On most Cloudflare-related HN threads, Cloudflare was really active and eager to answer the engineers' questions.
It's notable that this one is different. The fact that it's Sunday afternoon may be part of the reason, but I guess they really don't have anything to say. I'd really love to see their internal Slack now, though.
As someone who builds an open source remote browser myself, this is a non trivial task.
but anyone who wants to attempt to bring accessibility to a pixels only or drawing instructions only remote isolated browser security model is welcome to fork my repository and add that kind of stuff.
I appreciate the importance of accessibility but the tone of that article strikes me as strident and demanding, acknowledging only the situation feelings and difficulty of accessibility users, but not of the developers, nor of the other user groups.
Technically the issue is a trade-off between security and inspectability. the most secure remote browser technology simply sends pixels or in the case of S2 and cloudflare drawing instructions from the remote browser to the local client where the viewport is then presented so there is no HTML JavaScript or css sent to the client... which is the basis of that whole remote browser isolation security model. In order to make that accessible, without having the benefit of the HTML CSS and JavaScript on the client, it's not trivial. The more you expose that information from which you can bring accessibility to the client the greater the attack surface from a security point of view. So it's a trade off.
> I appreciate the importance of accessibility but the tone of that article strikes me as strident and demanding, acknowledging only the situation feelings and difficulty of accessibility users, but not of the developers, nor of the other user groups.
Who cares about the “feelings and difficulty” of the developers? This isn’t a niche side project they’re building for free on nights and weekends. They’re being paid handsomely by a multi-billion dollar corporation selling the software for profit.
And let’s be clear about what’s happening. The trade off isn’t about security. I’m sure you’re right that it’s not trivial, but problem is entirely solvable — it just costs money. Cloudflare has decided that accommodating visually impaired users is less important than their profit margins on this thing.
I think you always need to care about the feelings of the developers... Because that privileged and entitled attitude that I see prevalent in open source and even in complaints from customers to a company... I think it's a lacking in empathy thing and it's not a good thing to encourage at all... Also, I don't think you will achieve a good outcome for yourself or for anyone involved (and that's important) if you start from the point of view of let's just not care about the feelings of this group.
But I can also see how you feel like the feelings of accessibility users are not being cared about by this decision...but I encourage you to take a step back and see things in less absolute terms because I...think the situation has a lot of nuance which when appreciated changes the the way you'd be likely to choose if you are in charge of this.
Also in this specific category consider the idea that the isolation model is perforated by the need for accessibility so while you think you're getting simply a gain for accessibility users by opening the product up to be used by them you may be doing so in such a way that weakens the security model not only for all the other users, but for accessibility users as well... So, technically, or logically.. it very much is a trade-off about security, as much as you may wish to deny. I think if you weren't thinking in such absolute terms but more acquainted with the nuance of this technology you might see that as well.
but hey i could be misreading you in my own strident and stupid way, so i'm sorry if that's the case and it's possible i haven't yet considered the nuance of your view and feelings on this.
It is correct for the feelings of blind users to be prioritized over those of the developers. Blind and other disabled people have to deal with ableism in society every single day.
No that's not right, nor even correct. You can't just disregard their feelings, and put someone else above them no matter the issue. There's no justification for this.
Disabled people have a valuable contribution to make and their voice should be heard. They should have access. But this good cause is often misused by people using it as a fake pretext for abusing others under the delusion they are absolutely right, and persecuting anyone who disagrees as absolutely wrong. This it is correct to prioritize feelings over bullshit is part of this. It's ape brain shit of trying to dominate others with criticism and control, and pretend they're holy warriors. That attitude is a contributor to why I'm so scared to engage with people about this topic. It's also sad for disabled people because these abusive crusaders give the cause a bad name, and generate counter productive resistance all for the sake of their own compensatory ego gyrations.
But separating out how the topic is misused by some looking to criticize or control others...there is a real issue here and and it's an important and good cause. But the solutions posited, often by the same folks, are not I think the best technical solutions, they're not scalable or efficient. Asking every website to provide hints might be OK at a small scale, but at internet scale it doesn't work. I think the right solution is to direct AI at the problem and have these accessibility directives generated automatically. Intelligent accessibility is a feature that should be present in browsers (or screen readers) by way of AI. People who care about the topic and want change should get to work on that.
