Austin Ziegler wrote:
[...]
> OCR isn't *that* easy. Humans--even young children--far exceed
> machines in discerning even relatively clean machine-print characters.

Yes, I understand that. However, CAPTCHA is also proving to be
relatively ineffective and against accessibility standards. If you have
to follow US Federal 508 guidelines, you shouldn't use CAPTCHA. As noted
on the various discussions that I linked to, the large sites that
spawned CAPTCHA have now abandoned it.

I don't disagree with this in theory.  I missed the part about the
"sites that spawned CAPTCHA", but I did just verify that both Hotmail
and Yahoo are still using them.

> The research at Lehigh is interesting.
> Henry Baird's Research on HIPs and CAPTCHAs

Interesting, but I believe it will be ultimately fruitless. If I am
visually impaired but do not, for example, have audio attached to my
computer, then an audio CAPTCHA is just as limiting as a visual CAPTCHA.
Even the logic puzzle CAPTCHAs -- the most promising of CAPTCHAs -- are
often culturally or linguistically exclusive.

>> Basically, my advice is to forget CAPTCHA and go with double
>> verification. You can even provide multiple levels of user
>> accessibility, allowing immediate access but nothing that could be
>> construed as spam until they have verified their identity in some way
>> that is accessible.
> I guess you're talking about email, but that is considerably less
> difficult for a machine to pass than CAPTCHA. Verifying that some
> thing that gave you an email address has the ability to view messages
> sent to that address doesn't prove much.

Not necessarily email. Google has solved this for GMail and Google Talk
with SMS, as the number of people who own computers and the number of
people who own cellphones has a high correspondence.

I disagree with the implications that (a) people with visual
impairments have easy access to SMS, and (b) software doesn't have easy
access to SMS.  I'm not exactly sure what Google thinks they are doing
with SMS, aside from tying your phone number to your search history,
but I do know that it is fundamentally different from curbing wiki and
blog spam.  I don't claim to be completely up on the economics of wiki
spam, but I can certainly imagine the existence of cheapish pre-pay
cell phones that have USB/IR/Bluetooth connectivity, and who cares if
that one number is blocked after the fact.

Other systems can solve it with multiple levels of privilege. If you
have a bulletin board, then someone who has signed up but not yet
verified might have command set X (maybe posting new messages to the
support forum once every four hours and replies to any forum once every
fifteen minutes). After they've verified, they might have the base
restrictions lifted and get command set X + Y (posting new messages
to any forum every thirty minutes, replies every five minutes). After
they've participated on the site for ten days continuously or thirty
days sporadically, they get full posting and reply privileges. Or maybe
they don't get PM capabilities until thirty days.

But it's the verification step that you've devoted only 3 words to
that's hard. Your scheme, taken as a whole, might sound reasonable for
a forum, but doesn't seem really practical for blog comments or wikis.
I'm certain that Google has not solved the problem.  Sufficient albeit
fewer numbers of people will walk through the Google process in
exchange for pornography just like they do with CAPTCHAs.

CAPTCHA don't work nearly as well as people think and they're
inaccessible. There is a reason that Ruwiki will never support them.

I don't want to sound like a big proponent of CAPTCHA.  I've never even
implemented one.  I was just drawn in by the claim that free OCR
programs were cracking them with any success.  I do think they may be a
part of a solution in certain situations, and that the alternatives so
far have equal problems with accessibility.

Steve
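
The tiered posting limits quoted in the message above, written out as an added Ruby example that is not part of the original thread or of Ruwiki. The names `LIMITS`, `longest_streak`, `tier_for` and `allowed?` are hypothetical, and the example assumes that an unverified account never ages into full privileges, which the thread does not state either way.

```ruby
require "date"

# Minimum seconds between actions, using the figures quoted in the thread.
# nil means no restriction. Tier names are hypothetical.
LIMITS = {
  unverified: { topic: 4 * 3600, reply: 15 * 60, topic_forums: [:support] },
  verified:   { topic: 30 * 60,  reply: 5 * 60,  topic_forums: :any },
  full:       { topic: nil,      reply: nil,     topic_forums: :any }
}.freeze

# Longest run of consecutive calendar days in a list of Date objects.
def longest_streak(days)
  best = run = 0
  prev = nil
  days.uniq.sort.each do |d|
    run = (prev && d == prev + 1) ? run + 1 : 1
    best = run if run > best
    prev = d
  end
  best
end

# Tier from verification status and the days the account was active.
# Assumption: verification is a prerequisite for the full tier.
def tier_for(verified:, active_days:)
  return :unverified unless verified
  distinct = active_days.uniq.size
  (longest_streak(active_days) >= 10 || distinct >= 30) ? :full : :verified
end

# Is `action` (:topic or :reply) in `forum` allowed at time `now`?
# last_at maps each action to the Time it was last performed (or is empty).
def allowed?(tier, action, forum, last_at, now)
  rule = LIMITS.fetch(tier)
  if action == :topic && rule[:topic_forums] != :any &&
     !rule[:topic_forums].include?(forum)
    return false
  end
  wait = rule.fetch(action)
  prev = last_at[action]
  wait.nil? || prev.nil? || (now - prev) >= wait
end
```
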
On 9/20/05, Steven Lumos <steven@lumos.us> wrote: