Stop using CAPTCHAs. It’s time to switch to DLT: Design, Limit and Trapdoor.
“[a certain website] has the evil bad wrong Google reCaptcha on the edit page to stop disabled users, so screw it. Google’s reCaptcha seems to be spreading again, obstructing more people on more websites. Is there a reason for that? The re in reCaptcha stands for replace with real anti-spam, please!”
I wrote the above about two years ago and it’s not getting any better. I’ve written similar things over the last ten years, as have many others, and I’ve always sought to avoid using physical ability tests as a way to cut down spammers.
Why do people keep reaching for the reCaptcha non-captcha, or things that use similarly bad eyetests, like Mollom? Yes, most online messages may be spam, but physical ability tests do nothing to test for spam. They try to detect computer submissions (the TCHA in CAPTCHA stands for Telling Computers and Humans Apart), but that’s exactly wrong when the computer is helping someone with a disability to access the internet.
People from the home of the CAPTCHA describe access for sight and hearing-impaired users as “an important open problem for the project” (Luis von Ahn, Manuel Blum and John Langford. Telling Humans and Computers Apart Automatically. In Communications of the ACM). Until that problem is closed, CAPTCHAs should be considered defective and removed whenever possible.
What webmasters should do instead is DLT:
- Design it well: Set up sites so the spammers cannot get a quick win in the first place. Configure permissions and things like that so people have to do some work before they are trusted to post links. This is similar to the basic theory behind my Open Activism paper Fighting in the Shadows. This is much easier to do if the system is Free and Open Source Software (FOSS), too.
- Limit the damage: include rate limits to stop one person causing you lots of work: even with computer-assistance, few people need to post 10 forum messages every minute. Join up in co-operative anti-spam networks like blogspam.net so if they hurt you, others can see them coming. Again, it’s easier to hook into a network if you’re using FOSS.
- Trapdoor: keep a way for people to contact you if they are really blocked by your design decisions and limits, and keep a way to exempt them from the limits if needed. Make it welcoming, because disabled users are tired of reporting barriers to webmasters who don’t care and will never fix the web. A good multi-step, eyetest-free contact form is a basic way to do this.
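The Limit step above can be sketched as a simple per-sender rate limiter. This is only an illustration of the idea, assuming an in-memory store and the “10 posts per minute” threshold mentioned; the class and parameter names are mine, not part of DLT:

```python
import time
from collections import deque

class RateLimiter:
    """Reject posts from a sender who exceeds max_posts within window seconds."""

    def __init__(self, max_posts=10, window=60.0):
        self.max_posts = max_posts
        self.window = window
        self.history = {}  # sender -> deque of post timestamps

    def allow(self, sender, now=None):
        """Record a posting attempt; return True if it should be accepted."""
        now = time.time() if now is None else now
        posts = self.history.setdefault(sender, deque())
        # Drop timestamps that have fallen outside the window.
        while posts and now - posts[0] > self.window:
            posts.popleft()
        if len(posts) >= self.max_posts:
            return False
        posts.append(now)
        return True
```

A real deployment would key on something harder to rotate than an IP address and persist the history, but the shape of the check is the same.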
Have you tried this? Have your experiences been as good as our co-op’s? Are there sites you don’t think it would work for? A comments form is on the original of this article, as ever.
A public email form I’ve done for a company sends messages straight through, _unless_ they contain links, in which case the sender needs to verify their “humanity” by solving a CAPTCHA. It seems to work well, since it is non-intrusive unless links are found (and links have few if any legitimate uses here).
In this case, there is no real way to ensure a user has “done some work” (point 1) before link posting is allowed (or, seen in another way: the work is solving the CAPTCHA).
I’m not saying CAPTCHAs are golden, I’m just stating that I believe they still have applications.
@Daniel – I hope the public email form warns people that they mustn’t send links if they want to avoid a physical ability test (if that’s what you’re using).
I’ve discarded one anonymous comment (http://www.news.software.coop/comments-policy/) which basically asked what’s wrong with reCaptcha and suggested it was better than others. In short: reCaptcha is not a CAPTCHA because it tests physical abilities (a hearing test is not an accessible alternative to an eyetest, just like a pull-yourself-up-a-rope strength test is not an accessible alternative to a flight of stairs); also, the text served by Google to some browsers is rather offensive (“We need to make sure that you are a human. Please solve the challenge below, and click the I’m a Human button”) to people who fail it and it can’t be changed by webmasters. Would any good webmaster really put a message that basically says disabled=inhuman on a website?
http://textcaptcha.com is better than most, but still shouldn’t be used if you can find another way.
Perhaps reCAPTCHAs are used because they are easy to set up (for the site) and deemed good enough (no, I don’t have evidence for either claim). Being good enough probably means minimising a cost function in which setting up the system costs quite a bit, each spammer causes a small cost and each user prevented from using the site causes a major cost. Still, there may be a sweet spot for whatever grand objective the site is optimising (profits? social effect?) that excludes some disabled people. I agree that it’s sad, unjust and an error in the universe if that happens, but what can you do? It may still be the rational thing to do, and I can see only two ways out: invasive legislation, or someone building and releasing an alternative system whose cost to the site in question is even smaller.
We are graduates from UC Berkeley, and we recently launched an alternative to text-CAPTCHAs. Our image-identification CAPTCHAs are very user-friendly and highly secure. We do rate limiting and so on internally.
As Daniel pointed out, we might not remove them completely, but we can make them better in usability and ready for post-PC devices, so the friction is reduced.
@Satish – isn’t image-identification still impossible for (for example) blind people, so inherently evil, bad and wrong?
@Sami – what you can do is fight the injustice. I believe it is never rational to discriminate unnecessarily, but I agree on the two ways out: we already have legislation (the Equality Act) which should be enforced more strongly (thereby increasing the cost of reCAPTCHA-like systems to users – some five- and six-figure fines would change some minds) and there are better alternative systems such as blogspam and textcaptcha which I have outlined above. How else can we promote them?
Having to do some work before posting links won’t help the problem – spammers don’t stop if links don’t work, and the administrators still have to remove the spam by hand…
On the couple of very low-traffic websites I run, I use a simple system that is invisible if the browser has JavaScript; otherwise it requires the user to add two 1-digit numbers correctly to post. Since my websites are insignificant, no spammer has spent time working around this (the system rejects tens of posts per day, if not more), but the nice thing about the solution is that to thwart it completely, spambots would need to run some JavaScript that I control, which gives me some leverage in case they ever wanted to get smarter about it.
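One way such a scheme might look server-side, sketched under my own assumptions (the HMAC token, the secret and the function names are not from the comment above). The token lets a stateless server verify the answer later, and a page script can fill in the sum so users with JavaScript never see the question:

```python
import hashlib
import hmac
import random

SECRET = b"change-me"  # assumption: a per-site secret key

def make_challenge():
    """Pick two 1-digit numbers plus a tamper-proof token for the form."""
    a, b = random.randint(0, 9), random.randint(0, 9)
    token = hmac.new(SECRET, f"{a}+{b}".encode(), hashlib.sha256).hexdigest()
    return a, b, token

def check_answer(a, b, answer, token):
    """Accept the post only if the token is genuine and the sum is right."""
    expected = hmac.new(SECRET, f"{a}+{b}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token) and answer == a + b
```

Without the HMAC, a bot could replay one known question/answer pair forever; signing the question closes that hole without server-side session state.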
But there must be something I am missing, since everybody isn’t using that simple scheme 🙂
@Adam – I don’t understand: if spammers haven’t done work, so aren’t allowed to post links, their link-filled posts will be rejected and there’s nothing for administrators to remove.
I suspect spammers would attack the number puzzles if your sites became popular enough for them to target, but mixing them with textcaptcha.com might be a viable approach and make the spammers run the JavaScript. It’s not quite as good as DLT because it makes some legitimate users do extra work every time, and it’s still basically an arms race with the spammers, but I can see some interesting possibilities if you can make spambots run programs that you specify!
I was reminded of my own idea for solving the spam problem for email and web comments after reading this article.
I’ve written it up and posted it here if you are interested.
Essentially, the idea is to make writing a comment computationally expensive in a way that the recipient can verify quickly. A non-spammer can afford that expense as they are only writing one comment. The spammer, writing millions, cannot afford that expense.
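That idea is essentially hashcash-style proof of work: the sender searches for a nonce that makes a hash of the comment start with a run of zero bits, which is expensive to find but cheap to check. A minimal sketch, with the hash function and difficulty as illustrative assumptions rather than the commenter’s actual scheme:

```python
import hashlib
from itertools import count

def verify(comment, nonce, bits=16):
    """Cheap check: does sha256(comment:nonce) start with `bits` zero bits?"""
    digest = hashlib.sha256(f"{comment}:{nonce}".encode()).digest()
    value = int.from_bytes(digest, "big")
    return value >> (256 - bits) == 0 if bits else True

def mint(comment, bits=16):
    """Expensive search: try nonces until one verifies (~2**bits hashes)."""
    for nonce in count():
        if verify(comment, nonce, bits):
            return nonce
```

Raising `bits` by one doubles the average minting cost while leaving verification constant, which is the asymmetry the comment relies on.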
@Onus Probandy – I’d leave this as a comment on your website, except you use the broken Google Blogger, which doesn’t allow me to comment (why aren’t you using your own system?). Basically, how does that work without JavaScript permission? I use noscript.net to stop dodgy code running in my browser, and I also have low-power mobile devices that don’t run JavaScript (to reduce power consumption and prolong battery life).
I also disagree that computations are a sufficient deterrent: a non-spammer may afford that expense, but spammers are being paid real money, so if the target site is worthwhile and there’s no cheaper alternative to spam, they’ll pay this expense (or steal the computational effort from a botnet). I think you need to Design in a requirement for work that is useful to your site, not throw-away computations… and you still need to test for spamminess in order to Limit the damage if they do get through the design.