Original author here. I am taking your comments to heart. I'm not yet prepared to concede that we should give up on accessibility standards for platform and application developers and expect AI to solve the whole thing; I need to discuss this with others in the blind community. I appreciate that expecting every application and website to implement accessibility standards doesn't scale, but it's the best we have so far.
You said the tone of my article was strident and demanding. Please note that it was addressed to the leader of a growing public company, calling on the company to live up to their own PR about their mission. I wouldn't take that tone with a solo developer like you. Even so, I don't believe I was abusive or persecuting. Still, it's likely that writing and promoting this article did make some part of my ape brain feel good about fighting for a righteous cause. So thanks for making me stop and think.
Man you're so welcome I mean it takes so much courage and self-awareness and insighy to even like... like admit that reflection to oneself in private little lone on a public forum. Thanks for inspiring me today and for directing some of that goodwill my way.
I don't think we can give up on accessibility standards but I'm really no expert. I think there's a good analogy between how you know commercial buildings need to have accessibility affordances like wheelchair ramps. And I think in that space it really works for number of reasons. Again I'm no expert in how this comes about but when you have a critical mass of standards in the construction industry and like a permitting process and an approval process where buildings are constructed only if they conform with you know standards which include accessibility then I think you can ensure, and there's sort of an expectation, that you get these affordances and then I think the marginal cost of adding this stuff when everybody in the supply chain, architects and so on, already conforms to this cost is very small for buildings... so I think that's the right allocation of cost in this case because it's efficient. Like I'm not even sure if accessibility ramps are such a great solution for disabled people but they seem to be addressing the opportunity to enhance access and they are pretty prevalent at least in developed countries. I think it's a better solution than asking every disabled person to have some special sort of wheelchair that can climb up stairs or some kind of intelligent wheelchair. Because I think in that case the cost of providing such technology to all these people right now with the technological landscape we have with consumers, it doesn't make sense, it's too expensive. It's more efficient and scalable to have building people include this stuff.
But I think accessibility doesn't have that critical mass across the supply chain of software and it is more expensive to include but on the other hand right now there's not really a good alternative on the sort of disabled consumer technology side there is no AI solution that can do this. I think a hybrid approach might work but I do think we need to look at like the AI side of having some sort of intelligent user agent that can provide the successibility information and at least have a discussion with that context that there are other options worth exploring. I think that shifts the discussion at least in appearance away from ideology and towards a solutions focus. and then maybe the sense will be cultivated that some of the resistance to including accessibility is not an ideological thing and not because people are uncaring about disabled people, it might become seen to be partly because there's a sense that this is not like a technical solution that smells good in some ways.
Anyway I'm not an expert but thanks for engaging and I'm humbled and grateful for your response here.
No that's cool, i thought you were coming with an antagonistic attitude in the first comment i just tried to play it cool and positive, i succeeded but you showed how you really felt above.
This product is not doing that to them, anymore than the visual world, and every image on the internet that isn't captioned in every detail is doing that to them. So don't pretend that it's somehow our fault that o
people are blind.
That's important. There are important issues here but too often i see people misusing the cause of disabled people as a fake pretext to abuse others, while pretending they're being righteous, by criticizing and trying to control others, driven by their own need to put others down and feel better than them, thinking they're found a legitimate way to perpetrate their abuse. But they haven't.
And that's why I'm really scared of talking with people about this because so many get caught up in that game. Especially worse when they say oh let's not care about the feelings of the developers. Because that's exactly what they intend to do... be abusive and then pretend they're righteous while disguising themselves in the cause of supporting disabled people. well they're actually hurting disabled people by proposing these ineffective solutions and poisoning the discussion about this rather than trying to constructively support effective solutions. so what I'm trying to do with this statement is bring it's important topic back from being this excuse for toxic behavior. That's not a respectful or a good use of this topic at all.
But separating that out, disabled people have a valuable contribution to make and their voice should be heard and they should have access. So there are important problems that need solutions but the solution proposed by a lot of these people being abusive is oh let's get every vendor to alter everything they do to make it conform to this standard...and agree the case of buildings it's important to have a disabled ramp or something... but in the case of software that's not a scalable solution. And it doesn't respect the developers. I think the better solution is something like a browser extension and I think the ultimate solution is to leverage The power of AI to direct that ability to create the accessibility trees and so on from websites without needing annotations surely that should be possible and I think that is the ultimate solution and you're only doing disabled people a disservice by focusing on these you know ineffective solutions when there are technologically much better and much more scalable and effective ones and then you're only doing developers or disservice by having this abusive attitude.
