Captcha Action: Dialog with Manu

At the request of the chair, sharing Janina's reach out to Manu, and Manu's
response.
His response is first, followed by Janina's original mail.
- Lionel

On 4/1/22 8:24 AM, Janina Sajka wrote:
> I'm reaching out to ask after level of activity on Authentication related
> specifications and APIs in W3C. I believe you might know, but I could be
> wrong. Please feel to tell me if you're not up to speed on current
activity
> in this W3C area of work.

Hi Janina, so good to hear from you!

I know of a subset of the ecosystem and am heading up in a
pilot-going-to-production program in the US (152,000+ retail locations, 200
million user base) that achieves the "proof of personhood" bar and shifts
the
mechanism to the individual and their software instead of relying on the
publisher to provide that service.

It's a non-profit run age verification system, that performs in-person
vetting, and is truly GDPR privacy-respecting -- using
untraceable-by-the-website single-use tokens. I can go into more detail on
that if you're interested.

I believe this is the ultimate, and "controversial", goal you alluded to at
the end. It's not controversial to us -- we're deploying it into production
this year (and it's built on W3C open standards -- Decentralized Identifiers
(DID) and Verifiable Credentials (VC)).

I'm sharing all of this with you to try and convey that, yes, I get the use
case and think it's a vitally important one for a11y.

I do want to warn you that all is not solved... that the client-side stuff,
the digital wallets that people use to convey this information, have a11y
challenges. As you also know, I came to present the concept of an
"Accessibility Profile" that could be used by people to the APA, powered by
W3C Verifiable Credentials, many years ago. I have been intending to engage
the W3C a11y folks at the right moment, which I believe to still be 6-9
months
out, to ensure that we don't screw this up.

So, your email is timely as well.

> Perhaps you might know that CloudFlare has something called CAP they
> believe could protect a user's privacy/identity and yet satisfy a web
> content server that the accessing user is really a human.

I don't know about CAP, but am happy to read up on it to try and understand
how it fits into the landscape.

> Frankly, while it doesn't protect privacy, I regard Google's Recaptcha3 as
> serving a similar need from the accessibility perspective because it can
> attest the personhood of the user without interacting with that user.

Yes, well, Google has their own reasons for providing the service... and
that's ensuring their dominance in the tracking industry. While it would
solve
the automated recaptcha problem, it has a centralization and privacy
downside.

> I'm also aware of technologies like Privacy Pass, solve CAPTCHA once and
> keep reusing your tokens.

Haven't looked into Privacy Pass either, and will have to read up on it, but
these are all variations on a theme.

> Is there W3C activity around these issues? Do you know what WG?

I know that the W3C VC WG has an interest here, but it's not the same as the
initiatives you mentioned. We're in the process of being rechartered and
have
put in scope "Guidance to enhance Verifiable Credential interoperability --
Verifiable Credential Extension Vocabularies"... which is a fancy way of
saying that we are cleared to work on some of what you mention in a
non-normative capacity to start.

> I would like to reach out re updating our CAPTCHA Note, and possibly
asking
> to have it elevated to a W3C Statement per most recent W3C Process. A
> joint publication would probably be most helpful to achieve that.

I expect that you would find support in at least the Credentials Community
Group (450+ people), W3C VC WG, and W3C DID WG.

> Lastly, and possibly most controversially, I'm looking to explore whether
> there's any appetite to shift the reverse Turing test burden to the user
> agent and away from the content publishing side. My accessibility reason
is
> that users could then lock in a service provider of their
choosing--whereas
> the current content-based CAPTCHA approach essentially means every style
of
> CAPTCHA will be encountered by individual users, which is clearly not the
> best for accessibility.

Yes, this is a shared goal for the W3C VC WG.

Happy to have a chat about this if you're interested to strategise.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/


=========================

Hi, Manu:

I'm reaching out to ask after level of activity on Authentication
related specifications and APIs in W3C. I believe you might know, but I
could be wrong. Please feel to tell me if you're not up to speed on
current activity in this W3C area of work.

Our APA Working Group is reviving our CAPTCHA Note because of recent
advances that promise, very possibly, to simply kill CAPTCHA as no
longer recommended. Perhaps you might know that CloudFlare has something
called CAP they believe could protect a user's privacy/identity and yet
satisfy a web content server that the accessing user is really a human.
Frankly, while it doesn't protect privacy, I regard Google's Recaptcha3
as serving a similar need from the accessibility perspective because it
can attest the personhood of the user without interacting with that
user.

I'm also aware of technologies like Privacy Pass, solve CAPTCHA once and
keep reusing your tokens.

Is there W3C activity around these issues? Do you know what WG? I would
like to reach out re updating our CAPTCHA Note, and possibly asking to
have it elevated to a W3C Statement per most recent W3C Process. A joint
publication would probably be most helpful to achieve that.

Lastly, and possibly most controversially, I'm looking to explore
whether there's any appetite to shift the reverse Turing test burden to
the user agent and away from the content publishing side. My
accessibility reason is that users could then lock in a service provider
of their choosing--whereas the current content-based CAPTCHA approach
essentially means every style of CAPTCHA will be encountered by
individual users, which is clearly not the best for accessibility.

Hoping you're doing well,

Janina


--

Janina Sajka
(she/her/hers)
https://linkedin.com/in/jsajka

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup:       http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Co-Chair, Accessible Platform Architectures     http://www.w3.org/wai/apa



Lionel Wolberger
COO, UserWay Inc.
lionel@userway.org
UserWay.org <http://userway.org/>
<https://userway.org>[image: text]