Skip to main content

Yes, #Mastodon supports #HCaptcha, but HCaptcha mines details of some of us with disabilities by asking us to sign up with an email address to, as they put it, 'get an accessibility cookie.' If you use that service, it is a bad time for many. HCaptcha is not my friend.
Edit: For reasons why I categorically state HCaptcha is evil, see this post I made in response to someone else. People have quite rightly asked me to clarify my stance, so here it is: https://universeodon.com/@FreakyFwoof/111956924313468553

Andre Louis

2024-02-19 07:18:12


@craftxbox It's evil, because *only* if you're blind or unable to complete the visual captcha, do they require your email address.
'Oh, let's be another corporation, but we're niche and specific. We only want email addresses of those who are blind/visually impaired, so we could, at our discretion, spam them with blindness-specific products or services that our visual users would never see, as they never had to provide an email address.'
When you go to the chemist (drug store or whatever it's called today) to buy, oh I dono, tampons, do you have to give them your email address because you're a woman?
Nope. Very, very definitely nope, but because I'm blind, I have to give some nameless, faceless company my address, to have a cookie that hardly ever works anyway at the best of times, and even when it does, is now tracking me across any site with *their* version of so-called captcha?
No. Absolutely not. Get the hell out with that.

#Mastodon #hcaptcha
This entry was edited (2 months ago)

reshared this

in reply to Andre Louis

modulux
modulux
Moreover, 1) hCaptcha doesn't even work for (many of) us, or requires lowering the safety settings on browsers, and 2) captchas are not an especially useful way to stop bots. Find another way.
in reply to Andre Louis

Andre Louis
Andre Louis
Spam is bad, HCaptcha is just as bad. Please do not advocate for this evil, evil captcha solution. Please.
in reply to Andre Louis

John Ulrik
John Ulrik
Why is it evil specifically? Some of our clients keep advocating for hCaptcha because of their self-declared accessibility. A pointer to some kind of analysis would be much appreciated.
in reply to John Ulrik

Andre Louis
Andre Louis
@craftxbox It's evil, because *only* if you're blind or unable to complete the visual captcha, do they require your email address.
'Oh, let's be another corporation, but we're niche and specific. We only want email addresses of those who are blind/visually impaired, so we could, at our discretion, spam them with blindness-specific products or services that our visual users would never see, as they never had to provide an email address.'
When you go to the chemist (drug store or whatever it's called today) to buy, oh I dono, tampons, do you have to give them your email address because you're a woman?
Nope. Very, very definitely nope, but because I'm blind, I have to give some nameless, faceless company my address, to have a cookie that hardly ever works anyway at the best of times, and even when it does, is now tracking me across any site with *their* version of so-called captcha?
No. Absolutely not. Get the hell out with that.
@craftxbox
in reply to Andre Louis

Mikołaj Hołysz
Mikołaj Hołysz

I get your point, I really do, but what alternative do you suggest?

Sure, ReCaptcha works with no email requirement, but that's only because they're Google and have it already. Audio captchas are a terrible idea, I've helped out non-english speakers over the phone with ReCaptcha enough times to know this first hand. Everything else (including audio) is trivial to solve in the age of LLMs and provides basically 0 protection. You can use weaker solutions and rely on IP reputation, but then blind people on "shadier" networks are completely out of luck, Google has this problem too.

HCaptcha is the worst system of all, except for all the others.

in reply to Mikołaj Hołysz

Andre Louis
Andre Louis
@miki Anything that isn't HCaptcha. A numeric problem, what is the number before four, plus two numbers after six? Add these together and type your answer. should be 11.
@Mikołaj Hołysz
in reply to Andre Louis

Mikołaj Hołysz
Mikołaj Hołysz
These are trivial to defeat by LLMs and heavily discriminatory, this time against those who don't speak English, aka the vast majority of the global population.
in reply to Mikołaj Hołysz

modulux
modulux
Just tried that one and chatgpt can't solve it. And there's no reason why it can't be internationalised.
in reply to modulux

modulux
modulux
There are lots of other options: "What is the third word in this sentence?" "How many letter a does this sentence have?" "Which is the shortest word in this sentence?" All internationalisable as well.
in reply to modulux

Mikołaj Hołysz
Mikołaj Hołysz

@modulux Just tested with textcaptcha.com. GPT 3 is surprisingly bad at this, about 25% success rate, but GPT-4 gets it all on the first try, with a minimum amount of tokens used, probably less than 20 per request overall.

All that with a 4-line bash script as follows:

Q=$(curl -s http://api.textcaptcha.com/myemail@example.com.json | jq -r .q)
echo $Q
llm -m4 --system 'You are a helpful assistant. Answer the question given in the briefest way possible, provide just the answer, no explanation. Write numbers as digits, not words.' "$Q"

@modulux
in reply to Mikołaj Hołysz

modulux
modulux
Can't try with that system as I don't have access to it, but it is possible to contrive problems it's not good at. In any case, visual captchas are also soluable so not sure how that's an advantage.
in reply to modulux

Mikołaj Hołysz
Mikołaj Hołysz

@modulux Visual captchas, especially the "pplease click x" are far harder to solve, their entire point is that these images are hard to classify by AI, and you're doing the work for them. Besides, it's not just the clicking that matters, but also other things, like the how natural and human-like the path your mouse travels on is.

Then there's also the Chinese-style "put the scissors inside the square" captcha which modern vision models can't really help with due to their inability to provide coordinates and manipulate image objects.

@modulux
in reply to Mikołaj Hołysz

Andre Louis
Andre Louis
@miki @modulux So is your conclusion then, that just because every spammer is going to have access to an LLM of some sort, we should continue giving HCaptcha our email addresses and putting up with the singling out that such a thing provides? If so, my answer's still an emphatic no. Don't like, don't care for it, won't do it.
@Mikołaj Hołysz @modulux
in reply to Andre Louis

Mikołaj Hołysz
Mikołaj Hołysz
@modulux My conclusion is that whatever choice we make, it's a choice and it has consequences, and many other systems are straight up inaccessible to large groups of users (the deafblind / those who don't speak English / those who ended up on the wrong side of an IP reputation list).
@modulux
in reply to Mikołaj Hołysz

Andre Louis
Andre Louis
@miki @modulux Still leaves the issue of HCaptcha having your email address, maybe you have throw-away addresses you don't care about but many don't.
@Mikołaj Hołysz @modulux
in reply to modulux

Mikołaj Hołysz
Mikołaj Hołysz
@modulux tbh I wouldn't have been able to solve it either, I'd go with Chat GPT's answer and add the two numbers after six, not the number that is larger than six by two.
@modulux
in reply to John Ulrik

Drew Mochak
Drew Mochak
@ujay68 Their solution was developed entirely on their own without outreach to the blind community. It forces us to disclose our disability, which allows us to be tracked by Intuition Machines, and across the internet by whoever has a business relationship with them, and/or knows to look for the cookie. It also allows them to deny us access to any service that uses them, for any reason or none.
@John Ulrik
This entry was edited (2 months ago)