WORKING DRAFT
Introduction
Accessibility is a major concern for us, and for most of our users. This is why we want and need that some authority establish a standard on this particular subject.
Not surprisingly, we are looking forward the W3C Web Accessibility Initiative.
Our will is to help the community to build a standard and to do so, we response to this 'Inaccessibility of Visually-Oriented Anti-Robot Tests Problems and Alternatives' paper, published in November 2003.
We will comment this paper folowing the table of content
About : the problem : a false sense of security
We agree, the value of a simple visual verification is low, but the value of a global anti robot system is very high.
About : A hierarchy of needs
In our point of view, web sites implement visually oriented anti-robot tests to preserve their ressources for human users, and therefore, we think checking user humanity is the major issue.
About : privilege
We understand preserving priviledge and preserving ressources as the same notion. This echoes back to the global need, which is to preserve ressources by checking on user humanity.
Security without privilege is useless, preserving privilege implies implementing security.
About : identity and humanity
Our opinion on those two notion is that they are orthogonal.
|
robot |
human |
Identified |
using a mail client to pop my mail account every 5 minutes |
buying something on line with a Credit Card Number |
Anonymous |
using a feed reader to pull news every 5 minutes |
consulting the NY state unified court system |
This concerns two very different problems and thus should be treated as is.
Robots can have identity, and yet consume web site ressources (ex: having identified bots make several hundred reservations per minute on a train ticket reservation site)
These two notions seem different. We view captchas as a response to the need for preserving priviledges and ressources for human users.
Accessibility of humanity tests (Turing tests) is the subject we are interested in, not accessibility of identity systems.
Note : some identity systems also provide humanity certification, especially the biometric identity system.
About : possible solutions
As we already mentioned, identity systems cannot be proposed as solutions, because they do not concern humanity.
- As a result, we discarded the folowing solutions
- 7 : Federated Identity Systems
- 3: Credit-card validation
We distinguish two types of solutions :
- Automated solutions like CAPTCHA or non public automated turing tests, also known as reverse Turing tests
These kind of solutions include the following:
-
- 2 : sound output
This may be the best of bad options :- It allows access to blind people, and can easily be generated by a machine.
But : - This type of test is not accessible for deaf people!
- Speech recognition research is very advanced, and human has poor speech recognition faculties compared to image recognition.
- It allows access to blind people, and can easily be generated by a machine.
- 2 : sound output
-
- 6 : heuristic checks
This solution is a curative solution, and is not preventive.
Indeed, heuristic check can point out that a user is not human only after this user has caused damage, and non-human patterns have been identified.
- 6 : heuristic checks
- Manual solutions also known as Turing tests.
These kind of tests include:
-
- 1 : logic puzzles
We completly agree with Matt May on this point. We also consider that designing logic puzzle that are not cultural or language
dependant is only possible throught mathematical puzzles. But on this particular field, calculation, robots have already proved their superiority...
Plus, generating automatically a large number of independant logical tests does not seem feasable. This is why we classified this solution as manual.
belou, je pense que cette partie est à revoir. Le fait de ne pas avoir aujourd'hui la solution pour automatiser les tests logique ne suffit pas pour classer la logique en tant que solution non automatisable, tu ne penses pas?
- 1 : logic puzzles
-
- 5: Limited-use accounts
This is the manual version of the heuristic checks.
- 5: Limited-use accounts
-
- 4 : live operator, by phone or chat
This is the best option : real Turing tests. The only limiting factor is economic : providing operator for all requests without delay is surely a very expensive solution.
- 4 : live operator, by phone or chat
So what ?
- About security
-
- a system security level is less or equal the lower security level of its sub components, so implementing a solution system (visual and sound captcha) would be as vulnarable as the worse solution.
- Being able to easily change the tests is crucial
- Automatic :
Coupling sensorial tests (speech or image recognition) with trivial logic puzzle
- Central humanity system?
- The blade runner game