You know this: Every time you fill out a webform or sign up for a service, you have to type out some words which are displayed in terrible handwriting. Otherwise the webpage does not let you continue. Those are called “Captchas”:
You see them every day, you can’t get around them, most people hate them but somehow you need them: Consequently they are called the “Kardashians of the Internet” (only I call them this). But unlike the Kardashians Captchas don’t break the internet but are essential to today’s web. What do they do and why do we need them?
Captcha is an acronym and stands for:
Turing test to tell
A Turing test is a way to distinguish between humans and computers based on the given answers to questions or challenges.
The main purpose of a Captcha is to protect the internet from spammers and bots. Spammers are people who flood a web service with (most of the time) useless information. You might have some of them in your friends list on Facebook. In this context bots are computer programs which automatically use a web service in a repetitive manner. Bots can, for example, be used to crash a webserver by cluttering it with requests or to find out a password by trying all possible combinations. Bots are sometimes used by spammers to spread their trash more rapidly. People even write bots to scoop all tickets for a concert the second it goes on sale. As you can see it makes sense to protect the web infrastructure from such threats.
That’s where Captchas come in: They challenge the user of the service with a task which is easy to solve for humans but hard for bots.
An example for this is the well-known “Type this to prove you are human” - Captcha.
If the text is distorted enough, Computers using optical character recognition software have a hard time figuring out the word, because they are programmed to understand typed text or normal handwritten text. Humans on the other hand can solve this problem fairly easy. Unless this human is in a hurry. Or drunk.
You are an unpaid employee of Google
Hunderts of millions of Captchas are solved every day. That is a lot of useless work we are doing just to prove that we are not computers. The company reCAPTCHA (which Google acquired in 2009) changed this: They used captcha-solving humans to help Google’s book-scanning project by reading words their software could not understand in order to digitize those books. Those Captchas look something like this:
On the left side of this particular Captcha, reCaptcha shows you the real “Turing Test” to find out whether you are a human or a bot. reCaptcha knows the solution for this challenge and can check your answer. On the right side the Captcha shows you a word which was scanned from a book but Google’s software could not figure the word out with absolute certainty. The user inputs both words as well as possible, reCaptcha checks if you typed the left word correctly and sends your transcription of the right word back to Google’s book-scanning project. If the left word is correct, it lets you continue.
Of course this is a simplified version of the progress: Really, a word has to be transcribed identically by many users to count as correct for Google. Furthermore this word then moves back into reCaptcha’s pool of “challenges”: Now the correct transcription is known and it can be used in the Turing test. This consequently means that you still have to type both words of a Captcha even if you are sure that one of the words was scanned from a book. You don’t know if the word is being transcribed right now or just used as a challenge.
Google didn’t stop there: Now reCaptchas are used to improve addresses in Google Street View. By prompting users with photos of street number signs their algorithm could not read, they are collecting information to make Google Maps more accurate when you search for a particular address.
Not my type – Captchas that don’t require spelling
As I mentioned before a lot of people don’t like Captchas. Usually it’s the difficulty to read the whirly text which bugs them. That’s why there are alternative Captcha Methods: One of my favorities are these little games the guys at areyouahuman.com make, which are very hard to win for bots but easy for people. Check out this one for instance:
But the most amazing new Captcha technology emerged again at Google’s labs. Their new Captcha method is called “NoCaptcha” and is… well… no Captcha! To prove whether you are a human or not you simply have to click a checkbox:
Wait... What? Writing a program or script which clicks a checkbox is so easy that even your little sister could do it? Well that’s where the magic comes in: NoCaptcha decides if you are a human based on your behaviour before and while you are using that checkbox. That means that if, for example, your mouse moved really fast and only in perfectly straight lines, NoCaptcha gets the notion that you might not be a human being. Humans usually don’t use their mouse in a straight line. Another aspect taken into account is how often you accessed a resource protected by NoCaptcha. If you are using it too often, you are probably a bot! This even works across different websites. So, if you write a program which relentlessly creates new email addresses on the websites of different Email Providers which all use NoCaptcha, it can see (even if the program only accessed each website once) that you are trying to spam. But what happens if NoCaptcha is wrong? What if it thinks you are a bot breaking in to a system, just because you needed 10 tries to remember your password correctly? When NoCaptcha concludes you could be non-human (and only then), it shows you a good old ‘Turning-Test’:
As you can see: No more whirly text! Today’s Captcha solver just has to pick the right images. A big advantage of this is the much easier use on mobile devices!
And even more genius: Google uses the data you generate by solving the Captcha to better categorize pictures. You basically support machine-learning, which is then used in projects like Google’s Picture Search and other apps.
Another problem with conventional Captchas is that they do not work for visually impaired people. This is usually overcome by providing a second option for solving the Captcha which does not require reading. Most of the time those are solved by typing out text which is read to you. To stop the bots, the audio is scrambled and distorted. The result can be something like this, which is an actual audio Captcha I recorded. It sounds unbelievably scary and is really hard to understand:
There is definitely some progress to be made in this area.
The Spampire strikes back
Captchas have to be made better regularly to keep up with improving OCR Software. The problem the industry has to face is to make the Captchas safer but keep it frustration-free for users. If it takes a human more than a few seconds to solve a Captcha, the programmers did a bad job - regardless of how safe it is.
But there is a different approach for hackers, spammers or anyone who has a lot of captcha-solving to do: Letting others solve your Captchas by hand. On websites like 2Captcha.com you can hire human Captcha-solvers, who do your typing for you. The prices start at 0.50$ for 1000 solved Captchas. You will still have to write your own bot however: You implement their API in your code and the Captchas your bot encounters will get sent to and solved by your captcha-solving minions. By the way: If you search for a job where you will NEVER EVER get replaced by a machine, you can just work for 2Captcha and solve other people’s problems. Well at least their Captchas.