Google is killing CAPTCHA as we know it

If you've signed up for an account recently, you've probably seen it: a quick test that gives you a few distorted words and asks you to type them back in plaintext. The official name is CAPTCHA, a test designed to weed out the automated scripts used for spam, but it's been broken for a long time. Google recently showed off a system that could crack it 99.8 percent of the time, and most spammers are happy to run their scripts knowing just one in ten will slip through. But even though everyone knows CAPTCHA is broken, there hasn't been a clear idea of what might replace it.

This morning, Google is unveiling the best answer yet. It's called No-CAPTCHA, a new approach built on a new API, and it's already been adopted by Snapchat, WordPress and Humble Bundle, among other partners. Instead of asking users to pass a test, Google's new system pre-screens each user's behavior and filters out anyone who's easily identifiable as human. Most users will simply see a check mark — click the box and you've passed the test — while anyone marked as suspicious will be given a more elaborate test.

Sometimes, that test will be the same old text-recognition problem — but sometimes it will be something new. Google is experimenting with more mobile-friendly forms of CAPTCHA, like a test that would show you a picture of a cat and ask you to select similar photos from a grid. (Data collected in this way would also be used to improve Google's Image Search, continuing the practice from previous tests.) As the project progresses, we'll see even more versions of the test, built on top of the new, more flexible API.

Google engineers said the pre-screening would look at factors like IP addresses and time spent on page, but were cagey about exactly what information would be used, citing concerns that spammers would manipulate algorithms in response. The pre-screening also varies widely from site to site: just over 80 percent of Humble Bundle visitors were cleared in advance, but for WordPress at large, that number dropped to 60 percent. It depends on the visitors, but also on the site's general arrangement and how clear a signal it's sending along to Google.

The old API will remain active, and many sites may decline to upgrade, but the overall effect will be a lot less deciphering text for the average web user -- and hopefully less spam. It's also an interesting take on the modern web, where widespread monitoring has made passive behavioral identification more effective than active testing. These days, the easiest way to tell a user is human isn't to ask them questions, but to see how they act.