On why Captchas are fundamentally wrongArticles edit
The setting is a futuristic world where there some people own robots. They send them out to "hunt" or exploit hacks that would normally embarrass us, such as hoarding free food samples at the supermarket, getting on the stage of a stand up comedy session to scream "enlarge your penis!", filling mailboxes with pamphlets peddling viagra, or begging for money on the street to take it back to their owner.
People start off by applying corrective measures: they throw out robots from public spaces, such as cafés and libraries, based on what they say. Soon it proves inefficient; so, in order to get into a public space you have to prove you're not a robot.
When you go to the theater, the cashier shows you a card that has a particular pattern that robots find difficult to discern. Give the wrong answer and you're not allowed in. Fair enough. Problem is: people start using it everywhere. Want ride a bus? Play in the park?Go for a stroll? Prove you're not a robot. You can register at your favorite cafeteria, of course, and they will stop asking you to look at the card, but people are very touchy about giving out personal information just to enjoy a cup of coffee.
To make matters worse, rouge engineers start making robots more and more like humans, so the cards become increasingly difficult to answer. Some people are visually challenged, so a verbal pattern is asked. Engineers tweak the robots to answer verbal questions. It becomes trench war where robots gain more terrain every day.
Some small shop owners—tired of hustling their customers into answering impossible cards—try alternate methods, such as displaying a card that says "keep quiet and I'll know you're not a robot". This proves reasonably successful. However, as soon as the incentive is large enough engineers tweak the robots to accommodate these exceptions.
Phonebook, the phone company, is a monopoly where every customer is proved to be human. Almost every citizen is a client of Phonebook, so shop owners start asking for clients to produce their Phonebook card. Phonebook loves this, because they're known to collect every possible bit of personal information they can. Privacy minded individual are enraged, of course.
There seems to be no satisfying solution to this conundrum, until someone notices robots are fucking made of steel. Engineers had been so busy playing the card war to notice this, and promptly intall a metal detector at every entrance.
It gives off false positives of course, but then they are shown the card.
Some discusion out of the parable
Why are engineers so bent on winning the Captcha war? There are a series of tests you can devise to find out if somebody is human, such as:
- If the user agent is a browser, make some DOM tests
- Placing a honeypot field in the form
- Testing for human behavior (keystroke speed, mouse movement)
All these have their drawbacks and false positives, but Captchas should be displayed until they fail the tests, not before.