←back to thread

I was banned from the hCaptcha accessibility account for not being blind (2023)

(michaels.world)
408 points blindgeek | 2 comments | 18 Nov 24 10:13 UTC | HN request time: 1.457s | source
Show context
jchw ◴[18 Nov 24 15:17 UTC] No.42173090[source]
I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.

Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:

- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.

- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.

It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.

replies(15): >>42173427 #>>42173571 #>>42173573 #>>42173636 #>>42173652 #>>42173854 #>>42174051 #>>42174079 #>>42174452 #>>42174502 #>>42174730 #>>42174882 #>>42175601 #>>42175632 #>>42175764 #
1. miki123211 ◴[18 Nov 24 18:51 UTC] No.42175601[source]
> for pennies

"for pennies" is a lot more expensive than 0, and that matters at scale.

Scam isn't about one person performing one request, for that you can indeed just hire a human, it's about thousands of bots constantly interacting with a service.

If you need to scrape 10m records and there's no anti-fraud protection, you pay $0 (excluding typical bandwidth / server costs). If every query requires a captcha, and you have to pay $.01 per captcha, the operation costs you $100k.

Going from 0 to 100k is often "good enough" to make these things uneconomical.

replies(1): >>42176212 #
2. jchw ◴[18 Nov 24 19:52 UTC] No.42176212[source]
Actually, I oversimplified. In most cases you don't have to pay $.01 per CAPTCHA. It's usually a fraction of a penny per CAPTCHA.

So basically it's good enough to protect something that is arguably barely worth protecting. I don't find this compelling. Protecting things that barely need it is already easy using existing techniques.