Jump to content

CAPTCHA

From Consumer_Action_Taskforce
Revision as of 23:05, 14 February 2025 by NDN (talk | contribs) (created page, still needs work)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

"Completely Automated Public Turing test to tell Computers and Humans Apart" or CAPTCHA was invented in 2000 as a means to deter bots and spam on publicly available websites.[1]

Consumer impact

"It's an arms race between site owners and spammers; users lose." - Jeremy Elson[1]

Overall, CAPTCHA technology has been shown to waste human time with only marginal security improvement.[2][citation needed]

Inaccessibility to humans

The World Wide Web Consortium (W3C) releases a periodic report on the Inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill suited to the purpose of distinguishing human individuals from their robotic impersonators."[3]

Data privacy concerns

Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.[4][citation needed]

Crowdsourcing of labor

Services such as Google's reCAPTCHA have been found to be using human input to perform transcription work or train machine learning models without user consent. In 2015, a class-action lawsuit attempted to argue Google should pay its users for their labor.[5]

Alternatives

The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:[6]

  1. Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
  2. Temporary tokens - after a user passes a CAPTCHA, a token is accepted onto the user's device allowing them to use the associated webservice for a fixed amount of time.
  3. Multi-factor authentication - using a pre-arranged secondary device to independently authenticate identity.
  4. Biometric security - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.

"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g.,/ if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C[3]

See also

References

  1. 1.0 1.1 https://phys.org/news/2012-06-captcha-story-squiggly-letters.html
  2. https://arxiv.org/pdf/2311.10911
  3. 3.0 3.1 https://www.w3.org/TR/turingtest/
  4. https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2
  5. https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical
  6. https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts
Retrieved from "https://consumerrights.wiki/index.php?title=CAPTCHA&oldid=8955"