Death to captchas

Earlier this year, HBO Max users hoping to sign in to the service had to pass an audio challenge in which they listened to a bunch of tunes and had to select the one with a repeating pattern. When I signed in to LinkedIn recently, it asked me to prove I’m human with an unusual puzzle. With a set of left and right buttons, I had to turn a 3D image of a pink dog until it faced the direction that a hand next to it was pointing.

Websites use these captchas (the name comes from “Completely Automated Public Turing test to tell Computers and Humans Apart”) to tell whether a user is human or machine. You’ve likely noticed they have only gotten more difficult and more involved. That is partly because of what happens after we solve a captcha: the labels we produce when we pick out blurry traffic lights, text, or buses are used to train image-recognition systems, and systems of that kind are exactly what bot operators need to solve captchas and pass as human.

The arms race between humans and machines has been running for a while. As early as 2016, researchers at Columbia University showed they could solve Google’s image captchas with 70% accuracy using off-the-shelf automated image recognition tools, the sort that could readily be used by bot designers.

Captchas have gotten more complex out of necessity: as AI gets more sophisticated, the older challenges become less effective.

By now, some captchas have gotten a little surreal. A company called hCaptcha recently tasked people with identifying an object that doesn’t exist—a “Yoko,” which seems to be an AI-generated yo-yo with a roughly snail-like appearance.

Tech firms and consumers alike feel it’s time for a change. For one thing, legacy captchas (which are still in use) just don’t work anymore: “Clicking images such as buses and street signs is outdated,” Ashish Jain, the CTO of Arkose Labs, the firm behind those LinkedIn and HBO captchas, told MIT Technology Review. “Bots have evolved, but legacy captchas haven’t.” Even more convoluted mini-games may not be enough to keep AI at bay. In one instance, a chatbot (guided by humans) pretended to be visually impaired and managed to hire a human to solve a captcha for it.

Mauro Migliardi, a professor of software engineering at the University of Padua, believes captcha designers will have to go a step further in order to stay ahead of machines. Because AIs can be trained to tackle any cognitive task, he says, we may need to transition to physical challenges, like requiring users to rotate their phones or move them in a certain way as they would in a video game.

That might solve some problems, but it would create others. The more complicated the challenge, the more cumbersome it is to do what you want to do on the web. And some approaches might shut some users out. “It’s actually really hard to build a challenge like this that is friendly to the whole human population,” Jess Leroy, senior director of product management at Google Cloud, wrote in an e-mail. “There are many reasons why something that may be obvious or easy to one person may be difficult to another.” Those include disabilities and cultural differences.

In the long term, we may see captchas abandoned altogether. Companies such as Google and Cloudflare have already quietly switched to “invisible” challenges, which watch for fingerprints of human behavior, like cursor motion or browsing patterns, to tell a person from a bot. If these sorts of signals convince the software you are human, you won’t have to solve a captcha.

This approach raises privacy concerns: such signals can allow advertisers and websites to track what you are doing online. An alternative could come from a coalition of companies, including Google, Fastly, Cloudflare, and Apple, that has developed a more privacy-friendly mechanism called Privacy Pass. Before we even open a browser and run into a captcha challenge, we perform numerous actions on our phones and computers, like unlocking them with our faces, that are hard for a bot to imitate. On a Privacy Pass–enabled website, our devices use that evidence to vouch for us, and the site receives only a token saying the check passed, allowing us to skip the captcha altogether. The underlying signals never leave your device and aren’t shared with the website, and because the token is issued with a blind signature, even the party that issued it cannot link the token to the site where it is spent. Apple calls these tokens Private Access Tokens (PATs) and already enables the feature by default on iPhones running iOS 16 or later.
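To make that privacy property concrete, here is an added example of the blind-signature exchange Privacy Pass builds on (RSA blind signatures, the construction behind its publicly verifiable tokens). It is not code from the article, from Apple, or from any Privacy Pass implementation: it strips out the padding, key sizes and message encoding a real deployment uses, and the three roles, the challenge binding, the helper names, the demo-sized keys and the constructed challenge string are all illustrative assumptions.

```python
import hashlib
import secrets
from math import gcd
from typing import Dict, Tuple

# Issuer key is (n, e, d); only (n, e) is published to clients and origins.
IssuerKey = Tuple[int, int, int]

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test, good enough to build demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def issuer_keygen(bits: int = 1024) -> IssuerKey:
    """Demo-sized key; deployed issuers use 2048-bit RSA with PSS padding."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e, pow(e, -1, phi))

def hash_to_int(msg: bytes, n: int) -> int:
    """Full-domain hash of msg into Z_n (counter-mode SHA-256, then reduce)."""
    nbytes = (n.bit_length() + 7) // 8
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(out[:nbytes], "big") % n

def client_token_input(challenge: bytes) -> bytes:
    """Fresh nonce + digest of the origin's challenge, so the token is bound
    to this site visit and cannot be spent against a different challenge."""
    return secrets.token_bytes(32) + hashlib.sha256(challenge).digest()

def client_blind(n: int, e: int, token_input: bytes) -> Tuple[int, int]:
    """Multiply H(token_input) by r^e; the issuer sees only a random-looking value."""
    m = hash_to_int(token_input, n)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r

def issuer_sign_blinded(key: IssuerKey, blinded: int) -> int:
    """The issuer signs a value it cannot read. Its only decision is whether
    the device attestation passed, which this toy assumes it did."""
    n, _, d = key
    return pow(blinded, d, n)

def client_unblind(n: int, blinded_sig: int, r: int) -> int:
    """(m * r^e)^d = m^d * r mod n, so dividing by r leaves a plain signature on m."""
    return (blinded_sig * pow(r, -1, n)) % n

def origin_verify(n: int, e: int, token_input: bytes, challenge: bytes, sig: int) -> bool:
    """Origin checks the challenge binding, then the signature under (n, e)."""
    if token_input[32:] != hashlib.sha256(challenge).digest():
        return False
    return pow(sig, e, n) == hash_to_int(token_input, n)

def run_protocol(challenge: bytes, key: IssuerKey = None) -> Dict[str, object]:
    """One issuance-and-redemption round; returns what each party saw."""
    key = key or issuer_keygen()
    n, e, _ = key
    token_input = client_token_input(challenge)
    blinded, r = client_blind(n, e, token_input)
    blinded_sig = issuer_sign_blinded(key, blinded)  # issuer's view of the token
    sig = client_unblind(n, blinded_sig, r)          # what the origin receives
    return {
        "issuer_saw": blinded,
        "signature": sig,
        "verified": origin_verify(n, e, token_input, challenge, sig),
        "replayed_verified": origin_verify(n, e, token_input, b"other site", sig),
        "forged_verified": origin_verify(n, e, token_input, challenge, sig + 1),
    }
```

Calling `run_protocol(b"constructed challenge from example.com")` returns a dict in which `verified` is true while the replayed and forged variants are false. The point to notice is `issuer_saw` versus `signature`: the value the issuer signed is a uniformly random element of Z_n that only the client's secret factor `r` connects to the signature the origin later receives, so an issuer that colludes with the website still cannot tell which of its signing operations produced the token it sees redeemed. The real protocol adds a token type, a key identifier and a structured challenge to the token input, but the linkage argument is the same.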

Most captcha providers, like hCaptcha and Cloudflare, now support PATs as well. Cloudflare’s CTO, John Graham-Cumming, said in July that more than half of requests from iOS devices used PATs. Leroy says that Google’s Chrome and Android teams are “working on similar technologies.”

But don’t expect captchas to disappear anytime soon. While Privacy Pass may prove a reliable alternative, captchas remain popular. Ting Wang, an information science and technology professor at Penn State University, predicts they will “continue to exist as a cheap, platform-agnostic, and universal verification solution.”

Shubham Agarwal is a freelance tech journalist.
