Data Privacy Day, 28 January – CAPTCHA: who is it there for?

It’s Data Privacy Day, so we wanted to look at an issue we come across time and again on websites when users are submitting details via forms, namely that they require the use of a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).

CAPTCHAs are often used in an effort to protect a site’s servers from being overwhelmed with comments or malicious spam. However, CAPTCHAs that rely on recognition of an image or sound also ‘protect’ the form from people who are blind, deaf, deaf-blind, or who have low vision or hearing impairments.

CAPTCHA image example

CAPTCHA image example

At Dig Inclusion we don’t recommend traditional CAPTCHAs for the following reasons:

  • They essentially impose what is a server administrator problem onto the user
  • They don’t work very well

CAPTCHA and accessibility

CAPTCHA has a high impact on disabled web users: visually impaired people often have enormous difficulty deciphering the text. Blind people using screen readers are normally provided with an audio alternative that is equally difficult to figure out (we encourage you to try it yourself sometime). But the biggest barrier is to people who are deaf-blind, who rely on text which is converted by software into Braille. The lack of any programmatically readable text means that CAPTCHA effectively halts progress for this group of users.

Refreshable Braille displays have no way of interpreting traditional CAPTCHA

Refreshable Braille displays have no way of interpreting traditional CAPTCHA

Alternatives to CAPTCHA

One of my visually impaired friends put it best when he said: “Your company’s spam shouldn’t be my problem”. That’s a fair view. But we appreciate that no organisation is immune to spam and its effects, so here’s some other things to consider:

If you aren’t already doing so, we would recommend using server admin tools, such as IP blocking. It’s easy for spammers to generate new email addresses and user data, but less easy to generate new IP addresses.

If appropriate, consider using ‘human logic, question/answers’, such as the example given at the following:

Finally, if the level of spam is manageable and not compromising your server, then consider deleting it from the inbox or server manually. Yes, it’s a little tedious and annoying, but spam is generally easy to spot and the omission of a CAPTCHA will make every customer’s experience of dealing with your organisation just that little bit better.