w3c / captcha-accessibility

Inaccessibility of CAPTCHA
https://w3c.github.io/captcha-accessibility/

Google ReCAPTCHA and its ability to predict if someone is human #39

Open Mattcessability opened 6 years ago

Mattcessability commented 6 years ago

Hi Scott, Janina and Michael,

Thanks for putting this together. I've been hearing about this research from Dr. Scott and it's great to finally have it in writing.

Google's ReCAPTCHA (anecdotally seen as the "best" option for CAPTCHA) was touched on in this draft, and one note was that there was no definite research if it is the best CAPTCHA. I would like to see more research to determine if it actually is the best option in every scenario, but I do have some additional concerns about ReCAPTCHA that weren't mentioned.

Google's ReCAPTCHA of course has characteristics similar to other inaccessible CAPTCHAs which can make it inaccessible, but Google's ReCAPTCHA has some additional concerns:

  1. How can it tell an assistive technology user from a robot?

Some users may use a keyboard to navigate the website and therefore will not rely on mouse movement. I have a theory that this could make Google ReCAPTCHA flag assistive technology users as robots, assuming that robots navigate in a similar manner to a keyboard-only user. Has there been any research as to how robots actually interact with a website, and whether or not this could be confused with someone with a disability?

This would be particularly bad as it would mean assistive technology users are more likely to receive the inaccessible CAPTCHA rather than the nice and easy checkbox.

  2. Privacy

The draft says that Google ReCAPTCHA will look through heuristics to figure out if someone is a human or not (such as browser history). Doesn't this present a privacy issue which could be added as another reason why Google's ReCAPTCHA has some concerns? Privacy is mentioned when discussing Public-key infrastructure solutions but how Google ReCAPTCHA does things is just as concerning.

Cheers, Matthew Putland

LJWatson commented 6 years ago

@Logarek wrote:

> The draft says that Google ReCAPTCHA will look through heuristics to figure out if someone is a human or not (such as browser history). Doesn't this present a privacy issue which could be added as another reason why Google's ReCAPTCHA has some concerns? Privacy is mentioned when discussing Public-key infrastructure solutions but how Google ReCAPTCHA does things is just as concerning.

This is a really good point, and one that deserves more investigation. There are several things happening at the moment that will make disability fingerprinting a common thing on the web (it's already possible in native apps on mobile devices). This is a huge concern.