W3C home > Mailing lists > Public > public-html-a11y@w3.org > March 2010

CAPTCHA alternatives/pitfalls (was Re: keep CAPTCHA out of HTML5)

From: Gregory J. Rosmaita <oedipus@hicom.net>
Date: Thu, 18 Mar 2010 18:42:01 +0000
To: "Charles McCathieNevile" <chaals@opera.com>, public-html-a11y@w3.org
Cc: "Silvia Pfeiffer" <silviapfeiffer1@gmail.com>, "Steven Faulkner" <faulkner.steve@gmail.com>, "John Foliot" <jfoliot@stanford.edu>
Message-Id: <20100318183614.M77662@hicom.net>
aloha, chaals!

you make several excellent points about:

a) the need for an effective means of determining whether a user is a 
   machine or human;

b) the need for multi-modal CAPTCHA alternatives (not simply the boolean 
   visual and audio options)

c) the efforts of others to surmount the human-or-machine challange;

however, what is a simple equation to you or me, may not be so simple to 
users with various forms of cognative issues...  the best example of such 
a challange (and the first of its kind i encountered) is the quote simple 
unquote mathematical equation which norman walsh (member of the TAG) 
uses to verify that commentors on his blog are humans

http://norman.walsh.name/

when i first tried norm's solution i had a screaming migraine at the 
time, and couldn't figure out a simple multiplication equation -- 
hence, my comments never made it to norm's blog feedback section, 
and i became "sensitized" to the cognative issues inherent in a 
logical/mathematical query...

the other thing that worries me about the use of equations as an 
alternate to CAPTCHA, is that sooner, rather than later, equations 
will be expressed as a series of graphics, in order to (a) stop a bot 
from screen-scraping, and (b) sell graphical equations under the rubric 
that they provide double protection - protection from a text-readng bot, 
because the graphical components of the equation will not be ALT texted, 
as that would make it possible for a bot to obtain the equation, and, if 
smart enough, solve it...

i discussed approaches to human-verification tests in 2006 with daniel 
dardailler, who believes that a simpler solution is to use logical 
questions that are based on human experience and not on mathematical 
eequations, which computers are quite able to compute...  for example:

Q: what happens when you touch a hot stove?

Q: what do you do when someone tells you a funny joke?

and other human-related quote real world unquote challanges...  these,
however, are culturally-based queries, and many have more than one 
correct answer (for example, when i touch a hot stove, i swear a 
blue streak, whereas the answer the question may simply be a variation
on "get burnt" "burn hand" "burn myself"; moreover, any natural language
challange presents an immediate internationalization problem, which is
why implementors such as norm walsh chose the quote universal unquote
language of mathematics...

dave poehlman also had an interesting idea -- express the equation in 
words; for example:

Q: seven minus five equals:

a good idea to ward off bots, but there is still the problem of one 
person's simple equation being another person's nightmare...

for more information on CAPTCHA discussions which have transpired 
since the publication of the Turing Test note, please refer to the 
CAPTCHA note update wiki page, located at:

http://www.w3.org/WAI/PF/wiki/CAPTCHA_v2

gregory.
---------------------------------------------------------------------
A conclusion is simply the place where someone got tired of thinking.
                                                      -- Arthur Bloc
---------------------------------------------------------------------
   Gregory J. Rosmaita - oedipus@hicom.net AND gregory@ubats.org
        Camera Obscura: http://www.hicom.net/~oedipus/
 United Blind Advocates for Talking Signs (UBATS): http://ubats.org
---------------------------------------------------------------------

---------- Original Message -----------
From: "Charles McCathieNevile" <chaals@opera.com>
To: "Silvia Pfeiffer" <silviapfeiffer1@gmail.com>, "Steven Faulkner" 
<faulkner.steve@gmail.com>
Cc: "John Foliot" <jfoliot@stanford.edu>, "Gregory J. Rosmaita" 
<oedipus@hicom.net>, public-html-a11y@w3.org
Sent: Thu, 18 Mar 2010 17:44:34 +0100
Subject: Re: keep CAPTCHA out of HTML5

> On Wed, 17 Mar 2010 23:28:17 +0100, Steven Faulkner  
> <faulkner.steve@gmail.com> wrote:
> 
> > Hi laura, I am happy to modify the example to include warnings about 
the
> > essential inaccessibility of captcha and recommend it not be used, 
but  
> > think that for cases when it is used, advice on how to make it 
accessible
> > as possible is still a good thing.
> 
> Agreed. CAPTCHAs are bad. But they also solve a real problem,
>  and working  out an alternative solution is important. Rather 
> than removing the example  
> (which I think will lead to people assuming that you can just 
> leave alt  off CAPTCHA images) it should explain what sort of 
> alt can improve the  accessibility of the CAPTCHA. 
> http://cssquirrel.com shows one example  technique - making the 
> question one based on processing a question. A  related example 
> is mathematical questions.
> 
> (More detailed thoughts:
> 
> Although they are not foolproof, we find that CAPTCHAs are, in 
> certain  important cases (generally the ones involving broad 
> exposure to the  public, like commenting on blogs) actually 
> reasonably succesful in  reducing spam. (I.e. they don't stop it,
>  but they reduce it by orders of  magnitude, which allows the 
> human filtering processes we add to have a  chance of keeping up 
> with the work).
> 
> There are some CAPTCHAs which are tests of cognition - asking 
> questions.  We have used simple mathematical questions. Kyle 
> Weems' CSSquirrel  cartoons ask readers to identify a certain 
> image from a set - they do  contain alt text explaining what 
> they are, but increase the cognitive leap  and required 
> background knowledge. All of these schemes are vulnerable to 
>  eventual cracking, and authentication solutions are great - but 
> it turns  out that a lot of authentication solutions, in order 
> to allow scalability,  need a shortcut to determine whether 
> someone is a human - so they use a  CAPTCHA.
> 
> cheers
> 
> Chaals
------- End of Original Message -------
Received on Thursday, 18 March 2010 18:42:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 04:42:06 GMT