“Select all images with chimneys.” How many times were you inconveniently interrupted and asked to look through a group of photos to prove that you’re human? Although such CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) tasks have been used for two decades to boost online security against bots, they’re annoying and burdensome to users. So, when a recent study presented at the 32nd USENIX Security Symposium suggested that CAPTCHAs are no longer effective, it garnered widespread attention.
“I am happy that the results have fueled mainstream technology discussions,” says Andrew Searles, a Ph.D. student in UC Irvine Donald Bren School of Information and Computer Sciences (ICS) who led the study. “It has been exciting to watch the propagation of news outlets covering my work!”
Evaluating Modern CAPTCHAs
Searles’ work is reflected in “An Empirical Study & Evaluation of Modern CAPTCHAs.” He co-authored it with his Ph.D. advisor, Distinguished Professor of Computer Science Gene Tsudik; recent ICS alumni Ercan Ozturk (now at META Research), Yoshimichi Nakatsuka (now at ETH Zürich), and Ai Enkoji (now at Lawrence Livermore National Laboratory) as well as Andrew Paverd (Microsoft Research).
Searles notes that prior CAPTCHA-related research by Ozturk, Nakatsuka, Paverd and Tsudik motivated this work. “CAPTCHAs aren’t glamorous,” admits Searles. “However, the root question of ‘can computers distinguish between humans and other computers?’ is fascinating and aligns with my background in computer science, psychology and philosophy.”
In this present work, researchers conducted a study with 1,400 participants who collectively solved 14,000 CAPTCHAS. As noted in the paper, results suggest that bots outperform humans, both in terms of solving time and accuracy, across a wide variety of CAPTCHA types.
Having an Impact
The results quickly gained widespread media coverage — with articles appearing in publications ranging from New Scientist and The Times to PC Gamer — and caught the attention of Elon Musk. His related tweet about the work has over 24 million views.
“Most computer security research doesn’t make it into the mainstream,” says Searles, who is grateful that, as a “small-time researcher,” he was given this “massive platform and audience for [his] work to be recognized and impactful.”
He hopes the attention motivates security researchers to explore alternatives to current CAPTCHAs. “We need to find better ways to solve the problem of human presence attestation,” he says. He plans to conduct further experiments on human behavior as it relates to computer security. “I hope this fuels the end of burdening users with data labeling labor under the guise of security.”
— Shani Murray