CAPTCHA: Telling Computers and Humans Apart

By PaulMartz, 29 April, 2021

Computer pioneer Alan Turing’s famous Turing Test quantified a machine’s ability to behave intelligently. In the test, a judge would communicate with a human and computer via a text-based communications medium. The computer would pass the test if the judge couldn’t’’ tell them apart. It sounds like something straight out of Blade Runner, in which Harrison Ford played a detective tracking down rogue androids posing as humans.

The Turing Test has real-world applications. The internet is rife with runaway automated processes, or robots, that continuously attempt to post spam to discussion boards, scrape email addresses, and perform other nefarious acts. If web admins had a way to tell whether a visitor were human or bot, they could eliminate a lot of spam.

CAPTCHA - Bane of Blind Users

CAPTCHA is an acronym: Completely Automated Public Turing test to tell Computers and Humans Apart. Traditionally, CAPTCHA displays an image containing numbers and text, which the user visually reads and enters into a text field. More modern versions ask users to select images based on some criteria, such as “select all images with ladders”. But computers have become pretty good at visual processing. Image-based CAPTCHA isn’t as effective as it once was.

CAPTCHA accessibility issues are obvious to the AppleVis community. Many vision impaired users depend on an audio-based challenge, in which users enter words spoken in a short audio clip. But this is not an option for anyone with a hearing impairment.

From an accessibility perspective—and even for sighted users—the ideal CAPTCHA would require no user interaction. For example, Google’s reCAPTCHA version 3 computes a probability that you’re human by examining your browsing activity and other data. You don’t even have to check a box. These systems are only as smart as the biases of their developers, and accessibility tools such as magnification and keyboard navigation can throw them off.

CAPTCHA developers see a bigger problem: AI is becoming smarter. Advances in image processing and text-to-speech have rendered image- and audio-based CAPTCHA systems worthless. Even reCAPTCHA v3 has already been cracked by intelligent internet robots. That was news to me, but it shouldn’t be. I’ve read Ray Kurzweil’s series of books on the accelerating pace of AI development. SkyNet will be online soon.

In this blog, we'll test drive hCaptcha, a solution that claims to be both accessible and robot-proof.

hCaptcha - the Cookie-Based Alternative

hCaptcha uses cross-site cookies for accessibility. Like reCAPTCHA v3, it’s intended to be a non-interactive CAPTCHA technology. But in practice, it’s not as ideal as you might expect. To use it, you must obtain a cookie. The cookie is only good for 24 hours, which means you pretty much need to refresh the cookie every time you confront a site that uses hCaptcha. You also need to configure Safari to use cross-site cookies, which Safari disables by default.

First, let’s obtain the hCaptcha cookie. Then we’ll change Safari’s settings.

Me Want Cookie

Cookie Monster has one use for cookies. They must be eaten. In the same way, your web browser consumes cookies provided by web sites. There are many uses for internet cookies, such as keeping an accurate count of site visits and visitors.

hCaptcha uses cookies to identify and clear users with accessibility issues. To obtain hCaptcha’s accessibility cookie, register on their website. When you follow the link in the email you receive, the accessibility cookie will be automatically delivered to your web browser.

Alternatively, you can wait until you encounter a website that uses the hCaptcha system. I do not recommend this. Their interface of menus and web dialogs is neither simple nor intuitive. Registering on their site in advance greatly simplifies the process.

Enabling Cross-Site Cookies in Safari

Before you attempt an hCaptcha challenge, you’ll need to modify Safari’s default settings.

Since Apple’s March 2020 update, Safari blocks cross-site cookies by default. When one site consumes another site’s cookie, that’s a potential privacy issue. Normally, one website should not be tracking what you’re doing on another website. But hCaptcha’s accessibility cookies require cross-site tracking. To use hCaptcha, you must enable cross-site tracking in Safari.

On Mac OS, launch Safari and open preferences. Select the Privacy tab, and uncheck Prevent Cross-Site Tracking. In iOS, you’ll find a similar toggle in Settings, Safari.

CAPTCHA Gotchas

Now that you’ve registered at their site and obtained their accessibility cookie, now that you’ve allowed cross-site tracking in Safari Preferences, you’re finally ready to try hCaptcha at this hCaptcha demo page. As you can see, passing the hCaptcha challenge is trivial once the cookie is in place.

In concept, hCaptcha sounds like an accessible solution:you have their cookie, you pass their challenge. In practice, having to register at the hCaptcha website and modify Safari Preferences makes hCaptcha positively inconvenient for first-time users. For subsequent visits more than 24 hours later, finding the old email and refreshing the cookie isn’t much better. If a CAPTCHA system provides a simple interface for abled users and a convoluted interface for disabled users, is it really accessible?