I'm not saying you were exactly doing that but I did detect that antagonism so it seems like you could get caught up in that too but I'm making a larger point about a dynamic that I see in these types of discussions.
so the short way of saying it is it's a really important topic so the most effective way to deal with that is to respect the developers, respectfully engage The stakeholders and try to leverage the most effective technology not to misuse the topic itself as an excuse to be abusive because you feel you need to do that.
I think in order to discuss this we'd need to be clear about the actual solutions we're discussing...I'm not right now I'm sorry, so I can say no more than, in general, any additional data you send opens up the attack surface.
Tho I can say that, relevant to your idea, at least, in my RBI product[0], you can click somewhere in the viewport and say "Copy text" and then you get a HTML dialog open over the canvas viewport with the text. A screen-reader could potentially then read that.
But I think actual accessibility tools need to do so much more...Forgive me, I'm no expert in them.
Re the above tho, I don't see that as introducing a greater attack surface (tho I might be wrong) because on the server side we're just getting the innerText of the element the client clicked on, and sending that text back encoded in base64 (IIRC).
> But I think actual accessibility tools need to do so much more
Screen readers do more, but they are not rocket science. I am no expert either, but I've worked on adding accessibility to a project that had none. Screen readers have proactive & interactive modes. In proactive mode, they read whats visible on the page, perhaps just the high-level components, giving a lay of the land. In interactive mode, it gives more detail on the control/item that currently has focus and the actions available (follow link, expand/collapse section, etc), and one would tab to move focus between controls.
I'm no expert on RBI, but I looked at your product and it appears to respond in real time to user interaction (hover over elements), perhaps what is missing is a standardized way to integrate Screen readers this "streaming" information; most accessible sites have plain-text ARIA tags/attributes meant for screen readers (with fall backs to 'title' or 'alt'[1]). However, this is just plain text, so sending text to the client adds an attack surface, but not a very large one, IMO.
I believe every developer who makes user-facing software should be forced to sit down and use their app/site with the monitor off, interacting with just the screen reader in their headphones. www.a11yproject.com has really good information on how accessibility ('a11y') works, and how to implement it correctly on the web.
1. I'm simplifying by a lot here -screen readers do a lot of heavy lifting, especially for sites/software not designed with accessibility in mind
I agree with much of your vibe and attitude here. But in general while SR may not be rocket science, solving the problem of accessibility in a general and scalable way is rocket science.
It's a really important problem, and a good cause. Disabled people, for example blind people, have an awesome contribution to make to society and we need their voices to be heard, so to speak. In other words, we need their contributions to be made. They must have access. But the question is how to go about solving that?
I think the posed solutions of getting every website to adopt a certain standard is not a good technical solution. I think pointing AI at the problem and working out how to parse accessibility hints, possibly in a personalized and contextual way relevant to the particular person as well, is one approach to the solution that's better.
This part,
I believe every developer who makes user-facing software should be forced to sit down and use their app/site with the monitor off, interacting with just the screen reader in their headphones
No, just no. I appreciate the desire to do good, but I think your attitude here is in danger of falling into the trap in this topic of being abusive to others under the mere guise of a "righteous cause" -- and in the process hurting the very cause you pretend to stand for. The misuse of this issue by some bully-like people who want to abuse others by trying to dominate them with criticism and control is one reason I'm so scared to engage with this topic. They use the seriousness of the issue as a fake pretext to case the world in their own self-serving and ego-serving view of good vs bad, and go nuclear on anyone who disagrees with their stance. But this is just ape brain shit of bullying for compensation to make themselves feel better by pretending others are worse....Just avoid that.
There is a serious issue here, and a good cause. And any statement that seeks to coerce or force or minimize the feelings of any group of people, who could just be working together on a solution, don't get suckered by the delusion that such things are somehow the right way, they're not. They're just people being bullies because their lives suck, and they take it out on others instead of fixing their own stuff. These abusive misusers of the issue give disabled people a bad name, and hinder the very cause they are pretending to stand for by, among other things, creating unnecessary friction to collaboration, and pushback.
If you care about this topic, maybe you can do some AI work on it.
For what it's worth, I've known Matthew for many years. Although I wouldn't at all say we're close, I feel like I've had enough conversation to know who he is. Matthew is a good guy, I've never considered him to be tone deaf, and I genuinely believe he has the best interest of the many at his core. That said, the credence given to the visually impaired across the industry is categorically, absolutely, abysmally awful. I've never taken it as seriously as I should in my career, near all decision makers I know don't take it as seriously as they should, and I think shame on me and shame on everyone else. Things should be easier for visually impaired people, a) because it's the right thing to do and b) because it's low hanging fruit. While I don't think Matthew is unique, I do think he has a particularly significant responsibility given how important his technology is. As a shareholder, a friend, and a customer: I hope he takes this seriously, and I suspect he would.
> For what it's worth, I've known Matthew for many years.
And for what it's worth, I don't know him at all, and wouldn't dare to assume anything about his character. I appreciate that he responded at all to my cold email 18 months ago. I just wish the company would follow through.
I don't know you either, but if there's anything you can do to help my message get through, that would be greatly appreciated.
I submitted this on Friday, but for whatever reason, it didn't catch on then. Thanks to the HN mods for putting it in the second-chance pool. I've pinged Cloudflare and eastdakota again on Twitter, so let's see what happens.
Hey, I don't work on the Browser Isolation team, but want to let you know that there's a project in progress and your post is certainly being discussed. I'm hoping we can provide a solution that meets or exceeds your expectations.
PS-- Please ardon the throwaway account, CF employees have been getting targetted online.
I'm not targeting anyone and I'm not affiliated with Cloudflare. I used a throwaway account because sharing an opinion that goes against certain narratives is seen by some people as a valid reason to declare a personal vendetta against you, demanding that your employer fires you and any future one refuses to work with you. I am merely trying to avoid that, while expressing a point of view that I believe has merit.
I wish we lived in a free country and I didn't have to do that, but sadly this is no longer the case.
. I look forward to the results of that work in progress. In the meantime, I still think it's reasonable to expect an official response. As far as I can tell, Cloudflare has not publicly acknowledged the problem yet (please correct me if I'm wrong); even a disclaimer on the product page would be better than nothing. And the last private response I got about this was 4 months ago. But thanks for telling us what you can.
It’s not business hours for non-emergency press concerns until tomorrow at tech companies whose press office is in the US, such as Cloudflare. HN can be swell, but we don’t deserve weekend hours.
Fair enough. I just meant to say that I wasn't letting the company completely off the hook because of that response from a throwaway account, not that I expect an official response today.
It's a public company and there's probably only a few people who would be authorised and feel comfortable to speak on behalf of their employer. Most of them have been working hard building the company for years and shouldn't be expected to be on call for a non-production related concern being raised on HN on any given Sunday.
Cloudflare's management is exemplary when it comes to transparent comms, maybe we can wait a day for their response on this one?
This has been prioritized since long before Matt emailed me. It was specifically flagged during our diligence process of S2 Systems, the company we acquired for the Remote Browser Isolation (RBI) technology. It has been an engineering project that I have personally followed since we acquired S2 nearly two year ago.
Unfortunately, this has proved a non-trivial problem to solve, in spite of significant engineering resources dedicated to it, and we don't yet have an acceptable solution. But I'm confident we're on the right track.
The challenge is that the process of rendering content inert to local security threats also makes it also not compatible with current screen reader technology. Matt has helpfully suggested some ideas which are in-line with what we have been working on, but the diversity of the web makes the solution very complex in practice. While I appreciate his suggestion in this thread that if we would just hire him this could be fixed in a few months, I think he would acknowledge upon reflection that is flippant.
How the web is rendered and the diversity of web pages, especially dynamically updated pages, makes many solutions that seem obvious not tenable. We need to validate the solution we deliver will work across all the complexities of the web and across a broad range of accessibility devices while, at the same time, not introducing new threats. We already have a great team doing this work. RBI is still a new product for us, and it's only been recently that we've gotten the core technology to work to a level that's acceptable, but I'm confident with the work we're doing we will be the first RBI technology in the market with broad accessibility support.
In the meantime, we provide our customers a way to bypass the RBI technology to accommodate their visually impaired employees. In these cases, we recommend that additional safeguards be put in place for these employees' machines to guard against potential security compromise. This isn't a perfect solution, but it does help significantly reduce the surface area of attack while allowing visually impaired employees to do their jobs.
I hope that others in the space with similar technologies — including Mighty, Menlo Security, zScaler, and others — will also dedicate the resources needed to make their products as accessible as possible. Matt is right to call on the industry to prioritize the needs of visually impaired users. As we solve these challenging problems ourselves, we will share what we've learned, how we overcame challenges, and we will not do anything to restrict the intellectual property behind the solutions so the entire industry can benefit.
As for the rest of the discussion in this thread, I agree that Cloudflare is fundamentally in the trust business. It takes 5 minutes to sign up for Cloudflare, but only seconds to leave. We need to earn the trust of our customers, as well as Internet users in general, on a daily basis or we won't have a business. Appreciate everyone holding us accountable to that.
> It was specifically flagged during our diligence process of S2 Systems, the company we acquired for the Remote Browser Isolation (RBI) technology. It has been an engineering project that I have personally followed since we acquired S2 nearly two year ago.
Then why is it that, as far as I can tell, Cloudflare hasn't publicly acknowledged the problem before now?
For example, the blog post announcing the acquisition of S2 said:
> (4) Transparent user experience: S2 remote browsing feels like native browsing; users are generally unaware when they are browsing remotely.
This is emphatically not the case for screen reader users, and there was no acknowledgement that that was a challenge yet to be solved. There was also no acknowledgement in the product launch blog post during Security Week [2], and I haven't been able to find any in public documentation, though perhaps I just haven't hit upon the right search term.
> How the web is rendered and the diversity of web pages, especially dynamically updated pages, makes many solutions that seem obvious not tenable. We need to validate the solution we deliver will work across all the complexities of the web and across a broad range of accessibility devices while, at the same time, not introducing new threats.
To be clear, I know why the more simplistic proposed solutions, which amount to sending down the original HTML or some sanitized version of it, would go against the goals for this product, particularly around security. I guess it's also plausible that my proposed solution, using the Chromium accessibility tree to reconstruct just enough of an HTML DOM to expose the needed information, would reopen some types of local browser escape exploits. Your team certainly knows way more about those vulnerabilities than I do.
Edit: OK, I'm convinced; I just found a report of a use-after-free vulnerability (now fixed) in Chromium accessibility code [3]. I guess I really didn't grasp how hard this is.
> In the meantime, we provide our customers a way to bypass the RBI technology to accommodate their visually impaired employees. In these cases, we recommend that additional safeguards be put in place for these employees' machines to guard against potential security compromise.
I'm sure the mechanism for configuring this bypass is documented. But does your documentation specifically call out the accessibility limitation of your product, the need for this workaround, and the recommended additional safeguards for these employees' machines?
> As we solve these challenging problems ourselves, we will share what we've learned, how we overcame challenges, and we will not do anything to restrict the intellectual property behind the solutions so the entire industry can benefit.
I hope that Cloudflare will not develop these solutions in a vacuum, but will consult with blind people who have the expertise to help ensure you're on the right track. I still offer my advice, free of charge; as I said in my other reply, my intent in the earlier comment with the rough time estimate wasn't to push for you to hire me. But enough about me; the point is that accessibility solutions developed for us shouldn't be developed without involving us.
On reflection, I think the real problem isn't how long it's taking to make the product accessible, but the fact that you went ahead and launched the product without an accessibility solution and with no public acknowledgement of the problem (as far as I can tell). I don't think it's right to sweep our needs under the rug like that.
> Edit: OK, I'm convinced; I just found a report of a use-after-free vulnerability (now fixed) in Chromium accessibility code [3]. I guess I really didn't grasp how hard this is.
Appreciate your understanding. We also understand how important this is. While we don't publicly discuss every challenge we struggle with, we're usually pretty good at finding solutions to hard but important problems. And this is clearly an important problem, and a hard one. Do hope you'll keep up the pressure on us — as well as others like Mighty, Menlo Security, and zScaler — to prioritize this. And, whatever the best solution, if we find it, we're committed to sharing it with the rest of the industry.
