Why CAPTCHAs are evil

Have you ever signed up for an internet forum or web app? Chances are, you've seen a CAPTCHA: a little image with distorted letters demanding that you prove that you are human. Or is that what it is really asking? Perhaps instead, it's asking that you prove that you're sighted.

Phoney Security

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), are supposed to prevent automated computer programs from posting spam messages on public forums. It's a kind of Turing test that assumes that computers cannot pass.

Advantage: OCR

This is far from the truth. Optical character recognition (OCR) is getting pretty good at this, and the various attempts at making this more difficult usually cause more problems for humans than computers. Adding noise to the image can be filtered out, and colours can be scanned.

Let's assume that the standard "what letters do you see?" CAPTCHAS can be broken by computers, with a little work. As can be seen from an article in WIRED discussing Ticketmaster's CAPTCHAs, large scale, automated circumvention has been lucrative for years now.

How easy is it for humans?

There are a number of cases where CAPTCHAs actively discriminate. Are you blind? Tough luck. We can forward you to an audio version, which is even worse. Are you dyslexic? If you have trouble reading words in a consistent font face, how easy is it to read deformed letters? Not so easy. What about people with poor motor control? They may need to use a toggle switch to manually type in your letters. This is a major inconvenience to sign up for an account.

The Arms Race

The next step in the arms race is to present the user with some images, and ask them to categorize them. This steps out of the realm of OCR, a mapping of image to characters, and into knowledge systems. This requires some domain specific knowledge, and potentially culture specific knowledge.

This adds additional problems, like when users are asked to select all the phone images. Telephones from the 1980s and earlier, especially early cordless and mobiles, look nothing like telephones today. Iconography relies heavily on cultural knowledge, and can easily lead to problems.

The Mechanical Turk

The other problem of course, is that there may be little distinction between malicious computer programs, and systems that employ a human factor. An automated system could serve up these CAPTCHA images in real time to human agents, who can solve them and pass them back to the system. Perhaps this doesn't scale as fast as a purely automated solution, but the fundamental issue is still there.

The Recommended Solutions

The W3 Web Content Accessibility Guidelines recommend, very broadly, a text-based cognitive test, to be offered as an alternative to either a visual or audio test. I've tried using an audio captcha once, but it was interfering with the JAWS screen reader I was testing at the time.

Oh, the irony!

The irony is that many users who rely on assistive technologies also use browser plugins to help bypass captchas. They take advantage of the fact that captchas don't work in order to gain access.

I would argue that the concept of captchas is fundamentally flawed. As the captcha technology becomes more sophisticated, so do the attacks. The problem is that with each stage of the arms race, successfully completing these tasks becomes more difficult for humans. CAPTCHAs don't address the real problem. The problem isn't determining whether a human is physically present on the end of a web browser. The problem is behavior based. What particular behaviour is a captcha intended to prevent? Spam messages on a forum? Unsolicited bulk email? Why not address these issues directly, rather than with a CAPTCHA?

Solving the Real Problem

There is existing technology to grade messages with heuristics. Spam filters have gotten quite good. If messages from a new member of your site are also held in a moderation queue, there can be an additional check for appropriate content.

You can also analyze the browsing behaviour. What patterns emerge? For a social site, how much time is spent on existing content? For an auction site, how much time has been spent looking at different items? For certain types of sites, such as local auction sites, there may not be enough behaviour to adequately analyze, especially if a user does not need to create an account in order to participate.

Why are CAPTCHAs so prevalent? They're available as third-party developer libraries, and don't require any changes to system architecture. It's a band aid solution to the wrong problem.