hCaptcha Technical Architecture
This is a multi-part series that details the business and technical architecture of hCaptcha, the drop-in replacement for reCAPTCHA that pays website owners.
This post details how hCaptcha works on a technical level, in the interest of providing more transparency to our users and to communicate our thinking on how to build a secure and valuable service.
Note: hCaptcha is under active development and details may change in the future.
First, a quick recap
The hCaptcha service is designed to produce datasets for machine learning. It does this by providing a useful service to website owners. Protecting their sites from non-human actors and bots via a captcha lets hCaptcha use work from site visitors that would otherwise be unproductive effort.
Everyone benefits from this:
- Website owners secure their site by placing a captcha challenge to protect against unwanted bot/spam traffic. They receive protection and compensation by using hCaptcha.
- Website visitors enjoy a site with less spam and fewer bots.
- Labeling requestors get high-quality human annotations for their machine learning needs.
High Level Design
From a broad perspective, hCaptcha automates and secures datasets and transactions that take place.
- What sort of task is this? (e.g., “add labels representing what this image consists of,” “is this translation accurate?”)
- Where can related resources be found? (e.g., location of images for image tasks)
- What is your maximum bid amount for the execution of this job on our network?
We then aggregate these job requests and provide them in the form of captcha tasks served up by the websites that use our service.
Website owners are a crucial part of this infrastructure. To incentivize them to help in this process, we use the funds in escrow provided by the requestor to pay site owners in proportion to the correct answers supplied by their users.
Detecting Human Users
A common question that arises is: “how does hCaptcha know the answers to user-submitted, generic tasks if a human has never been involved?”
The answer is by combining a number of different techniques:
- Keeping track of human users vs. bot users over time and presenting them with captchas depending on their reputation.
- Using information from the client-side environment, such as browser data, mouse movements, and gyroscopic behavior.
- Presenting tasks multiple times in various forms, and comparing the answers via statistical analysis.
- Using some of the latest machine learning techniques to enhance all of the above and verify the answers.
We have additional thoughts on how to improve this process down the road — this is just the beginning.
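As an added illustration (not hCaptcha's own code), the sketch below combines two of the techniques listed above: each task is answered by several respondents, and answers are weighted by a per-respondent reputation score before a consensus is accepted. The thresholds, the update rule, the starting reputation and all sample data are assumptions made for this example.

```python
from collections import defaultdict

DEFAULT_REP = 0.5  # assumed starting reputation for an unseen respondent

def aggregate(responses, reputation, min_votes=3, min_confidence=0.7):
    """Reputation-weighted vote per task. Returns {task: (answer or None, confidence)}."""
    weight = defaultdict(lambda: defaultdict(float))
    votes = defaultdict(int)
    for task, user, answer in responses:
        weight[task][answer] += reputation.get(user, DEFAULT_REP)
        votes[task] += 1
    out = {}
    for task, by_answer in weight.items():
        best, w = max(by_answer.items(), key=lambda kv: kv[1])
        total = sum(by_answer.values())
        conf = w / total if total else 0.0
        # Too few answers or a contested result: leave unresolved so it is served again.
        ok = votes[task] >= min_votes and conf >= min_confidence
        out[task] = (best if ok else None, conf)
    return out

def update_reputation(responses, consensus, reputation, step=0.1):
    """Nudge reputation toward 1 on agreement with an accepted answer, toward 0 otherwise."""
    new = dict(reputation)
    for task, user, answer in responses:
        accepted, _ = consensus[task]
        if accepted is None:
            continue  # no accepted answer yet, so nobody is rewarded or penalised
        r = new.get(user, DEFAULT_REP)
        new[user] = r + step * ((1.0 if answer == accepted else 0.0) - r)
    return new

# Constructed sample data: (task, respondent, answer) and prior reputations.
REPUTATION = {"u1": 0.9, "u2": 0.8, "u3": 0.7, "x1": 0.2, "x2": 0.2}
RESPONSES = [
    ("img1", "u1", "cat"), ("img1", "u2", "cat"), ("img1", "u3", "cat"),
    ("img1", "x1", "dog"), ("img1", "x2", "dog"),
    ("img2", "u1", "dog"), ("img2", "x1", "cat"), ("img2", "x2", "cat"),
    ("img3", "u1", "car"), ("img3", "u2", "car"),
]

if __name__ == "__main__":
    consensus = aggregate(RESPONSES, REPUTATION)
    for task, (answer, conf) in consensus.items():
        print(task, answer, round(conf, 3))
    print(update_reputation(RESPONSES, consensus, REPUTATION))
```

In the sample, `img1` is accepted even though a plain 3-of-5 majority would fall below the threshold, while `img2` stays unresolved because two low-reputation respondents agreeing with each other contest the single trusted answer.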
There’s so much we want to do with this and we are working towards these goals as quickly as possible:
- Open-sourcing the components of our technology in the interest of security, transparency, and customization.
- Adding different types of challenges so our vision of a “human protocol” can be fully realized.
- Listening to our customers to determine what improvements will be most valuable to them.
- Using all of the knowledge and data we gain to apply this concept to other problem domains not yet served.
In the near future we also intend to release a whitepaper covering the design, to improve transparency and security and to share our ideas and tools with the world.
If this is interesting to you, get in touch! We’re looking for talented individuals that are excited by this mission to help us build it out.
We’re also looking for both sides of the equation described above. If you can benefit from our services — get signed up!