
405 points blindgeek | 2 comments
jchw No.42173090
I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.

Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:

- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.

- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.

It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.

mapt No.42173652
There is another option.

CAPTCHA is useful only when it is costly to solve. It is a costly signal that this is a real person, or at least is more than 1/10^9th of a real person (you're not running a fully automated spam system).

The postal service also has costs - everybody that wants to move something through the postal service needs to buy a stamp. Transport fees are a 'natural' way to moderate traffic and deter spam.

Various combinations of network architecture and cryptocoinage permit you to invoke transport fees per attempted transmission/login. Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications. The cryptocoin aspect is specifically about preserving anonymity of private wallet access while permitting the cash-like transactions that stamps enable.

jchw No.42173910
Cryptocurrency micropayments have been proposed and even attempted as a solution to various problems. Hell, there's also Hashcash, an early proposed anti-SPAM measure for e-mail using just proof-of-work. (Since this is just burning CPU though, it probably isn't effective in the modern world of most people using low-power mobile computers and many SPAMers having access to cheap very high power computers. Might serve as a good hurdle for people trying to implement malicious bots, but it will eventually become useless if it is shown to be effective IMO.)

I'm skeptical though. It puts a literal price on abusing a service, but how do you set that price? Is there a guarantee that there's a value high enough to meaningfully disincentivize SPAM but low enough that users, especially users in areas that may have an economic disadvantage, are able to pay it?

That's on top of the other practical problems, such as actually implementing it. I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me. In a world with increasing scrutiny towards credit card processors, I was hoping that the silver lining would be that cryptocurrency could at least help mitigate some of the concerns, but there are just too many hurdles right now. (Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges. I'm not happy about silly KYC policies or anything like that, but I am not surprised at all.)

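A simplified Hashcash-style stamp, added here as an illustration of the proof-of-work idea mentioned in the comment above; it is not part of any comment in this thread. It uses SHA-256 and a constructed four-field stamp layout rather than the real Hashcash format, and `mint`, `Verifier` and `login.example` are names made up for the example. The verifier's `min_bits` is the adjustable price, and the resource and replay checks are what keep one solved stamp from being reused.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, salt: str = "constructed-salt") -> tuple[str, int]:
    """Sender side: try counters until the stamp hash has `bits` leading zero bits.
    Returns (stamp, attempts); the expected number of attempts is about 2**bits."""
    for counter in count():
        stamp = f"{bits}:{resource}:{salt}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1

class Verifier:
    """Receiver side: one hash per check, plus binding and replay checks."""
    def __init__(self, resource: str, min_bits: int):
        self.resource = resource      # must not contain ':' in this toy layout
        self.min_bits = min_bits      # current price; raise it to make minting costlier
        self.spent: set[str] = set()  # stamps already accepted once

    def accept(self, stamp: str) -> bool:
        parts = stamp.split(":")
        if len(parts) != 4 or not (parts[0].isascii() and parts[0].isdigit()):
            return False
        claimed_bits = int(parts[0])
        if parts[1] != self.resource:   # minted for a different service
            return False
        if claimed_bits < self.min_bits:  # cheaper than the current price
            return False
        if stamp in self.spent:         # replay of an already used stamp
            return False
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) < claimed_bits:  # work was not actually done
            return False
        self.spent.add(stamp)
        return True

if __name__ == "__main__":
    verifier = Verifier("login.example", min_bits=12)
    stamp, attempts = mint("login.example", 12)
    print(stamp, "minted after", attempts, "hashes; accepted:", verifier.accept(stamp))
    print("replayed:", verifier.accept(stamp))
```
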
1. AnthonyMouse No.42175275
> It puts a literal price on abusing a service, but how do you set that price?

Start with a nominal one and increase it until the spam problem goes away.

Create escape hatches for people who can't afford it, e.g. you can either pay/mine a couple dollars' worth of cryptocurrency, or you can have someone who paid vouch for you (but then if either of you spam you both get banned), or you can do some rigorous identity verification which is inconvenient and compromises privacy but doesn't cost money, or (for smaller communities) you ask the admins to comp you and if you're known in the community from other sites then they do it, etc.

> I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me.

This doesn't seem like an insurmountable problem to solve. To give someone some cryptocurrency you can either send it directly (useful option for advanced or privacy-conscious users) or use a service and then it should be no different than using Paypal et al.

The real problem is the regulations are currently designed to make using it an unreasonable amount of paperwork:

> Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges.

There's a difference between regulating exchanges and regulating users. If you're holding millions of dollars in cryptocurrency then the government is reasonably going to expect you to file paperwork and pay taxes on gains etc. If you're only holding three and four digit dollar amounts worth then they should leave you alone and you shouldn't have to do anything.

In theory you can strike a reasonable balance here where the crypto scammers go to jail but Joe Average doesn't have to file any more tax paperwork to use Bitcoin Cash to buy a pack of gum than to pay in physical cash. We'll see what the new administration does with it.

2. jchw No.42175646
Well, for solving both the UX and regulatory issues with cryptocurrencies... I'm not optimistic, but I am open to being pleasantly surprised.

On the UX side, I think a huge problem is making it possible for users to participate using a non-custodial wallet with as little risk of data loss or compromised credentials as possible. So it needs to be hardened against ignorance, stupidity, house fires, malware, and social engineering. That is hard. Irreversible transactions greatly up the stakes while increasing the incentive to attack. Do you ever feel a bit nervous about the send address being wrong when you use cryptocurrency?

A thing I didn't mention but is equally important to solve is developer experience. I wish there was a turnkey SDK that took care of most of the technical stuff and just let you use cryptocurrency like it's PayPal. If we had on-chain subscriptions (I think Ethereum can do this?) it could be even more powerful. The technologies offer a ton of possibilities but taking advantage of it correctly and securely feels like a tall order. Dealing with cryptocurrencies feels more serious than dealing with traditional payment processors: you can't undo when you fuck up.

Some of this can be resolved. On the user side, users can keep less value stored in wallets long term... Though this is more cumbersome and less usable. On the developer side, developers can make nodes that can verify transactions but not spend currency... But this can be challenging (I think it's weird to do with Monero for example?) and it closes off some use cases ("escrow" style transactions; Skeb-style commissions would be a good use case.)

If it gets solved I will celebrate as it seems like it would have a lot of positive upsides, but I think you might need to pardon my skepticism: it's been a lot of years and it hasn't gotten that much better. (Granted, it's still pretty new, but the momentum is slower than I would have hoped.)