CAPTCHA and BBC iD
Hi I'm Rowun. I work in the UX&D Prototyping team.
CAPTCHAs are a big issue for websites. Using them has the potential to exclude disabled and non-disabled users alike. Our users often tell us that they don't want to see CAPTCHAs on BBC Online and they will be pleased to see that when they use BBC iD, our single sign on service, that this is still the case. I've decided to write this post to explain why this decision was made.
Captcha image from Wikipedia
Late in 2009 Judith Garman, Pekka Toppi, Lucy Dodd and I began looking into CAPTCHA technology for BBC iD and how it might affect users. We researched into cracking, implementing and the future of CAPTCHAs. We performed user tests to document the experience of using our services with CAPTCHA and tested various solutions that could be suitable for our needs.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It's a technology that assists in discerning between human and non-human users with the goal of preventing unwanted usage of services (e.g. posting ads or spam) by non-humans.
You've probably already seen one on a registration or comment page. It's often an image of distorted text that must be typed into a box next to it. However, it could be a logic based puzzle that has to be solved or an image of an animal that needs to be selected based on a question. There are many different types of CAPTCHAs and many different variations of those types. We needed to find out which, if any, were acceptably accessible for the BBC and were a good fit for the requirements set out by BBC iD.
We started the research by looking at the CAPTCHAs most commonly available and potentially the best suited to BBC iD. The CAPTCHAs covered were distorted text and distorted images, 3D, logic and sound. We needed the research finished before BBC iD launched and with enough time for the BBC iD team to implement a solution if opted for.
We found that most image CAPTCHAs, including "select image type" and "select the one that is a..." could be cracked by existing software or would need a database of images so numerous to prevent logging as to be impractical. There are also the obvious accessibility issues such as vision impairment that needed to be taken into account for image CAPTCHAs. The accessibility issues and the need for constant database updates discounted this CAPTCHA type.
It appears that as a technology, 3D CAPTCHA is not mature enough. More information is needed over what the easiest models to interpret are, what is the optimal position of those models, what are the best textures and positioning of lighting. Many of these questions will be answered as the technology matures. 3D CAPTCHA has potential as it requires interpretation, life experience and spatial awareness. All things that software in the near future will continue to have difficulty with.
Next we looked at distorted text and logic puzzles. We recognised that not all distorted text was appropriate and we weren't sure about logic puzzles. Distorted text has an advantage over most other CAPTCHAs. There is community support for users with accessibility needs in the form of browser plug-ins and websites that can either decipher CAPTCHA text or send it to a human volunteer to decipher and send a result back. This is a double-edged sword, it shows that it can be cracked but with the secrecy around the plug-in technology, the need to register for access and submittal limits it is an acceptable compromise.
This mock up of what Captcha might look like on BBC iD was never used
The results were not unexpected. Many users did not know what a CAPTCHA was or understand why they were needed. Most users found them annoying. Visually impaired participants expected full accessibility from the BBC and felt it would affect our reputation to use them. Elderly users had issues with the distorted text. The logic puzzles were found to be odd and patronising. The audio was struggled with. Overall, extremely negative feelings were expressed towards CAPTCHA technology.
From a cracking standpoint, we found a single factor that negated all the advanced and expensive cracking software and the most advanced and resistant CAPTCHAs: Companies for hire whose business it is to crack CAPTCHAs with human operators.
The negative user experience that a CAPTCHA creates and the CAPTCHA cracking companies are two factors too great for us to ignore.
With all this in mind we have decided, at least for now, not to use CAPTCHA on BBC iD.
Rowun Giles is Junior Web Developer in UXD prototyping, BBC Future Media & Technology