November 5, 2011
Not The Blog Post I Was Going To Write Today
This was not the blog post I was going to write today. That post was going to be about my experiences this past week at the W3C Technical Plenary (TPAC). That one still needs to be written, but as is often the case, my blog writing is usually triggered by something I am confronted with on the web, and something I need to just get out there.
In other words, another JF rant.
Today, I am setting my sights squarely on what has got to be one of the most stupid and evil things I’ve encountered on the web in a very long time: 4D Captchas. Seriously?
The user-pain inflicted by CAPTCHAs on persons with disabilities are well known and documented. Not only are CAPTCHAs impossible to decipher for non-visual users (the entire premise of CAPTCHAS is that you can see something that a computer cannot), but they also are difficult-to-impossible for users with cognitive disabilities, low-vision users, your Mom, my Dad and very often you and me. Their usefulness in adding any level of security has been shown to be negligible (the Vappic 4D blog post confirms that current 2D CAPTCHAs are being cracked for $0.80 per thousand), and the pain-to-value proposition to your users is often too high: there is one thing to set some form of door-check to your site, but a huge sign that screams go stuff yourself is hardly a smooth business move. To be actively seeking to try and harden CAPTCHAs is a mind-boggling waste of effort that will only add more pain to end users, and will be as easy to crack as “save image as animated GIF, decipher, and then enter against the input” – oh sure, it might drive the price of CAPTCHA cracking from 1000 for eighty cents to 1000 for a buck-five but so what, this is not going to stop CAPTCHA crackers from doing this work: these are usually poorly paid Third-world workers who are thankful for the work and the 2 or 3 dollars a day they get for doing this.
Let’s be perfectly clear: we need to do everything we can to discourage site owners from using CAPTCHAs. There are many other solutions users can deploy besides using CAPTCHAs to keep blog-spam to a minimum (the most common use-case), and if you really are going to subject your users to the pain of filling out a CAPTCHA to simply post a comment on your blog, you may as well just not bother seeking comment feedback. At Stanford, where I work, most web developers on campus know that if you use a CAPTCHA on your site I will personally walk over to your office and smack you – quite literally (OK, maybe not, but I’m on record for saying that). Sadly, on the web this doesn’t scale.
But let’s use the scale of the web to tell VAPPIC 4D to shelve this lousy idea, and now. The developer of this little bit of misery (an ex-Google employee no less – he should know better) has posted his email address (firstname.lastname@example.org) and so one thing you can do is write this guy and give him some appropriate type of feedback on this project: I’m not advocating an email equivalent of a DOS attack, but hearing from tens or hundreds or even thousands of end users encouraging him to go pursue another type of project might get his attention. (So feel free to pass this idea on)
Death to CAPTCHAs – do your part.
Addendum: Ruth Ellison pointed out yet another horrible CAPTCHA example at MotionCAPTCHA where this one shuts out both users who are visually disabled, as well as users who are mobility impaired. Wonderful!!
I want to tie this developer’s hands behind his back and punch him in the eyes, but instead, because he doesn’t seem to have a public email address, I’ll post his twitter handle and you can tell him you thoughts that way: @josscrowcroft, or use his web-site comment form at http://www.josscrowcroft.com/contact/.