VII. A Few Questions
7.1. Accessibility and Security, the Case of CAPTCHA
With its development and adoption by the general public, the Internet has become a new avenue for scammers and spammers of all kinds. These unsolicited messages are generally sent by email, but websites offering contact or comment forms are increasingly affected. The Email Metrics Program states that between 81.1% and 86.7% of received emails are spam (Messaging Anti-Abuse Working Group, 2007, p2), while a French messaging security company puts this percentage at 95% for 2006 (Secuserve, 2006). It is more difficult to evaluate the number of spam messages sent through website forms, but anyone who runs a blog knows that without protection the number of spam messages received every day can be very high.
One of the best solutions to block spam on websites is the use of a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). A CAPTCHA can take various forms: an image, a sound, or even a question. However, while CAPTCHAs are a good way to block spam, they can also block honest users who cannot see or decipher the CAPTCHA, or who do not have the knowledge needed to answer the given question.
To understand the difficulties users can encounter when faced with a CAPTCHA, let’s look at the different types of existing CAPTCHA and their characteristics.
Figure 7.1: Example of image CAPTCHA: reCAPTCHA
The image CAPTCHA is currently the most widely used type of CAPTCHA. It consists of an image showing one or more words, or a series of numbers; these are distorted so that robots cannot recognise them, and a background or foreground can also be added to make recognition even more difficult. The major problem is that humans are sometimes unable to decipher them either.
Figure 7.2: Example of indecipherable CAPTCHA: Rapidshare.
On this image, the user has to enter only the letters that have a particular type of cat with them; however, because of the distortion of the letters, it is very difficult for any user to identify the right letters.
In addition to the decipherability of CAPTCHAs, another problem exists: how can a blind person see these images? If an alternative text giving the image’s content comes along with it, the CAPTCHA is useless, as robots will be able to read this alternative content. A common solution is to add a sound file built from the CAPTCHA’s content that blind or short-sighted people can play. But not all websites that implement CAPTCHAs also implement this sound alternative.
Several alternatives to the image CAPTCHA are in use nowadays. The first consists of asking a very simple question that a robot will not be able to understand and process. These questions are generally of the form: “What is the sum of 135 plus 1?”, “What is the colour of the white horse?”, or “Is fire cold or warm?”. The effectiveness of this solution can be questioned, as the question asked is generally static and thus offers less protection than a completely dynamically generated CAPTCHA. However, on low-risk websites this technique is generally sufficient.
Other alternatives do not involve the user, either by hiding a field that should remain empty (but that robots will fill in) or by counting the number of links present in the message (spam messages on websites tend to contain a lot of links) and blocking it if the number is high. These solutions are again not as strong as an image CAPTCHA but are effective against most robots.
The type of solution to implement will depend on the level of security required for the website. For very critical websites, it may be better to preserve security at all costs, even if it means excluding a few users. But for most websites, security will be a second priority after the interests of the users; there, it is wiser to implement a less secure alternative that will not penalize any users.
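The two checks that do not involve the user (hidden field and link count) can be sketched server-side as follows. This is an added example, not code from the original text; the field name "website", the "message" key and the threshold of 2 links are assumptions chosen for illustration.

```python
import re

# Hypothetical name of the hidden form field. It is hidden with CSS and also
# from assistive technology (aria-hidden="true", tabindex="-1"), so screen
# reader users are not prompted to fill it; only robots give it a value.
HONEYPOT_FIELD = "website"
MAX_LINKS = 2  # assumed threshold; tune to what genuine messages contain

# One match per URL occurrence: "http(s)://..." or a bare "www." host.
# The URL body stops at whitespace, quotes, angle brackets and "]" so that
# HTML anchors and BBCode [url=...] tags count their target exactly once.
LINK_RE = re.compile(r"""(?:https?://|(?<![\w/.])www\.)[^\s<>"'\]]+""", re.IGNORECASE)


def count_links(message):
    """Number of link occurrences in a submitted message."""
    return len(LINK_RE.findall(message))


def screen_submission(form):
    """Return (accepted, reason) for a dict of submitted form fields."""
    # A real browser submits the hidden field empty; whitespace is ignored.
    if (form.get(HONEYPOT_FIELD) or "").strip():
        return False, "honeypot field filled"
    links = count_links(form.get("message") or "")
    if links > MAX_LINKS:
        return False, f"{links} links exceeds limit of {MAX_LINKS}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    samples = [
        {"message": "Nice article, see https://example.org/ref", "website": ""},
        {"message": "hello", "website": "http://spam.example"},
        {"message": "buy http://a.example http://b.example www.c.example"},
    ]
    for form in samples:
        print(screen_submission(form), "<-", form["message"])
```

Rejected submissions are better held for moderation than silently dropped, since a genuine message can contain several links.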