Comments on Inaccessibility of Visually-Oriented Anti-Robot Tests

WORKING DRAFT

Introduction

Accessibility is a major concern for us, and for most of our users. This is why we want and need that some authority establish a standard on this particular subject.
Not surprisingly, we are looking forward the W3C Web Accessibility Initiative.

Our will is to help the community to build a standard and to do so, we response to this 'Inaccessibility of Visually-Oriented Anti-Robot Tests Problems and Alternatives' paper, published in November 2003.

We will comment this paper folowing the table of content

About : the problem : a false sense of security

We agree, the value of a simple visual verification is low, but the value of a global anti robot system is very high.

About : A hierarchy of needs

In our point of view, web sites implement visually oriented anti-robot tests to preserve their ressources for human users, and therefore, we think checking user humanity is the major issue.

About : privilege

We understand preserving priviledge and preserving ressources as the same notion. This echoes back to the global need, which is to preserve ressources by checking on user humanity.
Security without privilege is useless, preserving privilege implies implementing security.

About : identity and humanity

Our opinion on those two notion is that they are orthogonal.

 

robot

human

Identified

using a mail client to pop my mail account every 5 minutes

buying something on line with a Credit Card Number

Anonymous

using a feed reader to pull news every 5 minutes

consulting the NY state unified court system

This concerns two very different problems and thus should be treated as is.

Robots can have identity, and yet consume web site ressources (ex: having identified bots make several hundred reservations per minute on a train ticket reservation site)
These two notions seem different. We view captchas as a response to the need for preserving priviledges and ressources for human users.
Accessibility of humanity tests (Turing tests) is the subject we are interested in, not accessibility of identity systems.

Note : some identity systems also provide humanity certification, especially the biometric identity system.

About : possible solutions

As we already mentioned, identity systems cannot be proposed as solutions, because they do not concern humanity.

  • As a result, we discarded the folowing solutions
    • 7 : Federated Identity Systems
    • 3: Credit-card validation

We distinguish two types of solutions :

  • Automated solutions like CAPTCHA or non public automated turing tests, also known as reverse Turing tests
    These kind of solutions include the following:
    • 2 : sound output
      This may be the best of bad options :
      • It allows access to blind people, and can easily be generated by a machine.
        But :
        • This type of test is not accessible for deaf people!
        • Speech recognition research is very advanced, and human has poor speech recognition faculties compared to image recognition.
    • 6 : heuristic checks
      This solution is a curative solution, and is not preventive.
      Indeed, heuristic check can point out that a user is not human only after this user has caused damage, and non-human patterns have been identified.
  • Manual solutions also known as Turing tests.
    These kind of tests include:
    • 1 : logic puzzles
      We completly agree with Matt May on this point. We also consider that designing logic puzzle that are not cultural or language
      dependant is only possible throught mathematical puzzles. But on this particular field, calculation, robots have already proved their superiority...
      Plus, generating automatically a large number of independant logical tests does not seem feasable. This is why we classified this solution as manual.
    • 5: Limited-use accounts
      This is the manual version of the heuristic checks.
    • 4 : live operator, by phone or chat
      This is the best option : real Turing tests. The only limiting factor is economic : providing operator for all requests without delay is surely a very expensive solution.

So what ?

  • About security
    • a system security level is less or equal the lower security level of its sub components, so implementing a solution system (visual and sound captcha) would be as vulnarable as the most vulnarable solution.
    • Being able to easily change the tests is crucial see proof of concept
  • Automatic : Coupling sensorial tests (speech or image recognition) with trivial logic puzzle
    As we have already mentionned, building complex cognitive puzzle automaticaly is too complicated.
    We also see that bots are almost as good as human on sensorial tests (specialy on sounds based tests).
    We think that coupling sensorial tests and trivial logic puzzle is a simple way to add complexity and thus to trasnform a nearly trivial AI problem (sensorial only test) to a Complex AI problem.
    See this brillant article : Proposal for an Accessible Captcha