Capturing the Problems with CAPTCHA

Caroline Plotner
6 min read · Mar 12, 2023


CAPTCHA — a nifty acronym for the somewhat less palatable ‘Completely Automated Public Turing Test to tell Computers and Humans Apart’ — is a ubiquitous security feature that every internet user has undoubtedly encountered. For those not in the know, CAPTCHAs consist of an assortment of tests used to distinguish between humans and computers — the rationale being that a human user will be able to decipher that crackly text or pick the bicycles out of that blurry street image, while computers are typically not able to do so. Here’s one on Wikipedia’s website, and here’s what Google has to give.

CAPTCHAs can be highly useful in preventing malicious activity, like stopping storms of bots from buying and hoarding concert tickets for resellers to scalp; that’s why they’ve become so prevalent and why web developers, owners, and companies are so reluctant to accommodate. However, they create new problems for users with unique access needs. CAPTCHAs pose selective access concerns and are particularly prone to improperly denying access to individuals with disabilities, but assistive outsourcing to other humans can help ameliorate the problem, as can new programs that rely on background behavioral analysis strategies rather than presenting challenge-response tasks.

Within industrial design, there’s a concept known as affordance — for instance, a standard chair encourages humans to sit and allows humans to instead use the chair as a step-stool or table. A doorknob at waist level requests that people turn the knob with their hands; it actively discourages but does not refuse using feet or elbows instead. And as the digital world has grown and evolved, this affordance principle has extended to programming as well. Web programs afford various actions and uses in different ways. Gmail, for instance, demands that users make an account to send an email, and refuses access to an account if the correct password isn’t entered.

Traditional CAPTCHAs demand that users engage with and solve the CAPTCHA interface in order to proceed to the site, and they refuse access if a user has not satisfactorily done so.

This poses a number of problems: first, that certain users who shouldn’t be able to access the site are still able to do so, and second, that certain users who should be able to access the site are unable to solve the CAPTCHA and thus cannot access the site.

As with most features that refuse a certain activity, the refusal is not absolute — it’s often possible to circumvent the refusal and shift it into merely a discouraged activity. For instance, a locked door may ostensibly refuse access to individuals without keys, but this refusal can be morphed into a discouragement — it may be possible to pick the lock on the door with a binder clip but no key, or to physically batter and remove the door itself.

This is true for CAPTCHAs as well. Not only can some computer programs successfully solve them independently, but human CAPTCHA mills have sprung up in low- and mid-income countries like China. These mills employ mass scale human labor — humans spend the entire work day solving CAPTCHAs within seconds, on behalf of individual programs, and then hand control back over to the program so they can focus on the next program’s request. A single human CAPTCHA cracker can solve thousands of CAPTCHAs a day at a marginal cost and for resultantly low wages. Retail prices for solved CAPTCHAs can be as low as $1 USD per thousand solves—and that doesn’t include the middleman’s cut.

Setting that aside for a moment, CAPTCHAs can also pose a serious accessibility barrier to young users, old users, users from other cultural backgrounds, and particularly users with disabilities. Such users are often entirely incapable of solving visual, auditory, or problem-solving CAPTCHAs — for instance, if they have a seeing impairment, hearing impairment, or intellectual or learning disability. If they are able to solve and pass the CAPTCHA at all, it is likely to be a serious and time-consuming imposition rather than the ten-second diversion that CAPTCHAs pose for ordinary users. CAPTCHAs need to be modified for their use, yet rarely are.

This paradigm may seem contradictory, but it’s not. Users with the knowledge and means to maliciously bypass CAPTCHA aren’t necessarily the same users who are unable to solve CAPTCHAs on their own and in the conventional way—in fact, they’re almost wholly separate groups. CAPTCHAs, then, ultimately prevent access by qualified human users who ought to have access, and yet are not impregnable to malicious infiltration that ought to be blocked. They also enable exploitation of workers in low-income countries with insufficient labor protection, which is hugely problematic.

Here’s a novel solution idea — what if we were to utilize outsourced human computation and intervention, in the same way that malicious profiteers do, to address the disability CAPTCHA barrier? No doubt, individual users already outsource — for instance, they may call over a friend or family member to their desk to help — but strangers introduce new flexibility and efficiency into the matrix, allowing immediate assistance at any hour and in any place. Apps like Be My Eyes allow visually-impaired users to video call an unimpaired user for help — for instance, the impaired user can point their phone at a carton of milk and the seeing user on the line can identify whether the expiration date has passed or not. The company reports that, to date, 6,359,926 human volunteers have signed up to assist vision-impaired users, and that assistance can be provided in over 180 distinct languages. Testimonials on the App Store reflect grateful seeing-impaired users and fulfilled volunteers—one person reported enthusiastically that, despite being hard of hearing and using automatic captioning on their phone, they were able to successfully assist a seeing-impaired user.

One thing I was worried about while registering was the fact that I am actually quite hard of hearing, but my fears were completely unfounded! This app synchronized perfectly with my iPhone’s subtitles feature and I congratulate Be My Eyes on enabling the deaf to lead the blind! 5 stars for sure!!! —Liz4rd8991.

This sort of service could be easily utilized for CAPTCHA solving, where the seeing user solves or assists in solving the CAPTCHA for the impaired user, either through an existing app or through a new CAPTCHA-specific designation. If computer programs outsource, why not humans with disabilities?

In the long term, web accessibility experts recommend shifting to have multiple CAPTCHA options or, ideally, have CAPTCHA programs that run in the background analyzing overall behavior and engagement — how long a user spends on a page, which page they came from, how long it takes them to fill out the page—rather than those that require user engagement with and response to input, known as challenge-response tasks.

New programs, like Google’s reCAPTCHA v3, comply with the new web accessibility standards and require no user interaction to verify personhood. Google is market-dominant, giving them tremendous influence over CAPTCHA’s future direction, and developers have responded by shifting to new reCAPTCHA versions and adopting other programs that comply with guidelines.

However, researchers caution that atypical users may have atypical behavior in this regard as well, and take longer to parse information or move at an irregular pace. Disabled users share the concern.

Companies like Google, who have long provided commonly-used CAPTCHA services, have been working hard on a next-generation approach that combines a broader analysis of user behaviour on a website. Called reCAPTCHA v3, it is likely to use a mix of cookies, browser attributes, traffic patterns, and other factors to evaluate ‘normal’ human behaviour — although Google are understandably being cagey about the details.

So hopefully by now you get the bigger picture. Hopefully you’re saying to yourself, “Ah, but will the clever analysis cater for users who aren’t so average or will they once again be excluded by not being ‘normal’ enough?” Excellent question — I’m glad you’re on your game and on-board.

For example, will I, as a blind keyboard-only user of a website, be flagged as a bot and banished? Will a similar fate befall switch users (like the late and much missed Prof Stephen Hawking) who use certain software settings to methodically scan through a page? Dragon users issue voice commands that instantly move the mouse from one position to another in a very non-human way. I could go on. —Robin Christopherson.
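
The concern above can be made concrete with a toy scorer that uses only the three background signals this article names: time on page, referring page, and form-fill time. This is an added example, not code from reCAPTCHA or any real product; the weights, thresholds and sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Session:
    label: str                 # constructed description; never used for scoring
    seconds_on_page: float     # how long the user spent on the page
    same_site_referrer: bool   # whether they arrived from another page on the site
    seconds_to_fill: float     # how long the form took to fill out

# Assumed "typical" bands; real products do not publish theirs.
TYPICAL_FILL_SECONDS = (5.0, 120.0)
MIN_SECONDS_ON_PAGE = 3.0

def human_score(s: Session) -> int:
    """Toy score from 0 to 100; higher means closer to 'typical' behaviour."""
    score = 0
    if s.seconds_on_page >= MIN_SECONDS_ON_PAGE:
        score += 30
    if s.same_site_referrer:
        score += 30
    low, high = TYPICAL_FILL_SECONDS
    if low <= s.seconds_to_fill <= high:
        score += 40
    return score

def hard_block(score: int) -> str:
    """Single threshold: anything short of 'typical' is refused outright."""
    return "allow" if score >= 70 else "deny"

def tiered(score: int) -> str:
    """Middle band is offered another way to verify instead of being refused."""
    if score >= 70:
        return "allow"
    return "step_up" if score >= 30 else "deny"

# Constructed sample sessions.
SESSIONS = [
    Session("typical visitor", 40.0, True, 25.0),
    Session("scripted client", 0.4, False, 0.3),
    Session("switch-access user", 600.0, True, 480.0),
    Session("screen-reader user via bookmark", 300.0, False, 200.0),
]

def compare() -> dict:
    """Map each session label to its (hard_block, tiered) decisions."""
    return {s.label: (hard_block(human_score(s)), tiered(human_score(s)))
            for s in SESSIONS}

if __name__ == "__main__":
    for label, (hard, soft) in compare().items():
        print(f"{label:32} hard={hard:6} tiered={soft}")
```

Under the single threshold both assistive-technology sessions are refused along with the scripted client; under the tiered policy they land in the `step_up` band, which is where an alternative verification option would be offered.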

The CAPTCHA situation continues to improve as technology evolves and web accessibility experts make headway. However, progress is slow, and in the meantime, out-of-the-box solutions like human computation offer a lifeline.
