HCaptcha, ReCaptcha and co. - there are no accessible CAPTCHAs

How accessible can graphic image codes, the so-called CAPTCHAs, be? Since even people who claim to know something about accessibility use them, there seems to be some misunderstanding here. Even solutions that claim otherwise, such as HCaptcha or ReCaptcha, are not accessible. It doesn't matter whether this is due to the solution itself or a "wrong" implementation: they are not accessible.

Designed for bots - preventing humans

CAPTCHAs are mechanisms designed to distinguish humans from automated spam bots. They are intended to prevent spam in web forms such as contact forms or comment areas.

The use of CAPTCHAs is more likely to prevent humans from using the web form, but does not present a major hurdle for bots. I would go so far as to question the professionalism of a website owner who uses CAPTCHAs. Such an organization has no idea about usability, let alone effective spam protection mechanisms.

First of all: There is no accessible CAPTCHA. I'll repeat that: There is no such thing as an accessible CAPTCHA that is based on human interaction.

In the following we want to look at a few examples in detail.

The simple solution

The simplest solution that can still be found is an unchanging character string hidden in a graphic. In fact, this often discourages both spammers and people who can't or don't want to solve it. The bots are put off because their algorithm was not designed for the specific combination of form fields and graphic code. Bots work best on forms that look the same; no one bothers to customize them for individual pages that deviate a bit from the standard.

Another option is to solve a simple math problem. The above also applies here: Solving mathematical formulas is the purpose of computers. These solutions only work because the bot has not been customized. Once that has happened, the bots can begin their task.

ReCAPTCHA - Google's wannabe accessibility solution

ReCAPTCHA is currently the most widespread solution. In theory, you should only have to check the box "I'm not a robot". Even the biggest fool should be able to do that, right?

Unfortunately no: On the one hand, the insinuation that one is a robot is a bit impertinent. More importantly, the tick often doesn't work. My guess is that it partly conflicts with the privacy settings of the browser. If you're logged into Google, the checkbox usually should work, but nobody's going to get a Google account just for that. At least with the Firefox browser it does not work.

If the checkbox doesn't work, you are confronted with a picture puzzle. As a visually impaired or blind person, this can only be solved with difficulty or not at all. Now there is the audio alternative, which is actually easy to understand at the moment. In the past you got synthetically generated, incomprehensible words and noise. At the moment they probably use sound snippets from TV or radio. This should be relatively easy to understand for many people who are hard of hearing. As a keyboard user, visually impaired or blind person, however, you first have to find the audio alternative in the jumble of picture puzzles and website.

There is also the problem with the time limit: ReCaptcha has a time limit set, but this is designed for solving the graphic CAPTCHAs, i.e. for non-disabled people. For disabled people, on the other hand, there is the problem that the CAPTCHA requires more steps and the time limit of usually two minutes is not sufficient.

And what do we do with people with learning disabilities and the elderly? Do they understand what is expected of them, why they should announce that they are not robots and what this picture riddle means? What do people with mental health problems do, for whom every further action is a burden?

Last but not least, there is the data protection problem: Google is the black hole of data protection, nobody knows which and how much data is transmitted to Google when such a CAPTCHA is integrated. HCaptcha is worse than Google ReCaptcha.

I am a robot

The problem with CAPTCHAs is that, on the one hand, they are supposed to be so complex that an algorithm cannot quickly and automatically solve them. On the other hand, they should be so simple that anyone can solve them quickly. It is easy to see that sooner or later the human must lose. This applies in particular to disabled people, since their sensory and cognitive abilities differ from those of non-disabled people. The second problem is the time: ReCaptcha gives two minutes by default. That's way too short for disabled people.

Algorithms for machine learning should already be able to solve the codes better than humans. If they can't do it yet, then in the near future. Google, Facebook, Microsoft, Amazon and Apple are working on such solutions, not to mention many smaller players. The AI for recognizing objects in images and recognizing speech is progressing rapidly. You could just buy access to the Google Image Recognition API and set the API to ReCAPTCHA, then you'd be beating Google at its own game.

In other words: CAPTCHAs are turned into their opposite, they are recognized better by machines than by humans.

That's all well and good - but all that spam?

Now it's true that a lot of spam comes in through web forms. It is just unfortunate that CAPTCHAs keep out human rather than bot users. I might grudgingly accept CAPTCHAs if they were inevitable, but they aren't. I always say CAPTCHAs are a contact avoidance tool: use them if you don't want your form to be used. Feel free to check how high the CAPTCHA drop-out rate is. But what alternatives are there?

You can probably block most of the bots by adding a time delay. Let's say the form can only be submitted after ten seconds. Certainly there are scenarios in which a person fills out the form and wants to send it off within ten seconds, but that is very unlikely.

Another possibility is honeypots: These are input fields that are only visible to the bot and are filled out by it. These submissions are automatically classified as spam and will not be delivered.

There are efficient spam filters for WordPress such as Akismet or Antispam Bee. There are comparable solutions for other common content management systems.

Lists of words that are automatically blocked are also very efficient. A serious commenter or person making contact is unlikely to use words found in typical spam comments. You know those words, they mostly have something to do with money or sex.

Another starting point is the e-mail inbox itself. In addition to the integrated mechanisms of the e-mail provider, you can also work here with efficient filters that sort out a large part of the spam.

A mixture of several methods appears to be most effective. This should actually stop up to 100 percent of spam. However, it should have become clear that CAPTCHAs are neither accessible nor do they contribute efficiently to spam prevention.
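The mixture described above (time delay, honeypot and word list), as an added example that is not part of the original article: a server-side check that combines the three. The secret, the field names `token`, `website` and `message`, and the word list are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import time

SECRET = b"replace-with-a-random-server-side-key"  # assumption: known only to the server
MIN_FILL_SECONDS = 10        # the ten-second delay from the text
MAX_TOKEN_AGE = 24 * 3600    # generous upper bound, so slow users are never locked out
# Hypothetical honeypot field: hidden with CSS plus aria-hidden and tabindex="-1",
# so screen-reader and keyboard users never reach it.
HONEYPOT_FIELD = "website"
BLOCKLIST = {"casino", "viagra", "jackpot"}  # constructed sample word list


def issue_token(now=None):
    """Value for a hidden form field at render time: '<timestamp>.<hmac>'."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_submission(form, now=None):
    """Return a list of spam reasons; an empty list means the message is delivered."""
    now = time.time() if now is None else now
    reasons = []
    ts, _, mac = form.get("token", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), expected.encode()):
        reasons.append("bad-token")        # render timestamp missing or forged
    else:
        age = now - int(ts)
        if age < MIN_FILL_SECONDS:
            reasons.append("too-fast")     # sent faster than a person fills a form
        elif age > MAX_TOKEN_AGE:
            reasons.append("stale-token")  # token replayed long after rendering
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot-filled")  # only a bot fills the hidden field
    words = set(re.findall(r"[a-z0-9]+", form.get("message", "").lower()))
    if words & BLOCKLIST:
        reasons.append("blocked-word")
    return reasons
```

Signing the timestamp keeps a bot from simply sending an old render time, and none of the checks asks the visitor to do anything.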

The problem exists with any solution that attempts to prevent spam based on user interaction. Therefore, as things currently stand, such a mechanism cannot be accessible.
