w3c / csswg-drafts

CSS Working Group Editor Drafts
https://drafts.csswg.org/

Privacy considerations for detectability of assistive technology using CSS #6155

Open ShivanKaul opened 3 years ago

ShivanKaul commented 3 years ago

PING recently reviewed the WAI-ARIA 1.2 spec (https://github.com/w3c/aria/issues/1371) and suggested adding a privacy considerations section (none exists right now) discussing how aria-hidden can be used in combination with JS to heuristically reveal that a user is using assistive technology. In the ensuing discussion, it was brought up that several web technologies, including CSS, can be used heuristically to detect AT (please see https://github.com/w3ctag/design-principles/issues/293).

@alice pointed out that the content-visibility spec has discussion about this risk - could there be similar text for other CSS specs? Would it be useful?

frivoal commented 3 years ago

In principle, yes. If something introduces (or compounds) security/privacy/accessibility considerations, the spec should probably mention it, and cover adequate mitigation. That said, I think that besides agreement on the general principle, this needs to be treated as individual issues per spec (or per feature), as each individual situation needs to be assessed separately.

cookiecrook commented 3 years ago

The simplest method I'm aware of is:

```html
<a href="/confirm_at" tabindex="-1" style="position: absolute; left: -9999px;">only AT users or bots will click this link</a>
```

Changing the way positioning works is not an option, so a note related to the positioning properties may be warranted.
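Added example (not part of the thread or of any CSS spec): a small privacy-audit sketch that flags links matching the pattern quoted in the comment above, i.e. removed from the tab order with `tabindex="-1"` and pushed off-screen with positioning. It assumes inline `style` attributes only, and the 1000px threshold, the function names and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample markup: the first link mirrors the pattern quoted in the
# thread; the other two are benign controls (a visible link and a skip link).
SAMPLE = """
<a href="/confirm_at" tabindex="-1" style="position: absolute; left: -9999px;">only AT users or bots will click this link</a>
<a href="/home" style="position: absolute; left: 10px;">Home</a>
<a href="#main" style="position:absolute; left:-9999px">Skip to content</a>
"""
OFFSCREEN_PX = 1000  # assumed threshold for "far outside the viewport"

def parse_style(style):
    """Turn an inline style attribute into a {property: value} dict."""
    decls = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            decls[prop.strip().lower()] = value.strip().lower()
    return decls

def is_offscreen(decls):
    """True when absolute/fixed positioning uses a large negative px offset."""
    if decls.get("position") not in ("absolute", "fixed"):
        return False
    for side in ("left", "top", "right", "bottom"):
        m = re.fullmatch(r"-(\d+(?:\.\d+)?)px", decls.get(side, ""))
        if m and float(m.group(1)) >= OFFSCREEN_PX:
            return True
    return False

class TrapLinkAuditor(HTMLParser):
    """Collects hrefs of links that are off-screen and out of the tab order."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # tabindex="-1" drops the link from the Tab order; far off-screen
        # positioning hides it from pointer users as well.
        if (tag == "a" and a.get("href") and (a.get("tabindex") or "").strip() == "-1"
                and is_offscreen(parse_style(a.get("style") or ""))):
            self.findings.append(a["href"])

def audit(html):
    auditor = TrapLinkAuditor()
    auditor.feed(html)
    return auditor.findings
```

On the sample, only `/confirm_at` is reported; the off-screen skip link is not, because it stays in the tab order and is reachable by any keyboard user.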

cookiecrook commented 3 years ago

Obviously there are several media features in the CSS MQ spec, too. A few that could be used to infer accessibility settings, but more that could be used for device fingerprinting.