Closed Bug 1854923 Opened 2 years ago Closed 2 years ago

Most used Accessibility extensions being blacklisted with no notice to user

Categories

(WebExtensions :: Untriaged, defect)

Product:
WebExtensions
Component:
Untriaged
Version:
Firefox 117
Type:
defect

Tracking

(Accessibility Severity:s3)

Status:
RESOLVED WONTFIX
Project Flags:
Accessibility Severity s3

People

(Reporter: mycosys, Unassigned)

Details

(Keywords: access)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0

Steps to reproduce:

Use Dragon Naturally Speaking.
Repeatedly follow prompts to install dragon extension as it has stopped working according to Dragon. Receive no error from Firefox.
Eventually go to extensions, see block.
No accessible option to remove block, so i have to torture myself to google without voice, and cant even find reasons why it is blocked, or an acknowledgement from Mozilla that it has been
Eventually find a user that lists about:config setting for completely disabling extension blacklist. More pain setting this.

Actual results:

I have to completely disable the blacklist, compromising my security (a significant detriment) entirely because i am disabled and using government provided and recommended accessibility equipment.
This is clear direct discrimination.

Expected results:

Notification of issue, choice whether to use one of the most trusted programs on earth if i wanted to.
Notification of reasons why it had been blocked rather than complete opacity.

The Bugbug bot thinks this bug should belong to the 'Firefox::Disability Access' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Disability Access

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #1)

The Bugbug bot thinks this bug should belong to the 'Firefox::Disability Access' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Thank you, oh bot, perfect. I had attempted to do so.

I'm sorry that you had such a bad experience, but I very much appreciate you taking the time to report it - thank you.

Since it seems like this is an issue with extensions, I'm moving this bug to the WebExtensions product and adding an "access" keyword - I suspect that group will know how to help. I'm triaging it as "access-s3" because there is a (painful) workaround.

Accessibility Severity: --- → s3
Component: Disability Access → Untriaged
Keywords: access
Product: Firefox → WebExtensions

Hello,

Sorry for this inconvenience.

I’m not sure why the add-on was removed from addons.mozilla.org as I can’t find it anywhere.

Searching the web lead me to https://dnsriacontent.nuance.com/15/setup/ffinstall.html, however I cannot install the extension from there as the install method uses InstallTrigger which has been deprecated.

I also found a piece of info stating that Nuances discontinued the extension for Firefox: https://www.nuance.com/products/help/dragon15/dragon-for-pc/enx/professionalindividual/Content/Web/about_firefox.htm.

It appears as for the moment, disabling the blocklist is the only method to allow the already installed extension to still be used.

I’ll NeedInfo one of our developers in hopes that they can shed some light on the matter.

Flags: needinfo?(lgreco)

Hello mycosys,

If you have the add-on installed already, the add-ons manager (available via about:addons), should show it as blocked, along with a "More information" link, that points to https://addons.mozilla.org/en-US/firefox/blocked-addon/dgnria_pro.firefox@nuance.com/1.40.0.5/ . This page lists the reason this add-on was blocked to keep Firefox users safe: The add-on executes remote code and collects data without disclosure, consent or control.

Flags: needinfo?(lgreco)

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #5)

Hello mycosys,

If you have the add-on installed already, the add-ons manager (available via about:addons), should show it as blocked, along with a "More information" link, that points to https://addons.mozilla.org/en-US/firefox/blocked-addon/dgnria_pro.firefox@nuance.com/1.40.0.5/ . This page lists the reason this add-on was blocked to keep Firefox users safe: The add-on executes remote code and collects data without disclosure, consent or control.

Hello Andreas,
might I ask that you acquaint yourself with the ethical concept of disability discrimination and accommodation, or at a minimum Title 3 of the Americans With Disabilities Act 1990
https://www.ada.gov/law-and-regs/ada/#subchapter-iii---public-accommodations-and-services-by-private-entities-title-iii
since the law is so arcane, and the ethics apparently difficult, here is a fact sheet for you
https://www.adainfo.org/article-archive/adjusting-access-reasonable-modifications-policies-practices-and-procedures/
Also relevant, as i am Australian and the Mozilla Foundation conducts business here, are sections 5 and 6 of the Disability Discrimination Act, far more clear and concise, but to the same effect.

http://www5.austlii.edu.au/au/legis/cth/consol_act/dda1992264/index.html#s5
DISABILITY DISCRIMINATION ACT 1992 - SECT 5
Direct disability discrimination

         (1)  For the purposes of this Act, a person (the discriminator ) discriminates against another person (the aggrieved person ) on the ground of a disability of the aggrieved person if, because of the disability, the discriminator treats, or proposes to treat, the aggrieved person less favourably than the discriminator would treat a person without the disability in circumstances that are not materially different.

         (2)  For the purposes of this Act, a person (the discriminator ) also discriminates against another person (the aggrieved person ) on the ground of a disability of the aggrieved person if:

                 (a)  the discriminator does not make, or proposes not to make, reasonable adjustments for the person; and

                 (b)  the failure to make the reasonable adjustments has, or would have, the effect that the aggrieved person is, because of the disability, treated less favourably than a person without the disability would be treated in circumstances that are not materially different.

         (3)  For the purposes of this section, circumstances are not materially different because of the fact that, because of the disability, the aggrieved person requires adjustments.

DISABILITY DISCRIMINATION ACT 1992 - SECT 6
Indirect disability discrimination
(1) For the purposes of this Act, a person (the discriminator ) discriminates against another person (the aggrieved person ) on the ground of a disability of the aggrieved person if:
(a) the discriminator requires, or proposes to require, the aggrieved person to comply with a requirement or condition; and
(b) because of the disability, the aggrieved person does not or would not comply, or is not able or would not be able to comply, with the requirement or condition; and
(c) the requirement or condition has, or is likely to have, the effect of disadvantaging persons with the disability.

         (2)  For the purposes of this Act, a person (the discriminator ) also discriminates against another person (the aggrieved person ) on the ground of a disability of the aggrieved person if:
                 (a)  the discriminator requires, or proposes to require, the aggrieved person to comply with a requirement or condition; and
                 (b)  because of the disability, the aggrieved person would comply, or would be able to comply, with the requirement or condition only if the discriminator made reasonable adjustments for the person, but the discriminator does not do so or proposes not to do so; and
                 (c)  the failure to make reasonable adjustments has, or is likely to have, the effect of disadvantaging persons with the disability.
         (3)  Subsection (1) or (2) does not apply if the requirement or condition is reasonable, having regard to the circumstances of the case.
         (4)  For the purposes of subsection (3), the burden of proving that the requirement or condition is reasonable, having regard to the circumstances of the case, lies on the person who requires, or proposes to require, the person with the disability to comply with the requirement or condition.

DISABILITY DISCRIMINATION ACT 1992 - SECT 6
Indirect disability discrimination

         (1)  For the purposes of this Act, a person (the discriminator ) discriminates against another person (the aggrieved person ) on the ground of a disability of the aggrieved person if:
                 (a)  the discriminator requires, or proposes to require, the aggrieved person to comply with a requirement or condition; and
                 (b)  because of the disability, the aggrieved person does not or would not comply, or is not able or would not be able to comply, with the requirement or condition; and
                 (c)  the requirement or condition has, or is likely to have, the effect of disadvantaging persons with the disability.
         (2)  For the purposes of this Act, a person (the discriminator ) also discriminates against another person (the aggrieved person ) on the ground of a disability of the aggrieved person if:
                 (a)  the discriminator requires, or proposes to require, the aggrieved person to comply with a requirement or condition; and
                 (b)  because of the disability, the aggrieved person would comply, or would be able to comply, with the requirement or condition only if the discriminator made reasonable adjustments for the person, but the discriminator does not do so or proposes not to do so; and
                 (c)  the failure to make reasonable adjustments has, or is likely to have, the effect of disadvantaging persons with the disability.
         (3)  Subsection (1) or (2) does not apply if the requirement or condition is reasonable, having regard to the circumstances of the case.
         (4)  For the purposes of subsection (3), the burden of proving that the requirement or condition is reasonable, having regard to the circumstances of the case, lies on the person who requires, or proposes to require, the person with the disability to comply with the requirement or condition.

The policy failure consider the accessibility nature of extensions is 'indirect discrimination' in clear breach of section 6 and title 3, and the disadvantage induced and hurdles emplaced re-enabling the extension are direct discrimination, in breach of section 5 and title 3, as is your personal refusal to consider the reasonable accommodations requested in the 'expected outcome' section.
My apologies, but i really do not have the energy to research the provisions in Germany, but I do not believe they apply to the matter as the foundation is US incorporated and the action and disadvantage are in Australia.

I hope you can understand, and will re-read

That i even feel i need to quote law over an ethical matter seems like a core failure for the Mozilla Foundation, which is supposed to be based in ethics.

(In reply to Alex Cornestean from comment #4)

Hello,
hi Alex!

Sorry for this inconvenience.
Thank you for consideration, it really isn't me I am that worried about, I managed to get it figured out, not a complete moron so probably won't install random extensions exposing me to some enormous disadvantage, I'm also kind of old school and still use a commercial antivirus.
There's a lot of people a lot more dependent on the system than me, I suspect they won't find it is easy.
There is also the matter of the policy issue which is the primary problem. This shouldnt happen again.
I'm also worried what happens when i update. I guess it may be byebye Mozilla.