> we don't publicly discuss every challenge we struggle with
Of course. But that's not what I, and hundreds of thousands (or more) of other working blind people, are expecting of you. This isn't like blogging about some obscure network performance problem that the team has been struggling with. Instead, the team has been keeping decision-makers in the dark about something that's crucial for them to consider when evaluating this product. If decision-makers adopt the product without having this information about an important limitation, they may inadvertently prevent blind employees from doing their work. Even if the customer ends up making the accommodations you suggest for their blind employee(s), they currently have to be reactive about it. And in the meantime, the blind employees' productivity is disrupted, particularly if they weren't tech-savvy enough to diagnose their inability to do normal web browsing, as SLJ7 pointed out [1]. That's why Cloudflare has an obligation to publicly disclose this limitation in the product.
Also, I read just a few minutes ago that Cloudflare is partnering with Accenture Federal Services to start deploying some of your network security technology in the US federal government [2]. I know this is starting with your DNS service; so far, so good. But I'm sure you would like to offer your Browser Isolation product as well. That product is currently not in compliance with the relevant accessibility requirements for products that are sold to the federal government. I was reluctant to reach for that particular stick, but maybe it will give the team more motivation to solve this problem.
This seems a bit of a failure of communication. Let's be honest: we all know that "thanks for your suggestion, we take this very seriously!" is business speak for "yeah yeah, go away" more often than not. Even if Cloudflare is better than this (I don't know), it's still the industry average and context in which Cloudflare exists.
So if you want to show you're actually taking something serious a bit more signalling is needed. I don't think anyone really benefited that there's a team actually working on this was only communicated after this article.
naive question, but why can't you run the screen reader on the remote instance and wire key presses through? I do something similar when I need to remote desktop without using my hands - I install hunt-and-peck on the target machine, then I can say the hotkeys to bring it up and say letters to click things in the remote windows.
even if you have a crappy screen reader, it's better to throw your disabled users some kind of bone than to make them wait for some perfect solution that will never get properly funded.
I'm afraid I might be partially responsible for the lack of this work-around. In a phone conversation with the Browser Isolation product manager a few weeks before the product launch in March (but remember, well over a year after I first contacted Cloudflare about accessibility in this product), I articulated some version of the problems with a remote screen reader that I laid out in [1]. But I may not have emphasized enough that this would be better than nothing. Since it was a phone conversation and not an email exchange, I unfortunately have no record of what I said. Still, I can't take full responsibility for the fact that, to all outward appearances, they have done nothing about this problem so far.
> For blind people, TTS settings are very personal.
Is there a whitepaper that articulates concrete solutions to reconcile the myriad flavors of screen reader configurations with Browser Isolation technology?
the other issue is that while this would work for screen readers, it wouldn't work for me. I can see fine, but I'm losing the use of my arms, so I use vimium with dictation to navigate pages. they'd have to bake vimium into it as well...
...which suggests to me, why not allow approved browser extensions to run on the remote side? you could have a screen reader extension, I could have vimium, it wouldn't be great but it would be secure, and again, better than nothing.
Your suggestion is probably the correct solution technically speaking, as it funnels the screen reader I/O stream through browser APIs.
The immediate objection is that most popular screen readers (JAWS, NVDA) are native apps and not browser extensions, (some?) extension-based screen readers being immature. mwcampbell articulated it as much in a different post, asking for a native desktop client as opposed to a browser based client. Alas, 'native desktop client' is a different technology than Cloudflare RBI, subject to different tradeoffs, which may well be at odds with the goals of Cloudflare RBI as a product.
A hypothetical browser accessibility protocol is likely to prove insufficient, as native screen reader apps will themselves become an attack vector.
Unlocking the situation requires a wider industry buy-in beyond Cloudflare. Screen readers must be rearchitected with security in mind. IT departments must manage accessibility apps. Advocacy groups must commit to roadmaps that include a lot of change, and that may even degrade the status quo for many years to come. Given that existing screen reader apps have decades of engineering already poured in, it will be hard and expensive to enact change. A good early step could be creating an industry standard various entities can rally behind.
I've struggled with security vs. accessibility myself. my work won't allow my dictation software on the secure workstations we have to use, at least for the near future. they allow Dragon, but Dragon sucks for interaction and programming. companies can't just throw their hands up and say "security" though.. or at least they shouldn't. they can and do, I guess.
