Legal Distortion: How ADA Web Lawsuits Mimic Cybercrime – Part One

Introduction

In recent years, a surge of Americans with Disabilities Act of 1990 (“ADA”) Title III website accessibility complaints has flooded the federal court system. While the ADA is a critical tool for ensuring equitable access, many of these cases lack genuine merit. Instead, they exploit legal ambiguities, overwhelming small businesses, as well as the federal courts, with predatory lawsuits. A prime example of this is Primitivo Robles v. The Other Side Dispensary, LLC, a case emblematic of the broader issue of invalid ADA website complaints. This paper explores this case to highlight how these lawsuits pose a threat not only to legitimate accessibility advocacy but also to emerging industries like cannabis in New York and New Jersey. Further, it argues that ADA website complaints have a significant cybersecurity and cybercrime dimension. This paper is broken down into three sections: (a) what it means for a website to be accessible, how that is achieved, and what it means not to be; (b) a look at one case through the lens of the Robles claim; and (c) one of several recommendations to close the cybersecurity loophole.

ADA Title III 

The ADA was enacted to prohibit discrimination against individuals based on their disabilities. The ADA defines disability as “a physical or mental impairment that substantially limits one or more major life activities.” Some of those major life activities are seeing, hearing, speaking, learning, communicating, and walking. In enacting this legislation, Congress declared that “physical or mental disabilities in no way diminish a person’s right to fully participate in all aspects of society, yet many people with physical or mental disabilities have been precluded from doing so because of discrimination.” In the physical world this means bathroom stalls that are not wheelchair accessible or a lack of handicap parking. In the virtual world it means a website that cannot be used with a screen reader or a keyboard. From the enactment of the ADA until 2017, Title III claims were limited to physical structures and to the list of private entities whose operations affect commerce and that fall under one of the statute’s twelve definitions. Each definition encompasses a number of business types that provide similar services, such as “(B) a restaurant, bar, or other establishment serving food or drink;” “(E) a bakery, grocery store, clothing store, hardware store, shopping center, or other sales or rental establishment;” or “(F) a laundromat, dry-cleaner, bank, barber shop, beauty shop, travel service, shoe repair service, funeral parlor, gas station, office of an accountant or lawyer, pharmacy, insurance office, professional office of a healthcare provider, hospital, or other service establishment.” Examples of (B) would be Five Guys, Hooters, Domino’s Pizza, or a local diner. Examples of (E) would be Winn-Dixie, Hobby Lobby, or a local flower shop. Examples of (F) would be Winn-Dixie’s pharmacy, Metropolitan Life Insurance, or any lawyer’s office.
To state a claim for relief under Title III of the ADA, a plaintiff “must allege (1) that [he] is disabled within the meaning of the ADA; (2) that defendants own, lease, or operate a place of public accommodation; and (3) that defendants discriminated against [him] by denying [him] a full and equal opportunity to enjoy the services defendants provide.”

Appellate courts are split as to whether the provisions of the ADA, mainly those involving places of public accommodation under Title III, apply to online technology such as websites. The Third, Sixth, Ninth, and Eleventh Circuits follow the approach that Title III applies to the services of a place of public accommodation and is not limited to services provided only in the place of accommodation. In other words, Title III applies if there is a sufficient nexus between the website and the physical location. However, if the physical location is not a place of public accommodation, then neither is its website. This is in contrast to the First and Seventh Circuits, which apply the ADA broadly and do not limit its interpretation to a physical structure. The United States District Court for the Southern District of New York had started leaning toward the First Circuit’s view, but the September 2024 decision handed down by Laura Taylor Swain, Chief United States District Judge, in Mejia v. High Brew Coffee, Inc., has restrained this trend. In her decision, Judge Swain stated that the “Second Circuit has not squarely addressed the question of whether a website, absent a connection to a physical location, constitutes a place of public accommodation.” She then ruled that “the Court finds that a stand-alone website is not a place of public accommodation under Title III of the ADA. Plaintiff thus fails to state a claim on which relief may be granted under the ADA. Because Plaintiff fails to state a claim under the ADA, Count III’s request for declaratory relief is also dismissed.” This is the latest precedent in the New York federal courts and, although not controlling, is strongly influential as to the circumstances in which a website must be considered a place of public accommodation in New York.

ADA website litigation has evolved into a form of legal and financial exploitation that parallels cybercrime. These cases are frequently initiated by high-volume plaintiffs or law firms relying on automated tools to identify “violations.” This strategy mirrors the methodology of cybercriminals, who deploy bots to find vulnerabilities in software or systems.  

Just as cybercriminals exploit software loopholes, opportunistic litigants exploit the lack of detailed federal regulations on website accessibility standards under the ADA. ADA Title III website accessibility claims have grown exponentially, exceeding 4,000 per year since 2021, with New York eclipsing all other states. In September 2024 alone, 342 lawsuits were filed, 65% of them in New York. More importantly, these claims are filed by a handful of plaintiffs and firms: a small group of plaintiffs is responsible for a significant portion of the lawsuits filed under the ADA, and 31 plaintiff firms file 50% of ADA website accessibility lawsuits. Many ADA lawsuits are resolved through settlements because defending these cases can cost small businesses tens of thousands of dollars. This “settle or go bankrupt” dynamic is akin to ransomware attacks. Emerging markets, such as the cannabis industry in NY and NJ, are disproportionately affected due to their limited resources and regulatory challenges. These businesses already navigate complex state and federal laws, making them prime targets for predatory litigation. Even with settlements under $25,000, 4,000 cases a year would still cost approximately $100 million. Although small compared to the $42 billion from ransomware attacks in the United States, it is yet another potential attack vector that businesses and their IT staff have to worry about.

As I outlined in my 2021 paper “The ADA and website accessibility: a technical problem without a technical understanding,” website accessibility cases are rarely decided on the merits of the claim. The courts have consistently taken the position indicated by the Winn-Dixie court in 2017, which stated that “[r]emediation measures in conformity with the WCAG 2.0 Guidelines will provide Gil and other visually impaired consumers the ability to access Winn-Dixie’s website and permit full and equal enjoyment of the services, facilities, privileges, advantages, and accommodations provided through Winn-Dixie’s website.”

WCAG

Web Content Accessibility Guidelines (“WCAG”) 2 is developed through the World Wide Web Consortium (“W3C”) in cooperation with individuals and organizations around the world, with a goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally. The guidelines are a set of internationally recognized standards developed through the Web Accessibility Initiative (“WAI”). WCAG provides guidelines for making web content more accessible to people with disabilities, including those with visual, auditory, cognitive, and motor impairments. WCAG is often referenced in legal frameworks, including: (a) the Americans with Disabilities Act (“ADA”) in the U.S. (as applied to websites via case law), (b) Section 508 of the Rehabilitation Act (which applies to U.S. federal agencies and contractors), (c) the European Accessibility Act (EAA) and EN 301 549 (European Union), and (d) other national and regional accessibility laws worldwide.

Key aspects of WCAG focus on being (a) perceivable, (b) operable, (c) understandable, and (d) robust.

  • Perceivable – Content must be presented in a way that users can perceive, including alternatives for non-text content (e.g., captions for videos, text descriptions for images).
  • Operable – Users must be able to interact with and navigate the content, ensuring functionality via a keyboard and providing sufficient time for interactions.
  • Understandable – Information and user interface components must be clear and predictable.
  • Robust – Content must be accessible across various technologies, including assistive devices.

Despite these guidelines, there is no set standard for how conformant a website has to be in order to be ADA compliant. What appears in complaints are elements or attributes that are missing or incomplete. In some cases the lack of these elements or attributes is very detrimental to a disabled person’s use of a site because their screen readers cannot extract conveyable information without these values. An example of this is a picture (an “img” element in HTML) that does not contain the alt attribute. The alt attribute carries the text description of the picture that screen readers read aloud. It is distinct from the title attribute, which produces the tooltip a sighted user sees when mousing over the image and which screen readers do not reliably announce, so a title alone does not make an image accessible. However, there are also many references to elements or attributes missing that may or may not create issues for screen readers. One such HTML construct is the set of ARIA attributes. Accessible Rich Internet Applications (ARIA) is a set of roles and attributes that define ways to make web content and web applications (especially those developed with JavaScript) more accessible to people with disabilities. Based on this definition, it would seem that ARIA should be used without fail, and many website accessibility evaluation services such as Google Lighthouse and WAVE will report on ARIA attributes when they are missing. Ironically, the first rule of ARIA use is “If you can use a native HTML element or attribute with the semantics and behavior you require already built in, instead of re-purposing an element and adding an ARIA role, state or property to make it accessible, then do so.”

These claims do contain accessibility evaluation reports that reflect the count of missing parts in order to support the claim that the site was not accessible to the plaintiff on the day in question. This is a step forward in making the claims more substantive, but it does not actually prove the site was inaccessible as the plaintiff claims. The real-world equivalent would be pointing out that NOT ALL of the parking spots are handicap accessible. In the real world, with the rare exception of lots with fewer than 10 spots, the number of accessible spots does not exceed 10%. So to indicate that certain elements and attributes are not present is equivalent to pointing out the non-accessible spots with no regard to the number or nearness of the accessible ones.
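To make concrete what the automated checkers behind these evaluation reports actually measure, and why a raw count of findings does not establish that a page was unusable, here is a small scanner written for this page. It is example code, not WAVE, Lighthouse, or any tool cited in a complaint. It flags images without alt text (noting that a title attribute does not substitute), images with an intentionally empty alt (a correct decorative pattern that naive counters still report), ARIA roles that merely restate a native element’s semantics, and a div repurposed as a button without a tabindex. The severity scale and the sample HTML are constructed for the example.

```python
"""Tiny accessibility-attribute scanner in the style of an automated checker.

Example code written for this page; it is not WAVE, Lighthouse, or any tool cited
in a complaint. It shows what such tools measure (attribute presence) and why a
raw count of findings does not by itself show a page was unusable: some findings
block a screen-reader user, others are lint. The HTML below is constructed.
"""
from html.parser import HTMLParser

# Native elements whose built-in semantics already cover these ARIA roles, so the
# role is redundant under the first rule of ARIA. (Subset chosen for the example.)
REDUNDANT_ROLES = {
    "button": {"button"},
    "a": {"link"},
    "nav": {"navigation"},
    "main": {"main"},
    "img": {"img"},
}

# Assumed severity scale for this example: "blocking" removes information or
# function for assistive technology; "advisory" is best-practice lint; "info"
# is a correct pattern that naive counters sometimes still report.
SEVERITY = {
    "missing-alt": "blocking",
    "unfocusable-widget": "blocking",
    "redundant-aria-role": "advisory",
    "decorative-image": "info",
}


class A11yScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line, kind, detail)

    def _add(self, kind, detail):
        line, _ = self.getpos()
        self.findings.append((line, kind, detail))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            if "alt" not in a:
                # No alt: the screen reader has nothing to announce. A title
                # attribute only yields a mouse-hover tooltip; it does not substitute.
                self._add("missing-alt", a.get("src", ""))
            elif a["alt"] == "":
                # Empty alt is valid: it marks a decorative image to be skipped.
                self._add("decorative-image", a.get("src", ""))
        role = a.get("role")
        if role and role in REDUNDANT_ROLES.get(tag, set()):
            self._add("redundant-aria-role", f"<{tag} role={role}>")
        if tag in ("div", "span") and role == "button" and "tabindex" not in a:
            # A div repurposed as a button cannot receive keyboard focus without
            # tabindex, so a keyboard-only user cannot activate it.
            self._add("unfocusable-widget", f"<{tag} role=button>")


def scan(html):
    """Return [(line, kind, detail), ...] for the given HTML string."""
    p = A11yScanner()
    p.feed(html)
    p.close()
    return p.findings


def summarize(findings):
    """Count findings by severity rather than as one undifferentiated total."""
    counts = {"blocking": 0, "advisory": 0, "info": 0}
    for _, kind, _ in findings:
        counts[SEVERITY[kind]] += 1
    return counts


# Constructed sample page, not taken from any real site or complaint.
SAMPLE = """<html><body>
<nav role="navigation"><a href="/">Home</a></nav>
<img src="logo.png" alt="Acme Dispensary logo">
<img src="divider.png" alt="">
<img src="product.jpg">
<img src="storefront.jpg" title="Our storefront">
<button role="button">Add to cart</button>
<div role="button">Checkout</div>
<div role="button" tabindex="0">Cancel</div>
</body></html>"""

if __name__ == "__main__":
    results = scan(SAMPLE)
    for line, kind, detail in results:
        print(f"line {line}: {kind} ({SEVERITY[kind]}) {detail}")
    print(summarize(results))  # six findings in total, only three of them blocking
```

Run against the sample, the scanner reports six findings, which is the kind of number an evaluation report attaches to a complaint. Only three of them (two images a screen reader cannot describe and one control a keyboard user cannot reach) actually deny access; the redundant roles are lint, and the empty alt is the correct way to hide a decorative image. A report that presents the total without that split is counting parking spots without saying which ones are accessible.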

Come back soon to read Part Two

New Paper on Data Breach Harms

This is a draft of my paper Cybersecurity and Data Breach Harms: Theory and Reality, forthcoming in the Maryland Law Review.

ePrivacy Regulation Proposal

On February 10, 2021, the Council of the European Union released its proposed ePrivacy Regulation. If adopted, the ePR will complement and extend the GDPR. The ePR would be deemed lex specialis in relation to the GDPR as lex generalis, meaning the ePR would take precedence in the event of any conflicts. The ePR would apply to organizations and providers that facilitate electronic communications. The next step is the trilogue process. Most observers think the European Parliament will ask for some potentially significant changes to the Council Proposal. In subsequent posts we’ll unpack some significant aspects of the Proposal.


North Korean Hacker Indictment

Today Federal prosecutors in California unsealed an indictment against North Korean members of Lazarus Group and APT38 alleging $1.3 billion in theft and extortion. The Indictment is notable for the scale of the nation-state sponsored economic criminal activity it describes.


The Virus and Ransomware

In the middle of the pandemic, things we used to take for granted feel frightening.  A trip to the grocery store, taken only when truly necessary, seems like stepping onto the set of a post-apocalyptic movie, as shoppers eye each other suspiciously from behind face masks while picking over thinly-stocked shelves.  Cyber criminals, unfortunately, know how to prey on these fears.  From early in the COVID-19 crisis, cybersecurity experts have warned about a rise of social engineering attacks, such as phishing emails, spoofed websites impersonating public health authorities such as the World Health Organization and the U.S. Centers for Disease Control, and fake coronavirus mobile apps.   

Some of these social engineering campaigns have been linked to ransomware attacks on health care facilities, financial services providers, and other essential businesses. A study done by Carbon Black, for example, showed a 148% increase in ransomware attacks between February and March 2020. Another study released by Check Point Research on April 16, 2020, found that ransomware attackers are increasingly engaging in “double extortion.” This kind of attack begins as a typical ransomware incident: the attacker encrypts the victim’s data and demands a ransom to decrypt it. It then adds a second stage: the attacker has already exfiltrated a copy of sensitive data and, after receiving the decryption ransom, demands a second payment to prevent public disclosure of the stolen data.

Although the COVID-19 crisis creates fear, it also prompts generosity and altruism, ranging from the heroism of front-line health care workers to everyday acts of kindness like checking in virtually on friends and neighbors. At the start of the crisis, leading ransomware groups such as DoppelPaymer and Maze seemed to join this wave of altruism by promising to avoid attacks on health care facilities. These groups try to position themselves as modern-day cyber Robin Hoods, stealing from wealthy banks and other for-profit companies while avoiding entities such as healthcare facilities that serve the poor.

Almost immediately after this promise, however, Maze hit Hammersmith Medicines Research, a British company that may serve as a COVID-19 vaccine test center.  The truth is that these are ruthless organized crime operations that will not hesitate to take advantage of this crisis.

Now more than ever, even as we practice social distancing to flatten the curve of the coronavirus infection, we need to practice good cyber hygiene to flatten the curve of cyber attacks.  It’s a good time to remind employees working from home of some basic principles: 

  • Be wary of texts or emails that seem unusually alarmist or urgent, particularly if they purport to originate from high-level government or corporate sources.

  • Avoid apps and websites that claim to offer some inside information or cures beyond what is being reported by official government sources and reputable news outlets.

  • If presented with a request for information that seems suspicious, use recognized channels, including a phone call to the supposed source, to confirm whether the request is authentic.

  • Notify the appropriate persons in your organization of contacts that appear to be social engineering scams.

Legal Ethics and Technology

I’m speaking tonight at the Gibbons Institute of Law, Science & Technology’s “Legal Ethics, Technological Competence and New Technologies” event.  I’ll focus on Comment 8 to ABA Model Rule 1.1, ABA Formal Opinion 477, and ABA Formal Opinion 483, all of which concern a lawyer’s ethical duties in relation to new technologies.  Here’s the slide deck.

Slides (slidesforethicscle2018.PPTX): https://drive.google.com/file/d/1Jp61G_IzBN0nqH7yzXx5FIgtbB3ILH0l/preview?usp=drivesdk

AI Data Privacy Concerns

Here’s a working list of legal concerns regarding AI and data privacy:

  • Legal Problem #1: Do you have authority to collect the data?
  • Legal Problem #2: Do you have authority to use the data?
  • Legal Problem #3: Do you have authority to retain the data?
  • Legal Problem #4: Does your algorithm need to be fair?
  • Legal Problem #5: Are you providing data to a business partner that is using it in AI applications?
  • Legal Problem #6: Are you obtaining services from a business partner that is processing data in AI applications?

AI in the Pharma Industry

On Thursday I’m speaking at the Mayer Brown Life Sciences Symposium on AI, Blockchain, and Automation in the pharma industry.  Here’s a graph from a recent EY Report showing the ways in which big data and automation will impact the pharma and healthcare industries.  

These developments promise to revolutionize healthcare for the better.  From a security perspective, these developments present both benefits and risks.  On the risk side, one of the themes I’ll emphasize is the increased attack surface that comes from the integration of information across multiple vendors, devices, platforms, providers, and patients.

Encryption and the Fifth Amendment

This afternoon I’m presenting at the Hofstra Law School IP Colloquium on my paper The Skeleton in the Hard Drive:  Encryption and the Fifth Amendment.  Here are my slides.

Slides (The Skeleton in the Hard Drive.pptx): https://drive.google.com/file/d/1BGkHdofptEBeJjkbbi9gkpycbnjtmlMa/preview?usp=drivesdk

Disrupt NJ

Speaking tonight at Disrupt NJ on “Corporate Social Responsibility and Cybersecurity.”  Here are my slides.

Slides (csrtechethics.pptx): https://drive.google.com/file/d/1drmCVDg-mNkCfTp8bD6Mr56i_iqVnr2x/preview?usp=drivesdk

Law and AR / VR: “Asymmetric Reality”

On Friday I spoke at the “Virtual Legality” symposium at the University of Maryland Law School.  Here are my slides.  My talk emphasized the “second half of the chessboard” effect concerning data collection in AR / VR.

Slides (maryland presentation.pptx): https://drive.google.com/file/d/1w5Vew5vBXL_fL26ZbYatwEiqlgTUpFjr/preview?usp=drivesdk


Russia’s Other Cyber Attack

Russia’s meddling in the 2016 Presidential election obviously has captured plenty of media attention. Less well known is that, according to a recent US-CERT report, Russia has been “targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” with cyber intrusions. The report notes that the initial intrusions proceeded through trusted third-party suppliers whose networks were less secure than those of the infrastructure entities, and that the targets were deliberately chosen.

Russia’s manipulation of social media to influence U.S. elections is a deep concern, but the fact that Russia is probing weaknesses in our power, water, air, and other critical networks is even more sobering.  Coincidentally, this week I’m teaching a class on cybersecurity and the international law of war.  Cyberwar is a fuzzy domain that does not map neatly onto the existing international law of war.  Here’s a video lecture of the materials for that class: