
CAPTCHA: Difference between revisions

From Consumer Rights Wiki
Cunningcoder (talk | contribs)
Add to overview section.
Andrew V (talk | contribs)
 
(3 intermediate revisions by 2 users not shown)
Line 3: Line 3:
|Category=
|Category=
|Company=
|Company=
|Description=
|InProduction=
|InProduction=
|Logo=
|Logo=
|ProductLine=
|ProductLine=
|ReleaseYear=
|ReleaseYear=2000
|Website=
|Website=
}} '''Completely Automated Public Turing test to tell Computers and Humans Apart''' or [[wikipedia:CAPTCHA|CAPTCHA]] was invented in 2000 as a means to deter [[wikipedia:Internet_bot|bots]] and [[wikipedia:Spamming|spam]] on publicly available websites.<ref name=":0">{{Cite web |last=Burling |first=Stacey |date=15 Jun 2012 |title=CAPTCHA: The story behind those squiggly computer letters |url=https://phys.org/news/2012-06-captcha-story-squiggly-letters.html |url-status=usurped |archive-url=https://web.archive.org/web/20120617130133/https://m.phys.org/news/2012-06-captcha-story-squiggly-letters.html |archive-date=17 Jun 2012 |website=Phys.org}}</ref> CAPTCHA tests aim to confirm that the visitor of a website or service is human, usually by presenting a challenge which humans can solve easily, but computer programs cannot. Primary CAPTCHAs used today are [[Google]]'s [[reCAPTCHA]] and hCaptcha.
|Description=CAPTCHA is an interactive authentication system to deter Internet bots and spamming. Its efficacy is debatable, with concerns regarding privacy and accessibility.
}}


==Consumer impact==
'''Completely Automated Public Turing test to tell Computers and Humans Apart''' or {{Wplink|CAPTCHA}} was invented in 2000 as a means to deter {{Wplink|Internet bot|bots}} and spam on publicly available websites.<ref name=":0">{{Cite web |last=Burling |first=Stacey |title=CAPTCHA: The story behind those squiggly computer letters |url=https://phys.org/news/2012-06-captcha-story-squiggly-letters.html |website=Phys.org |date=15 Jun 2012 |access-date= |url-status=usurped |archive-url=https://web.archive.org/web/20120617130133/https://m.phys.org/news/2012-06-captcha-story-squiggly-letters.html |archive-date=17 Jun 2012}}</ref> CAPTCHA tests aim to confirm that the visitor of a website or service is human, usually by presenting a challenge which humans can solve easily, but computer programs cannot. Primary CAPTCHAs used today are [[Google]]'s [[reCAPTCHA]] and hCaptcha.
<blockquote>"It's an arms race between site owners and spammers; users lose." - Jeremy Elson<ref name=":0" /></blockquote>Overall, CAPTCHA technology has been shown to waste human time with only marginal security improvement.<ref name=":12">{{Cite journal |last=Searles |first=Andrew |last2=Prapty |first2=Renascence Tarafder |last3=Tsudik |first3=Gene |date=21 Nov 2023 |title=Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2 |url=https://arxiv.org/pdf/2311.10911 |journal=Preprint}}</ref>{{Citation needed}}  
 
==Consumer impact summary==
<blockquote>"It's an arms race between site owners and spammers; users lose." - Jeremy Elson<ref name=":0" /></blockquote>
 
According to a study by Searles et al., "...it can be concluded that reCAPTCHAv2 presents no real security.".<ref name=":12">{{Cite journal |last=Searles |first=Andrew |last2=Prapty |first2=Renascence Tarafder |last3=Tsudik |first3=Gene |date=21 Nov 2023 |title=Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2 |url=https://arxiv.org/pdf/2311.10911 |journal=Preprint}}</ref> Datadome found that half of passed CAPTCHAs were completed by bots.<ref>{{Cite web |last=Tester |first=Paige |date=18 July 2022 |title=50% of passed reCAPTCHAs are completed by bots? |url=https://datadome.co/bot-management-protection/50-passed-recaptchas-completed-by-bots/ |url-status=live |archive-url=https://web.archive.org/web/20260219130955/https://datadome.co/bot-management-protection/50-passed-recaptchas-completed-by-bots/ |archive-date=19 Feb 2026 |access-date=9 Apr 2026 |website=DataDome}}</ref> In response, the latest CAPTCHAs are using aggregated data of browsing history to rate a user's "humanness", presenting concerns around tracking and privacy.<ref>{{Cite web |date=9 April 2026 |title=How CAPTCHAs work {{!}} What does CAPTCHA mean? |url=https://www.cloudflare.com/learning/bots/how-captchas-work/ |url-status=live |archive-url=https://web.archive.org/web/20260401170306/https://www.cloudflare.com/learning/bots/how-captchas-work/ |archive-date=1 April 2026 |access-date=9 April 2026 |website=Cloudflare}}</ref>


===Accessibility===
===Accessibility===
The [[wikipedia:World_Wide_Web_Consortium|World Wide Web Consortium]] (W3C) releases a periodic report on the Inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill suited to the purpose of distinguishing human individuals from their robotic impersonators."<ref name=":1">{{Cite web |date=16 Dec 2021 |title=Inaccessibility of CAPTCHA |url=https://www.w3.org/TR/turingtest/ |url-status=live |archive-url=https://web.archive.org/web/20211216162624/https://www.w3.org/TR/turingtest/ |archive-date=16 Dec 2021 |website=W3C}}</ref> It is important for websites to be able to keep unwanted bots from accessing their sites, however CAPTCHA may not be the best way to do so.
The {{Wplink|World Wide Web Consortium|World Wide Web Consortium}} (W3C) releases a periodic report on the inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill-suited to the purpose of distinguishing human individuals from their robotic impersonators."<ref name=":1">{{Cite web |last1=Hollier |first1=Scott |last2=Sajka |first2=Janina |last3=White |first3=Jason |last4=Cooper |first4=Michael |last5=May |first5=Matt |display-authors=2 |title=Inaccessibility of CAPTCHA |url=https://www.w3.org/TR/turingtest/ |website=W3C |date=16 Dec 2021 |access-date=8 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20211216162624/https://www.w3.org/TR/turingtest/ |archive-date=16 Dec 2021}}</ref> It is important for websites to be able to keep unwanted bots from accessing their sites, however CAPTCHA may not be the best way to do so.


===Data privacy concerns===
===Data privacy concerns===
Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.<ref name=":02">{{Cite web |last=O'Reilly |first=Lara |date=20 Feb 2015 |title=Google's new CAPTCHA security login raises 'legitimate privacy concerns' |url=https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |url-status=live |archive-url=https://web.archive.org/web/20150222100003/https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |archive-date=22 Feb 2015 |website=Business Insider}}</ref>{{Citation needed}}
Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.<ref name=":02">{{Cite web |last=O'Reilly |first=Lara |title=Google's new CAPTCHA security login raises 'legitimate privacy concerns' |url=https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |website=Business Insider |date=20 Feb 2015 |access-date=8 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20150222100003/https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |archive-date=22 Feb 2015}}</ref>


===Crowdsourcing of labor===
===Crowdsourcing of labor===
Services such as [[Google|Google's]] [[reCAPTCHA]] have been found to be using human input to perform transcription work or train machine learning models without user consent. In 2015, a class-action lawsuit attempted to argue Google should pay its users for their labor.<ref>{{Cite web |date=22 Jan 2015 |title=Civil Action No. 15-10160-MGM |url=https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical |url-status=live |archive-url=https://web.archive.org/web/20160209093438/https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical |archive-date=2016-02-09 |website=United States District Court for the District of Massachusetts}}</ref>
Services such as [[Google]]'s [[reCAPTCHA]] have been found to be using human input to perform transcription work or train machine-learning models without user consent. On 22 January 2015, a Massachusetts class-action lawsuit attempted to argue Google should pay its users for their labor.<ref>{{Cite web |last1=Shapiro |first1=Thomas G. |last2=Vallely |first2=Patrick J. |title=''Rojas-Lozano v. Google Inc.'' (3:15-cv-10160) |url=https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical |website=Santa Clara University School of Law Digital Commons |date=22 Jan 2015 |access-date=8 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20160209093438/https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical |archive-date=9 Feb 2016}}</ref> Google's motion to transfer the case to the Northern District of California was granted 12 August 2015,<ref>{{Cite web |last=Mastroianni |first=Mark G. |title=''Rojas-Lozano v. Google Inc.'' (3:15-cv-10160) |url=https://www.courtlistener.com/docket/5127913/31/rojas-lozano-v-google-inc/ |website=Court Listener |date=12 Aug 2015 |access-date=8 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20260409000656/https://www.courtlistener.com/docket/5127913/31/rojas-lozano-v-google-inc/ |archive-date=9 Apr 2026}}</ref> where it was dismissed on 3 February 2016.<ref>{{Cite web |last=Corley |first=Jacqueline Scott |title=''Rojas-Lozano v. Google, Inc.'' (15-cv-03751-JSC) |url=https://www.courtlistener.com/opinion/7318166/rojas-lozano-v-google-inc/ |website=Court Listener |date=3 Feb 2016 |access-date=8 Apr 2026 |url-status=live |archive-url=https://megalodon.jp/2026-0409-0933-59/https://www.courtlistener.com:443/opinion/7318166/rojas-lozano-v-google-inc/ |archive-date=9 Apr 2016}}</ref>


==Alternatives==
==Alternatives==
The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:<ref>{{Cite web |title=Captcha Alternatives and thoughts |url=https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts |website=W3C wiki}}</ref>
The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:<ref>{{Cite web |author= |title=Captcha Alternatives and thoughts |url=https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts |website=W3C wiki |date= |access-date=8 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20250903080807/https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts |archive-date=3 Sep 2025}}</ref>


#Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
#Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
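Review bot: In the Corley citation on the revised "Crowdsourcing of labor" line, archive-date=9 Apr 2016 does not match its archive-url, whose megalodon.jp path begins 2026-0409; the date should presumably read 9 Apr 2026. The Cloudflare citation in the summary paragraph has a similar slip: date=9 April 2026 is later than its archive-date of 1 April 2026, so the access date appears to have been entered as the publication date. The summary sentence also says DataDome found half of passed "CAPTCHAs" were completed by bots, while the cited title refers to reCAPTCHAs and is phrased as a question; the wording should match the scope of the source. Finally, the Searles quotation ends with a doubled full stop (security.".) that should be reduced to one.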
Line 31: Line 35:
#[[Biometric authentication]] - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.
#[[Biometric authentication]] - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.


<blockquote>"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g.,/ if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C<ref name=":1" /></blockquote>
<blockquote>"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g., if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C<ref name=":1" /></blockquote>


==See also==
==See also==
*[[DataDome]]
*[[DataDome]]
*[[hCAPTCHA]]
*[[hCAPTCHA]]
Line 41: Line 44:


==References==
==References==
<references />
{{Reflist}}


[[Category:Articles in need of additional work]]
[[Category:{{PAGENAME}}]]
[[Category:CAPTCHA]]
[[Category:Data collection]]
[[Category:Data collection]]
[[Category:Common terms]]
[[Category:Common terms]]

Latest revision as of 17:44, 9 April 2026

CAPTCHA
Basic Information
Release Year: 2000


Completely Automated Public Turing test to tell Computers and Humans Apart or CAPTCHA was invented in 2000 as a means to deter bots and spam on publicly available websites.[1] CAPTCHA tests aim to confirm that the visitor of a website or service is human, usually by presenting a challenge which humans can solve easily, but computer programs cannot. Primary CAPTCHAs used today are Google's reCAPTCHA and hCaptcha.

Consumer impact summary


"It's an arms race between site owners and spammers; users lose." - Jeremy Elson[1]

According to a study by Searles et al., "...it can be concluded that reCAPTCHAv2 presents no real security."[2] DataDome found that half of passed CAPTCHAs were completed by bots.[3] In response, the latest CAPTCHAs use aggregated browsing-history data to rate a user's "humanness", which raises concerns around tracking and privacy.[4]

Accessibility


The World Wide Web Consortium (W3C) releases a periodic report on the inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill-suited to the purpose of distinguishing human individuals from their robotic impersonators."[5] It is important for websites to be able to keep unwanted bots from accessing their sites; however, CAPTCHA may not be the best way to do so.

Data privacy concerns


Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.[6]

Crowdsourcing of labor


Services such as Google's reCAPTCHA have been found to be using human input to perform transcription work or train machine-learning models without user consent. On 22 January 2015, a Massachusetts class-action lawsuit attempted to argue that Google should pay its users for their labor.[7] Google's motion to transfer the case to the Northern District of California was granted on 12 August 2015,[8] where it was dismissed on 3 February 2016.[9]

Alternatives


The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:[10]

  1. Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
  2. Temporary tokens - after a user passes a CAPTCHA, a token is accepted onto the user's device, allowing them to use the associated web service for a fixed amount of time.
  3. Multi-factor authentication - using a pre-arranged secondary device to independently authenticate identity.
  4. Biometric authentication - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.

"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g., if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C[5]
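
A server-side sketch of the first two alternatives above, the honeypot field and the temporary token. This is an added example, not code from the W3C or from this wiki; the form markup, field names, secret and lifetime are constructed assumptions, and the token here is issued after a clean honeypot check rather than after a CAPTCHA.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed form markup: "website" is the honeypot, positioned off screen so
# a human never fills it in. All names and values here are assumptions.
FORM_HTML = """<form method="post" action="/comment">
  <input name="email"> <textarea name="message"></textarea>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <input name="website" tabindex="-1" autocomplete="off">
  </div>
</form>"""
HONEYPOT_FIELD = "website"
SECRET = b"constructed-demo-key"  # placeholder; load a real secret server-side
TOKEN_LIFETIME = 3600             # seconds a passed check stays valid


def is_automated(body: str) -> bool:
    """True when the hidden honeypot field arrived with any content."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(v.strip() for v in fields.get(HONEYPOT_FIELD, []))


def _mac(session_id: str, expires: str) -> bytes:
    msg = f"{session_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str, now: float) -> str:
    """Temporary token: expiry time plus an HMAC binding it to the session."""
    expires = str(int(now) + TOKEN_LIFETIME)
    return f"{expires}.{_mac(session_id, expires).decode()}"


def token_valid(token: str, session_id: str, now: float) -> bool:
    """Accept only an unexpired token whose HMAC matches this session."""
    expires, _, digest = token.partition(".")
    if not (expires.isascii() and expires.isdigit()) or int(expires) < now:
        return False
    return hmac.compare_digest(_mac(session_id, expires), digest.encode())


def handle_submission(body: str, session_id: str, token: str, now: float):
    """Return (accepted, token). A valid token skips the check until it expires."""
    if token and token_valid(token, session_id, now):
        return True, token
    if is_automated(body):
        return False, None  # drop quietly and log server-side
    return True, issue_token(session_id, now)
```

A client that omits the hidden field, or that renders the CSS and skips off-screen inputs, passes `is_automated`, which is why the W3C quote above ties the honeypot to escalation once there is evidence of robotic attacks.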

See also


References

  1. Burling, Stacey (15 Jun 2012). "CAPTCHA: The story behind those squiggly computer letters". Phys.org. Archived from the original on 17 Jun 2012.
  2. Searles, Andrew; Prapty, Renascence Tarafder; Tsudik, Gene (21 Nov 2023). "Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2". Preprint.
  3. Tester, Paige (18 July 2022). "50% of passed reCAPTCHAs are completed by bots?". DataDome. Archived from the original on 19 Feb 2026. Retrieved 9 Apr 2026.
  4. "How CAPTCHAs work | What does CAPTCHA mean?". Cloudflare. 9 April 2026. Archived from the original on 1 April 2026. Retrieved 9 April 2026.
  5. Hollier, Scott; Sajka, Janina; et al. (16 Dec 2021). "Inaccessibility of CAPTCHA". W3C. Archived from the original on 16 Dec 2021. Retrieved 8 Apr 2026.
  6. O'Reilly, Lara (20 Feb 2015). "Google's new CAPTCHA security login raises 'legitimate privacy concerns'". Business Insider. Archived from the original on 22 Feb 2015. Retrieved 8 Apr 2026.
  7. Shapiro, Thomas G.; Vallely, Patrick J. (22 Jan 2015). "Rojas-Lozano v. Google Inc. (3:15-cv-10160)". Santa Clara University School of Law Digital Commons. Archived from the original on 9 Feb 2016. Retrieved 8 Apr 2026.
  8. Mastroianni, Mark G. (12 Aug 2015). "Rojas-Lozano v. Google Inc. (3:15-cv-10160)". Court Listener. Archived from the original on 9 Apr 2026. Retrieved 8 Apr 2026.
  9. Corley, Jacqueline Scott (3 Feb 2016). "Rojas-Lozano v. Google, Inc. (15-cv-03751-JSC)". Court Listener. Archived from the original on 9 Apr 2016. Retrieved 8 Apr 2026.
  10. "Captcha Alternatives and thoughts". W3C wiki. Archived from the original on 3 Sep 2025. Retrieved 8 Apr 2026.