CAPTCHA's Future

We know why CAPTCHA is complicated: It’s the only way to stump a robot. I can only speculate that hCaptcha’s complex interface and inconvenient 24-hour expiration exists for the same reason.

How long will it be before a robot is able to navigate hCaptcha’s convoluted mechanism for obtaining an accessibility cookie? When this happens, how will the system change, and how will it impact disabled users?

I previously mentioned reading Ray Kurzweil’s series of books on AI. While they’re all good, I recommend The Singularity is Near. In that book, Kurzweil predicts computer AI will pass a general Turing Test by 2029. What happens when website can no longer tell humans and computers apart?

As bots become smarter, CAPTCHA technology must inevitably evolve. Let’s hope accessibility doesn’t become a casualty in the CAPTCHA arms race.

Options

Comments

By Lysette Chaproniere on Saturday, April 24, 2021 - 18:14

Thanks for this post, Paul, it’s a great topic. CAPTCHAs far to often become a way to tell blind and sighted humans apart, or deaf and hearing humans, or deaf-blind humans and sighted/hearing humans. It’s yet another way that accessibility gets neglected in design.

If Kurzweil is right, we’ll be merging with machines anyway, so CAPTCHAs will be rather pointless. For anyone who’s interested in Kurzweil’s predictions, he has another book supposedly coming out soon, although I woke up to an email this morning saying my Kindle pre-order had been delayed yet again, called The Singularity is Nearer (the same title as his older book but with an e r at the end) If he delays it any longer, he might have to call it The Singularity is... oh, it’s already happened. The original The Singularity is Near is a long book, though, so it’ll keep you occupied for a while, but I was looking forward to an up-to-date take on his ideas.

By PaulMartz on Monday, May 24, 2021 - 18:14

Thanks, Lizette. I just pre-ordered it on Audible. His books on AI are comprehensive, prescient, and grounded in reality. One of his books (I don't recall which) detailed his attempts to develop early OCR. Very enlightening.

By Mister Kayne on Monday, May 24, 2021 - 18:14

It's a very interesting read and a good insight to the future of Captcha and accessibility. I am of a strong opinion that accessibility will take a back seat when new options for Captcha are explored OR introduced. Coincidentally, I just published a blog on LinkedIN talking about Image Captcha; you can visit it here:
https://www.linkedin.com/pulse/my-accessibility-nightmare-part1-image-captcha-mujtaba-merchant/?trackingId=ORbQeRW6nDejbLdLcrYcpA%3D%3D

By Dawn 👩🏻‍🦯 on Monday, May 24, 2021 - 18:14

Wow! Thank you for this post!

I many times have run into this annoyance we all know as CAPTCHA. I like this solution, but I have some questions.

1. Say you lost the email you got when you registered. Could you register again, and get a new email?

2. Are you supposed to put the cookie back on Safari when ever you clear out your cookies?

4. If registering again isn't an option, and you lose the email, then how do you obtain another email? Are you out of luck?

This looks like something I'll be taking a look at. Now, if only websites I use on a daily if not regular basis would adopt this... Because I do agree, that, while the checkboxes are nice, 99% of the time, I still have to do an audio challenge. And then I'm thinking, quite angrily I admit, "If you gave me a checkbox to check, then why did I still have to do or find an audio challenge?!"

By PaulMartz on Monday, May 24, 2021 - 18:14

In reply to by Dawn 👩🏻‍🦯

Hi Dawn. You don't need to save the email. You can register again if you lose it.

I don't have any statistics about how common hCaptcha is. When I encountered it recently, I thought it would make a nice subject for a blog, especially because Safari's Preferences prevent it from working by default. Even if it were the ideal accessible CAPTCHA solution, we'd need a miracle for the entire Internet to adopt it.

By Patrick Bouchard on Monday, May 24, 2021 - 18:14

Am I the only one who finds the privacy invasion really problematic? Not only having to enable cross-site cookies, but having to identify yourself as a person with a disability by giving your email address. An entire list of email addresses exclusively belonging to people with disabilities. Why are we generally against being forced or requested to disclose that we have a disability in many public settings but fine with it here?

By PaulMartz on Monday, May 24, 2021 - 18:14

It's definitely an issue.

sending the email is ostensibly part of the process of verifying you're human. And though I didn't bother to read their privacy policy, the notion that I just put myself on some third-party's email list certainly crossed my mind.

It occurs to me that there should, in principal, be no need for a third-party. If Joe Bob's website presents me with a CAPTCHA challenge, Joe Bob's website could issue the accessibility cookie without third-party involvement. Joe Bob's website already has my email address anyway. Would this be a more acceptable implementation, I wonder?