Computer pioneer Alan Turing’s famous Turing Test quantified a machine’s ability to behave intelligently. In the test, a judge would communicate with a human and computer via a text-based communications medium. The computer would pass the test if the judge couldn’t’’ tell them apart. It sounds like something straight out of Blade Runner, in which Harrison Ford played a detective tracking down rogue androids posing as humans.
The Turing Test has real-world applications. The internet is rife with runaway automated processes, or robots, that continuously attempt to post spam to discussion boards, scrape email addresses, and perform other nefarious acts. If web admins had a way to tell whether a visitor were human or bot, they could eliminate a lot of spam.
CAPTCHA - Bane of Blind Users
CAPTCHA is an acronym: Completely Automated Public Turing test to tell Computers and Humans Apart. Traditionally, CAPTCHA displays an image containing numbers and text, which the user visually reads and enters into a text field. More modern versions ask users to select images based on some criteria, such as “select all images with ladders”. But computers have become pretty good at visual processing. Image-based CAPTCHA isn’t as effective as it once was.
CAPTCHA accessibility issues are obvious to the AppleVis community. Many vision impaired users depend on an audio-based challenge, in which users enter words spoken in a short audio clip. But this is not an option for anyone with a hearing impairment.
From an accessibility perspective—and even for sighted users—the ideal CAPTCHA would require no user interaction. For example, Google’s reCAPTCHA version 3 computes a probability that you’re human by examining your browsing activity and other data. You don’t even have to check a box. These systems are only as smart as the biases of their developers, and accessibility tools such as magnification and keyboard navigation can throw them off.
CAPTCHA developers see a bigger problem: AI is becoming smarter. Advances in image processing and text-to-speech have rendered image- and audio-based CAPTCHA systems worthless. Even reCAPTCHA v3 has already been cracked by intelligent internet robots. That was news to me, but it shouldn’t be. I’ve read Ray Kurzweil’s series of books on the accelerating pace of AI development. SkyNet will be online soon.
In this blog, we'll test drive hCaptcha, a solution that claims to be both accessible and robot-proof.
hCaptcha - the Cookie-Based Alternative
hCaptcha uses cross-site cookies for accessibility. Like reCAPTCHA v3, it’s intended to be a non-interactive CAPTCHA technology. But in practice, it’s not as ideal as you might expect. To use it, you must obtain a cookie. The cookie is only good for 24 hours, which means you pretty much need to refresh the cookie every time you confront a site that uses hCaptcha. You also need to configure Safari to use cross-site cookies, which Safari disables by default.
First, let’s obtain the hCaptcha cookie. Then we’ll change Safari’s settings.
Me Want Cookie
Cookie Monster has one use for cookies. They must be eaten. In the same way, your web browser consumes cookies provided by web sites. There are many uses for internet cookies, such as keeping an accurate count of site visits and visitors.
Alternatively, you can wait until you encounter a website that uses the hCaptcha system. I do not recommend this. Their interface of menus and web dialogs is neither simple nor intuitive. Registering on their site in advance greatly simplifies the process.
Enabling Cross-Site Cookies in Safari
Before you attempt an hCaptcha challenge, you’ll need to modify Safari’s default settings.
Since Apple’s March 2020 update, Safari blocks cross-site cookies by default. When one site consumes another site’s cookie, that’s a potential privacy issue. Normally, one website should not be tracking what you’re doing on another website. But hCaptcha’s accessibility cookies require cross-site tracking. To use hCaptcha, you must enable cross-site tracking in Safari.
On Mac OS, launch Safari and open preferences. Select the Privacy tab, and uncheck Prevent Cross-Site Tracking. In iOS, you’ll find a similar toggle in Settings, Safari.
Now that you’ve registered at their site and obtained their accessibility cookie, now that you’ve allowed cross-site tracking in Safari Preferences, you’re finally ready to try hCaptcha at this hCaptcha demo page. As you can see, passing the hCaptcha challenge is trivial once the cookie is in place.
In concept, hCaptcha sounds like an accessible solution:you have their cookie, you pass their challenge. In practice, having to register at the hCaptcha website and modify Safari Preferences makes hCaptcha positively inconvenient for first-time users. For subsequent visits more than 24 hours later, finding the old email and refreshing the cookie isn’t much better. If a CAPTCHA system provides a simple interface for abled users and a convoluted interface for disabled users, is it really accessible?
We know why CAPTCHA is complicated: It’s the only way to stump a robot. I can only speculate that hCaptcha’s complex interface and inconvenient 24-hour expiration exists for the same reason.
How long will it be before a robot is able to navigate hCaptcha’s convoluted mechanism for obtaining an accessibility cookie? When this happens, how will the system change, and how will it impact disabled users?
I previously mentioned reading Ray Kurzweil’s series of books on AI. While they’re all good, I recommend The Singularity is Near. In that book, Kurzweil predicts computer AI will pass a general Turing Test by 2029. What happens when website can no longer tell humans and computers apart?
As bots become smarter, CAPTCHA technology must inevitably evolve. Let’s hope accessibility doesn’t become a casualty in the CAPTCHA arms race.