SC 1.3.5 Identify Input Purpose - autocomplete technique VS Privacy/Security

[goetsu]

As the Working group considered an exception to this SC in a context where it may be problematic for security or privacy.

For example imagine a shared device showing (or a lost device by its owner) a website using autocomplete to comply with this SC. If user input personal data and save them by mistake or just because he doesn't know or understand that they will be saved in the browser once for good. It mean that the next people that will use the device will have access to the personal data of the previous user.

This may be a serious issue to consider and I don't think autocomplete must be showed in the understanding as the best and technique to use. This leave use to some aria techniques but that are still fare from being standardized and implemented in tools

[alastc]

imagine a shared device showing (or a lost device by its owner)...

A shared device should not be set to save & use people's data, that's basic IT. I remember browsers asking me whether they should save data (the 1st time), it is not done by default without the user's knowledge. Any shared computer (e.g. in a library) should not be configured to save user-specific data.

If someone looses a device and people can access the contents, they have bigger issues than saved form data.

This is a user-agent issue, and the things you are highlighting are true now regardless of whether people use autofill or not. The browsers (and plugins) also use heuristics to fill in data, so any input with 'name' in the label, ID or somewhere nearby will often be filled in automatically, if you have that setup.

This SC makes it a more concrete requirement, and if people use autocomplete it should improve accuracy, especially for 'enterprise' auto-generated code that uses random IDs.

[goetsu]

A shared device should not be set to save & use people's data

it's a very common situation for family computer for example. I'm not sure someone victim of domestic violence reporting it using family computer would be very happy to let abuser see that the reporting form already been filled by is victim.

it is not done by default without the user's knowledge

people with memory trouble can easily forget it and people have cognitive disability may easily not understand that it will save it once for good

if people use autocomplete it should improve accuracy, especially for 'enterprise' auto-generated code that uses random IDs.

sorry but that was not the exacte purpose of this SC, it was purpose of "SC 2.2.6 Accessible Authentication" that as been removed in most recent version of 2.1. This SC is about possible personalization not about helping to remember format of data to input

[alastc]

This feature (amongst many others) was requested by people with memory / cognitive issues (and people who do research in that area). I'm sure there are some situations where it is not desirable, and there are people who may not understand all the implications. But that has to be balanced against the good it can do for a wide population of people.

For someone who wants privacy, there is private browsing mode (fairly well known), and personal devices, and many other options. [EDIT:] Also, if the name and other bits of info are saved by the browser and autofilled on a particular website, that doesn't tell another user if that particular site has been used (although the browser history might), it only tells you that your information has been saved on a site. In the domestic abuse scenario autofill doesn't tell you about that form.

This SC is about possible personalisation, and identifying the purpose of inputs is a small part of that possible space. For some websites with clean code it's a minor thing, UAs may already be able to accomplish it with heuristics. For some websites with auto-generated IDs etc, the addition of a clear signal should make it more accurate. (Example for a particular website.)

I did a lot of work on "Accessible Authentication", I'm not sure why you raise that as it was to do with having methods of logging in that don't require memory, [EDIT] autofill/autocomplete wasn't a big factor in that.

[goetsu]

I raise "Accessible authentication" because it cover the auto-generated ID situation as with this SC you was supposed to offer a way to recover this kind of hard to remember data

[alastc]

Ok, I see the overlap there.

Do you take the point that autofill doesn't give away what forms you have filled in?

[goetsu]

yes I get it but I still think it may be problematic in certain situations and already know some public administration websites that will not comply with this SC because of that privacy/security issue

[alastc]

I've talked this through with a public org who had set autocomplete to "off" due to how they thought browser entry happens, and it was especially complex because they are in the process of getting organizations off shared-logins and on to unique logins.

The key factors for them were:

• It is dependent on the browser's profile, so doesn't get used by other logins on the same computer.
• Regardless of their markup, it was already being filled in by some of the more 'aggressive' plugins (e.g. my lastpass pluggin).
• The user could review the information (in the text fields) before it was submitted, there was no auto-submit. (This was perhaps the key misunderstanding for the lawyer.)

I'm struggling to see a scenario where autofill causes an issue, given that:

• It must be on the same computer, login and browser to work.
• It is opt-in by the user, usually at the point of saving any data in the first place.
• The browser history provides far more detail about what people have done.
• It is easy to wipe both history and form data.
• It is easy to engage a privacy mode, such as private browsing.

Can you see a specific scenario where it could be a problem, or is a general feeling that there must be a problem?

[michael-n-cooper]

This issue was moved to w3c/wcag#407