Don’t Let Captchas Catch You Out
Spotted over at Mark’s place today - a link to a piece written by W3C WAI guy Matt May - Inaccessibility of Visually-Oriented Anti-Robot Tests. There’s nothing necessarily new about the piece (a working draft, actually), but it’s essential reading for anyone who is even thinking about implementing a ‘solution’ that aims to stop automated submissions. As Matt points out, your best efforts will still be for nothing on the basis that many people who have the will to circumvent these tests will simply pay someone to do the menial tasks:
It is important to note that, like seemingly every security system that has preceded it, this system can be defeated by those who benefit most from doing so. For example, spammers can pay a programmer to aggregate these images and feed them one by one to a human operator, who could easily verify hundreds of them each hour. The value of visual verification systems is low, and their usefulness will diminish rapidly once it is commonly exploited.
Mark Pilgrim spells it out more fully on his weblog:
Spam works and it is big business, and spammers are increasingly organized and increasingly business-savvy. It’s not some guy in the garage who bought a CD of email addresses from MicroWarehouse (yes, they used to sell them, I have old MacWarehouse catalogs to prove it) who thought it would be “cool” to tell a million people about his Beanie Baby collection. It’s organized crime rings who hire programmers to automate everything they possibly can (domain registration, ISP registration, free email account registration) and hire menial workers for pennies an hour halfway around the world to do all the manual things they can’t automate (like get past image-based login systems). They hire virus writers to write extremely sophisticated viruses that exploit all known holes in everything, install spyware, malware, adware, and remote control programs with which they can both send more spam and launch distributed denial-of-service attacks… against anti-spam advocates.
The bottom line? Accessibility and security are always going to be somewhat at odds with each other. There are real issues to address here, and it’s encouraging that the W3C are at the very least recognising this, although Matt May’s draft document only really confirms that there is no single good solution at present. At what point does the need for security and usability for the majority become greater than the need for a solution that is accessible for all? Now there’s a conundrum for you …