Listed on

Campaign to Kill Captcha

Most of us would like to see CAPTCHA gone - and now there is a petition calling for it (http://www.change.org/en-AU/petitions/it-s-time-to-finally-kill-captcha-2). CAPTCHA is inconvenient if you have full use of your senses and impossible for people with some disabilities. However, at least one of the alternative solutions is worse than the disease. The e-mail activation link.
The idea behind e-mail activation is that a web site sends a link to an e-mail address and the recipient clicks on it to prove that they are who they say they are. When this is used to verify an e-mail address as part of verifying the identity of a new user this is acceptable, sensible and doing what it is designed to do.

CAPTCHA attempts to do something entirely different. CAPTCHA is an attempt to set a problem that humans are much better at than machines. CAPTCHA is a tool to determine whether you are more capable than a computer algorithm. It is a tool for classifying the user not identifying the user.

Algorithm’s can have e-mail addresses; in fact it is very easy for them to have e-mail addresses and ‘click’ the links in them.

E-mail activation is not a drop in replacement for CAPTCHA when CAPTCHA is used for its original purpose. CAPTCHA can also be used when people do not want to reveal their identity or where a service does not want to collect identity information - it is hard to have stolen what you don’t have in the first place.

Finally, e-mail activation lends itself to attacks on your system’s e-mail reputation. An algorithm can easily request validation of a lot of e-mail addresses generating spurious e-mails to 3rd parties. Regardless of whether these e-mails are complained about they are likely to become entries in anti-spam algorithms - and then your mail server becomes a candidate for black listing. Getting off these black lists is hard - firstly you may not even know you are on one and secondly finding the procedure to get off the list depends on knowledge that is often hard to acquire.

This campaign (http://www.change.org/en-AU/petitions/it-s-time-to-finally-kill-captcha-2) targets one of the few access control technologies that take any note of accessibility in the first place, having both audio and visual alternatives as part of its design. This campaign sends a poor message to the designers who had to work harder to make something more accessible for - from the designers’ point of view - a relatively small percentage of users.

We need a better and well thought out alternative to just killing CAPTCHA - it has to be easy to deploy, reasonably resistant against algorithms, not result in undesirable identity leakage and not have hard to rectify side effects. Improved accessibility is a laudable goal, but it takes time and effort to do well, merely killing CAPTCHA is likely to result in a worse mess.




There is an underlying article from the World Wide Web Consortium (http://www.w3.org/TR/turingtest/). Unfortunately my experiences with spam reduction technologies are at variance with theirs. This is probably based on a difference in perspective coming from a mail server operators rather than a users.