17.1.06

The Usability And Accessibility Problems With CAPTCHA

I’d never considered this problem before as anything other than a frustrated user. And that’s why working in usability and customer experience gives you a different outlook on problems to just wandering the web passing comment.

Then a few months ago I (like many others) started experiencing problems on this blog. Rogue comments were appearing, I was getting fed up with being spammed and I turned to Blogger for help. They recommended I turn on the verification feature whereby users have to complete a challenge-response question based on a distorted image above it. And I did, and the rogue comments have been almost stopped.

The ‘almost’ comment is very important because it means it hasn’t fixed it. The common belief is that it solves 95% of the problem.

This CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) system is designed to ensure that only humans are completing forms online. Apparently it’s a simple process to develop a program (internet bot) that automatically completes and submits forms, and these are used to abuse this functionality on a range of sites. Blog comments are one target; insurance quotes are another, along with loan applications, search engines, online banking and so on. These malicious scripts can then pass data back in an attempt to work out insurance ratings or banking passwords, or even set up thousands of free email accounts to send spam with.

The problem for the user is that it requires them to do an additional task – and one that does not, at first, appear to benefit them in any way. Of course, deeper reflection might allow them to realise that the additional server load and security issues that automated form completion causes do actually affect them in the long run, but that really is still the form owners’ problem – not theirs.

Anything that requires the user to perform increasingly complex assessments of visual or linguistic perception (other implementations ask natural questions such as Q: what type of food is a banana? A: fruit.) is open to serious accessibility issues. How are the visually impaired supposed to complete such tasks, or individuals with low levels of literacy or linguistic comprehension? When a site requires this sort of challenge-response for every visit, this provides an insurmountable obstacle – potentially leaving the site developers open to litigation for non-compliance with local accessibility law (UK: Disability Discrimination Act and Web Accessibility). As countermeasure technology improves and the CAPTCHAs get ever more complex, even sighted and educated users can find themselves up against an undecipherable task. There is an excellent document on the inaccessibility of CAPTCHA by the W3C (World Wide Web Consortium).

Finally, the problem can be (if not particularly easily) circumvented. Sophisticated Artificial Intelligence and peculiar schemes whereby people are employed to solve them have been suggested by the W3C alongside more straightforward automated attacks like PWNtcha as methods of bypassing this type of test.

Given that the implementation is clumsy for the user, breakable and therefore ineffective in at least 5% of malicious attempts and that it presents serious (potentially litigious) issues of accessibility, it is my opinion that CAPTCHA is not a viable solution to the problem of automated form completion.

UPDATE:
15:32 17.JAN.2007 Audio versions of CAPTCHA have recently been spotted. But (as the comments on that post show) they do have other associated problems.

