January 2, 2007

CAPTCHA Gotcha

CAPTCHAs, for those who don't know the term, are those annoying little visual tests one often encounters when registering for an online service or community or when posting to blogs or message boards. CAPTCHAs ("Completely Automated Public Turing test to tell Computers and Humans Apart") typically consist of a brief series of distorted letters and numbers set against a patterned background. It's your job to type the characters into a form field to prove you're not a spam bot. Ever wonder why the images are so distorted? It's because spammers, who are a fearful combination of evil and smart, can and have used optical character recognition to decipher non-distorted characters.

The catch here is that CAPTCHAs are inaccessible. As Matt May, the author of the W3C's report on the inaccessibility of CAPTCHA, has put it: "This isn't a test to prove you're human. It's a test to prove you're human, have very good eyesight, and are not dyslexic."

Developers have tried to create accessible CAPTCHAs, without much success. Blogger's auditory CAPTCHA is a good example. In similar fashion to visual CAPTCHAs, auditory distortion is added to the sound file to prevent spammers from creating a program that can decipher the actual content. The result: Many people, including those with perfect hearing, can't understand a word being said. This would be funny if it weren't so sad.

I became interested in CAPTCHAs when a client asked me to include them on their site (a site likely to receive hundreds and possibly thousands of comments a day) and when I began to receive comment spam on Luminous. I knew CAPTCHAs were inaccessible, but the intractability of the problem came as a surprise.

In his W3C report, May identified five broad types of solutions to the problem—although these are less solutions than attempts at solutions, for each in its own way is limited (please refer to May's report for details).

The five solution types include:

Logic puzzles: Simple word puzzles, trivia questions, and the like.
Sound output
Limited-use accounts: Here sites establish limits to the frequency of interaction for users of free accounts.
Non-interactive checks: This category includes spam filtering, which evaluates the content of a transaction, and heuristic checks, which attempt to detect the presence of a robotic user based on its behavior.
Federated identity systems: Broadly, these networks would allow users to create accounts and store payment information, etc., so that the information is accessible across member sites.

For my client's site, which is implemented with Movable Type, we now plan to use Jay Allen's Comment Challenge plugin. I've also installed the plugin on Luminous, and have yet to receive a single comment spam. However, as Jay acknowledges, Comment Challenge is only a partial solution. It asks the visitor to type a particular word into a form field (the default word is "blissful"). As simple as this seems, it can still prove difficult for non-native speakers and those with cognitive disabilities. If this seems too fine an objection, note that Jay's approach can be easily cracked by spammers, and doubtless will be, once enough people adopt it. This said, I believe that Comment Challenge, together with Movable Type's built-in spam filter (Brad Choate's excellent SpamLookup), is the best approach going for sites built with Movable Type.

But what if you're not using Movable Type? Here I recommend Mike Cherim's Secure and Accessible PHP Contact Form. Like Comment Challenge, this form poses a simple request to the user, although Mike also includes several non-interactive spam traps and checks. I've implemented a customized version on the Luminous contact page, and it works beautifully and even includes a few "value-added" features such as a user option to be emailed a copy of the submitted message. It's cool.
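To make the combination described above concrete, here is an added sketch (not code from Comment Challenge, SpamLookup, or Mike Cherim's form) of a server-side check that pairs a typed challenge word with non-interactive traps. The field names, the honeypot and timing checks, and the thresholds are assumptions chosen for illustration; only the default word "blissful" comes from the post.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

CHALLENGE_WORD = "blissful"  # default word named in the post
MIN_FILL_SECONDS = 3.0       # assumed threshold: people rarely submit faster
MAX_LINKS = 2                # assumed threshold for link-stuffed comments

@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)

def check_submission(form: dict, rendered_at: float,
                     now: Optional[float] = None) -> Verdict:
    """Evaluate one comment post. `form` holds the decoded POST fields
    (hypothetical names); `rendered_at` is when the server issued the form
    and should come from a server-signed value, not a plain hidden field."""
    now = time.time() if now is None else now
    reasons = []
    # Interactive check: tolerate case and stray whitespace so input quirks
    # from assistive technology do not fail a real person.
    if form.get("challenge", "").strip().lower() != CHALLENGE_WORD:
        reasons.append("challenge word missing or wrong")
    # Non-interactive trap: a field hidden from sighted users and labelled
    # "leave empty" for screen readers; form-filling bots tend to populate it.
    if form.get("website_confirm", "").strip():
        reasons.append("honeypot field filled")
    # Non-interactive heuristic: form came back implausibly fast.
    if now - rendered_at < MIN_FILL_SECONDS:
        reasons.append("submitted too quickly")
    # Non-interactive content check: count links in the comment body.
    body = form.get("comment", "").lower()
    if body.count("http://") + body.count("https://") > MAX_LINKS:
        reasons.append("too many links")
    return Verdict(accepted=not reasons, reasons=reasons)

# Constructed sample submissions (not real traffic).
HUMAN = {"challenge": " Blissful ", "website_confirm": "",
         "comment": "Nice post, see http://example.org"}
BOT = {"challenge": "", "website_confirm": "http://spam.example",
       "comment": "http://a.example http://b.example https://c.example"}

if __name__ == "__main__":
    print(check_submission(HUMAN, rendered_at=1000.0, now=1020.0))
    print(check_submission(BOT, rendered_at=1000.0, now=1000.4))
```

Recording every failed reason, rather than stopping at the first, lets a site owner see which check is doing the work and relax one that is rejecting legitimate visitors.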

Comment spam, by contrast, is not cool. If you build websites, it's a serious problem that's likely to get worse. And if you care about accessibility, it's a scary state of affairs, as the most popular "solution," visual CAPTCHA, locks out the users of screenreaders and the visually impaired (or in some cases, the not-so-visually-impaired).

CAPTCHA is not the right solution to comment spam.

Published in Accessibility

What Is This?

This is a blog about better websites—how they're made and what makes them better. Think of it as Apocalypse Now but with the word Apocalypse changed to Quality and the theme shifted from madness to best practices in web development. It's written by me, Michael Barrish.
