Prove Your Humanity
It’s time to log in to the system to do the thing. Alongside the area to enter your credentials is a box with a logo: “Prove you’re human.”
Oh great, you think, not again. What’s it going to be this time?
Maybe you’ll be asked to click the images of birds, and somehow fail because one of the things that looked like a bird, well, wasn’t. Maybe you’ll be asked to click the squares containing traffic lights and have to judge individual pixels. Maybe there are images behind the letters, or the text is so warped you can’t read it. Maybe you have vision issues and need to use the aural equivalent, but are in a noisy environment and can’t hear it. Maybe it’ll just keep sending you new things.
You’ve wasted five minutes, and your blood pressure is up. Maybe it’s time to install a browser extension.
Whatever the excuse, forcing people to complete a CAPTCHA is simply dehumanizing. There are many problems with them: they are fundamentally inaccessible, many require cultural intelligence (deliberately, inadvertently, or nonsensically) or are incredibly difficult or obtuse, and they are ethically questionable, as you’re providing free labor to train algorithms.
Adding injury to insult, they’re also ineffective.
“What?!? CAPTCHAs are the only thing stopping the onslaught of nefarious attackers against our system!” you might say. Are they, though? Jason Scott of the Internet Archive argues that robots.txt is a suicide note, a “stopgap fix for a temporary problem, a problem that has long, long since been solved”, because it relies on adversaries playing nice. In much the same way, a CAPTCHA is a stopgap fix that signals you’re not taking the problem of automated use seriously.
While the cutting edge uses machine learning to solve CAPTCHAs, a technique that has been around for longer is to automate the involvement of humans using something like Mechanical Turk. But why go to all that trouble when there are specific services for this already?
If you think this is a new thing, I can assure you it’s not: one of the first projects of my career — in the mid 2000s — involved automating scraping interactions for a very large company. If we encountered a CAPTCHA (they were still somewhat novel back then), the client had a service we could send an image to, and we’d get a response back within about 20–30 seconds. They weren’t using machine learning, they weren’t using Mechanical Turk — those things didn’t exist yet. Instead they presented the CAPTCHAs we needed solved to their own numerous website visitors and returned the response.
If you are serious about stopping automated uses of your system, there are better methods which are beyond the scope of this series. Your use of a CAPTCHA accomplishes exactly three things:
- Broadcasting to parties wishing to automate use of your system that since you consider this method worth the frustration cost, you probably haven’t invested in more effective techniques.
- Providing free labor to train machine learning models.
- Making the people using your site incredibly frustrated.
It is long past time for the CAPTCHA to die. If you are using them as part of your authentication process, you are doing a disservice to the world.