A Eulogy For CAPTCHA
How do we know we’re human?
What is CAPTCHA? It’s demonic. It’s goofy. It’s at the center of a booming overseas cottage industry. It’s the most basic existential crisis. It looks cool in Russian. It’s the hold up between you and 1,000 pairs of Yeezy Boost 750s. And if it’s not keeping you from buying something en masse, it’s selling you something else: a Dr. Pepper or a Dish Network subscription or a Toyota RAV4. Also, it’s dying.
CAPTCHA, the Completely Automatic Public Turing test to tell Computers and Humans Apart, is something that should be simple but isn’t. Stepping away from any of its cultural or aesthetic significance, CAPTCHA is just a program that helps to stop spambots from spamming everything. It does this through kind of a cool trick: by mangling letters or numbers or both in a way that humans can read but computers can’t. Once the human types in the mangled words, the CAPTCHA is solved, and they can continue on to the spambot free web. And, okay, that’s a simplification, or at least a summary of a much earlier time.
At present, there are other, newer types of CAPTCHAs, and they work in slightly different ways. Some are like, “select all the pictures with a turkey.” Some are part of a larger, somewhat controversial crowdsourcing project. Some don’t show any words at all and rely heavily on your cookies. Some are actually ads. These variations (except the ad one) mostly reflect improvements in artificial intelligence, specifically in OCR, or machine vision, which type-in CAPTCHAs don’t protect against.
So it’s the old CAPTCHA, the type-in CAPTCHA, that’s going away. “Dying” if, like me, you’ll miss it, or see something important in the way it is now. “Evolving” and “improving” if not. Unlike much of what goes on in the day-to-day workings of our browsers, these type-in CAPTCHAs make themselves known to us. They’re visible, they’re interactive, by nature. Every CAPTCHA is a sort of conversation, albeit a very brief, often fraught one. And if other systems are more secure, or cleaner, or safer, It’s the act of questioning that differentiates CAPTCHA from other attempts to separate humans from bots. Even if, on the surface, the answer should be easy.
Are you a robot? No. See? Simple.
But CAPTCHA is a backronym, and like its developers realized way back in 2003, it’s hard not to ascribe some greater meaning to this wonky program after the fact. Plenty of people see CAPTCHA as a minor annoyance, get stumped and move on. But plenty more come back to it, take it out of context, scrutinize the interaction. There’s a feeling, often, of having been had. Maybe because of the look of it. Maybe because of the name, which seems to deviously combine “capture” with “gotcha.” But most of what you read about CAPTCHA online hinges on its central question: Are you a robot? Well, no. But what if you can’t read the text? Well, simple! The CAPTCHA regenerates and you try again. But what… if you still can’t read the text? OK. You fail, refresh, try again, fail, refresh, etc. Hm. Are you a robot?
It’s the implication of this impasse, more than the impasse itself, that makes CAPTCHA the source of so many things online. There are CAPTCHA memes, CAPTCHA rants, CAPTCHA comics, CAPTCHA creepypastas, CAPTCHA conspiracies, and CAPTCHA-critical fan fictions. Some of them play up the CAPTCHA’s look — the odd pastels, the slashed-up letters. Some, its content — total nonsense or cryptic phrasing like “nudism directed.” But this sort of general buzz gets at something bigger. Creepier. Something creepier, even, than the skimpy, spectral numbers CAPTCHA has you decode.
Take my favorite, “Scumbag CAPTCHA”:
And then look at this:
And this, on the newer, one-click CAPTCHAs:
Sure, these are pretty lame. But they’re scratching at something important. “Are you a robot?” And then, “Prove it.”
There are other examples, other things people take from their CAPTCHAs, illuminating in their own way. There are the “Robots are People Too” posters, mostly seen in fan fiction and memes. Read Le Penguin’s “A Captchaed Heart”. There are the CAPTCHA-as-demon uploads to YouTube. “Audio CAPTCHA — Performed by Demons from Hell”; “Ultimate Demon — Captcha Service Review”; “Demonic Hanicap-Accessible Gmail Audio Captcha”; and “Facebook Demon,” about an audio CAPTCHA on Facebook.
All of these things, through humor, fear mongering, or frustration, get around to questioning the things we’ve questioned always. How do we know we’re human? How do we get other people to know that, too? Is our life just some cheap, freaky simulation?
And how can you not wonder all that, looking at something like this:
So this is how we prove our humanity, by TYPEing-IN the dirty-sock arithmetic on a Tide-branded CAPTCHA. “Prove you’re human.” It’s so blah, so crass—not even a please. And the worst part: CAPTCHA was supposed to be a good thing! Reducing spam? Good! Halting the internet bot takeover? Good! Improving AI technology? Good, hopefully! Stopping one bot from buying up all the whatever and reselling it 500%? Yes! Good again! But CAPTCHA isn’t so straightforward. And through it’s question, and our often incorrect answers, a darker, more dysfunctional portrait of the internet and the economy behind it seems to tip its hand.
