the cups blog


SOAPS: Challenges in Universally Usable Privacy and Security

Presented by Harry Hochheiser.

User diversity (young, old, varying motor skills), technology diversity, and context of use (home or office environment, physical factors, social factors) impact the way that people can interact with systems.

Security and privacy mechanisms require users to “jump through hoops” to prove themselves (or pay attention to things they’d rather disregard).

  • Additional information (security indicators)
  • Additional tasks (email encryption)
  • Harder tasks (passwords, CAPTCHA)

These mechanisms raise accessibility barriers.

Anti-phishing tools

  • These tools depend on the site content and cues available in the browser, elements that are inaccessible to screen reading software.
  • Features of the tools may be hard for seniors and the visually impaired to understand.


  • Remembering passwords and managing multiple accounts may be difficult for people with cognitive disabilities and physical disabilities.


  • Visual and audio CAPTCHAs may be difficult for people who are visually impaired or in loud environments.

Several tools exist to check for accessibility, but they all give different results from one another. There is a lack of really good tools to help developers check. The tools alone are not enough; screen reading software should also be used. Failing that, the developer should check by turning the screen off, not using a mouse, and seeing whether they can still navigate.

Possible approaches for universally usable privacy and security:

  • User diversity
    – Providing alternative forms of content (cons: may curb effect, incur high dev and maintenance costs)
    – Development of a single system that is accessible by diversified populations.
  • Gaps in user knowledge
    – Development of easily understandable vocabulary and icons
    – Transparent system actions
    – Better training
  • Technology diversity
    – Consideration for small displays
    – Consideration for small input devices

(Audience: Universally Usable designs benefit _everyone_. )

Running user studies: try diverse user groups to find out how and why people are falling for phishing attacks.