CAPTCHAs are a frustrating occurrence on the Web. But why are they such a ubiquitous security measure to begin with? Why are there different implementations and which problem are they attempting to solve? During this lecture you’ll learn how these “Human Interactive Proofs” came to be, how they’re still evolving, why they are an unethical solution to the wrong problem, and which solutions are preferable within a set of common scenarios.
We are all familiar with CAPTCHAs. They get in our way as we’re trying to interact with the web, and more often than not they frustrate us as we try to solve them, or they outright prevent us from completing a goal. Why are these verification mechanisms so ubiquitous and varied on the Web, even though they affect usability so negatively?
Some problems are extremely hard for computers to solve. Some of these are hard for humans to solve as well, but some are not. By citing evolutionary biology, I’ll explain what’s special about these problems, why humans are good at solving them while computers struggle, and how they have since come to be used as specific challenges to discern humans from computers. I will display a wide variety of “Human Interactive Proofs”, as they’re called - from examples seen on the Web, to patent prototypes that never saw the light of day - illustrating the many ways in which humans have developed mechanisms to ask humans to prove that they are human. We will discuss why each of these different mechanisms poses an obstacle for a varying subset of the population.
We will see how some of these CAPTCHAs are easily broken by modern advances in Machine Learning, how services such as Amazon Mechanical Turk make CAPTCHAs less effective, and how recent developments in Google’s reCAPTCHA result in a Web that judges the measure of our humanity by analyzing our behaviour.
From there we will explore the ethical reasoning behind CAPTCHAs, why the question of “prove you are human” is not the right question to ask, and why instead we should concern ourselves with the intent of the action. What makes an action legitimate, and how can we tell the difference? We will discuss ethical security on the Web, and from there consider potential consequences of no longer using a CAPTCHA. We will discuss various examples where CAPTCHAs are used, while approaching them from a goal perspective, such as buying some concert tickets. When is an action illegitimate? When is it not? How can we know, and what should our next step be? We will further discuss a set of example scenarios where a CAPTCHA is used, but can instead be removed in favour of a user-friendly alternative.
Finally, we will see how the evolving arms race of automated Human Determination results in a Web where the lines that tell human from machine are increasingly blurred, and what consequences this has for those of us placed outside this algorithmic frame. This lecture is a mixture of computer science, usability, security, ethics and philosophy.