Can’t a robot tick a box? How a RECAPTCHA test really works
Have you ever had to type a series of distorted characters, identify a particular image or click the “I’m not a robot” checkbox to open a website? If so, you were granted access by a CAPTCHA, a test to block bots from spamming websites.
CAPTCHA stands for “Completely Automated Public Turing Test to tell Computers and Humans Apart.” The original CAPTCHA tests involved a typing test, but RECAPTCHA, a Google-owned version of the service, often uses images.
For example, you may be asked to identify all the squares with traffic lights or motorcycles. Another version of RECAPTCHA is famous for the “I’m not a robot” checkbox. These tests can tell whether or not the user is at risk of being a bot that can spread spam and viruses.
You’ve likely been tested by a RECAPTCHA before, but have you ever wondered how they can tell you’re human? After all, shouldn’t robots be able to tick boxes and recognize which images have crosswalks? Here’s everything you need to know about RECAPTCHA tests and how they work.
HOW AUTOMATED TURING TESTS FUNCTION
A RECAPTCHA isn’t just looking at your answers. The test analyzes where you came from as an internet user and how you’re interacting with the system. It uses algorithms to track patterns in web browsing behaviour to decide whether or not a user is legitimate, thus controlling access to who and what can enter a website.
Justin Petitt, the director of the Cybersecurity Center of Excellence at Edgewater Federal Solutions, said there are multiple ways that the system reads user activity to determine whether or not a user is legitimate.
“One (method) that’s usually involved in the system is tracking how you move and manipulate the mouse and keyboard on that screen,” Petitt said. “It’s looking to see if you’re moving too quickly or in an exact manner that doesn’t have any of the deviations or twitching that your hand will experience when moving a mouse or dragging your finger over a trackpad.”
Bots can move a mouse in a straight line at a steady speed. Humans are far more erratic.
“You can’t move in a straight line in the way that a computerized system would,” he said. “It’s looking for that signal to help verify that you’re a person.”
A RECAPTCHA may also require some degree of access to your Google search history while trying to differentiate you from a bot. You may have passed a RECAPTCHA without even knowing it as the latest version from Google works behind the scenes unless it already suspects you are a bot.
“Even when the average person tries to block their information, there’s still a lot of information that’s needed,” Petitt said.
WHY CAPTCHAS EVOLVED
CAPTCHAS used to come in the form of randomized letters, which were stretched and deformed to make them more difficult to read. However, as bots became more sophisticated, they started passing the tests, which then had to be made more difficult. Eventually, the text was stretched and distorted until many people weren’t able to decipher it.
According to a study by the World Wide Web Consortium, these CAPTCHAS became too difficult to solve and caused users with cognitive disabilities to complain that the visual tests were denying them access.
At a 2016 Google I/O conference, one of the speakers said the most difficult versions of a CAPTCHA test were presented to both humans and bots to test their proficiency in 2014.
This challenge revealed that humans could only solve the test 33 per cent of the time, whereas bots overcame the system 99.8 per cent of the time.
As a response to this, RECAPTCHA was updated with more methods to differentiate between humans and robots. Some of these tests include prompts to click on specific images and clicking the checkbox that reads “I’m not a robot.”
Now, the test evaluates your response alongside automatic readings of your overall behaviour and browsing history to decide whether or not to grant you access.
WHAT ABOUT PRIVACY CONCERNS?
While Petitt said that “there should be limited amounts of additional snooping in theory,” he also acknowledged that we don’t live in a “perfect” world and there are precautions users can take to protect their information when using RECAPTCHAS.
Some of these precautions include having good cyber hygiene, such as reading the end of a URL to verify its authenticity, avoiding any suspicious activity and having an overall sense of cyber awareness.