
How Captcha kills the romance of the WWW (except spammer wins)

The ‘World wide web’ is a romantic concept –

  • World: belongs to everyone
  • Wide: no boundary
  • Web: links everyone together.

But my romantic interpretation has been interrupted by the not so romantic everlasting online abuse problem and hence the proposed CAPTCHA feature in a work meeting.  Now here’s my view (supported by some research)…

1. Captcha punishes a vast amount of people

…(and money they make) who deserve extra consideration on web accessibility

Isofarro has helped me dig out some useful stats:

Between 15% and 30% of the population have functional limitations that can affect their ability to use technology products (50 million in US, 750 million worldwide). It is estimated that people with disabilities control a discretionary income of over $175 billion annually in US alone.

US$175 billion discretionary income?? Now accessibility is not a fancy ‘feature’, it matters to your business and you can tell your boss that quoting CSUN, in case they have ‘no time’ for egalitarian beliefs :)

2. All in all – I just see that CAPTCHA should not be a feature requirement

…or at least a clear warning should be given to publishers before they decide to implement it, for two key reasons: (1) accessibility: it keeps good users away, and (2) CAPTCHA is easily solvable by those who want to solve it: contrary to most people’s belief, it does not stop the evil spirits.

(1) Accessibility:

Users hate CAPTCHA. In our user research many told us that they would not bother to comment if they have to go through CAPTCHA. So CAPTCHA essentially turns away the light contributors who are pivotal in enriching the community with a more general, diversified tone of voice, while retaining the more troll/spam-ish users who would do anything to make themselves heard. In all, CAPTCHA turns users away as an extra step to contribute when sometimes your product already requires a sign-in system to comment.

(2) CAPTCHA would NOT help the problem of spam:

Multiple studies have demonstrated that CAPTCHA does not help in deterring spam. I am citing two academic papers to illustrate.

(I) Inaccessibility of CAPTCHA

‘It is important to note that, like seemingly every security system that has preceded it, this system can be defeated by those who benefit most from doing so. For example, spammers can pay a programmer to aggregate these images and feed them one by one to a human operator, who could easily verify hundreds of them each hour. The efficacy of visual verification systems is low, and their usefulness is nullified once they are commonly exploited.’

I easily found something that is hiring a CAPTCHA-solving team, for instance.

(II) A Low-cost Attack on a Microsoft CAPTCHA

‘It took on average ~80 ms for the attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%.’

A 60% success rate in breaking the system is almost the same as the success rate of average users, so again, CAPTCHA does not keep spammers away while making our sites inaccessible too. My own success rate with CAPTCHA is probably 50% haha. I’m worse than a bot, you see.

But What are we gonna do without CAPTCHA??? Recommendations:

Why do we need CAPTCHA? It’s because we want to get rid of spam. With all the research I have put together and discussions with engineers from all walks of life, I’ve distilled the following potential routes:

  1. We’d need some sort of reputation system that will surface trusted users’ content (algorithm based, factoring in variables such as membership length, history of abuse/content removed, and human filters such as a community manager assigning special reputation levels). Akismet does this rather well, and they offer both a commercial and a free-to-use API for private use.
  2. Comments with similar syntax and semantics should be analysed with a variable confidence level for spam filtering.
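
The two routes above combined into one scoring function, as an added example (not the author's code and not how Akismet works): reputation from membership length, removal history and a manager-assigned level, then similarity to known spam discounted by that reputation. The weights, thresholds, field names and sample comments are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Author:
    days_member: int
    removed: int           # comments previously removed for abuse
    total: int             # comments posted overall
    manual_level: int = 0  # set by a community manager: -1 flagged, 0 none, 1 trusted

def reputation(a: Author) -> float:
    """Trust score in [0, 1]; the weights are illustrative assumptions."""
    age = min(a.days_member / 365, 1.0)
    removal_rate = a.removed / a.total if a.total else 0.0
    score = 0.2 + 0.5 * age - 0.6 * removal_rate + 0.3 * a.manual_level
    return max(0.0, min(1.0, score))

def shingles(text: str, k: int = 3) -> set:
    """Set of k-word windows, so lightly edited copies still overlap."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def similarity(text: str, known_spam: list) -> float:
    """Highest Jaccard overlap between the comment and any known spam sample."""
    s = shingles(text)
    best = 0.0
    for sample in known_spam:
        t = shingles(sample)
        best = max(best, len(s & t) / len(s | t))
    return best

def decide(text: str, author: Author, known_spam: list) -> str:
    """Spam confidence = similarity discounted by reputation (assumed thresholds)."""
    confidence = similarity(text, known_spam) * (1.0 - 0.7 * reputation(author))
    if confidence >= 0.5:
        return "reject"
    if confidence >= 0.15:
        return "hold"  # queue for a human moderator instead of blocking outright
    return "publish"

# Constructed sample data, not real comments or accounts.
KNOWN_SPAM = ["thanks for such great opportunities to readers these words are really valuable"]
COPY = "Thanks for such great opportunities to readers, these words are truly valuable!"
NEW_USER = Author(days_member=1, removed=0, total=0)
TRUSTED = Author(days_member=800, removed=0, total=120, manual_level=1)
```

The same near-duplicate text is rejected from a day-old account but only held for moderation from a long-standing trusted one, while an unrelated comment from the new account is published with no extra step for the user.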

Of course this is a filtered version that I can share openly.  At work I have been documenting everything to a point where I am called the ‘abuse lady’.  How I love my job! :)

Okay finally I have noticed new strands of suspected WordPress spam:

‘Dear there! how are you?
thanx for such opportunities to readers.They are with very appriciable advantage in changing readers mind and makes them the same time I want to appriciate for the one who gave comment in no3 above.I hope such persons stand to be globalistic and fully rational.
Thanx once again’

‘Hi there !how are you ? are you fine? I hope so .Here below is the comment I want to give for your advise shared me>these words of the wisemen shared to readers are realy valuable.They are just like daily shool room concepts like a good teacher giving you course in the class.I understand this in such a way that i am happily saying you are realy great men and make this your custom to share us as daily breakfast so that we can have global concepts.’

It took me a few serious moments to consider whether they are actual comments or not, but my conclusion is that they look too much like machine-generated text based on my blog content, similar to text generated by the Dada Engine (created by Andrew C. Bulhak at Monash University)* – an engine that randomises phrases to create post-modernist text.

Hmm.. now that gets me thinking about what an open source, global, scalable solution would look like…. /headache

*Nassim Nicholas Taleb. (2004) Fooled by Randomness. p73. Penguin Press


  1. Interesting argument against CAPTCHA, thanks! I think governments need to crack down more and find and prosecute spammers.

    Also, there are more CAPTCHA and Accessibility resources here on a recent blog post of mine. Cheers -Dennis

  2. Thanks Web Axe, as you can see I am very IMPRESSED by how you can find out the most horrid CAPTCHA of all time on your post.

    /hat’s off

