Research privacy-minded captchas

[smcalilly]

Background

We're moving away from Google Analytics with privacy as one of the motivators. We should consider the same for recaptcha.

Proposal

I propose we try alternative strategies for preventing malicious traffic.

Some alternatives:

1. https://mcaptcha.org/ (what spurred this R&D issue. the tech that drives this is different than recaptcha and we should learn about how it's different and what that means to users before adopting)
2. research other captcha solutions
3. research non-captcha solutions (i.e., doesn't cloudflare do this?)

Deliverables

An Django web application with a simple form that is protected by an alternative to recaptcha. The app should be deployed to heroku so we can test on the live internet. Find some online service that tests the captcha.

Timeline

This could take a full investment day if somebody wanted to do some deeper research and try more than one solution.

• 2-4 hours for mcaptcha PoC
• 1-3 hours for researching other solutions

[smcalilly]

questions about mcaptcha:

• how does it actually work? is there another server involved?
• is privacy even a concern for recaptcha?
• how many projects will a change like this impact?

[smcalilly]

closing for now, it's not a big priority for us.