>I'm sure the mechanism for configuring this bypass is documented. But does your documentation specifically call out the accessibility limitation of your product, the need for this workaround, and the recommended additional safeguards for these employees' machines?
This is super important. Remember that while a bunch of us are nerds who know how computers work, some blind people might just know enough to use the web and do their job--as most people in the world do. They won't understand why the product doesn't work, let alone know how to fix it. The problem with a solution this transparent is that a request will have to go way up the chain before someone will actually know enough to address it and determine the problem. Of course it's not the job of Cloudflare to fix corporate ignorance, but a note like this one in the documentation might be a good start.
Also, it's worth noting that when using Browser Isolation with a screen reader, the product itself doesn't tell the user anything informative, e.g. through one of those off-screen messages that are sometimes added to websites specifically for screen reader users. Instead, the user gets a debug UI that isn't even visible on the screen, followed by an unlabeled graphic. So as far as anyone on the outside can tell (at least, before today's conversation), Cloudflare has done nothing about accessibility in this product.
I think it's more to do with the timing (it's the weekend). You'd really want to talk to the relevant team before saying much. Given that this isn't an urgent worldwide problem, paging team members during their weekend would be the wrong move. They'll probably have a meeting on Monday and I think that's when we'd see an update from them.
FWIW, I completely agree with you. It would be unreasonable of me to expect a response today. Edit: And, in fact, it was a bad idea for me to send the tweet I did a few hours ago when this hit the HN front page. Apologies to any Cloudflare folks whose weekend I interrupted.
Because the only publicly acceptable answer would be to agree to all the poster's current and future demands, regardless of the cost, priorities, risk of breaking other features, etc. And it never works out because the demands tend to increase over time, and the PR damage of rejecting the very last demand is proportional to the number of ones previously accepted.
Make a thought experiment: think what if Cloudflare answered trying to explain the complexity, risks, and maybe cost estimates for supporting something like that, but refusing to add it right away. Nobody would listen to their reasoning. They would be immediately labeled as blind haters or whatnot, supported by endless news articles and retweets.
Make another thought experiment: assume they comply with the current demands and add the functionality at some fixed cost. Then in the future, the poster decides that the accessibility support is not sufficient and still makes life hard for blind people. He would come up with another set of demands and Cloudflare would again be forced to comply, because nobody would listen to their reasoning. And because it is physically impossible to make a blind person as productive at certain tasks as a non-blind one, there will be always room for improvement and room for more demands.
If you want to truly help the blind, please go ahead and launch a competing product. Or offer an ML-based tool working on top of existing products. Or create Wiki-like system where people would maintain semantic models of commonly used non-accessible sites, letting the accessible tools work over them. But all of that requires hard work, countless hours and numerous trials-and-errors. Trying to strong-arm someone else to put in that effort surely gives a much faster gratification, but it only results in further alienation and ghosting.
Sure, Cloudflare will release an official statement saying how they are committed and dedicated and working and planning and hoping, and the whole thing will get forgotten in a few weeks, but ultimately if you want to someone to help you, maybe try to understand their constraints and find a compromise, rather than trying to use the buzzwords to throw the mob at them.
> If you want to truly help the blind, [...] all of that requires hard work, countless hours and numerous trials-and-errors.
I do work hard on products to help blind people, and I have been for years, but I can't solve every problem by myself. I even quit my cushy job at Microsoft (on the Windows accessibility team) to develop a product that works around the inaccessibility of screen sharing in online meetings -- imperfectly, but still better than nothing. But neither I nor my tiny company are well-positioned to compete with Cloudflare in the field of security products (such as Browser Isolation) targeted at corporate IT departments. And unfortunately, this particular accessibility problem is not one that we can work around from the outside, at least not yet. So I felt it was worth some of my time to advocate for Cloudflare to make this product accessible.
> And because it is physically impossible to make a blind person as productive at certain tasks as a non-blind one,
Of course; vision is a higher-bandwidth medium than hearing or touch. But that full bandwidth isn't always needed. And unless you've watched a blind person who's proficient with their screen reader, you may be surprised at how productive they can be at a great many tasks.
> there will be always room for improvement and room for more demands.
