re: CAPTCHA: I’m not a robot
Mục Lục
re: CAPTCHA: I’m not a robot
“Select all squares with crosswalks” — did it trigger a slight discomfort? You have probably seen this tricky brain teaser pop up on websites before you can press the “submit” button, and there is a special acronym for it: CAPTCHA.
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
I came across this acronym recently in Inclusive Design for a Digital World by Regine Gilbert and its relation to accessibility. I was inspired to learn more about CAPTCHAs and alternative accessible-friendly technologies for bot-detection.
History
CAPTCHAs were first created as a program in the early 2000s by Luis von Ahn and his team at Carnegie Mellon University as a way to filter out bots that were pretending to be humans on the internet (i.e., spam).
From CAPTCHA → reCAPTCHA
The earliest CAPTCHAs consisted of an image with warped and distorted text usually randomly generated word(s). However, because these words were random and consisted of no context, they neglected the human element in the word-verification process…and the goal of CAPTCHAs is to detect that the user is human and not a bot.
On top of this issue, companies such as 2Captcha and DeathByCaptcha, started creating CAPTCHA repositories — people were paid to solve CAPTCHAs for less than a cent per word.
CAPTCHA v1
Google acquired CAPTCHA in 2009 and relaunched this bot-detection technology as reCAPTCHA v1, which was similar to CAPTCHAs, but instead, translated images of words and numbers from real (physical) texts, such as archives of The New York Times, into plain digitized text. It also leveraged Optical Character Recognition within the verification process.
The original reCAPTCHAs consisted of a pair of words in the human vs. bots verification process. The “control” word was built to be decipherable by computers via Optical Character Recognition, and the “unknown” word was used as the human verifier (aggregated verification from a large database).
reCAPTCHA has since evolved to v2 and v3 — v2 (a.k.a. No CAPTCHA ReCAPTCHA), released in 2014, does not ask users to type in text from images, but instead, requests that users click a checkbox and leverages an Advanced Risk Analysis to evaluate their activity on the website during and before the verification process. Oftentimes, users were prompted to complete an activity if the risk analysis does not pass a threshold.
This version was more mobile-friendly, with the introduction of image matching prompts.
However, have you ever come across something like this reCAPTCHA below… what do you do? I just got a bit dizzy.
reCAPTCHA (v2) that looks like an optical illusion
In 2018, Google released reCAPTCHA v3, which does not contain any checkboxes or picture-matching tasks. Instead, the reCAPTCHA is invisible — there is an API script embedded in a web page and, when triggered, generates a score (0.0 to 1.0 — bot to human) based on user behavior based on adaptive risk analysis. However, it is up to the webmaster (of the website that embedded the script) to determine the safety threshold of the website. There are also concerns, as Google is collecting user data from a hardware and software perspective.
Here is a demo of → https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php
To address the privacy issue, the HUMAN Protocol Foundation introduced hCaptcha to the public in 2021, claiming that it does not, unlike Google, sell personal user data.
All in all, critics believe that artificial intelligence can crack the bot-detection system via reinforced learning and other niche algorithmic techniques. There will likely be shifts and opportunities in this space.
What about accessibility?
Remember at the beginning of this post, I asked you to dream up an image of a crosswalk CAPTCHA? Did you feel discomfort? The discomfort is a signal of inaccessibility — are CAPTCHAs at its core, ever really accessible (i.e., built for real users)? Or were they founded from a bots-first approach (i.e., built for bots)?
Because CAPTCHAs originally relied on deciphering text from images, this prevented visually impaired people from using them. It led to the creation of audio CAPTCHAs, which are more inclusive but are still impediments for people who are blind and deaf.
An alternative for CAPTCHAs is the introduction of MAPTCHAs, where verification is based on solving mathematical problems rather than interpreting imagery; however, this alternative also creates a potential impediment for people with cognitive disorders.
In summary…
There seems to still be more work to be done on creating a type of bot-detection tool that is more a) AI-resistant b) and user flow/webmaster friendly, c) private, and most importantly, d) accessible from a human-first approach.