Why CAPTCHA?

Are you human? Prove it.

by

Been asked to spot bicycles or click “I’m not a robot”? That’s CAPTCHA at work. Here’s why websites use them, how they’re changing, and what it means to be asked to prove you’re human.
a robot standing behind a sign that says "I am not a robot."
(Image: ChatGPT)

We’ve all seen them and been frustrated by them. Click on all the images that contain a bicycle. Or a bridge. Or stairs. Or click this slider and move it to the right until the image is properly aligned. Or pick the two things shown in different orientations that are the same.

Those are all CAPTCHAs, which is an acronym for Completely Automated Public Turing test to Tell Computers and Humans Apart. It’s even trademarked by Carnegie Mellon University.

As frustrating as they are, they exist for an important reason.

TL;DR:

CAPTCHA conundrum

CAPTCHAs confirm that you’re human, not a bot. They stop spammers from flooding websites with junk. While sometimes annoying, they keep the internet usable. As AI gets smarter, CAPTCHAs keep changing too. Next time you click “I’m not a robot,” remember it’s there to protect us all.

It all starts with spam

As with so many things these days, it’s all about spam and spammers.

There are several scenarios in which CAPTCHAs stem the tide of spam.

Without CAPTCHA, it’s easy to use a computer program to open thousands1 of free email accounts and start sending spam from them. Sure, the accounts would eventually be blocked, but the program just keeps on creating thousands more.

Without CAPTCHA, it’s easy to use a computer program to leave thousands of spammy comments on Ask Leo! and other blogs and websites. It’s easy to overwhelm just about any website that has an input form that even looks like it might be a comment-submission form.

Spammers have incurred untold millions of dollars in additional costs and burden on website owners and internet users.

CAPTCHAs are one way to keep that from growing out of control.

Ask Leo! is temporarily Ad-Free!
Help make it permanent by becoming a Patron.

Computers trying to act like humans

One of the oldest challenges in computer science is to build a computer (or software) that mimics “thinking” like a human and does it so well you can’t tell the difference. Asked a series of questions, you wouldn’t be able to tell whether the responses came from a real human or a computer.

That’s referred to as a Turing test, named after the computer scientist Alan Turing.

You’ve probably heard more about it of late with the rise of AI. Many AIs can pass various forms of Turing tests. More on that in a moment.

A CAPTCHA is a kind of Turing test. It’s a test to prove you’re human.

Why CAPTCHAs (mostly) work

Until recently, the old-style distorted letters style of CAPTCHA stymied computer programs.

And then this happened.

ChatGPT solving a CAPTCHA.
ChatGPT solving a CAPTCHA. Click for larger image. (Screenshot: askleo.com)

I didn’t even tell ChatGPT what to do. I just pasted in the image that I used to use in this article — an example of what was once impossible for computers to decipher — and it simply returned the result.

Yikes.

And I’ll bet you haven’t seen that style of CAPTCHA for some time.

Even the ones we do see — distorted image identification and matching — are slowly becoming things that current AI can figure out.

The result, of course, is an arms race. You can expect to see more and different forms of CAPTCHAs in the future.

One drawback to CAPTCHA

CAPTCHAs have one huge drawback: they assume you can see.

Blind computer users — of whom there are many — cannot complete a visually oriented CAPTCHA.

As a result, there are alternatives. Some use audio (asking the person to type a series of characters), or even simple math expressed as a sentence (“What do you get when you add two and seven?”). The goal is the same: answering these types of tests is surprisingly difficult to automate, so a correct result is reasonably possible only if you’re human.

Of late, an even simpler CAPTCHA has become popular: the “click here” CAPTCHA.

recaptcha1
A “click here” CAPTCHA. (Screenshot: askleo.com)

As simple as this seems, it’s apparently fairly effective. The “trick” is that you can’t click the checkbox right away. It’s replaced by a spinning disk until it’s ready for your input. Current automated spam bots aren’t capable of something as simple as detecting that a delay is required.

I'm No Robot
A “click here” CAPTCHA resolved. (Screenshot: askleo.com)

Some employ other behind-the-scenes tricks, such as monitoring mouse movement while they wait, to determine whether or not the entity at the keyboard is a human or not. Many CAPTCHA techniques now rely on behavioral analysis rather than on your ability to identify bicycles in a grid.

Why Ask Leo! has no CAPTCHA (today)

My website takes comments, but I currently don’t use CAPTCHA. How’s that possible? I do get a lot of spam.

Spam count so far today.
Spam count so far today. (Screenshot: askleo.com)

I pay for a service that attempts to block spam. That number above — 381 — represents a little over half a day’s worth of blocked comment spam attempts. I’m sure it’ll pass 600 attempts by the end of the day. We’re looking at something like a quarter of a million attempts to post spam comments here every year.

Because spammers aggressively and constantly change their approach, I’m not ruling out requiring CAPTCHA sometime in the future. But for now, things seem to work well.

Except things are getting worse.

Why so many sites use CAPTCHA

A few days ago, one of my servers — fortunately not the one housing Ask Leo! — bogged down to a crawl and finally crashed. The culprit? Bots and scrapers. Specifically, a new genre of spiders that are scraping websites for content to feed AI large language models. There are so many, and they are so persistent and overwhelming, that they can bring websites to their knees.

Not to mention copying all their content.

As a result, many websites now present a CAPTCHA before you can even view their content.

It’s no longer only about spam, but about protecting the servers and the content that the websites present.

In my case, I just beefed up the server specs a little, and all seems well. For now. I’m not as concerned about content “theft”, as some see it, as I am about just keeping my servers online.2

The future

CAPTCHA’s future will be interesting. AI can already automatically decipher many of today’s CAPTCHA images and techniques. Look for new approaches — hopefully still easy for humans to use — to prevent further automated abuse in the future.

But the bottom line? Don’t blame a website for using CAPTCHA. It’s a corner they’ve been forced into.

Blame the spammers, scrapers, and bots.

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Footnotes & References

1: And by “thousands”, I mean hundreds of thousands, if not millions.

2: Not as concerned, or perhaps simply resigned to the current state of AI.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at https://askleo.com/creative-commons-license/.