still block the whole site.
|
| Additionally, "anonymity is already lost anyway" when
| logging on a banking website is incorrect. Users might
| want to protect their browsing from untrusted WiFi access
| points or nosy ISPs or country-level censorship.
|
| > (logging into a bank, for example) it is reasonable,
| due to the inherent risk, to block Tor exit nodes.
|
| How many attackers have the skills, experience and
| knowledge to successfully break into a bank and yet don't
| know how to anonymously rent a VPS or use a botnet or a
| compromised host or a starbucks WiFi? 0.0001%?
|
| [Edit: silent downvotes do not help.]
| zinekeller wrote:
| I personally don't use CloudFlare but do manage a website
| which uses one for a job, and there's a button to mangle
| e-mail addresses, so I don't think this is their concern.
|
| DDoS attacks are surprisingly negligible, comparable for
| ordinary IPs, so I don't think that's what they're
| protecting at.
| [deleted]
___________________________________________________________________
(page generated 2021-08-01 23:00 UTC)