Completely Automated Public Turing test to Tell Computers and Humans Apart (CAPTCHA) is a technique that attempts to differentiate between humans and machines on ability alone. Whether it's sensory, mobility, or cognitive ability, testing the user's ability will always create barriers that are insurmountable to some people, particularly when you consider that many people with sensory impairments rely on machines, such as screen readers, to overcome those impairments.
What online services that attempt to protect their resources actually want to know isn't the ability of the person at the other end of the connection, but whether or not they are trustworthy. This article looks at social networking to see if the problem of trustworthiness can be solved without relying on the user's ability.
Author: Gez Lemon
Many thanks to Roberto Castaldo for providing an Italian version of this article.
- Why CAPTCHA Fails
- Social Networking Web Service
Why CAPTCHA Fails
Websites that want to protect resources often use a CAPTCHA to prevent robots from abusing their services (see the Web Accessibility Initiative's report on the inaccessibility of CAPTCHA). They attempt to distinguish between humans and robots by testing for ability, such as requiring a human to be able to distinguish letters in a distorted image, or words from distorted sound files. The distortion is required because the robots used to try to break these defences have sophisticated recognition algorithms, and often have better success than humans in deciphering the challenges.
Multiple CAPTCHA Tests
Recognising that CAPTCHA has serious accessibility problems, some companies employ more than one method, such as a visual CAPTCHA and an auditory CAPTCHA. Although this solution is better than a single method of checking the user's ability, it fails to recognise that it's common for people to have more than one disability. Older people in particular are unlikely to be able to use a service that distinguishes humans from machines by sensory ability alone, as sensory abilities in humans diminish over time, but those of robots do not.
Some services go so far as to ask questions that are intended to be incredibly simple for humans, but difficult for a computer. An example might be, "what colour is an orange?" along with an edit box for the user to provide their answer. On the surface, this seems quite a reasonable approach, but free-format text does cause problems for people with cognitive disabilities, as well as for visitors who aren't native speakers of the natural language of the web page. Questions that have to remain simple also follow obvious patterns, and are relatively easy for a robot to crack.
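To illustrate why a small pool of simple questions offers little protection, here is a hypothetical sketch of how a robot could defeat such a test with nothing more than a lookup table. The questions and answers are invented for illustration; a real attacker would harvest them simply by observing the service.

```python
# Hypothetical sketch: a robot defeating a small pool of "human-only"
# questions with a lookup table. Questions and answers are invented
# for illustration only.
KNOWN_ANSWERS = {
    "what colour is an orange?": "orange",
    "how many legs does a dog have?": "4",
    "what colour is the sky?": "blue",
}

def robot_answer(question):
    # Normalise the question, then look it up. Because the pool of
    # questions must stay small and simple, it is quickly exhausted.
    return KNOWN_ANSWERS.get(question.strip().lower())

print(robot_answer("What colour is an orange?"))  # prints "orange"
```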
Obscurity as a means of Defence
Another technique that is surprisingly popular is obscurity. Although obscurity could never be considered a serious defence against an online attack, these types of techniques usually receive a lot of attention because they appear successful at a glance. Their success is usually short-lived once the technique gains enough attention, because by their very nature they're incredibly simple to crack. Despite being simple to crack, these techniques generally require the user to jump through all kinds of hoops in order to use the service.
If the service you are providing isn't in high demand, then obscurity will afford a limited amount of success. If someone wants to use your service, obscurity is about as effective as a saucepan made of chocolate.
Personally, I think developers who have looked into distinguishing humans from machines aren't asking the right questions. A service attempting to protect its resources doesn't really need to know what capabilities whoever, or whatever, is at the other end of the connection has; it needs to know whether or not they can be trusted. Testing for ability is not the same thing as testing for trustworthiness. Unfortunately, trustworthiness is a difficult trait to test.
Social Networking Web Service
One possibility would be to use some kind of social networking web service that worked on an invitation-only basis, based on the six degrees of separation theory. For example, an invitation-only service might reward points to people who have shown themselves to be trustworthy. Organisations that use the web service ping the service with the user's unique id (not attached to any personal data), and receive a calculated score of the user's trustworthiness based on the services that person has used. At first, the person may only have limited access to sites that don't require much security, but in time, the user could become known as trustworthy online, which in turn allows them greater access to other online services. A User table would hold each person's unique id and their accumulated score.
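A minimal sketch of the idea in Python might look as follows. The field names and the score lookup are assumptions for illustration, not an actual schema.

```python
# Hypothetical sketch of the User table and the score lookup a
# service provider would perform; field names are assumptions.
from dataclasses import dataclass

@dataclass
class User:
    user_id: str          # opaque id, not attached to personal data
    score: int = 0        # accumulated trustworthiness points
    can_recommend: bool = True

USERS = {}  # in a real web service, this would be a database table

def trust_score(user_id):
    """What a provider receives when it pings the web service
    with a user's unique id."""
    user = USERS.get(user_id)
    return user.score if user else None

USERS["abc-123"] = User("abc-123", score=42)
print(trust_score("abc-123"))  # prints 42
```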
As the system is based on recommendations, it has a tree-like structure. If someone abuses that trust, they should become known as untrustworthy, and being offered through an online service has the benefit of making that information available to everyone immediately. Anyone recommended by the person in question, along with the person who originally recommended them, could be identified in the event of untrustworthy behaviour, based on heuristics determined from a history table. If someone in a branch is untrustworthy, everyone in that branch could have their ability to recommend removed up to a core level in the branch. This would ensure that people were particular about who they recommended, as there would be a penalty for recommending someone who turned out to be unsociable. A UserHistory table would record this behaviour over time.
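The recommendation tree and the branch penalty could be sketched as follows. This is a minimal illustration under assumed names; how far up the branch the penalty reaches would be a policy decision.

```python
# Hypothetical sketch of the recommendation tree and branch penalty;
# class and attribute names are assumptions for illustration.
class Member:
    def __init__(self, user_id, recommended_by=None):
        self.user_id = user_id
        self.recommended_by = recommended_by  # parent in the tree
        self.can_recommend = True
        self.trustworthy = True

def report_abuse(member, levels_up=1):
    """Mark a member untrustworthy and suspend recommendation
    rights up the branch, so recommenders share the penalty."""
    member.trustworthy = False
    node = member
    for _ in range(levels_up + 1):
        if node is None:
            break
        node.can_recommend = False
        node = node.recommended_by

# Usage: root recommends a, a recommends b; b then misbehaves.
root = Member("root")
a = Member("a", recommended_by=root)
b = Member("b", recommended_by=a)
report_abuse(b, levels_up=1)
# b and a lose recommendation rights; root, at the core level, keeps its rights
```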
The service would also need to maintain a list of organisations providing online services that were eligible to give feedback on people's behaviour, to avoid malicious attempts to discredit someone's trustworthiness. If a service provider reports someone as being unsociable, but that report is unfounded, the service provider could continue to use the service, but would no longer be able to report anti-social behaviour.
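The eligibility rule could be sketched like this. The provider ids and return values are invented for illustration; how a report is judged founded or unfounded is left open.

```python
# Hypothetical sketch of the eligible-reporter rule: only vetted
# providers may report anti-social behaviour, and an unfounded
# report costs the provider that privilege. Ids are invented.
ELIGIBLE_REPORTERS = {"forum-1", "shop-2"}

def handle_report(service_id, founded):
    if service_id not in ELIGIBLE_REPORTERS:
        return "report ignored"
    if not founded:
        # The provider keeps using the service, but loses the
        # right to report anti-social behaviour.
        ELIGIBLE_REPORTERS.discard(service_id)
        return "reporting rights revoked"
    return "report accepted"
```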
To help with heuristics, a Usage table would track users against services, including any reported incidents.
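A minimal sketch of such a Usage table, with column names assumed for illustration, might be:

```python
# Hypothetical Usage table linking users to services, with any
# reported incidents attached; names are assumptions.
from dataclasses import dataclass, field

@dataclass
class UsageRecord:
    user_id: str
    service_id: str
    incidents: list = field(default_factory=list)

USAGE = []  # one record per user/service pair

def report_incident(user_id, service_id, description):
    # Find or create the usage record, then attach the incident,
    # giving the heuristics a per-service history to draw on.
    for rec in USAGE:
        if rec.user_id == user_id and rec.service_id == service_id:
            rec.incidents.append(description)
            return rec
    rec = UsageRecord(user_id, service_id, [description])
    USAGE.append(rec)
    return rec

report_incident("abc-123", "forum-1", "spam posting")
```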
Entity Relationship Diagram
The User table relates to zero or more UserHistory records. Both the User table and the Service table relate to zero or more Usage records.
There would be a lot of work required to make this foolproof, and it would also take time to establish a trustworthy community, but I think a web service based on social networking is a far more reasonable approach than testing a person's ability, and it respects the user's privacy online. Current CAPTCHA techniques test the user's ability, which will always cause insurmountable problems for some users; that cannot be ignored.