[Irl-dean] Accessibility of visual challenge response systems

Paul Walsh, Segala paul at segala.com
Fri Sep 8 02:14:00 IST 2006

Finally, someone with longer emails than me! ;)

Sorry I couldn't make the meeting, it would have been good to put faces to
new names. 

Would anyone be interested in attending more regular meetings? Perhaps
attract non-accessibility savvy people to attend?


-----Original Message-----
From: irl-dean-admin at list.eeng.dcu.ie
[mailto:irl-dean-admin at list.eeng.dcu.ie] On Behalf Of Gez Lemon
Sent: 08 September 2006 01:38
To: irl-dean at list.eeng.dcu.ie
Subject: Re: [Irl-dean] Accessibility of visual challenge response systems

On 07/09/06, Laurence Veale <laurence.veale at iqcontent.com> wrote:
> First, thanks to Hugh for organising yesterday's event.

I second this. It was a pleasure to meet you, Hugh, along with other
members from this group.

> I've just blogged on the "Accessibility of visual challenge response
> systems" and am interested in your comments on it.

The fundamental problems with Completely Automated Public Turing test
to Tell Computers and Humans Apart (CAPTCHA)s is that they attempt to
distinguish between humans and robots by testing for ability. Whether
it's sensory, mobility, or cognitive ability, testing for the user's
ability will always create barriers that are insurmountable to some

Microsoft's approach of providing both a visual and audio CAPTCHA is
better than providing a single method, but still falls a long way
short of being accessible. Some robots have sophisticated algorithms
that are able to distinguish obscure patterns, which mean extra noise
must be introduced to these patterns so that even people without
sensory impairments are unable to distinguish the data from the noise.
For the elderly, it is not possible to use services that determine
humans from machines by sensory ability alone, as sensory abilities in
humans diminish over time, but not in robots.

Another approach that is quite common is to ask questions that are
intended to be incredibly simple for humans, but difficult for a
robot. An example might be, "what colour is an orange?" along with an
edit box to type the answer. On the surface, this seems quite a
reasonable approach, but free-format text does cause problems for
people with cognitive disabilities, as well as visitors who aren't
native speakers of the natural language of the web page. Questions
that have to remain simple also have obvious patterns, and are
relatively simple for a robot to crack.

Another technique that is surprisingly popular is obscurity. Any book
on security will quite rightly suggest that obscurity is no defence
against an online attack. Despite this advice, methods that involve
obscurity usually receive a lot of attention because they appear to be
successful at a glance, although their success is usually short lived.
For example, a submission form might contain an edit box where the
user just has to enter, "banana". No robot would automatically know to
do that (but could easily be trained to do so), and for a short time,
that technique would remain successful. Of course, some people would
have no idea what data they were meant to provide, yet it would be
incredibly simple for a robot to provide that data. There was an
example of this approach recently on another mailing list where
someone came up with the idea of using RSS feeds as a method of
identifying a person from a robot. The example asked the visitor to
enter the most recent post by a blogger that was selected randomly
from a list of bloggers. This is an example of obscurity that would be
incredibly simple for a robot to crack, yet requires the person
wanting to use the service to jump through all kinds of hoops (go to
the blog of the person in question, identify the last post, memorise
the title of the article along with punctuation, and enter it in an
extraneous form field) that could easily confuse visitors to the
website. Most ideas that people come up with for distinguishing humans
from machines are usually far simpler for machines to process than it
is for a human.

Personally, I think developers aren't asking the right questions.
Realistically, they don't want to know what capabilities the person at
the other end of the connection has, but whether or not they are
trustworthy. Testing for ability is not the same thing as testing
trustworthiness, yet all these types of services want to know is
whether or not they can trust whoever is at the other end of the
connection. Unfortunately, trustworthiness is a difficult trait to

One possibility would be to use some kind of social networking service
that worked on an invitation only basis based on the six degrees of
separation theory [1]. For example, an invitation-only service might
reward points for people who have shown themselves to be trustworthy.
At first, the person may only have limited access to sites that don't
afford much security, but in time, the user could become know as
trustworthy online, which in turn allows them greater access to other
online services. If ever the person breaks that trust, they would
become known as being untrustworthy. Being offered through an online
service, it has the benefit of making this type of information
available to everyone immediately. Anyone recommended by the person in
question, along with the person who originally recommended them could
immediately be suspended in the event of untrustworthy behaviour,
pending an enquiry (which would also ensure that people were
particular about who they recommended, as there would be a penalty
should they recommend someone who was unsociable). The service would
also need to include a list of people who provided online services
that were eligible to provide feedback on people's performance to
avoid malicious attacks against individuals. There will be a lot of
work required to make this foolproof, and it would also take time to
establish a trustworthy community, but I think it's a more reasonable
approach than testing for a person's ability.

[1] http://en.wikipedia.org/wiki/Six_degrees_of_separation

Best regards,


Supplement your vitamins

Irl-dean mailing list
Irl-dean at list.eeng.dcu.ie

More information about the CEUD-ICT mailing list