Seeking Best Accessibility Practices

Quiz 1.1.5: Did a CAPTCHA catch ya?

A well-known accessibility consultant said he’s fed up with spam. Aren’t we all! The first time we corresponded, he asked that I register with his screening service, Spam Arrest. That service uses a CAPTCHA to prevent spam bots from using the service. The invitation included a phone number that could be called in case the image could not be seen, and the registration page included a link to an audio version of the secret word. Not bad, but my browser wouldn’t play the audio and I didn’t want to pay for a toll call. Fortunately, I could see the image.

The American Federation for the Blind recently wrote about the accessibility of blogging to people with vision loss. They observed that establishing a new Blogger account requires passing a CAPTCHA test, and there is no alternative to the visual test. Pass the test or go elsewhere.

Darrell Shandrow writes often about these problems in his Blind Access Journal. One assumes that sheer determination got Darrell around Blogger’s barrier. He reports mixed results in persuading other services to offer alternatives to CAPTCHAs.

Simple CAPTCHAs have already been compromised. More complex versions escalate the “arms race” between those who want to thwart spam and the spammers. These can only complicate how we provide alternatives for people with vision loss.

Q. What are we to do about CAPTCHAs?

  • A Just say “no” to using CAPTCHAs on any of our projects. Find another registration method that is accessible. Describe your alternative.
  • B When using a CAPTCHA, always provide one or more alternatives.
  • C Build a better, more accessible, Turing test. Innovation required. Some of you are smarter than Comp Sci grad students, so there have to be good ideas out there. Describe a better test.

22 Responses to “Quiz 1.1.5: Did a CAPTCHA catch ya?”

  1. Chris Says:

    I was wondering about this, too. We all suffer from spam, just set up a blog and you’ll hear about different online gaming offers and mails interested in the size of your appendage soon enough. Captchas somehow are a good idea on the surface, but it once again smacks of sharing your problem of spam with the visitor. Also, clever spammers found a way to use humans to crack them for their purpose: http://www.wait-till-i.com/index.php?p=17

  2. patrick h. lauke Says:

    A. it’s a losing battle, and you’ll never win in the long run. you can minimise the impact of spam floods and automated signups with server-side trickery, such as adding hidden fields with hashed names and values based on, say, the current time, and check for (correct) existence of these hidden fields at the receiving end, for instance.
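The hidden-field check described in this comment, as an added example that is not part of the original thread or this site's own code. It uses a keyed HMAC rather than a bare hash so the values cannot be recomputed without the server key; `SECRET`, the `ts` and `nonce` field names, the 3-second and one-hour limits, and the in-memory replay set are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key"  # assumption: a per-site key kept on the server
MIN_AGE = 3      # seconds; assumed lower bound for a human filling in the form
MAX_AGE = 3600   # seconds; assumed lifetime of a rendered form
_used = set()    # nonces already accepted (in-memory, for the demo only)


def _mac(label, ts, nonce):
    """Keyed hash over the render time and nonce; label separates name from value."""
    msg = f"{label}:{ts}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_hidden_fields(now=None):
    """Return name -> value pairs to render as hidden inputs when serving the form."""
    ts = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)
    name = "f_" + _mac("name", ts, nonce)[:16]  # field name differs on every render
    return {"ts": str(ts), "nonce": nonce, name: _mac("value", ts, nonce)}


def check_submission(form, now=None):
    """Return (accepted, reason) for a posted form given as a dict of strings."""
    now = int(time.time()) if now is None else int(now)
    nonce = form.get("nonce", "")
    try:
        ts = int(form.get("ts", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    # Recompute the expected field name and value from the posted ts and nonce.
    name = "f_" + _mac("name", ts, nonce)[:16]
    supplied = form.get(name, "").encode()
    expected = _mac("value", ts, nonce).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "hidden field missing or wrong"
    age = now - ts
    if age < MIN_AGE:
        return False, "submitted too quickly"
    if age > MAX_AGE:
        return False, "form expired"
    if nonce in _used:
        return False, "token already used"
    _used.add(nonce)
    return True, "ok"
```

This rejects blind form-fillers, stale or replayed forms, and instant submissions; a script that fetches a fresh form and echoes its fields back still passes, which is the limitation raised in the next comment.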

  3. Chris Says:

    How would that work Patrick? I thought the issue is that any form - hidden values or not - can be filled by a script the same way it can be by a human being. And a receiving script on a mail server could ensure to send the right data back. A captcha tries to get around that by adding a human extra, something a script cannot simulate.
    Either way, it is tricky.

  4. Matthew Pennell Says:

    For a recent web-app we’ve built, we went with C.

    The alternative CAPTCHA we used asks a simple question with a one-word answer - for example, “What colour is an orange?” The questions are supposed to be simple enough to not cause problems for those with learning difficulties (although they did occasionally drift into pub quiz territory!)

  5. Gez Lemon Says:

    I quite like the “What colour is an orange” type questions, but that may still lead to accessibility problems for those with cognitive disabilities. I think biometrics, such as fingerprint and retinal scanning, will lead to more accessible systems that could be used as a means to uniquely identify someone. It sounds a bit futuristic, but is already implemented on some PDAs.

  6. Uce Says:

    Gez, nothing stops somebody from generating biometric data randomly. Biometrics solves very few actual problems, it’s more of a buzzword than anything useful.

    Personally, I have perfect vision, but when I visited msmvps.com recently, the captchas they use seemed fairly normal, but I made about six mistakes. Captchas are a real barrier to humans as well.

  7. Gez Says:

    “Captchas are a real barrier to humans as well.”

    As well as non-humans?

  8. Uce Says:

    Sorry, I was being imprecise. As you know, captchas are a form of Turing test; they are designed to differentiate between actual human beings and automated processes.

    It’s in this context I was saying “Captchas are a real barrier to humans as well” - as opposed to non-humans like a spambot.

    Re-reading my comment, I can see now that it looks like I’m talking about disabled people as if they are non-human, and that’s definitely not right!

    My actual point was “Captchas are a real barrier to fully-able people as well”, but I’m so used to talking about the downsides of Captchas in a general context that my point was inadvertently obscured. Sorry for the confusion.

    PS: the Referer HTTP header checking on this website is annoying. What is it meant to accomplish? It’s easily spoofed by spammers.

  9. Gez Lemon Says:

    “Sorry for the confusion.”

    No worries; I apologise for reading your response out of context.

  10. Georg Says:

    No matter how complex such “accessibility barriers” are made, they will only separate humans from other humans. They only work to a degree for their intended use, because they are not used everywhere — yet.

    It all comes down to our wish to separate the “humans with good intentions” from what we see as “humans with bad intentions”. No Turing test can do that, so that race is already lost.

    Once the problem: CAPTCHA or whatever, is known, then no one with some minor knowledge about how artificial intelligence works will have to work very hard to solve or crack them - everywhere and every time. No human interaction needed, since these barriers can only exist within the limits of artificial intelligence, and on a quite low level too. After all: these barriers are meant to be cracked, or we wouldn’t use them anyway.

    I would remove these “accessibility barriers” completely, and use methods similar to intelligent mail-sorting. Artificial intelligence can be trained to near perfection on an “out of view” level, and it is much harder (but not impossible) to manipulate.

    It will be a constant battle just to stay ahead, no matter what, but our chances of winning a game of poker are slightly improved if we don’t show our cards, and are prepared to play against real humans.
    Not to mention: FOR real humans.

  11. pamberman Says:

    I’ve been looking at a couple of variations of CAPTCHAs and from what I’ve seen, they all rely upon vision so I’m intrigued by “What colour is an orange?” At least it has the potential to be accessible for more people.

    I played around with the ESP-TEXT CAPTCHA (http://www.captcha.net/cgi-bin/esp-text) and failed numerous times. The instructions are, “Type a word or string of characters appearing in the picture.” I admit, I was trying to see which words or strings of characters were not included in the “pass” list. On the other hand, I’ve failed ones I tried to get right and have had to help friends and co-workers get through them. The creators of these things really need to take into account all the possible character combinations for a correct answer. I agree it is frustrating at times.

    Yesterday, I ran into a CAPTCHA with an “if you can’t see this” message. Being curious, I clicked on the link and was given a number to call but only if I am visually impaired. The creators of the site had thought about it and provided an alternative but it’s rude to expect such an unreasonable amount of additional effort to complete the transaction.

    Personally, I would vote for something that removes the need to frustrate users but I don’t know what that would be at this point. What are the alternatives to CAPTCHAs and how well do they work? If there are no alternatives that work, then I vote for a toolbox of Turing tests. It seems silly to get rid of the ones that currently work but we definitely need other alternatives.

    Maybe the solution is a combination of methods. If innovation is required, then we need a brainstorming session. The question is, “How do we separate ‘humans with good intentions’ from what we see as ‘humans with bad intentions’?”

    The goal is to generate as many diverse ideas as possible without judgment. Here’s the list so far with my contribution:

    “Use server-side trickery, such as adding hidden fields with hashed names and values based on, say, the current time, and check for (correct) existence of these hidden fields at the receiving end, for instance.”

    “Add a human extra, something a script cannot simulate.”

    “Ask a simple question with a one-word answer - for example, ‘What colour is an orange?’”

    “Use biometrics, such as fingerprint and retinal scanning, which will lead to more accessible systems that could be used as a means to uniquely identify someone.”

    “Use methods similar to intelligent mail-sorting. Artificial intelligence can be trained to near perfection on an ‘out of view’ level, and it is much harder (but not impossible) to manipulate.”

    Find ways to track how humans with good intentions habitually interact with the system and test for a lack of habitualness that might indicate the user is not human or has bad intentions. For example, there is a security tool used for authenticating users taking an online test. The user’s style of typing is recorded and analysed when the user first enters the system. If someone else attempts to take the test for the user, there is a significant difference in how the person types, which can be statistically identified and flagged.

    Find ways to track how humans with bad intentions habitually interact with the system and look for their digital footprints.

  12. pamberman Says:

    I found someone working on providing an audio version for alpha-numeric CAPTCHAs if anyone is interested http://viebrock.ca/code/16/turing-with-audio

  13. jan831 Says:

    these questions with one-word are not always possible (multi-language, …)

    why not use a simple calculation?
    let visitors make the sum of 2 random numbers between 0 and 10

  14. evan Says:

    jan831,
    “What color is an orange?” type questions do indeed face an internationalization problem. Are you going to translate the question into each possible user’s language? And how will you reliably interpret the provided answer especially considering the array of input methods for non-ASCII characters.

    Unfortunately, using math problems will not address the problem. It would be *very easy* to write a script to “scrape” the contents of the screen, perform the math and include the result in the posting, thus defeating the purpose of a CAPTCHA.

  15. evan Says:

    Georg,

    “these barriers are meant to be cracked,” ???

    These barriers are not meant to be cracked. This is like saying “passwords” are meant to be cracked. No, passwords and CAPTCHAs are not *meant* to be cracked. Their primary purpose is to make it fairly easy for humans with good intentions to gain access to a system and very difficult for all but the most determined spammers, human or spammers, to crack and exploit in a way that becomes a nuisance.

    If a CAPTCHA can be made that’s just enough of a barrier that a bad guy has to expend considerable resources (either via software development or by running a sweat shop of humans) to assault your system, what’s the harm? You may need to update the CAPTCHA over time to stay ahead, but this is part of running a publicly accessible system, unfortunately.

    It seems you are suggesting using filtering techniques to obscure the content created by bad guys from the good guys. This “solution” really has the same exact problem as a CAPTCHA. Namely, over time the bad guys figure out how to work around the AI rules (your term) to get past the filters and a system administrator needs to work to stay ahead of them. What’s more problematic about this “solution” is that it offers a wonderful opportunity for denial of service (DOS) attacks on your system. If you can allow all content in, filter it out, yet thwart DOS attacks by limiting rate of content posting, okay. But then you still have a scaling problem. How much content should you allow any user to put into a system potentially wasting system resources. If I’ve misinterpreted the suggestion to “use methods similar to intelligent mail-sorting,” please elaborate so that I better understand this proposal.

    I think it’s still a useful problem to consider how to make accessible CAPTCHAs as well as improve CAPTCHAs to be more usable by able-bodied good guys. Perhaps in trying to address the accessibility problem, we can come up with a much better alternative to the fuzzy, blurry, unreadable image problem.

  16. Georg Says:

    Evan,

    CAPTCHAs are meant to provide well intended humans with a simple ‘password’ - and that’s what I meant by my wording. Passwords are meant to be kept secret all the way, while CAPTCHAs can at best only separate humans from software. At worst CAPTCHAs separate humans from humans, whether these humans are well intended or not.

    CAPTCHAs and ‘no-barrier followed by AI-filtering’ do not suffer from the same problems, in that the latter isn’t discriminating humans based on how able-bodied they are. I firmly believe the most accessible alternative to “the fuzzy, blurry, unreadable image” is ‘clear text’, and the problems should be dealt with on other levels - sorting the good from the bad.

    The weak point with ‘AI’ is simply the “I” - not much intelligence there yet. However, there’s a lot more intelligence than any CAPTCHA can provide–once we get off the web. The playing-field is too leveled on the web, so my approach would be to keep it plain and open on this playing-field - say “no to CAPTCHAs and other barriers”, and improve AI to do the job usually done by a human administrator, on a level that’s completely outside control from the web.

    We have to put limits on what can be entered from outside - simple and understandable rules and filters with no override. However, the AI behind the surface shall not be ‘locked in’ by rules more than a human counterpart is. All logic says that rules make every system predictable. Whether it’s human or software based doesn’t matter. Ever heard the bad guys play by rules?

    I may simply be too focused on open access, and too aggressive towards both the bad guys and the whole “arms race”. I’d solve problems with access first, and deal with the bad guys later.

  17. brothercake Says:

    Interesting discussion ..

    CAPTCHA is *not* a true Turing test, it doesn’t really test intelligence, it merely tests perceptual skills, which quite apart from being ambiguous in just the ways we’re discussing here, is nothing to do with intelligence. The Post Office uses letter-recognition technology to scan postcodes, and exactly the same technology can crack CAPTCHA tests.

    For the time being, A is the only real answer for me. In the absence of a viable alternative, just don’t do it. It’s the same as generating email addresses in javascript or with images, or using those ridiculous SPAM-proxy filter services that make you write back and confirm that you’re a real person … it’s making other people take responsibility for your problem.

    On a practical level, I’m afraid I have no ideas. I just don’t know how any such system could work without cutting out a proportion of legitimate people.

  18. Marc Wolfgram Says:

    From what I’ve seen on my client’s sites, the autobots blindly fill in all the form fields with a target e-mail address and obscure bcc code in hopes of getting a response. I started using graphic CAPTCHA things, but recently changed to a pop-up list that fails the submit in php if left in its default state.

    This seems to be stopping the spambots while humans actually get to pick something that makes sense, is fully accessible, and adds another bit of useful data to the client.

  19. Rob Says:

    Until there’s a better way to keep spam bots from sending me 100’s of ridiculous and many times offensive emails a month then losing out on an occasional visitor blind or not is worth it. I volunteer my time and pay out of my own pocket each year for the fishing charter referrals I give local boats and if I was strong-armed by any legislation or individual to remove my current captcha then I would rather shut down my website. So basically until there’s a better way I will take that risk of an occasional blind fisherman who I do offer my phone number through my accessible alt image text where I also offer my email in the form whatever at whatever dot com. I don’t see any problem with Yahoo or any other sites who use the captcha because there are a plethora of other ways for people who can’t use captcha or the audio version and this is just a group of people very eager to sue and/or complain. BTW, I am disabled and I don’t expect people nor care if people don’t change their accessibility for my sake. I worked on a fishing boat and have gladly helped the occasional fisherman in a wheelchair or other need to get on the boat and fish and they were perfectly happy and weren’t there to bitch out the captain or myself for not making the boat perfectly wheelchair friendly. Most persons I have met with disabilities including myself would rather tough it out as to make businesses and now even websites change how they run their business for me. Yahoo and other sites offer multiple ways to contact them and shouldn’t have to endure millions of pieces of junk email every hour just because their most effective tool for spam offends any individual or group. We need to focus more on less attorneys and protecting companies like Yahoo from frivolous content like this website offers. Instead of sitting around blogging get out and get some fresh air.

  20. Tom Says:

    CAPTCHA at yahoo is driving me crazy. Unless they find a less intrusive approach and address my complaints they will soon lose me as a paying customer. –Tom

  21. justaddwater.dk | CAPTCHA usability: Humane alternative to CAPTCHA Says:

    […] So, much of this is learning from usability: Stop hurting the users! There are so many problems with traditional CAPTCHAs described already by me, Roger Johannson, Peter Krantz, Michael Mahemoff, Bob Easton, Christian Heilmann. […]

  22. Jason Bratcher Says:

    I had a real disheartening experience on a website with captcha.
    I was asked to “Check all of the boxes with a picture of Mario.”
    I know who Mario is; he’s a video game character, but I do not even know what he looks like, so I fail the captcha without question. Try registering for the forums at V G Music and see for yourself.

