I am not a robot: Google swaps text CAPTCHAs for quivery mouse clicks

library
crime | hacking | security

Remember back in 2013, when Ticketmaster – the world’s largest online ticket retailer – decided to stop torturing people’s eyeballs by making them decipher blobs of melted characters in order to prove that they’re human?

Likewise, Google’s now too stabbing a fork into CAPTCHA, the aggravating test that’s supposed to determine if we’re robots or scripts used by spammers or other online misdeed-doers, or if we are instead real, live, warm-blooded simians.

CAPTCHA came out of Carnegie Mellon University and stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

The tests are designed to be hard for robots, easy for humans.

They typically consist of typing letters and/or digits from a distorted image.

Or, as the case may be, messages to go pleasure yourself. Or, then again, mathematical problems that make your brain bleed.

Ten years into using CAPTCHA to keep robots from engaging in dirty tricks online, the “supposed to weed out bots” has now turned into “utterly stink at weeding out bots”.

That’s because advances in Artificial Intelligence have resulted in robot creations that are now able to solve even the most difficult variant of distorted text with 99.8% accuracy, according to Google’s recent research.

Not that Google’s going to stop testing site visitors to weed out bots, mind you.

Rather, as it announced on Wednesday, Google’s going to move away from asking users to read blobby text and type it into a box, as it’s been doing, like this:

And instead will simply ask us, “Are you a robot?” with what it’s calling the “No CAPTCHA reCAPTCHA” API, like so:

Asking us to check off a box saying that “I am not a robot” will be an effective way of determining whether or not we’re robots because humans move their cursors in a humanlike way.

Specifically, the difference between bot and human can be revealed in clues as subtle as how a user (or a bot) moves a mouse in the brief moments before clicking the “I am not a robot” button, according to Vinay Shet, the product manager for Google’s Captcha team.

Without realizing it, humans also drop clues that can establish whether we’re automated or not: IP addresses and cookies show our movements elsewhere on the Web and can help prove that we’re not a bad actor.

Wired quotes Shet:

All of this gives us a model of how a human behaves It’s a whole bag of cues that make this hard to spoof for a bot.

He said that there are other variables that will help make the determination, but those have to be kept secret, lest botmasters figure out how to work around them and once again learn how to slip past Google’s filters.

Google’s been integrating automated bot-detection into its CAPTCHAs since at least 2013.

In October 2013, Google revealed that it had developed what it called its Advanced Risk Analysis backend for reCAPTCHA to filter out bots.

The backend doesn’t just look at whatever gobbledygook we type into the box. Rather, it observes our entire engagement with a CAPTCHA, from start to finish – before, during, and after we type into the box – to determine whether we’re carbon-based.

On Valentine’s Day, Google gave us a taste of what reCAPTCHA can do, presenting us with chocolates and flowers and throbbing hearts – the first two of which were rendered in text that was simple (for humans) to read.

It sounds great, but it’s not yet time to kiss the inscrutably distorted CAPTCHA blobs goodbye.

Over the past week, Google’s tests on sites that use CAPTCHA have verified most humans, but it still missed quite a few. As Wired reports, about 60% of WordPress users and 80% of users at video game sales site Humble Bundle got past the CAPTCHA with only the simple checkbox.

When Google’s Advanced Risk Analysis engine can’t figure out what we are with a mere click, it’s going to back up the test with a pop-up window that will present users with the same old distorted text we’ve been enduring for years.

For mobile users, things haven’t gotten quite so simple as a single click. But when they face a CAPTCHA on their mobile phone or tablet, they’ll now have a much easier hurdle to leap: rather than having to type in text, they’ll be asked to select all the images that correspond with a clue image.

Like Google says, it’s a lot easier to tap photos of cats or turkeys than to type in a line of text on a phone:

And if you’re worried about the privacy implications of Google analyzing where your mouse moves on a page, Shet pointed out that Google will only be tracking your movements over the CAPTCHA widget when it appears on other sites, not on the entire page.

This is how he put it to Wired:

You don’t have to verify your identity to verify your humanity.

Besides, as we’ve noted before, tracking movement is not just a Google thing.

Facebook, Twitter, Gmail or any webpage can track everything you do and could be keylogging your every pointer movement or keystroke.

Logging keystrokes is no super secret, privacy-sucking vampire sauce. It’s plain old Web 1.0. This is not news, but it’s certainly worth repeating: anybody with a website can capture what you type, as you type it, if they want to.

The reality is that JavaScript, the language that makes this kind of monitoring possible, is both powerful and ubiquitous.

It’s a fully featured programming language that can be embedded in web pages, and all browsers support it. It’s been around almost since the beginning of the web, and the web would be hurting without it, given the things it makes happen.

Among the many features of the language are the abilities to track the position of your cursor, track your keystrokes and call “home” without refreshing the page or making any kind of visual display.

Those aren’t intrinsically bad things. In fact, they’re enormously useful. Without those sort of capabilities sites like Facebook and Gmail would be almost unusable, searches wouldn’t auto-suggest and Google Docs wouldn’t save our bacon in the background.

In the case of Google’s advances with reCAPTCHA, such an ability can stop a lot of bad bots from doing things that can be worse than the annoyance of having to endure typing in text from a blobby image.

Think bots that harvest email addresses from contact or guestbook pages, site scrapers that grab the content of websites and re-use it without permission on automatically generated doorway pages, bots that take part in Distributed Denial of Service (DDoS) attacks, and more.