CRW

Home Wiki

CAPTCHA

View on consumerrights.wiki ↗

Contents7
  1. Consumer impact summary
  2. Accessibility
  3. Data privacy concerns
  4. Crowdsourcing of labor
  5. Alternatives
  6. See also
  7. References
CAPTCHA
[[File:|200px]]
Basic Information
Release Year 2000
Product Type
In Production
Official Website


Completely Automated Public Turing test to tell Computers and Humans Apart or CAPTCHA was invented in 2000 as a means to deter bots and spam on publicly available websites.[1] CAPTCHA tests aim to confirm that the visitor of a website or service is human, usually by presenting a challenge which humans can solve easily, but computer programs cannot. Primary CAPTCHAs used today are Google's reCAPTCHA and hCaptcha.

Consumer impact summary

"It's an arms race between site owners and spammers; users lose." - Jeremy Elson[1]

According to a study by Searles et al., "...it can be concluded that reCAPTCHAv2 presents no real security.".[2] Datadome found that half of passed CAPTCHAs were completed by bots.[3] In response, the latest CAPTCHAs are using aggregated data of browsing history to rate a user's "humanness", presenting concerns around tracking and privacy.[4]

Accessibility

The World Wide Web Consortium (W3C) releases a periodic report on the inaccessibility of CAPTCHA technology. Their 2021 report concluded that "traditional CAPTCHA continues to be challenging for people with disabilities, but also that it is increasingly insecure and arguably now ill-suited to the purpose of distinguishing human individuals from their robotic impersonators."[5] It is important for websites to be able to keep unwanted bots from accessing their sites, however CAPTCHA may not be the best way to do so.

Data privacy concerns

Newer forms of CAPTCHA work by scraping a user's device and behavior for uniquely identifiable information which would indicate a unique human using the service, as opposed to a bot which would have known and repetitive information. Information collected can include screen size, IP address, mouse and touch activity, previous websites visited, etc.[6]

Crowdsourcing of labor

Services such as Google's reCAPTCHA have been found to be using human input to perform transcription work or train machine-learning models without user consent. On 22 January 2015, a Massachusetts class-action lawsuit attempted to argue Google should pay its users for their labor.[7] Google's motion to transfer the case to the Northern District of California was granted 12 August 2015,[8] where it was dismissed on 3 February 2016.[9]

Alternatives

The W3C also outlined potential consumer-positive alternatives to CAPTCHAs:[10]

  1. Honeypot - "Another method to detect automated submissions. The idea behind the honeypot method is as follows: website forms would include a hidden field (by positioning the field off screen). Since spam robots cannot detect a hidden field in the HTML, when data is inserted into this 'honeypot' field, the website administrator would know that the data was not entered by a 'real' user."
  2. Temporary tokens - after a user passes a CAPTCHA, a token is accepted onto the user's device allowing them to use the associated webservice for a fixed amount of time.
  3. Multi-factor authentication - using a pre-arranged secondary device to independently authenticate identity.
  4. Biometric authentication - facial recognition, fingerprint, retinal scan. This would only be acceptable in an institution with very high security requirements.

"Users should not be forced beyond what is strictly necessary to keep a site secure, e.g., if a honeypot suffices, use a honeypot until evidence of robotic attacks dictates something else." - W3C[5]

See also

References

  1. 1.0 1.1 Burling, Stacey (15 Jun 2012). "CAPTCHA: The story behind those squiggly computer letters". Phys.org. Archived from the original on 17 Jun 2012.
  2. Searles, Andrew; Prapty, Renascence Tarafder; Tsudik, Gene (21 Nov 2023). "Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2". Preprint.
  3. Tester, Paige (18 July 2022). "50% of passed reCAPTCHAs are completed by bots?". DataDome. Archived from the original on 19 Feb 2026. Retrieved 9 Apr 2026.
  4. "How CAPTCHAs work | What does CAPTCHA mean?". Cloudflare. 9 April 2026. Archived from the original on 1 April 2026. Retrieved 9 April 2026.
  5. 5.0 5.1 Hollier, Scott; Sajka, Janina; et al. (16 Dec 2021). "Inaccessibility of CAPTCHA". W3C. Archived from the original on 16 Dec 2021. Retrieved 8 Apr 2026.
  6. O'Reilly, Lara (20 Feb 2015). "Google's new CAPTCHA security login raises 'legitimate privacy concerns'". Business Insider. Archived from the original on 22 Feb 2015. Retrieved 8 Apr 2026.
  7. Shapiro, Thomas G.; Vallely, Patrick J. (22 Jan 2015). "Rojas-Lozano v. Google Inc. (3:15-cv-10160)". Santa Clara University School of Law Digital Commons. Archived from the original on 9 Feb 2016. Retrieved 8 Apr 2026.
  8. Mastroianni, Mark G. (12 Aug 2015). "Rojas-Lozano v. Google Inc. (3:15-cv-10160)". Court Listener. Archived from the original on 9 Apr 2026. Retrieved 8 Apr 2026.
  9. Corley, Jacqueline Scott (3 Feb 2016). "Rojas-Lozano v. Google, Inc. (15-cv-03751-JSC)". Court Listener. Archived from the original on 9 Apr 2016. Retrieved 8 Apr 2026.
  10. "Captcha Alternatives and thoughts". W3C wiki. Archived from the original on 3 Sep 2025. Retrieved 8 Apr 2026.
Filed under