Re: 48-Hour Call for Consensus (CfC): Publish CAPTCHA Wide Review Draft

From: Janina Sajka <janina@rednote.net>
Date: Sat, 2 Feb 2019 09:16:06 -0500
To: Devarshi Pant <devarshipant@gmail.com>
Cc: W3C WAI Accessible Platform Architectures <public-apa@w3.org>, Accessible Platform Architectures Administration <public-apa-admin@w3.org>, public-rqtf@w3.org
Message-ID: <20190202141606.GA2186@rednote.net>

Thanks, Devarshi. A few more remarks below.

Devarshi Pant writes:
> Hi Janina,
> 
> +1 on support.
> 
Thanks.

> My comments follow inline.
> 
> > I think the heading titled, '3. Stand Alone Approaches' could be clearer.
> > If the intent is to list different CAPTCHA types, then that could be
> > conveyed in the heading.
> >
> Do you have a specific suggestion here?
> 
> ***Something along the lines of: *
> *"3. CAPTCHA Verification, Implications and other Analogous Techniques."*
> 
> **********
> I think saying 'Stand Alone...' could be construed to mean verification
> techniques that are not integrated with the application.
> 
> 
OK. We'll take up your suggestion with the group. My initial reaction is
that it simply describes what the entire document is discussing, though.

The intent of "Stand Alone" is to group solutions that are, or could be,
deployed without involving third parties like Google, Microsoft, etc.

> Among the implicit points is the possibility to identify a human
> individual, without identifying which specific human individual. We're
> suggesting biometrics could do this, though that's not how they're used
> today to the best of our knowledge.
> 
> Is that what you're suggesting needs more elaboration?
> 
> ***Yes, and, if possible, list the type of traits to help **AT users
> leverage biometrics depending on their disabilities**. My understanding is
> that biometrics verification can be broad ranging from DNA to face
> recognition and everything in between. *
> 
I'm thinking we cover this by noting both the U.S. and E.U. requirements
for allowing users the opportunity to pick a biometric that suits
them better, i.e. disallowing restricting the biometric feature to a
single human characteristic.


Again, we'll take it up, though.

> Indeed, such dual-factor strategies are common for user authentication.
> But, as we discuss in several ways, our purpose is the identification of
> a human user without identifying the specific human user. I'm not sure
> how one would do that with SMS and/or phone calls.
> 
> ***I was looking at a specific use case where a primary phone number is
> used for identification. Refer -https://secure.ssa.gov/RIR/CaviView.action
> <https://secure.ssa.gov/RIR/CaviView.action>*
> 
Sure, but this is a very different use case. SSA needs high confidence
that it is communicating with a specific individual. In the case of
CAPTCHA we want to encourage strengthening the situation where all you
should know on the server end is that the user is human and not a robot.

I think what I'm getting from this conversation, though, is that we
don't explicitly address the common use case where you do want a
specific individual identified, yet want to somehow acquire high
confidence that it's not a robot, i.e. you want someone identified by
name and email when posting to a blog. I'll look again at our text from
this perspective and bring it up with the group.

Thanks for this helpful conversation.

