WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: reCAPTCHA

From: J. B-Vincent
Date: Jun 1, 2012 12:03PM


Here's a longish article about strategies for CAPTCHA-free spambot protection from yesterday's Etre newsletter. The first two options he proposes make sense to me in an accessibility context; with the last one, the phoney field ("phield"?) would need to be hidden from assistive tech too. --Jane Vincent, University of Michigan

------------------------------------------------------------
Design tip #079: Bear this in mind
------------------------------------------------------------
I don't know about you, but my favourite bear-related
problem is the Bearproof Trashcan Problem. (I bet you
haven't even got a favourite bear-related problem, have
you? That's okay; living on the edge isn't for everyone.) I
first learned of this devilish dilemma while living in
California. Every time I visited one of the area's
beautiful national parks (to steal pic-a-nic baskets), it
seemed that the trashcans (or "sidewalks" as we call them
here in the UK) had been redesigned. The opening mechanism
had become a little more complicated and a little better
concealed; and the list of instructions printed on the side
had, accordingly, grown a little longer. Why did the
trashcans become progressively harder to open? Because
bears kept on figuring out how to open them.

The idea behind the bearproof trashcan is to make it as
hard as possible for bears to get at the trash within.
(Turns out that trash is to bears what Tom Cruise is to his
lovers: Irresistible, yet at the same time extremely bad for
their health. Just joking Maverick!) The problem with the
bearproof trashcan is that the harder you make it for bears
to get at the trash within, the harder you make it for
people to deposit their trash. Make the trashcan too hard
to open and people will place their trash beside it instead
of within...thereby giving the bears free access (and
defeating the purpose). Make the trashcan easy to open,
however, and while people will then deposit their trash
within, the bears will figure out how to get at it.

Alas, no one has been able to design a trashcan that is
simple enough for all of mankind to use and yet complicated
enough to keep out all of bearkind. As a park ranger once
explained, the problem is thorny because "the smartest
bears are smarter than the dumbest people." I think he got
it wrong though. For me, the problem has little to do with
intelligence and everything to do with motivation. A more
accurate interpretation is that bears are more committed to
learning how to open trashcans than people.

When you're designing any kind of system - be it a
frequent flyer program, an investment scheme or a web
application - you face exactly the same problem. The
desirable audience will be willing to invest much less time
in learning how to use it than the undesirable audience.
Designers are often unaware of this problem and thus end up
creating systems that do a great job of deterring the
highly-committed, undesirable audience...while
simultaneously driving away the less committed, desirable
audience.

A good example is the use of CAPTCHAs on websites. CAPTCHAs
ask interweb users to "type the fuzzy text shown in the
picture above" before allowing them to do something more
interesting (such as send a message to the site's owner).
Lots of sites implement CAPTCHAs in an attempt to deter
spammers - as many spambots can't decipher fuzzy text.
However, just as bears are more committed to figuring out
how to open trashcans than most park-goers, spammers are
more committed to cracking CAPTCHAs than most internet
users. Some spammers, for example, are prepared to pay
armies of developers to work on improving the spambots'
ability to decipher the fuzzy text. By contrast, many
internet users will take one look at a CAPTCHA and think,
"Sod this for a game of skittles. I can't be bothered to
continue". Thus, add a CAPTCHA to, say, your contact form
and you'll receive fewer spam messages...but also fewer
genuine messages from your site's users. Don't add a
CAPTCHA and you'll receive more genuine messages from your
site's users...but also more spam messages. It's CAPTCHA 22.

How do you solve such Bearproof Trashcan Problems? Well, as
you've seen, increasing the complexity of a design is
counterproductive. As such, your best bet is usually to
abandon it and look for a better alternative.

In the case of bearproof trashcans themselves, you might
ditch 'em in favour of regular (easy-to-use) trashcans -
placing these regular trashcans outside of the park gates,
by the exits, where the bears can't reach them. Sure, this
probably means that some people will dump their trash in
the bushes while wandering around the park (rather than
wait until they reach an exit); however, you could handle
this issue (to some extent, at least) by imposing heavy
penalties upon those caught engaging in such heinous
behaviour. You could even start by placing regular
trashcans outside of the park and keeping bearproof
trashcans within the park, so as to give potential
litterers extra opportunity to dispose of their trash
responsibly. (Alternatively, you could give each bear a
copy of the Michelin Guide so as to encourage them to
develop a more cultured palate. I know what you're
thinking: It's this sort of blue sky thinking that won Etre
the Rolex account! Damn right, my friend.)

In the case of our web spam problem, you might drop your
CAPTCHA in favour of the "confirmation page trick". This
trick works like so: When a user clicks on your contact
form's Send button in an attempt to send her message to
you, instead of blindly accepting it, you take her to a
confirmation page, where you ask her to confirm that her
message is correct and that she really does want to send it
to you. This stops the aforementioned spambots in their
tracks, because they aren't expecting the additional step.
Unfortunately, it may also stop some of your users in their
tracks, because they won't be expecting the additional step
either. Good design—for example, warning the user of the
additional step upfront—can help address this problem
though.

Another alternative is to employ the "timing trick". The
premise of this trick is that people take longer to fill in
a form than spambots - since people need a while to consider
and input their responses; whereas spambots don't (the
clever little synthetic barstewards) and therefore fill in
a form instantly. What this means is that you can measure
the amount of time that it takes a form-filler to complete
your form and, where suspiciously brief, reject their
(spammy) submission.

Yet another alternative still is to employ the "hidden
field trick" (aka "The honeypot"). This works like so: You
add a text box to your form with a flirtatious label like
"Email address" and make it invisible using CSS. People
will never see this text box and, as such, will always
leave it empty; spambots, however, will see it and assume
that they need to fill it in. Thus, you can reject any form
submission that includes information obtained via the hidden
field safe in the knowledge that it's spam.

Anyway, by now, you get the idea: To overcome such
problems, you need to think outside of the trashcan. If not,
you'll just have to grin and "bear" them. Oh dear, that's a
terrible pun to end on...er...Play me off Johnny!

» How was it for you? Email the author, Simon Griffin, at
<EMAIL REMOVED> or tweet @sigriffin
(http://twitter.com/sigriffin).
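
An added example, not part of the original message or the Etre article: a server-side check combining the "timing trick" and the "hidden field trick" described above, with the decoy field also hidden from assistive technology. The field names `website` and `form_token`, the 3-second minimum and the one-hour token lifetime are assumptions.

```python
import hashlib
import hmac
import time

# Constructed markup: the decoy is hidden with CSS and also kept out of the
# accessibility tree and tab order, so screen-reader and keyboard users never
# reach it. The field name "website" is a hypothetical choice.
HONEYPOT_HTML = (
    '<div style="display:none" aria-hidden="true">'
    '<label>Website <input name="website" tabindex="-1" autocomplete="off"></label>'
    '</div>'
)


def _sign(secret, issued_at):
    return hmac.new(secret, str(issued_at).encode(), hashlib.sha256).hexdigest()


def issue_form_token(secret, now=None):
    """Value for a hidden 'form_token' field, created when the form is rendered."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(secret, issued_at)}"


def check_submission(fields, secret, now=None, min_seconds=3, max_age=3600):
    """Return (accepted, reason) for a dict of posted form fields."""
    now = time.time() if now is None else now
    # Hidden field trick: a person never sees the decoy, so any value is a bot.
    if fields.get("website", "").strip():
        return False, "honeypot filled"
    # Timing trick: the render time comes from a signed token, not from a
    # plain hidden field that the client could set to any value.
    issued_raw, _, mac = fields.get("form_token", "").partition(".")
    if not (issued_raw.isascii() and issued_raw.isdigit()):
        return False, "bad token"
    expected = _sign(secret, int(issued_raw))
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad token"
    elapsed = now - int(issued_raw)
    if elapsed < min_seconds:
        return False, "submitted too fast"
    if elapsed > max_age:
        return False, "token expired"
    return True, "ok"
```

A token stays valid until it expires, so a client that waits before posting passes the timing check; the two checks filter unsophisticated bots rather than determined ones.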