Security Lines Get Blurry

Opinion: CAPTCHAs provide protection against blog spam at the price of discrimination against visually impaired users.

Little blurry things are infesting the Web. You've seen them online if you shop, bank, travel, post comments to blogs or even just respond to e-mail.

I'm talking about those little bit-mapped images that show a blurred or distorted term and ask the user to type what they see into a text field.

This technology is called CAPTCHA, which stands for (take a deep breath) Completely Automated Public Turing Test to Tell Computers and Humans Apart.

CAPTCHA images are used by sites to determine if that "person" trying to comment on a blog or buy concert tickets is really a person, and not a bot determined to spam or use up vital resources.

CAPTCHA works, for the most part—simple bots can't read the term in the distorted image—which is why so many sites use it. But it isn't foolproof. Advanced OCR [optical character recognition] technologies can defeat CAPTCHAs, as can low-paid workers hired by spammers and other shadowy groups who sit for hours parsing through CAPTCHA-protected sites.

But the real problem with CAPTCHA isn't that it can be beat. The problem with CAPTCHA is that it discriminates against some Web users, and, if used in certain government sites, it's illegal.

To use a CAPTCHA-protected resource, a user has to be able to see the distorted term in the image, which means that users with visual disabilities are unable to access CAPTCHA-protected resources.

If a government site or a site under government regulations uses CAPTCHA, it is violating Section 508 of the U.S. Rehabilitation Act, period. Section 508 covers accessibility requirements for public resources, and, yes, I've seen government sites that use CAPTCHA images.

Now, some people might be thinking, "Hey, that really stinks, but these sites need to protect themselves against fraud and rampant spam. And, anyway, having a disability often means not being able to do certain things, such as drive a car. And, of course, there are always other ways to access these resources, such as via a telephone or going to a bank or ticket office in person."

But, increasingly, use of the Web isn't a choice. Every day, more and more services and resources become Web-only ventures, whether you're talking about an online-only bank or buying and selling on eBay or Craigslist. At any rate, using an online resource to perform a task or seek information is almost always more efficient than trying to do the same things using a telephone.

That's why Web sites need to come up with a more accessible alternative to CAPTCHA—something that either would replace CAPTCHA or run in conjunction with it. A recent working group note at the World Wide Web Consortium does an excellent job of breaking down the problems and challenges of CAPTCHA.

But this document also makes it clear that a purely technological solution to the problem of inaccessible CAPTCHA tests may not be arriving any time soon and that possible fixes have problems of their own.

That's why I think site developers can't wait for a fix and need to start putting into place other mechanisms to allow for accessibility. In many areas where CAPTCHA is used, such as in preventing comment spam on blogs, it is unnecessary and basically overkill.

Most blogging platforms now offer very capable filtering and spam-blocking plug-ins or features that do a good job at blocking comment spam without blocking users who have a visual impairment. If your blogging platform doesn't offer these basic security features, you should consider moving to one that does.

For commerce sites, it's a bit tougher, as they clearly need to protect their resources against scammers, thieves and fraud. But these sites need to have some CAPTCHA fallback mechanism that keeps users online, whether it's an e-mail response, a chat or a quiz question.

As much as some companies hate to admit it, the Web is now part of the real world. And on the Web, as in the real world, it's not right to treat some users as second-class citizens.

Labs Director Jim Rapoza can be reached at
