W3C home > Mailing lists > Public > public-html-a11y@w3.org > March 2010

Re: keep CAPTCHA out of HTML5

From: Charles McCathieNevile <chaals@opera.com>
Date: Thu, 18 Mar 2010 17:44:34 +0100
To: "Silvia Pfeiffer" <silviapfeiffer1@gmail.com>, "Steven Faulkner" <faulkner.steve@gmail.com>
Cc: "John Foliot" <jfoliot@stanford.edu>, "Gregory J. Rosmaita" <oedipus@hicom.net>, public-html-a11y@w3.org
Message-ID: <op.u9rvgkwrwxe0ny@widsith.local>
On Wed, 17 Mar 2010 23:28:17 +0100, Steven Faulkner  
<faulkner.steve@gmail.com> wrote:

> Hi laura, I am happy to modify the example to include warnings about the
> essential inaccessibility of captcha and recommend it not be used, but  
> think that for cases when it is used, advice on how to make it accessible
> as possible is still a good thing.

Agreed. CAPTCHAs are bad. But they also solve a real problem, and working  
out an alternative solution is important. Rather than removing the example  
(which I think will lead to people assuming that you can just leave alt  
off CAPTCHA images) it should explain what sort of alt can improve the  
accessibility of the CAPTCHA. http://cssquirrel.com shows one example  
technique - making the question one based on processing a question. A  
related example is mathematical questions.

(More detailed thoughts:

Although they are not foolproof, we find that CAPTCHAs are, in certain  
important cases (generally the ones involving broad exposure to the  
public, like commenting on blogs) actually reasonably succesful in  
reducing spam. (I.e. they don't stop it, but they reduce it by orders of  
magnitude, which allows the human filtering processes we add to have a  
chance of keeping up with the work).

There are some CAPTCHAs which are tests of cognition - asking questions.  
We have used simple mathematical questions. Kyle Weems' CSSquirrel  
cartoons ask readers to identify a certain image from a set - they do  
contain alt text explaining what they are, but increase the cognitive leap  
and required background knowledge. All of these schemes are vulnerable to  
eventual cracking, and authentication solutions are great - but it turns  
out that a lot of authentication solutions, in order to allow scalability,  
need a shortcut to determine whether someone is a human - so they use a  
CAPTCHA.

cheers

Chaals

> regards
> steve
> On 17 March 2010 18:24, Silvia Pfeiffer <silviapfeiffer1@gmail.com>  
> wrote:
>
>>  On Thu, Mar 18, 2010 at 8:34 AM, John Foliot <jfoliot@stanford.edu>
>> wrote:
>> > Silvia Pfeiffer [mailto:silviapfeiffer1@gmail.com]
>> >>
>> >> Very interesting indeed. It seems to indeed be a big accessibility
>> >> challenge.
>> >>
>> >> Do images get transferred onto braille at all? Could it be done
>> >> pixel-wise? I'm wondering if there could be a technical solution,  
>> even
>> >> if it doesn't exist yet.
>> >
>> > I've seen some interesting experiments with tactile processing of  
>> maps,
>> > etc., but the detail is also limited in some ways due to the amount of
>> > visual data required to be conveyed. Most of those experiments relied  
>> on
>> > some basic form outline's over-laid with image-map like area data. In
>> > situations such as where we normally see CAPTCHA's used that  
>> additional
>> > data would likely not be provided by the author.
>> >
>> > The problem with any kind of OCR-like solution here is that it is a  
>> race
>> > to the bottom - if OCR does get better, CAPTCHA's will continue to get
>> > increasingly complex to frustrate that improvement - a vicious circle
>> with
>> > no end in sight. At some point, the CAPTCHAs also become increasingly
>> > difficult for sighted users to negotiate, further frustrating your  
>> user
>> > base.  The foundation of the solution is flawed, thus any  
>> implementation
>> > of that solution will also be flawed: being able to discern what a  
>> series
>> > of glyphs represent does not represent cognition, which is what  
>> CAPTCHAs
>> > are trying to determine (man vs. machine).
>> >
>> > I personally hold out more help for distributed authentication schemes
>> > such as OAuth, etc. which requires a one-time determination of
>> > 'authenticity' of your human-ness, after which you have a social key  
>> that
>> > can be used inter-changingly. We are already starting to see solutions
>> > like this emerge, where you can 'log-in' to locations using your  
>> FaceBook
>> > account, G-Mail account, your twitter username etc.
>> >
>> > Establishing disabled-user support groups as CA like entities could  
>> help
>> > here (for example, the RNIB could assist non-sighted users in the UK  
>> by
>> > confirming them with an OAuth profile, which they then could use) -
>> > ultimately what we have here (I believe) is a social issue, which will
>> > require a social solution
>>
>>
>> I understand Gregory's concerns now.
>>
>> I checked the spec and CAPTCHA is used as an example of an img element
>> that doesn't have a @alt description. I guess that is a fair enough
>> example.
>>
>> Maybe we could propose to add a sentence underneath that example to
>> state that the use of CAPTCHAs is not encouraged by the W3C for all
>> the reasons mentioned here? Namely it's just "security by obscurity",
>> people have problems deciphering them and deaf-blind users have no
>> means of dealing with them (at least until the introduction of a
>> braille dimension to CAPTCHAs).
>>
>> Cheers,
>> Silvia.
>>
>>
>
>


-- 
Charles McCathieNevile  Opera Software, Standards Group
     je parle français -- hablo español -- jeg lærer norsk
http://my.opera.com/chaals       Try Opera: http://www.opera.com
Received on Thursday, 18 March 2010 16:45:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 04:42:06 GMT