I’m not sure why the add-on was removed from addons.mozilla.org as I can’t find it anywhere.
I don't think it was ever on Mozilla add-ons, possibly because like most accessibility applications it needs to be able to read virtually everything on the page in order to be able to do corrections, or to read things out.
And Nuance being Nuance, rather proprietary about how they do things.

I have searched Toolkit bugs for Dragon or Nuance and have not found a request to block the plug-in, which means the matter is completely opaque, and decided internally.

I suspect that the issue is that Nuance are quite open about the fact that by default they collect absolute reams of data on the user:
https://www.nuance.com/products/help/dragon/dragon-for-pc/enx/professionalgroup/main/Content/DialogBoxes/misc/abt_data_collection.htm
but they also make this very clear, and dedicate a page during install to allowing the user to opt out.
I also suspect very strongly that this coming 3 months after Microsoft acquired Nuance is no coincidence.

But it is impossible for me to know, be empowered to make my own decisions about my privacy, because the foundation is being completely opaque. This seems to be the antithesis of the point of the foundation existing.

Searching the web lead me to https://dnsriacontent.nuance.com/15/setup/ffinstall.html, however I cannot install the extension from there as the install method uses InstallTrigger which has been deprecated.

I hope that has been updated in version 16, released in February. It seems unfortunate to, again, not consider accessibility implications in these policy decisions - a lot of people cant afford $500 to update.

I also found a piece of info stating that Nuances discontinued the extension for Firefox: https://www.nuance.com/products/help/dragon15/dragon-for-pc/enx/professionalindividual/Content/Web/about_firefox.htm.

The extension manifest lists min version 48 and JavaScript files so i would say that has been updated since 2017.

It appears as for the moment, disabling the blocklist is the only method to allow the already installed extension to still be used.

I only hope those more dependent can figure that out, and find someone to help them do it. Otherwise I guess it's off to the much bigger privacy hole of Chrome.
(if that's you:
press alt-d to go to address bar & enter about:config
click 'accept the risk and continue'
where it says "Search preference name" enter extensions.blocklist.enabled
click the arrow that points both directions "toggle" button to set that to false)

I’ll NeedInfo one of our developers in hopes that they can shed some light on the matter.

Thank you so much

This seems an awful lot like political grandstanding, at the conscious cost of disabled users.
I really hope I am wrong, I remember when the Mozilla foundation became a thing, it seemed like a radical thing for the future of not just the Internet, but the world. People were using Dragon NaturallySpeaking to control it back then too.
I don't think anyone likes ScanSoft Inc later Nuance, but many of us have decades and thousands of dollars of purpose-built technology invested into the system, myself included. The system is used by most of the largest hospitals and legal offices on earth.

Well, removing that friendly, polite, accurate comment should play well in any proceedings.

The severity field is not set for this bug.
:rpl, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(lgreco)

Hello Folks.

I wanted to jump in to provide a quick status update.

Various folks internally who have a contact at Microsoft have been reaching out in an attempt to engage them on this extension since we have not had any luck getting a response from the add-on developer of record. As mentioned by others previously, in its current form this add-on allows for remote code execution, which poses a potentially serious security risk for any user who installs it and is also in violation of our Add-on Review Policies.

We try to make the add-on listing page as clear as possible when we do have to block an add-on and would welcome any feedback you have on how the messaging could be improved to be more informative. We try to clearly spell out the reasons the add-on was blocked (in this case because of the data collection opt-in issue and the remote code execution issue.)

Blocking an add-on is always a last resort and is only considered after attempts to reach the add-on developer have failed.

Again, thank you for bringing this to our attention and we will continue to engage with Microsoft to identify a contact we can work with to get this resolved.

Best regards.

Ed Sullivan
Add-ons Developer Relations

Also, mycosys, if you open a support ticket with Nuance, that would be helpful.

They wouldn't let me open a ticket because I don't own the product.

Status Update:

Despite our best efforts we have not been able to get in contact with anyone at MS/Nuance that we could work with on this extension. We have tried contacting the extension developer, reaching out to personal contacts at MS/Nuance, calling their support lines, and filling out support forms online.

None of the available status options on these tickets (FIXED, INVALID, WONTFIX, WORKSFORME, DUPLICATE) seem appropriate, so I selected WONTFIX for now. It's really more of a "CANTFIX" until we are able to get in contact with someone at MS/Nuance who is responsible for this extension.

Thank you.
Ed Sullivan

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Flags: needinfo?(lgreco)
You need to log in before you can comment on or make changes to this bug.