CAPTCHA: Difference between revisions

From Consumer_Action_Taskforce
NDN (talk | contribs)
created page, still needs work
 
Undo revision 12734 by 193.42.99.137 (talk)
Tag: Undo
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
"Completely Automated Public Turing test to tell Computers and Humans Apart" or [[wikipedia:CAPTCHA|CAPTCHA]] was invented in 2000 as a means to deter [[wikipedia:Internet_bot|bots]] and [[wikipedia:Spamming|spam]] on publicly available websites.<ref name=":0">https://phys.org/news/2012-06-captcha-story-squiggly-letters.html</ref>
"Completely Automated Public Turing test to tell Computers and Humans Apart" or [[wikipedia:CAPTCHA|CAPTCHA]] was invented in 2000 as a means to deter [[wikipedia:Internet_bot|bots]] and [[wikipedia:Spamming|spam]] on publicly available websites.<ref name=":0">{{Cite web |last=Burling |first=Stacey |date=15 Jun 2012 |title=CAPTCHA: The story behind those squiggly computer letters |url=https://phys.org/news/2012-06-captcha-story-squiggly-letters.html |website=Phys.org}}</ref>


== Consumer impact ==
==Consumer impact==
<blockquote>"It's an arms race between site owners and spammers; users lose." - Jeremy Elson<ref name=":0" /></blockquote>Overall, CAPTCHA technology has been shown to waste human time with only marginal security improvement.<ref>https://arxiv.org/pdf/2311.10911</ref>{{Citation needed}}  
<blockquote>"It's an arms race between site owners and spammers; users lose." - Jeremy Elson<ref name=":0" /></blockquote>Overall, CAPTCHA technology has been shown to waste human time with only marginal security improvement.<ref name=":12">{{Cite journal |last=Searles |first=Andrew |last2=Prapty |first2=Renascence Tarafder |last3=Tsudik |first3=Gene |date=21 Nov 2023 |title=Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2 |url=https://arxiv.org/pdf/2311.10911 |journal=Preprint}}</ref>{{Citation needed}}  
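Review bot: The new revision of this paragraph keeps {{Citation needed}} directly after the now fully formatted Searles et al. reference, so the sentence is marked as both sourced and unsourced. If the study supports "waste human time with only marginal security improvement", drop the tag; if it does not, state which part of the claim still lacks a source. The Data privacy concerns paragraph has the same leftover tag after the Business Insider citation, and the auto-generated ref name=":12" would be easier to reuse under a descriptive name.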


=== Inaccessibility to humans ===
===Inaccessibility to humans===
The [[wikipedia:World_Wide_Web_Consortium|World Wide Web Consortium]] (W3C) releases a periodic report on the Inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill suited to the purpose of distinguishing human individuals from their robotic impersonators."<ref name=":1">https://www.w3.org/TR/turingtest/</ref>
The [[wikipedia:World_Wide_Web_Consortium|World Wide Web Consortium]] (W3C) releases a periodic report on the Inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill suited to the purpose of distinguishing human individuals from their robotic impersonators."<ref name=":1">{{Cite web |date=16 Dec 2021 |title=Inaccessibility of CAPTCHA |url=https://www.w3.org/TR/turingtest/ |website=W3C}}</ref>


=== Data privacy concerns ===
===Data privacy concerns===
Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.<ref>https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2</ref>{{Citation needed}}
Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.<ref name=":02">{{Cite web |last=O'Reilly |first=Lara |date=20 Feb 2015 |title=Google's new CAPTCHA security login raises 'legitimate privacy concerns' |url=https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |url-status=live |archive-url=https://web.archive.org/web/20150222100003/https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |archive-date=22 Feb 2015 |website=Business Insider}}</ref>{{Citation needed}}


=== Crowdsourcing of labor ===
===Crowdsourcing of labor===
Services such as [[Google|Google's]] [[reCAPTCHA]] have been found to be using human input to perform transcription work or train machine learning models without user consent. In 2015, a class-action lawsuit attempted to argue Google should pay its users for their labor.<ref>https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical</ref>
Services such as [[Google|Google's]] [[reCAPTCHA]] have been found to be using human input to perform transcription work or train machine learning models without user consent. In 2015, a class-action lawsuit attempted to argue Google should pay its users for their labor.<ref>{{Cite web |date=22 Jan 2015 |title=Civil Action No. 15-10160-MGM |url=https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical |website=United States District Court for the District of Massachusetts}}</ref>


== Alternatives ==
==Alternatives==
The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:<ref>https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts</ref>
The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:<ref>{{Cite web |title=Captcha Alternatives and thoughts |url=https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts |website=W3C wiki}}</ref>


# Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
#Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
# Temporary tokens - after a user passes a CAPTCHA, a token is accepted onto the user's device allowing them to use the associated webservice for a fixed amount of time.  
#Temporary tokens - after a user passes a CAPTCHA, a token is accepted onto the user's device allowing them to use the associated webservice for a fixed amount of time.
# Multi-factor authentication - using a pre-arranged secondary device to independently authenticate identity.  
#Multi-factor authentication - using a pre-arranged secondary device to independently authenticate identity.
# Biometric security - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.
#Biometric security - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.


<blockquote>"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g.,/ if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C<ref name=":1" /></blockquote>
<blockquote>"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g.,/ if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C<ref name=":1" /></blockquote>
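Review bot: The W3C quotation still reads "e.g.,/ if a honeypot suffices" in the new revision, with the stray slash after "e.g.," carried over unchanged. Check the wording against the cited W3C note and remove the slash if it is a transcription error.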


== See also ==
==See also==


* [[DataDome]]
*[[DataDome]]
* [[hCAPTCHA]]
*[[hCAPTCHA]]
* [[Privacy Pass]]
*[[Privacy Pass]]
* [[reCAPTCHA]]
*[[reCAPTCHA]]


== References ==
==References==
<references />
<references />
[[Category:Articles in need of additional work]]
[[Category:Articles in need of additional work]]
[[Category:CAPTCHA]]
[[Category:CAPTCHA]]
[[Category:Data Collection]]
[[Category:Data collection]]

Latest revision as of 04:41, 17 April 2025

"Completely Automated Public Turing test to tell Computers and Humans Apart" or CAPTCHA was invented in 2000 as a means to deter bots and spam on publicly available websites.[1]

Consumer impact

"It's an arms race between site owners and spammers; users lose." - Jeremy Elson[1]

Overall, CAPTCHA technology has been shown to waste human time with only marginal security improvement.[2][citation needed]

Inaccessibility to humans

The World Wide Web Consortium (W3C) releases a periodic report on the Inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill suited to the purpose of distinguishing human individuals from their robotic impersonators."[3]

Data privacy concerns

Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.[4][citation needed]

Crowdsourcing of labor

Services such as Google's reCAPTCHA have been found to be using human input to perform transcription work or train machine learning models without user consent. In 2015, a class-action lawsuit attempted to argue Google should pay its users for their labor.[5]

Alternatives

The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:[6]

  1. Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
  2. Temporary tokens - after a user passes a CAPTCHA, a token is accepted onto the user's device allowing them to use the associated webservice for a fixed amount of time.
  3. Multi-factor authentication - using a pre-arranged secondary device to independently authenticate identity.
  4. Biometric security - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.

"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g., if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C[3]
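
The honeypot check and the temporary token from items 1 and 2 above, combined in one server-side decision, as an added example (not code from the W3C or from this wiki). The field name `website`, the signing key and the 15-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed values for illustration; none of them come from the W3C text.
HONEYPOT_FIELD = "website"      # hidden, off-screen input that humans never fill in
TOKEN_TTL_SECONDS = 15 * 60     # the "fixed amount of time" a passed check stays valid
SECRET_KEY = b"replace-with-a-random-server-side-key"


def _sign(session_id: str, expiry: int) -> str:
    return hmac.new(SECRET_KEY, f"{session_id}|{expiry}".encode(), hashlib.sha256).hexdigest()


def is_probable_bot(form: dict) -> bool:
    """Honeypot check: any content in the hidden field marks the post as automated."""
    return bool(str(form.get(HONEYPOT_FIELD, "")).strip())


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Return 'expiry.signature', binding the pass to one session and an expiry time."""
    expiry = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    return f"{expiry}.{_sign(session_id, expiry)}"


def token_is_valid(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """Accept only an unexpired token whose signature matches this session."""
    try:
        expiry_text, sig = token.split(".", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False                      # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(session_id, expiry).encode()):
        return False                      # forged, or issued to another session
    return (now if now is not None else time.time()) < expiry


def handle_submission(form: dict, session_id: str, token: Optional[str],
                      now: Optional[float] = None) -> str:
    """Decide what to do with a form post: 'reject', 'accept' or 'challenge'."""
    if is_probable_bot(form):
        return "reject"                   # honeypot tripped
    if token and token_is_valid(token, session_id, now):
        return "accept"                   # still inside the token window
    return "challenge"                    # no valid pass: ask for a stronger check
```

Browser autofill and screen readers can reach an off-screen field, so the hidden input should also be excluded from tab order, autocomplete and assistive technology, or legitimate users will trip the honeypot.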

See also

  * DataDome
  * hCAPTCHA
  * Privacy Pass
  * reCAPTCHA

References

  1. Burling, Stacey (15 Jun 2012). "CAPTCHA: The story behind those squiggly computer letters". Phys.org.
  2. Searles, Andrew; Prapty, Renascence Tarafder; Tsudik, Gene (21 Nov 2023). "Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2". Preprint.
  3. "Inaccessibility of CAPTCHA". W3C. 16 Dec 2021.
  4. O'Reilly, Lara (20 Feb 2015). "Google's new CAPTCHA security login raises 'legitimate privacy concerns'". Business Insider. Archived from the original on 22 Feb 2015.
  5. "Civil Action No. 15-10160-MGM". United States District Court for the District of Massachusetts. 22 Jan 2015.
  6. "Captcha Alternatives and thoughts". W3C wiki.