SoS Musings #71 - Security and Privacy for Blind and Low-Vision People


Security and privacy are critical for everyone, including Blind and Low-Vision (BLV) individuals. In reality, BLV people are particularly vulnerable to cyberattacks due to the accessibility tools and devices they use to traverse the digital world. BLV users may need to rely on others to help them manage their personal and financial information, increasing the risk of falling victim to compromise if such information is exposed to the wrong people. BLV people may be more likely to fall for social engineering attacks because they may not be able to detect the tone or context of a message that may indicate it is a scam. These users may be more vulnerable to phishing scams because they cannot see the visual cues that may indicate a message is fraudulent. They may not be able to tell if an email is coming from a legitimate source or if a website is secure. BLV people may be more likely to download malware inadvertently because they rely on assistive technology to navigate the Internet. Malware can be disguised as legitimate software or embedded in files downloaded from the Internet. Therefore, it is essential to continue research and development efforts to improve security and privacy for BLV users.

Security and privacy awareness and concerns among BLV people must be considered. As Hyung Nam Kim of North Carolina A&T State University in Greensboro, North Carolina, pointed out, there are significant privacy concerns regarding the use of camera-based assistive technology on smartphones. There is a concern that visually impaired individuals who rely on this technology for facial recognition and object identification may expose themselves and others to compromise if their device, connections, or software are breached by third parties. Kim wrote a report titled "Digital Privacy of Smartphone Camera-Based Assistive Technology for Users With Visual Disabilities." He conducted a small-scale survey of users with visual impairments who use this technology and associated software, finding that very few users were knowledgeable of the privacy policies and potential risks posed by the use of assistive technology, and that they were generally unaware of the potential problems related to privacy and security breaches. Kim's research aims to help researchers and professionals provide greater support and education for those with visual impairment who rely on this technology. According to Kim, since many people with visual impairments in the US are just as likely as fully sighted individuals to use and engage with social media sites such as Facebook, there is an urgent need to improve and enhance their privacy awareness given the additional risk they must face in using software to interact online in order to maintain their independence.

A team of researchers at Texas Tech University released a paper titled "Internet Use and Cybersecurity Concerns of Individuals with Visual Impairments," in which they shared findings from a survey of 20 individuals with visual impairments. The purpose of the survey was to gain insight into individuals' Internet use and to study the relationships between Internet usage metrics and cybersecurity-related knowledge, skills, confidence, and attitudes. They wanted to research the Internet use of visually impaired individuals and investigate their cybersecurity challenges and concerns while using the Internet. Findings from the survey revealed that reading and composing emails was the most common activity (80 percent). The participants also commonly or extensively engaged in browsing the Internet for entertainment purposes (70 percent), downloading and uploading files (70 percent), and conducting educational tasks (65 percent). The most common social media activities among participants were listening to podcasts (83 percent), using instant messaging services (77 percent), updating status on personal web spaces (77 percent), and adding someone to personal web spaces (77 percent). Participants reported often encountering a variety of problems while browsing the Internet, including security-related issues, such as misleading links, malware, unauthorized software, and spam emails. Most of the participants (80 percent) reported feeling "concerned" or "very concerned" when asked about cybersecurity threats. The theft of private information (70 percent), unauthorized individuals gaining access to financial information (65 percent), and personal information becoming public (65 percent) were the most worrisome among the participants, while the risk of a computing device becoming infected with a virus or malware (35 percent) scored the lowest in regard to concerns. 
The participants who were more knowledgeable and skilled in cybersecurity were found to be more concerned about it and to use the Internet less frequently than those with less cybersecurity knowledge. The researchers highlighted that concerns about cybersecurity may cause individuals with visual impairments to reduce their Internet use, which could exacerbate the digital divide.

Work led by researchers at the University of Colorado Boulder aims to improve digital privacy for blind users. As Grace Wilson, content and communications specialist at the university, pointed out, blind people, like sighted people, use Instagram, Tinder, and group chats. To learn about their visual environment, they often share images with identification software such as Microsoft's Seeing AI, Be My Eyes, and TapTapSee. However, when BLV users share photos, they run the risk of inadvertently capturing private information. Danna Gurari, professor and the founding director of the Image and Video Computing group in the Department of Computer Science at the University of Colorado Boulder, is a member of a multi-institutional team that was awarded more than $1 million by the National Science Foundation (NSF) through a Safe and Trustworthy Cyberspace (SaTC) grant to study the issue. Blind individuals must rely on friends or family members to review their photos for private information before sharing them publicly, which can have its own social consequences. Alternatively, they can accept the privacy risk associated with posting. The objective of the team's interdisciplinary project is to develop a system capable of alerting users when private information is present in an image and, if the user so chooses, concealing it. Gurari's group is leading the project's automatic image analysis in collaboration with human-centered computing expert Leah Findlater from the University of Washington and privacy expert Yang Wang from the University of Illinois Urbana-Champaign. The Image and Video Computing group is developing methods for sharing what private information may be contained in an image and allowing the user to choose whether to use the image as-is, reject it, or obscure the private information before sharing the image. One of the challenges faced in this effort is determining what the most prominent object in an image is and obscuring everything else.
Since blind individuals often share images for object identification, this feature could reduce the presence of sensitive information revealed during this task. The focus is on developing algorithms that are robust enough to counteract image blur and other common properties of images captured by blind photographers. The team must also develop algorithms that do not require training on specific things in order to recognize them as significant.

Researchers at the University of Waterloo and the Rochester Institute of Technology, in collaboration with BLV people, have created a novel authentication method that could enable BLV users to access their devices more securely. The new method, OneButtonPIN, allows users to enter PIN codes using a single large button and haptic vibrations. Existing identification methods, such as drawing patterns, fingerprint and face scans, and PIN codes, have been found to frustrate BLV users, as the absence of visual data makes it difficult to use some methods effectively. Other methods are susceptible to the compromise of users' privacy. OneButtonPIN addresses these security concerns through the use of haptic vibrations that are imperceptible to outsiders. Through OneButtonPIN, when the BLV user is prompted to enter a PIN code on their smartphone, they press and hold a big button on the screen, initiating a series of vibrations separated by pauses. The user counts the number of vibrations corresponding to the number they want to enter, then releases the button, repeating the process until all desired numbers have been entered. Stacey Watson, a computer science lecturer and one of the researchers behind OneButtonPIN, pointed out that biometrics such as fingerprints and facial scans are easy to use and are distinctive, but cannot be modified or reset. Watson stated that the more conventional entry methods are vulnerable due to the use of screen reader technology by many BLV people. Those who use PINs are vulnerable to eavesdropping and shoulder surfing attacks, in which a nearby person observes the user's device without them knowing. Nine BLV participants installed OneButtonPIN apps on their smartphones for the study. Their first task was to enter randomly generated PINs using the OneButtonPIN method multiple times. Then, as part of a diary study, they were instructed to use the app at least once a day for one week.
Findings from the study showed that OneButtonPIN users entered codes with an average accuracy of 83.6 percent or higher, compared to older techniques' accuracy of 78.1 percent. In addition, the approach proved to be significantly secure. In the second phase of the study, ten sighted participants looked at videos showing individuals using traditional PIN input methods and OneButtonPIN, and then attempted to guess their PIN codes. All of the sighted participants successfully guessed the PINs of those using traditional methods, but none of them were able to guess the codes of those using OneButtonPIN.
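The press, count, and release entry described above can be modelled as a small decoder. This is an added sketch, not code from the OneButtonPIN researchers or their app. The timing constants, the random pause lengths, treating a release before the first vibration as 0, and the grace margin for a release that lands just after a vibration begins are all assumptions of this example.

```python
import random
from bisect import bisect_right

PULSE_MS = 150                 # assumed length of one vibration
PAUSE_RANGE_MS = (300, 900)    # assumed bounds for the random pause before a pulse
GRACE_MS = 100                 # assumed reaction margin after a pulse starts
MAX_PULSES = 10                # one more than the largest digit, to catch overruns

def make_schedule(rng):
    """Pulse start offsets (ms after press) for one hold, with random pauses."""
    starts, t = [], 0
    for _ in range(MAX_PULSES):
        t += rng.randint(*PAUSE_RANGE_MS)
        starts.append(t)
        t += PULSE_MS
    return starts

def decode_hold(starts, held_ms):
    """Return (digit, ambiguous) for one hold; digit is None if held too long."""
    if held_ms < 0:
        raise ValueError("hold duration cannot be negative")
    digit = bisect_right(starts, held_ms)   # pulses that had started by release
    if digit > 9:
        return None, False
    # Release right after a pulse began: the user may not have felt it yet.
    ambiguous = digit > 0 and held_ms - starts[digit - 1] < GRACE_MS
    return digit, ambiguous

def enter_pin(holds):
    """Decode a list of (schedule, held_ms); None means a hold must be repeated."""
    digits = []
    for starts, held_ms in holds:
        digit, ambiguous = decode_hold(starts, held_ms)
        if digit is None or ambiguous:
            return None
        digits.append(str(digit))
    return "".join(digits)

# Constructed schedules (not measured data): same hold time, different digit.
SCHEDULE_A = [500, 1200, 1800, 2600, 3100, 3900, 4500, 5300, 5900, 6600]
SCHEDULE_B = [350, 800, 1300, 1750, 2400, 3000, 3500, 4100, 4800, 5300]

if __name__ == "__main__":
    print(enter_pin([(SCHEDULE_A, 2000), (SCHEDULE_B, 2000), (SCHEDULE_A, 300)]))
    print(decode_hold(SCHEDULE_A, 1850))
    print(len(make_schedule(random.Random())))
```

In this model the digit is the count of vibrations felt, and every digit is entered at the same on-screen position, so the touch location carries no information about the PIN.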

In addition to developing more solutions for enhancing security and privacy for BLV users, it is essential to continue efforts to teach such users about cybersecurity and provide more opportunities for BLV people to explore cybersecurity careers. For example, ten BLV high school students attended a GenCyber Camp at the University of Alabama in Huntsville (UAH) to learn about cybersecurity. The camp was a collaboration between UAH, the Center for Assistive Technology Training at the Alabama Institute for Deaf and Blind (AIDB), Microsoft, the Federal Bureau of Investigation (FBI), and the American Printing House for the Blind. Through the camp, the students were introduced to various cybersecurity and computer-related topics. They built a computer, developed programming skills, and encrypted and decrypted secret messages. The campers heard from guest speakers, including those with visual impairments who work in the technology industry. To learn about cybersecurity, many campers used assistive tools such as screen readers, magnifiers, braille devices, and more. Jesse Hairston, assistant director of UAH's Center for Cybersecurity Research and Education (CCRE), stated that the camp encourages students with visual impairments to explore careers in cybersecurity by providing camp experiences with skills, technology, and tools used in the field.

The Science of Security (SoS) community should continue delving into the unique privacy and security concerns of BLV individuals associated with technology, particularly in regard to using Internet services.

Submitted by Anonymous on