Best,

Janina

> 
> thanks!
> 
> On Fri, Feb 1, 2019 at 12:31 PM Janina Sajka <janina@rednote.net> wrote:
> 
> > Hi, Devarshi:
> >
> > While you did not indicate either support or opposition to the proposed
> > publication, I do thank you for your comments. I'm responding inline below
> > and copying this email to the main APA list and to the RQTF list where this
> > updated CAPTCHA note was developed.
> >
> > Devarshi Pant writes:
> > > my 2 cents:
> > >
> > > I think the heading titled, '3. Stand Alone Approaches' could be clearer.
> > > If the intent is to list different CAPTCHA types, then that could be
> > > conveyed in the heading.
> > >
> > Do you have a specific suggestion here?
> >
> > > Also, the section '3.3 Biometrics' seems more like an alternative than a
> > > CAPTCHA type.
> > >
> > Indeed. However please note the second paragraph of the introduction:
> >
> > "Since our concern here is the accessibility of systems that seek to
> > distinguish human users from their robotic impersonators, the term
> > "CAPTCHA" is used in this document generically to refer to all
> > approaches which are specifically designed to differentiate a human from
> > a computer. We also include fully noninteractive approaches in our
> > categorization."
> >
> > Also, the discussion of biometrics includes this statement:
> >
> > "Where biometrics are used as an alternative to CAPTCHA, systems should
> > be designed to allow users to choose among multiple and unrelated
> > biometric identifiers. It should also be noted that biometrics can
> > reliably and uniquely identify individuals making these identifiers
> > highly attractive as login authentication mechanisms.  This alternative
> > is unsuitable, however, for applications in which it is necessary to
> > preserve the user's anonymity (i.e., the application is required to
> > verify solely that the user is human, without obtaining identifying
> > information)."
> >
> > Among the implicit points is the possibility to identify a human
> > individual, without identifying which specific human individual. We're
> > suggesting biometrics could do this, though that's not how they're used
> > today to the best of our knowledge.
> >
> > Is that what you're suggesting needs more elaboration?
> >
> > > Perhaps there could be another list for CAPTCHA alternatives, for example:
> > > access verification through SMS or an incoming call (automated service
> > > provides a PIN).
> > >
> > Indeed, such dual-factor strategies are common for user authentication.
> > But, as we discuss in several ways, our purpose is the identification of
> > a human user without identifying the specific human user. I'm not sure
> > how one would do that with SMS and/or phone calls.
> >
> > Best,
> >
> > Janina
> >
> > > Thanks,
> > > Devarshi
> > >
> > >
> > > On Thu, Jan 24, 2019 at 8:05 PM Janina Sajka <janina@rednote.net> wrote:
> > >
> > > > Colleagues:
> > > >
> > > > This is a Call for Consensus (CfC) to the Accessible Platform
> > > > Architectures (APA) Working Group seeking consensus to publish the
> > > > "Inaccessibility of CAPTCHA" document for wide review.
> > > >
> > > > The draft to review for this CfC is here:
> > > >
> > > > https://raw.githack.com/w3c/apa/f257fe3930a483f3205b128211c1cb122c2180ca/captcha/index.html
> > > >
> > > > This draft has undergone extensive revision since our FPWD last year in
> > > > response to comments received, and in response to additional analysis.
> > > >
> > > > Please note that no substantive nor editorial changes
> > > > will be applied during the CfC to the above URI.
> > > >
> > > > *       ACTION TO TAKE
> > > >
> > > > This CfC is now open for objection, comment, as well as statements of
> > > > support via email. Silence will be interpreted as support, though
> > > > messages of support are certainly welcome.
> > > >
> > > > We particularly welcome questions and suggested edits, though this could
> > > > delay publication. It's important we get this draft right.
> > > >
> > > > If you object to this proposed action, or have comments concerning this
> > > > proposal, please respond by replying on list to this message no later
> > > > than 23:59 (Midnight) Boston Time, Sunday 3 February.
> > > >
> > > > NOTE: This Call for Consensus is being conducted in accordance with the
> > > > APA Decision Policy published at:
> > > >
> > > > http://www.w3.org/WAI/APA/decision-policy
> > > >
> > > > Thanks to our Research Questions Task Force (RQTF) for their extensive
> > > > work on this revision draft.
> > > >
> > > > Janina
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > >
> > > > Janina Sajka
> > > >
> > > > Linux Foundation Fellow
> > > > Executive Chair, Accessibility Workgroup:       http://a11y.org
> > > >
> > > > The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
> > > > Chair, Accessible Platform Architectures        http://www.w3.org/wai/apa
> > > >
> > > >
> > > >
> >
> > --
> >
> > Janina Sajka
> >
> > Linux Foundation Fellow
> > Executive Chair, Accessibility Workgroup:       http://a11y.org
> >
> > The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
> > Chair, Accessible Platform Architectures        http://www.w3.org/wai/apa
> >
> >

-- 

Janina Sajka

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup:	http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Chair, Accessible Platform Architectures	http://www.w3.org/wai/apa
Received on Saturday, 2 February 2019 14:16:33 UTC
