Get Updates

New posts, webinar and event invitations, and more.

Could Kittens be the Future of CAPTCHA?

, Tuesday, August 7th, 2007

There was an AP piece out recently, discussing the problems and challenges of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart – yeah, it’s a stretch, but most of the good acronyms were taken), and proposing, as a possible solution, a webcam that Kitten attacks CAPTCHAcontinually takes pictures of a variety of subjects and asks users to identify them. It’s rooted in the problem that unless you have a truly gigantic database, spammers will eventually just add your pics to their library and be able to break through. By using a webcam of, as the article suggested, a kitten bouncing around a room, there would be a continual stream of new photos for users to identify – presumably, you could have multiple kittens and ask how many were in a shot or what color the one currently on screen is or something that would change but be easily identifiable by people.

While this is an innovative, not to mention fun, approach to CAPTCHA, it brings up a chance to discuss the merits of using it at all. Let’s take a look at three areas where CAPTCHA is causing debate online: blogs, webforms and email.

The AP article discusses CAPTCHA with regard to spam, where there’s a clear bad guy – no one wants spam (well, except perhaps the good folks on this list, but to be fair, they’re studying it for scholarly purposes) and we can pretty much all agree that less spam is good, right?

Unfortunately, it’s a little more complicated than that. If you’ve got a blog, using CAPTCHA to curb spam will certainly make your job easier when it comes to moderating comments. It also helps search engines avoid giving preference to sites that pay for links (as a matter of YouTube‚??s CAPTCHAfact, Google introduced the nofollow attribute to keep this from happening, something that’s been controversial for a variety of reasons, most of which boil down to “Don’t punish good links, and don’t ask us to do your job for you, search engines!” For what it’s worth, the Beaconfire Wire uses nofollow, which is automatically installed on WordPress). It does, however, slow down the conversation – the more steps in the process of commenting, the less people will comment, and people who mistype the phrase in the box are likely to just give up. So it’s up to you and your blogging software whether or not to use CAPTCHA on your blog.

But a far bigger question is the use of CAPTCHA in public and semi-public spaces. I don’t think anyone would argue that free webmail or web 2.0 services shouldn’t use CAPTCHA. After all, it’s nearly impossible to get a Hotmail address or AIM screen name without adding digits to your usual favorite handle. And it’s not that big a pain to have to enter the code when signing up for YouTube, even though it uses one of the hardest pictures I’ve seen. But what about GoDaddy’s use of CAPTCHA to protect WHOIS info on their domains? On the one hand, I appreciate that they’re protecting email addresses from being harvested by spam bots. On the other, however, this is data that’s legally required to be publicly available – is it in the public interest that it not be accessible to people who can’t read the code? There’s merit on both sides of using CAPTCHA on WHOIS, but there are no other WHOIS sites that I know of that use it.

Even tougher is the question of using CAPTCHA on Congressional contact forms. These contact forms came about as a result of the fact that constituents send so much mail that you need a way to manage it – the forms can route the mail to the appropriate legislative aide and keep down the spam to the legislative address. It also keeps staff from being overwhelmed by people who A senate contact formforward an excessive number of emails to every legislator and group they can find – there are folks who send out daily updates on particular issues, forward every story in the newspaper or are just plain jerks. Webforms keep these people from sending a single message to every legislator they can find the address for with the press of a single button, and allow staff to focus on constituents from their district.

But when webforms started adding CAPTCHA the question became a little murkier. This was largely a response to CRMs with Advocacy modules, which allowed people to send their legislators a pre-generated note with the touch of a button. Suddenly, rather than a few individual comments on an issue per day, staff would be deluged with tens of thousands (or more!) of the same message in a short period. So they responded by implementing CAPTCHA technology. The particular style they use is problematic for many groups because it uses a logic puzzle rather than a simple phrase identification. The result is that people who could not read or do math would not be able to contact their representatives online.

Of course, for most NPOs, the bigger problem is that it’s harder to run an advocacy campaign. Rather than just hitting submit, your members may have to fill out the webform on their representative’s page, leading to drop-off. Groups on both sides of the political divide (pdf) have indicated their opposition to Congressional use of CAPTCHA, due to its negative influence on the ability of citizens to voice their feelings. ASPs are also working to mitigate the effects of CAPTCHA on the advocacy process. But it remains a fundamentally philosophical question: does the legitimate desire to reduce the load on staff with regard to constituent mail outweigh the right to easily contact your legislator? It’s a debate that will likely continue for some time.

The last use of CAPTCHA I’d like to discuss is its use in email autoresponders. Anyone who manages an email list of appreciable size is undoubtedly familiar with the process of responding to the various challenges that are returned by subscribers ESPs. It can be a hassle to respond to each of these with every email, and it’s a continual question just how important it is to respond to each Earthlink‚??s Email CAPTCHAof them (personally, I would say to do so, particularly if it’s an important appeal, but you have to decide for yourself based on your staff resources and list size). In this case, the process of dealing with CAPTCHA is borne by both the sender and the recipient, instead of the ESP – your legitimate contacts have to go through an extra step to contact you, and you don’t receive messages from people who refuse to do so. There’s also a question of how effective these traps are – one Earthlink user discovered that there are only about 30 possible puzzles and built a perl script to beat it. Lastly, many have argued that a CAPTCHA solution to spam is really just a way for ESPs to throw up their hands and say “We give up – do your own filtering!”

So all this leaves us with is questions on where CAPTCHA is going – will new ways to do CAPTCHA free us from spam or just add another step to our every action online? Is there a prevailing public interest that should outweigh the desire to prevent spam? And what happens when the kittens on the webcam finally tire out and go to sleep?

One Response to “Could Kittens be the Future of CAPTCHA?”

  1. Tim Says:

    One concern I’ve always had with CAPTCHAs is their accessibility: Blind users are totally left out, and the workarounds that some sites have tried using have not done well. Yahoo has, as an alternative, the ability to directly contact — via email — someone at Yahoo who will validate that the sender is indeed a person. People have reported, however, that they have waited days for a response. There is currently a Yahoo Accessibility Improvement Petition that you can add your name to.

    I’m also interested in learning more about textTHaCAA (Text (Telling Humans and Computers Apart Automatically)) which uses a multiple choice question to verify the “humanity” of a user. It’s a work in progress, but certainly shows promise.