Laptop on white desk with CAPTCHA code on laptop screen. CAPTCHA has long been the golden standard to prevent bot submissions on website forms.Despite often being a source of frustration to users, CAPTCHA has long been the “golden standard” to keep website form submissions relatively spam-free. Now, some privacy advocates are questioning whether CAPTCHA is still the best option.

A Brief History of CAPTCHA

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. It was introduced about 20 years ago as a tool to limit spam submissions to website forms. At first, users were asked to decipher letters and numbers from randomized distorted text. Next, came reCAPTCHA in which users were asked to translate images of real words and numbers from various archival sources – images that were naturally faded, distorted and blurry. But, as computer algorithms became “smarter”, the distorted images used by CAPTCHA lost their effectiveness in keeping bots out. This led to the creation of ”No Captcha reCAPTCHA” which utilized other user signals to determine if the website user was human. In most cases, actual users (humans) simply had to check a single box next to “I’m Human”. Finally, Google rolled out “invisible reCAPTCHA”. In its most recent version, reCAPTCHA v3 claims to use adaptive risk analysis to observe the user navigating through the site and compare their journey to the typical patterns of attackers. In most cases, users can progress through the site without clicking on any checkboxes or validation items. A webmaster can set specific rules on how to deal with users who have a high-risk score (those with actions that look spammy).A user with a high score may be asked to provide additional information or may need to correctly identify and click on a number of images (cars, streetlights, crosswalks, etc.).

Privacy And Profiling

Some researchers are concerned about the privacy implications of Google’s most recent version of reCAPTCHA. For example, for users who are signed into a Google account, Google will have a record of every page they visited on sites employing this latest version of reCAPTCHA.

Another potential cause for concern among security-sensitive customers is that some CAPTCHA services may be used for website profiling. The non-personafiable data that CAPTCHA services have access to (e.g. site visitor location, number of site sessions, relative popularity of one site over another) is valuable intelligence that could be used to infer data trends.

Other Solutions

As bots continue to evolve, no solution will block 100% of spam submissions. The best solution is one that provides a good user experience while respecting and protecting user data. There are some services, like MTCAPTCHA, that anonymize user IP addresses and do not sell or share customer data. Another option to thwart bot submissions is to use a “honeypot” consisting of a field that is hidden to users but “visible” in the code to bots. If a bot cannot differentiate the field from the others on the form, it will fill it out and the submission can be tagged as spam.

periscopeUP’s Advanced Webmaster Services is your website’s go-to problem solver and maintenance provider. Call periscopeUP today at 443.475.0787 or Contact Us online for a better website user experience.