
Image: Illustration by Thomas Fuchs
Whenever there’s a problem in the modern world, we try to solve it by building barriers. Music piracy? Copy protection. Hacked Web sites? More complicated passwords.
Unfortunately, these barriers generally inconvenience the law-abiding citizen and do very little to impede the bad guys. Serious music pirates and Web hackers still find their way through.
Maybe all the hurdles are enough to thwart the casual bad guys. That seems to be the thinking behind the Web blockades known as Captchas. (It’s a contrived acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart.) Surely you’ve seen them: visually distorted words—sometimes real English ones and sometimes nonsense words—represented as a graphic when you try to sign up for something online. You’re supposed to type the words you see into a box.
Captchas were designed by their Carnegie Mellon University inventors to thwart bots (automated hacker programs) that might bring online services to their knees. For example, some bots sign up for Hotmail or Yahoo e-mail accounts by the thousands for the purpose of spewing spam. Some post bogus comments in hopes of raising a site’s search-results ranking.
In theory, only an actual human being can figure out what word is in the Captcha graphic. The letters are just twisted enough and the background is just cluttered enough that a person can read them, but not a computer. Good guys in, bad guys out—the perfect barrier.
In practice, Captchas have just replaced one public nuisance with another. First of all, the images are often so distorted that even a human can’t read them. That’s a particular problem in nonsense words like “rl10Ozirl.” Are those lowercase Ls or number ones? Zero or letter O? Second, there’s the vision thing. If you’re blind, you can’t do a visual Captcha puzzle.
The best Captchas (if that’s not an oxymoron) offer alternatives to fix these problems. There might be a button that offers you a second puzzle if the first is too hard to read or an audio Captcha option for blind people. Above all, though, increasing evidence shows that Captchas are losing the technology war. Researchers and spammers have both been able to get around them.
There have been efforts to replace visual Captchas with less user-hostile puzzles. Some ask you to take an easy math test, answer a simple question, identify a photograph or listen to garbled audio. All of them exclude one group or another, though—such as non-English speakers or deaf people.
Overall, the Carnegie Mellon team estimates that we spend a cumulative 150,000 hours at the gates of these irritating obstructions every single day. In a newer variant, called reCaptcha, at least that time is put to public use. You see a muddied-looking word that comes from a wonky scanned Google book; when you type what it really says, you’re actually helping out with the process of cleaning up and recognizing an actual text.
Nevertheless, we the law abiders are still wasting 17 person-years every single day. That’s a disgraceful waste of our lives. Surely there are better solutions worth exploring.
Maybe we should invent a voluntary Internet identity card so we’re already known when we sign up for something. Maybe Web sites should enforce a short-term limit of one new account or posted comment per “person.” Or the Web site should look at the speed or irregularity of our typing to determine if we’re human.
Or fingerprints. Or retinal scans. Something.
Spammer bots are a problem, yes. But Captchas are a problem, too. They’re a bother, they’re not foolproof and they assume that everyone is guilty until proven innocent. What Captcha really stands for, in other words, is Computers Annoying People with Time-Wasting Challenges That Howl for Alternatives.
This article was originally published with the title Time to Kill Off Captchas.
20 Comments
This article is so incredibly wrong I felt compelled to go on the internet and comment on it after reading it in print.
This is supposed to be a scientific magazine, where is the evidence that Captcha is failing? I might as well be reading this on about.com or some other robot created website. How did you come up with that 17 years per day figure, is that really counting accurately?
Captcha is annoying, the only thing more annoying would be all of the suggestions you propose. All of your suggestions have more problems - and serious ones - instead of annoying ones.
Internet identity card? Retina scan? Fingerprint? Privacy? Free speech? Simplicity? Do you mean like a password username combo? The point of a captcha is to be something quick that doesn't require that sort of commitment. I think it is telling that this article has no other comments but mine - there is no possible quick way to post one. Such as a captcha would afford.
Time limit? Single post only? Heuristics of words used or typing style? Have you ever failed those things? I have. It is a heck of a lot worse than having to redo an illegible captcha. Because it is mysterious. I have no idea what is causing me to be flagged by mistake - is it a link? Am I too fast a typer? Too slow? The mechanism is not transparent and they are totally intolerant of false positives. At least with a captcha the system is transparent. I know why I pass or fail. I know what I have to do to pass. (at least for a properly implemented captcha system like reCaptcha - which is also the most popular and easy for websites to install)
Just because you are annoyed by using captchas you can't just write an article about something you haven't really thought through. I'm thankful when I see a Captcha as I know that the security mechanism is going to be transparent and honest. The alternatives (so far) are far worse and might even bring up more serious concerns of privacy, free speech and censorship if they were to be implemented.
Your opening line about making too many barriers on the internet is right on. However I think that, upon closer examination, something like captcha that is transparently enforced - is the better way to avoid real barriers including spam - compared to the highly questionable alternatives you have (so far) proposed.
The Internet is an amazing thing. Just because it can
I am guessing David Pogue does not have first-hand experience with any of the internet entities (blog, forum, etc) that are being hit the hardest by spammers. If he did, he would not think of -- let alone suggest -- doing away with captcha unless he had an actual, functioning alternative ready to take its place.
I am part of a team that runs an online forum (bulletin board). It is both tiny and obscure, and yet it averages over three dozen registration attempts per day by both human spammers and spambots. We go through phases when we are hit hundreds of times each day. Captcha is one of three methods we employ to keep them out.
The article states, "Spammer bots are a problem, yes. But Captchas are a problem, too." I am a little agog at this. I feel like a front-line combat soldier listening to a rear echelon desk jockey compare artillery shells to the hassle of wearing a helmet. The latter is occasionally uncomfortable. The former can drop your site by overloading your server, and once the spambots are gotten in, the amount of work to get rid of them is many times greater than the brief nuisance of asking people to decipher some twisty letters.
I eagerly await a better alternative; but for the moment, captcha remains a highly effective element in the defenses required to fend off the spambarian hordes.
Yes, Mr. Pogue's article is a bit light from the "Scientific" point of view. The figure of 150,000 hours per day comes directly from the home page for Google's captcha product, reCaptcha. (http://www.google.com/recaptcha/learnmore) Simple math divides 150,000 by 24 and then by 365, to yield 17 days.
Proof of CAPTCHAs' decreasing usefulness is easy to find. Google's own actions are prime evidence. On Feb 16, 2012 they changed Blogger's CAPTCHA technique from something almost usable to a much more complex reCaptcha scheme. Why would they annoy millions of readers? Likely because the older CAPTCHA was no longer useful! All across the Internet we see service providers upgrading their CAPTCHAs to ever more complex versions. It is implicit evidence that the spammers are effective. The CAPTCHA arms race is on and the innocent humans are losing.
For a more concrete example, researchers at Newcastle University in the UK have developed automated methods that solve even the latest reCaptchas easier than humans. Read "The Robustness of Google CAPTCHAs" at http://homepages.cs.ncl.ac.uk/jeff.yan/google.pdf. One need not be a geeky doctoral candidate in academia to do this. We see evidence of its reality in that war of escalation.
Solutions? The best are behind-the-scenes engines that use massive collaborative filtering to recognize and reject spam. Once these systems reach a viable size, in terms of network deployment and sampling scope, they become extremely effective. Two that have reached that high level of effectiveness are AKISMET and the Spam-Be-Gone feature of Disqus commenting systems. (hint: search easily finds these tools.)
A small business, an individual blogger, the community bulletin board owner can all fare well with Akismet. Larger firms often replace their content management system's entire commenting facility with Disqus. Neither of these systems challenge readers / visitors / customers with annoying CAPTCHAs. They allow security to be implemented by the service provider, not a task left to the end user.
Other solutions? For those who develop their own code, there are a number of useful "client side" techniques that spammers can't see or subvert. Too little space to describe here, so search for "hidden input field."
Lastly, as for being "thankful" when I see a CAPTCHA, I get about the same feeling as when I see a blue uniformed TSA agent. They both share two traits: the ability to stop one's travel, and an unnecessary level of annoyance.
Bob Easton, author of the blog "CAPTCHAs Must Die"
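The "hidden input field" technique named in the comment above, sketched as an added example that is not part of the original thread or any product it mentions. The field names, thresholds and secret are assumptions, and the signed render-time token is an added companion check that rejects forms submitted implausibly fast.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumptions (not from the page): field names, thresholds and the secret.
SECRET = b"replace-with-a-random-server-side-key"
HONEYPOT_FIELD = "website"      # hidden with CSS; a human never fills it in
MIN_FILL_SECONDS = 3            # anything faster is treated as scripted
MAX_FORM_AGE_SECONDS = 3600     # old tokens cannot be replayed indefinitely


def _sign(ts: str) -> str:
    """HMAC over the render timestamp so the client cannot forge it."""
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now: Optional[float] = None) -> str:
    """Value for a hidden 'token' field, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a posted comment form."""
    now = time.time() if now is None else now

    # 1. Honeypot: bots that fill every input populate the hidden field.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"

    # 2. The token must be one this server issued (constant-time compare).
    ts, _, sig = form.get("token", "").partition(".")
    valid_sig = hmac.compare_digest(sig.encode(), _sign(ts).encode())
    if not (ts.isascii() and ts.isdigit() and valid_sig):
        return False, "bad token"

    # 3. Timing: submitted too soon after rendering, or long afterwards.
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_FORM_AGE_SECONDS:
        return False, "token expired"
    return True, "ok"
```

Rejections are best logged and answered with the same response page a successful post gets, so a legitimate user who trips a check by accident can still be found in the logs.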
I agree with the other commenters here. An internet ID card. I know Sci Am is an establishment magazine and while I enjoy the knowledge imparted here, please don't try to condition the public into big brotherism. While captchas are annoying, I haven't found one that I couldn't decipher after a few reloads. I too question the statistics quoted, a quick footnote of his sources would clear that up. My main complaint is the social concerns he raises. I know liberals would love the gov't to ensure all is safe, just let me opt out of that totalitarianism, we still live in a free America (maybe).
I find it ironic that SA should attack Captcha use by other sites, when this site was infuriatingly cursed by advertiser spamming of its comments for many, many months! Personally, I would have gladly endured the inconvenience of Captcha use to have prevented that prolonged spamming of scientificamerican.com.
I'm really surprised that the awesome crowd-sourcing side of Captchas hasn't been mentioned yet! reCaptcha is a book digitization project that's helped digitize 20 years of the New York Times, among other things. Whenever I do one of those, I get a little warm and fuzzy inside.
It is worth noting that comment giant craigslist.org has recently eliminated captcha when posting. At least they did for me.
You are not accounting for the facts that,
first - not all internet users are Americans
second - not all internet users want their real identities on record
Third - most spammers are not Americans either. The vast majority are from the Far East.
The captcha process could probably be improved. A good test would be very easy for a human and hard for a computer. I think most people find that the average captcha is both hard for a human AND hard for a computer. I remember hearing about a new idea under development at Microsoft (of all places) called a 'catcha'. The idea was to present, for instance six pictures, 5 are puppies and 1 is a cat. The user's job is to select the cat from the group. Hence 'catcha'. While realizing that technology will likely (hopefully) catch up I think this idea is closer to the easy for humans hard for computers mark.
Instead of criminalizing spam and going through the tedium of prosecuting spammers, there's a simpler approach. Tax it. A buck a message. Per addressee.
But that will penalize legitimate e-mail ads? Too bad. If people want something, they can take the initiative to find out about it. The advertising business model needs to die - period.
Yeah yeah yeah Dave -- er -- we all waste time everyday- What's new?
Taking the key out of my pocket unlocking my door, my file cabinet etc. Locking the keypad on my NOT iPhone etc.
Come to think of it reading the column was a waste of time and so was typing this..............
«Third - most spammers are not Americans either. The vast majority are from the Far East.», Perhaps, silvrhairdevil, you would care to produce some evidence for this interesting claim (in which, I suspect, the term Far East is a metonym for China) ? According to the latest figures from ICSA Labs' Spam Data Center (https://www.icsalabs.com/technology-program/anti-spam/spam-data-center#top10), which relate to the week from 13 to 19 February 2012, the country of origin at the head of the list of the top ten was the US, at 10.1 % of the total, with India second at 7.5 %. While geography seems to be poorly taught today (consider, for example, how the term «the West» is employed), I think we can agree that neither of these two countries are located in the Far East. The first East Asian country to appear on the list is South Korea, in fourth place at 4.8 %. Taiwan is seventh (3.5 %) and Vietnam (3.0 %) ninth. China, with its huge internet population doesn't even make the top ten....
Generally speaking, it is wise to do one's research before posting, rather than afterwards....
Henri
I am amazed at the arrogance of posters on this topic. Captchas are not an inconvenience for me. They are an insurmountable obstacle.
The hundreds of captchas that I have run across over the years have blocked my access on every occasion except two. I refresh them dozens of times to no avail. The audio alternatives are even worse.
I have no issue with those people who design their sites in such a way as to exclude people because the programmers are not capable or not inclined to program their site to be inclusive. However, I do have an issue with those designers who say it is not a problem at all because it is not a problem for them.
If you don't want me to visit or use your site then fine. Just don't say it's me that has a problem.
Wow.. 17 person-years wasted every single day which could've been spent on Facebook!
Maybe we should come up with Captchas that are fun and brain-teasers.. so people will just want to solve them again and again, instead of Scrabble, or Sudoku.
When you told silvrhairdevil: "Generally speaking, it is wise to do one's research before posting, rather than afterwards...." you forgot to mention something important upfront from your reference to "the latest figures from ICSA Labs' Spam Data Center (https://www.icsalabs.com/technology-program/anti-spam/spam-data-center#top10)..." That is, that ICSA Labs is not a non-profit organization (.org) like some labs which do (anti)virus and other (anti)malware testing, but rather a commercial for-profit company (.com), an independent division of Verizon Business. They do efficiency tests for customers that produce anti-spam products. This information and that below comes from the report "ICSA Labs Anti-Spam Testing Revealed" dated 18 May 2011 [Copyright 2011 by Cybertrust, Inc.] (https://www.icsalabs.com/sites/default/files/AntiSpamTestingExplained_110518x.pdf).
Customers can choose from either daily live testing or certification testing. I saw no prices listed, but why would two different choices be offered otherwise and why would there be any comparisons between ICSA Labs and its competitors? I saw no endorsements or list of user companies to use as a guide. So, why should we trust just one company's statistics over another's? Do you have some similar percentages from another company to help prove your point? Some security products (free and paid) are rated much higher or lower than others, so couldn't the same be true for some of the paid labs?
The ICSA Labs material describes how it gets its data from a honeypot, which sources of email it samples and which sources it doesn't use at all. I don't feel completely comfortable with their sampling techniques, some of which they called negotiable for the future.
Also, I don't believe they or their competitors test spam found in comments on various forums, blogs, etc. Those may not be emails that we have to remove from our Inbox or Junk/Spam folders, but they're still spam (not just stupid comments) which we users have to waste time reading (and hopefully flagging).
Percentages by country MIGHT differ if this other spam were counted, based on samples other users and I have tracked back manually using linguistic analysis, Whois, user comments, etc. That's probably where some impressions of higher Chinese amounts arise, but I know of no plausible way to get accurate stats on that manually or otherwise. The U.S. and Russia are bad spammers (both kinds), but no area has a majority, so silvrhairdevil's actual claim isn't supportable and my estimates would only be unprovable guesses.
My "guesstimates" are derived from empirical experience cleaning spammers out of an online forum, not the ones that put Viagra offers in your email.
Far Eastern spammers, to which I loosely ascribe China, India, Indonesia, Pakistan are the ones that join a forum and dump a load of spam. They are mostly spambots, churned out by the thousands.
Russia and Germany both contribute a lot of spam and African spammers are usually email harvesters who will sell your email to the Nigerian lawyer who wants to give you your inheritance.
Very little of the spam I deal with is from the US or Canada.
I did my research - YMMV
I once made the mistake of establishing a non-captcha forum. Within a day it was deluged with over 250 spam entries.
Ironic: In order to post this comment, I had to:
- Register
- Go to my e-mail to verify
- Return here to log in.
That required a great deal more time than a captcha.
Here's an alternative to CAPTCHA that I really like: http://demo.confidenttechnologies.com/captcha/
Just click the "Click Here" button to launch it and then follow the instructions to click on the correct pictures. It's so much faster and easier than trying to decipher warped letters.
They say it's more secure than using words because bots aren't able to make a judgement about what the subject matter of each picture is.
Yeah Craigslist, instead of using CAPTCHAS now won't let me post to classifieds "too quickly." That is MUCH more annoying than entering a CAPTCHA! Sometimes I have a bunch of quick things to post and I get through a few and then have to wait hours to continue with the rest. Awful!
As some colleagues have already mentioned here, there are better technologies that can substitute CAPTCHA, and I'd add another one called KEYPIC. No interaction from users is needed, and it's free of charge.