I appreciate that you and others on this thread don't know me, but I've been active in the online blind community for about 20 years, and I don't believe I'm known for making endless demands of mainstream tech companies. And in this case, there's a natural stopping point: when the remote browser is either as accessible as a local browser on the same website, or as accessible as it can be within the constraints of the web platform (where the client for that remote browser runs). And my original advice to Cloudflare on this subject was targeted at getting the product all the way to that logical endpoint.
Having said all that, I realize that what you said may reflect what people at Cloudflare think; after all, they don't know me either. I vouched for your comment when it was dead because I felt someone should be allowed to say what others might well be thinking, and I didn't think your comment was too inflamatory. I'd appreciate suggestions on how to better signal that I won't, in fact, put them in a bad PR situation by making ever more demands of them.
I don't work at Cloudflare. I am merely trying to share my personal pragmatic point of view.
In this specific case I would argue that the problem is taken out of scope. The idea of browser isolation is to specifically replace the "smart" stream of data that is prone to attacks with a "dumb" pre-rendered version that is much more rigid. This eliminates the whole class of attacks by design.
Sure, it won't work for blind people. So if your organization employs them and you want to achieve comparable level of security, you set them up with a properly isolated VM, install the accessibility software there, and add an exception rule for that VM. Problem solved: the blind person has comparable experience to a regular browser, while the average level of security in the company has raised. If the employer specifically refuses to set up such a VM, it would be reasonable to demand it or sue them.
To put it into a perspective, a blind person cannot drive a car in regular traffic due to obvious reasons. So it's reasonable to provide them with alternate means of transportation, but it would be unreasonable to demand that all cars should be banned until they can accommodate blind drivers. It can be technically done if you make every car remote-drivable, but the cost and safety considerations make it completely unviable.
> I appreciate that you and others on this thread don't know me
mwcampbell has also been active on HN itself for a pretty long time, and reading over his past comments should make it pretty obvious that:
A) he knows what he's talking about.
B) he is putting in a lot of effort to be reasonable and accommodating to other people and businesses.
C) he is personally contributing to and supporting efforts to build products and tools to make things better, not just complaining.
mwcambell's response above is very charitable, and I applaud that; it's good to reach out to people diplomatically. But personally, I also feel like it really wouldn't require that much work for skeptics to go over a few of his past posts and to see for themselves whether or not he is the type of person who would "use the buzzwords to throw the mob at [Cloudflare]."
None of mwcambell's past or present advocacy efforts are secretive, he is probably one of the most recognizable blind/vision-impared advocates on HN right now. I'll risk being slightly less charitable than he is being, and I'll say that people can put in the 5 minutes of effort it would take to figure out whether or not he's a good faith actor -- especially in the context of suggestions to him that the blind community should go out and build their own Cloudflare competitor.
Beware the good intentions. You likely left the big company because you hated being a small cog in the machine filling out the TPS reports.
You went to work in a smaller company because you feel that you are actually making a change. You see the direct result of your actions and motivates much more than a steady paycheck.
I understand that making a small niche product and having to monetize it yourself could be extremely tough, and it looks like a much bigger change to talk a huge player like Cloudflare in following your path, although there's a caveat. If you want them to do the job, you will be always seen as an extra expense line and dealt with it accordingly.
Imagine that you are approached by another blogger demanding that you add support for right-to-left languages to your program, and due to some technicalities, it would push your release date another 6 months on. Or some people find the voice used in the program offensive. Would you happily take on the extra work, or would you just try to sweep them under the rug?
It's always the same formula. Requiring others to do what you believe is right (and they don't) sparks tensions. Offering others something that solves a specific problem they need gives money to you and satisfaction to them. Unfortunately, recently we see too much of the former and too little of the latter.
> Now, four months later, this problem is still not solved
Further I would have never expected something like this to get teed up right before the start of a quarter, and so of course it wouldn't be completed at the end of the quarter.
OK, that sentence probably should have been something like, "Now, four months later, there has been no visible progress on this problem."
Also, remember that Cloudflare first announced the technology 18 months ago, and I advised them of the need to pay special attention to accessibility back then. If I had first raised this 4 months ago, then of course I would understand why they couldn't have solved the problem in that much shorter time.
It's notable that this one is different. The fact that it's Sunday afternoon may be part of the reason, but I guess they really don't have anything to say. I'd really love to see their internal Slack now, though.