It was Halloween last week, and a company called Vicarious has indeed come up with something scary, for those of us who care about content quality: they announced that they’ve developed a tool that can solve 90% of all CAPTCHAs displayed by Google's reCAPTCHA service.
Why is this so scary? According to this academic paper, a good rule of thumb is to consider a CAPTCHA system to be broken if an automated attacker can reach a precision of 1%. Vicarious is claiming 90% precision. If their claims hold up, it means that reCAPTCHA has been broken pretty severely.
The good news: the team at Vicarious says they are not planning to release this technology into the wild.
The bad news: if Vicarious can do it today, the bad guys will also be able to do it soon.
If CAPTCHA-breaking technology like this became widely available, the results would be disastrous for the hundreds of thousands of websites that rely on a CAPTCHA system to fend off content spammers. Sites with user engagement components would be so overrun with spammy comments and fake registrations that they would likely have to resort to shutting off user engagement altogether, unless they came up with an alternate security system.
A New CAPTCHA?
Anti-CAPTCHA tech is advancing, but so are attempts to build a better “are you really a human?” tests. A team at Carnegie Mellon is working on a new test they are calling a GOTCHA test, which asks users to describe patterns seen in inkblots.
It’s great to have technology like this in the queue, but it’s not ready for primetime yet, so what can sites do today to proactively protect themselves?
Text Analysis + CAPTCHA
If you’re familiar with how Mollom works, you know that CAPTCHA is part of the solution. So where does Mollom fit in a post-CAPTCHA world? CAPTCHA is just part of our approach to content quality, and in fact, it’s actually the backup plan.
Mollom’s primary tool in fighting bad content is sophisticated Text Analysis. Mollom’s Text analysis utilizes Artificial Intelligence to classify each piece of content based on its quality, not on whether it was submitted by a human or a bot. 92.5% of the time, Mollom can do this without needing to show any CAPTCHA at all (which is nice for all the humans out there). It’s only when Mollom is unsure that it will trouble anyone with a CAPTCHA. Most users never have to bother with a CAPTCHA on sites protected by Mollom.
But what about that 7.5% of the time Mollom uses CAPTCHA? In a post-CAPTCHA world, Mollom would have to adapt new techniques. The Mollom team is always working to tune Mollom’s Text Analysis to block a larger percentage of bad content. But there will always be some uncertainty. For those cases, without CAPTCHA, Mollom could possibly implement effective (but burdensome solutions) like email or SMS user verification. These solutions generally lead to a much lower completion rate, and if you were relying on them all the time you’d probably see a big dip in usage on your site, but as a fallback option they may be workable.
- A new technology seems to have broken the Internet’s most prominent CAPTCHA solution
- Sites that rely strictly on CAPTCHA are going to need to prepare for a post-CAPTCHA future
- AI-based Text Analysis is one way to avoid the need for CAPTCHA altogether in many cases
Readers, do you think CAPTCHA in its present form will still be playing an important role three years from now? If not, what will replace it? We’d love to hear your thoughts.