The problems with CAPTCHA, the reasons behind its demise, go beyond the poetic. They go straight down to the code, to the way the puzzles are written and our ability to solve them. For one, CAPTCHA isn’t serving people equally. It’s measurably harder on some than on others. In one 2010 study, “How Good are Humans at Solving CAPTCHAs?” a team of Stanford researchers finds that some people are pretty bad at solving CAPTCHAs if they’re non-native speakers. Solving time shifts around based on education levels, too. And audio CAPTCHAs — remember, those demon things? — a supposedly reasonable alternative for the blind, prove the most confusing, as the solving time jumps up to nearly half a minute. That some people have such difficulty solving type-in CAPTCHAs makes the confrontation even ickier, when you consider what’s being asked (“are you a human?”) and what might get in the way of answering it.
As hard as CAPTCHAs are on some, they’ve become much easier for the bots they’re meant to keep out. Christopher Romero, a software developer, spoke with me about CAPTCHA’s history and a bit about the program’s possible future. Romero sees a shift by the major companies towards two-factor authentication to filter out sign-up spam. This is not, again, because the tech companies are questioning the broader implications of the “are you a robot” shtick, or even because of the problems they pose for people who have trouble seeing, or reading English. The robots are just getting smarter. They can read those dumb squiggly lines better than we can.
CAPTCHA is disappearing, if not into obscurity, then at least deep behind our screens, out of sight. Take Google’s little box-click system, called “No CAPTCHA ReCAPTCHA.” Here, there are no letters. No numbers. There’s nothing to type in. No CAPTCHA looks instead at your cookies, IP address, and the movements of your mouse when you get to the screen. The program still asks the same question, but there’s no longer a satisfying answer. The conversation is gone. Are you a robot? *click*. What makes type-in CAPTCHA so poignant, so perplexing, is how in your face it is. How you’re forced to look at it, and to grapple with it. Soon, we won’t be able to see CAPTCHAs at all.
The other thing killing CAPTCHA has less to do with a machine’s drive to learn and more to do with the old adage that some people never will. These are the giant CAPTCHA-solving labor farms. Worker exploitation! Dubious legality! Flimsy and obvious industry-wide lies, promising that these companies exist to benefit OCR technology, and, uh, are for “research purposes.” Research, which does play a legitimate role in CAPTCHA development, is almost definitely not the reason “ImageTyperz” exists. So what are these companies really for? Who uses them? Really, anyone in the business of low-level, automated spamming on a large scale: pushing a product or link over and over again in comments, purchasing hundreds of tickets or shoes for resale, or opening lots of accounts for click fraud. CAPTCHA cracking is a numbers game, both in process and reward.
Popular sites like DeathByCaptcha, Anti Captcha, DeCaptcher, Captcha Sniper and ExpertDecoders offer “CAPTCHA bypass done right,” have 24/7 support, and “process” tens of thousands of CAPTCHAs per day, charging between 2 and 40 dollars per 1000 CAPTCHAs solved. (Interested in starting your own? There are plenty of resources to show you how.) The sites, which, again, are very professional and offer important “research” support to machine-learning developers, have lots of pictures that look like this:
The addresses are mostly foreign—anywhere from Edinburgh to Dhaka to Rostock—are and bolstered by a work-from-home labor base that extends even further. The higher-ups are just called “admins” and they aren’t quick to respond for comments. So I took advantage of the 24/7 support systems to try to figure out what goes on in the CAPTCHA farms — how they operate, and, really, to see if they’d answer.
Here’s me, talking to support at DeathByCaptcha.
During our chat, which lasted almost exactly an hour (3:18 p.m. to 4:20 p.m.), I was a bit worried that my live support might, herself, be a bot. But the change in tone when it became clear I wasn’t signing up for anything convinced me otherwise.
The conversation ended, abruptly, and then I couldn’t access live support anymore.
This same thing happened at a few other sites. I was iced out of ImageTyperz pretty quickly, and got an “unusual sign in” warning from Microsoft after trying to Skype with DeCoders. What drew so many people to these classic CAPTCHAs that these farms exist? It’s the look, sure, but it’s also what’s behind it. All the ways people make money from the technology and its hacks, all the ways people scam it, only make the question feel more urgent. What is the proof of our humanity? And who wants to know?
But the question now is more one of what will replace it. Invisible CAPTCHAs are next, the logical step after No CAPTCHA. And other forms of authentication, beyond CAPTCHA or two-factor, are cropping up, which also look to answer the human question through data, instead of conversation. Areyouahuman.com is one of the companies offering a vision for the future of “Human Detection.” The flow-chart explanation for how this works is pretty opaque, but seems to be a more long-term tracking service, not designed to keep bots out entirely, but to keep them from influencing Google Analytics. Their banner ads read, “Be certain you’re addressing a Verified Human before you serve content, services or ads.” Then they boast: “Analyzing each user’s behavior in many different environments every day helps us verify and re-verify that verified humans stay human.”
Verify and re-verify that verified humans stay human. Is that better than “Prove you’re not a robot?” Worse? There’s something skeevy in answering a question you didn’t know you were being asked. And worse in not even knowing you answered. And worse still in doing it again, and again, “every day.” “In many different environments.” Exhausting. CAPTCHA, flawed as it is, is one of those special parts of the internet, like chum, that can’t help but reveal something profound in its peskiness. Better to appreciate it now, notice it now, and to critique it now, while it’s still here. While we can still see it, and talk to it. And while we can still think, in those few seconds they take to solve, about what, exactly, we’re proving.
So, CAPTCHA is dying. Here’s a video to remember it by.