The Independent's journalism is supported by our readers. When you purchase through links on our site, we may earn commission.
Tired of proving you’re not a robot? Say goodbye to Captcha boxes
Shira Ovide has some good news for humans: AI technology may finally kill the diabolical internet puzzles
You have probably seen Captchas in some form – puzzles that ask you to pick out all the bicycles in an image or to decipher letters that are written in squiggly lines.
These riddles are designed to let you buy concert tickets or sign up for Netflix, but to keep out someone who is using computers to hammer a bank’s website with bogus credit-card applications or employing rapid-fire software to buy video-game consoles before you have a chance.
The problem is that Captchas don’t do a great job of stopping bots. And for the rest of us, they waste time and harvest our personal information.
Captchas persist partly because there haven’t been better options to stop fraud or automated software. Finally, though, there are more technologies on the horizon that could render Captchas redundant.
One basic premise behind the Captcha-killers, backed by companies including Apple, is that instead of you solving a puzzle, your computer must solve challenges to prove you’re human. You don’t have to do anything.
Captchas are a tiny annoyance, but they’re also one more stodgy bit of technology that’s making your life harder, not easier. Like online passwords and app stores, Captchas have a good reason to exist, but they have clung to life long after the drawbacks outweighed the benefits.
Let’s talk about why Captchas persist in annoying you and why there’s hope that they might slowly die.
The goal of Captchas is to prove that you’re a human by doing a task that (in theory) only a person can do. The simplest version of a Captcha is a box you check that says “I am not a robot.” The complicated versions of a Captcha are diabolical.
While Captchas can be tough for humans, they aren’t so effective at proving humanness. Artificial intelligence has solved many types of Captcha for years. Recently, ChatGPT has cracked some of the puzzles or tricked people into solving Captchas. Businesses also pay armies of workers to fill out Captchas in bulk.
The more people and machines find ways to get around Captchas, the harder companies have made them. This creates a doom loop of irritation that might drive you away from buying stuff or accessing your accounts.
Forter, which helps retail websites stop fraud, says that for every dollar a business loses to bogus transactions, it turns away $30 (around £23) by mistakenly blocking or discouraging legitimate customers, including through the use of Captchas.
“Captchas have been broken to some extent for a long time,” says John Graham-Cumming, chief technology officer of the security firm Cloudflare.
Cloudflare’s data shows that people take 25 seconds on average to solve a Captcha. “They’re a hell of a waste of time,” Graham-Cumming says.
Captchas also compromise your privacy. When you run across a Captcha, the technology might keep a permanent record of your phone or computer identity that can track everywhere you go online. They also tend to be difficult for people with low vision or other disabilities.
The newer approaches don’t make you prove to a computer that you’re human – which, let’s face it, is a silly idea. Instead, machines back-channel to one another to sort out who is a legitimate web visitor and who isn’t.
If you’re trying to buy tickets to a football game, for example, throwing a Captcha at you is a traditional way to stop people from using software to hoard tickets. Instead, Graham-Cumming says, the ticketing company’s computer systems might challenge your web browser to draw a random piece of text.
It might then look for clues in the small differences in fonts between the Chrome web browser on a Mac and a Windows computer that signal a browser is being controlled by automated software and not a real person.
Humans also fiddle with a computer mouse or move around a touchscreen phone in a “very human way”, Graham-Cumming says, so the ticketing computer might scope out how the cursor is moving.
Apple says a ticketing app might also detect whether you’re logged in to your Apple account, meaning that the ticket-buyer is more likely to be an individual rather than automated software.
The best-case scenario is that all this happens without you doing anything. The computer on the ticketing end is making a yes-or-no assessment about whether the computer on your end is exhibiting bot-like behaviour. There’s also a separation between you and the ticketing website to keep your identity and information private.
These approaches use a technology standard called privacy pass that’s backed by companies such as Apple, Google, Cloudflare and its competitor Fastly.
Carlos Alvarez, the chief technology officer at Ticketmaster, says the ticket seller also uses machine-to-machine scoring systems to sort out legitimate ticket buyers from scalpers using software.
Alvarez won’t spill details on exactly what computer signals the ticketing service uses to distinguish bots from the rest of us. He says no technology on its own will stop ticket bots.
There will be ways around these non-Captcha technologies, too. As long as locked gates have existed on the internet, people have found ways to go around or through them.
The challenge is to strike a balance between making it easy for you to buy tickets while putting up roadblocks to fraudsters or hoarders. Captchas aren’t striking the right balance any more.
“Captchas are such a nightmare for people that something better had to come along,” Graham-Cumming says.
If you’re wondering whether there’s anything you can do to see fewer maddening Captchas... sorry, not really. The websites and apps you use are the ones that determine whether you see a Captcha and what form it takes.
Experts in online security tell me that if you’re using technologies intended to shield your online activity, such as a virtual private network (VPN) or Apple’s iCloud Private Relay, you might see more Captchas.
You might also be more likely to hit Captchas on less sophisticated websites than on large sites that have smarter ways to verify that you’re a legitimate customer.
And if you’re wondering, as I did, why the image-picking Captchas always seem to ask you to identify snapshots of the same handful of items, like bicycles, buses and motorcycles, it’s because those images are taken from Google’s Street View (Google owns popular Captcha-generating technologies).
Bicycles and motorcycles are seen on public streets, and people (mostly) recognise them no matter what country they’re from, says Dan Woods from online security firm F5 Inc. (Woods once worked on a Captcha-solving click farm and wrote about it.)
And when we solve Captchas like the ones that ask us to identify images of buses, we are training corporations’ AI systems.
© The Washington Post
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments