Where's the Completely Automated" in CAPTCHA? from Janina Sajka on 2021-12-29 (public-apa@w3.org from December 2021)

From: Janina Sajka <janina@rednote.net>
Date: Wed, 29 Dec 2021 09:30:58 -0500
To: public-apa@w3.org
Cc: public-rqtf@w3.org
Message-ID: <YcxxIrXghUzwZTfH@rednote.net>
Now that we're again working on updates to our 2019 Note on CAPTCHA, I'm
finding some 35,000 foot observations we didn't comment on in previous
drafts of this document:

1.) We need to acknowledge that the user performs as the site
provider dictates. Whether more or less accessible, the site chooses the
work the user is to perform. I would now argue this is backwards. I
would like now to suggest that we move toward systems that allow users
to choose the technology that works for them. Obviously this would need
to be a technology sites could rely on. My point is that users shouldn't
have to deal with every variant of CAPTCHA on the planet--which is the
case today.

2.) I'm finding myself wondering about the perspective of the
inventors of this technology. As our document has always explained,
CAPTCHA stands for "Completely Automated Public Turing Test, to Tell
Computers and Humans Apart." So here's my question: What part of CAPTCHA
has every been "Completely Automated?" At least until Google's Recaptcha
3, this strikes me as a bogus claim that we should have called out long
ago. Is a process "completely automated" because it's automated for the
server? As thought the human in the process doesn't really matter? How
sad a world view that bespeaks!

Best,

Janina

Janina Sajka writes:
> Thanks for your question, John. 
> 
> I would agree with Jason's response especially to the point that the
> various wCAG SC aalso appear unclear to me as regards the distinction
> between authentication of login vis a vis authenticating one's
> personhood. These are not the same thing.
> 
> Also, we'd be unlikely to point to a proposed anything in a document we
> hope to move to W3C Statement Status. So, if the confusion between
> logging in and authenticating one's humanity is cleared up when WCAG 2.2
> goes TR we might indeed point to it--but by no means in a pre CR status.
> 
> hth
> 
> Janina
> 
> White, Jason J writes:
> > Thank you for the question, which raises interesting issues. To answer it directly:
> > 
> >   1.  The proposed WCAG 2.2 success criteria 3.3.7 and 3.3.8 didn’t exist, at least in their current form, when the CAPTCHA Note was last significantly revised circa 2019; and they were controversial at that time. They presently remain proposals only, as WCAG 2.2 is not yet in Candidate Recommendation or beyond. We can consider whether to refer to them in a subsequent draft of the CAPTCHA Note, as the proposals are relevant in this context.
> >   2.  More substantially, it is not clear that 3.3.7 or 3.3.8 addresses the CAPTCHA phenomenon. In particular, if we read 3.3.7 and 3.3.8 in conjunction with the “CAPTCHA” item in success criterion 1.1.1, then it makes sense to interpret 1.1.1 as allowing perception-based CAPTCHA challenges, as long as alternatives relying on different senses are available. One can then interpret “authentication” in 3.3.7 and 3.3.8 as referring only to verifying the identity of the user – and not to determining whether the user is human, which is the distinctive function served by CAPTCHA challenges. In addition, it is not clear that tasks requiring the user to recognize objects or characters in images, spoken words, etc., involve “memorization” in the sense in which this term is used in the definition of “cognitive function test” in the WCAG 2.2 proposal. Thus, WCAG 2.2 is arguably best interpreted as not changing the status quo with respect to CAPTCHA, as established by success criterion 1.1.1 in WCAG 2.0.
> > If the intention of the Accessibility Guidelines Working Group is to override the explicit statements about CAPTCHA in 1.1.1, then this will need to be made very clear, in my opinion. The only consistent reading of the draft as a whole at the moment appears to be to interpret 3.3.7 and 3.3.8 as not addressing CAPTCHA, at least of the kind which is expressly permitted under 1.1.1.
> > 
> > From: Rochford, John <john.rochford@umassmed.edu>
> > Sent: Tuesday, 28 December 2021 6:29
> > To: public-apa@w3.org
> > Subject: [EXTERNAL] [turingtest] Accessible Authentication
> > 
> > CAUTION: This email originated from outside of our organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> > Hello Editors,
> > Great Inaccessibility of CAPTCHA doc<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.org%2FTR%2Fturingtest%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=gQylYoY%2Fspk5jDlPFtGGGP5xgeulL9gQzbjKKF%2FGsQI%3D&reserved=0>! Very thorough.
> > 
> > Why is there no mention of the proposed Accessible Authentication SC 3.3.7<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3c.github.io%2Fwcag%2Fguidelines%2F22%2F%23accessible-authentication&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4cuHHJ5bSdbDac1MaE4whwlIxqqXaGUR8mlsbsgGDUo%3D&reserved=0>?
> > 
> > 
> > John
> > 
> > John Rochford
> > University of Massachusetts Medical School
> > Eunice Kennedy Shriver Center
> > Director, INDEX Program
> > Faculty, Family Medicine & Community Health
> > DisabilityInfo.org<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.disabilityinfo.org%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=jJX0eogZo%2B7jQf3wbKtkvy%2FdpP%2FQ4rOuSEKD5fiSdgk%3D&reserved=0>
> > EasyText.AI<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Feasytext.ai%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=xZPx%2B3z8eH2zQxnQIS6wsZOxrz%2FEu2OOlp0m231LQX4%3D&reserved=0>
> > LinkedIn<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fjohn-rochford%2F&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=x2C1wxLbAMD3p1u9OsFNhG6E5SV%2BkDZct5F295Ja4Jw%3D&reserved=0>
> > About Me<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fabout.me%2Fjohnrochford&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=3LMgZHUUDtFR8tQ7ugG3AKW7UVtsdev%2Bvpd22Zju6gQ%3D&reserved=0>
> > Schedule a meeting with me.<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbit.ly%2FCallJR&data=04%7C01%7Cjjwhite%40ets.org%7Cc6fa2d3ea0a04d33c3ec08d9c9f54c1b%7C0ba6e9b760b34fae92f37e6ddd9e9b65%7C0%7C0%7C637762878719041952%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=ykx8Px1lkwwbfddzmTh5NAJZj0YL%2Fg%2BYTaKaOkKJRI0%3D&reserved=0>
> > 
> > Confidentiality Notice:
> > This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential, proprietary, and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender immediately and destroy or permanently delete all copies of the original message.
> > 
> > 
> > ________________________________
> > 
> > This e-mail and any files transmitted with it may contain privileged or confidential information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; do not disclose, copy, distribute, or take any action in reliance on the contents of this information; and delete it from your system. Any other use of this e-mail is prohibited.
> > 
> > 
> > Thank you for your compliance.
> > 
> > ________________________________
> 
> -- 
> 
> Janina Sajka
> (she/her/hers)
> https://linkedin.com/in/jsajka
> 
> Linux Foundation Fellow
> Executive Chair, Accessibility Workgroup: http://a11y.org
> 
> The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
> Co-Chair, Accessible Platform Architectures http://www.w3.org/wai/apa
> 

-- 

Janina Sajka
(she/her/hers)
https://linkedin.com/in/jsajka

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup: http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Co-Chair, Accessible Platform Architectures http://www.w3.org/wai/apa
Received on Wednesday, 29 December 2021 14:31:43 UTC