What's up, bot? Google tries new Captcha method

Which way is up? Google's test relies on finding images that are easy for people but hard for computers to orient correctly.

(Credit: Google)

Google has released research results about a new test to foil computers pretending to be humans by requiring them to orient an image so it's upright.

A persistent problem on the Internet is screening out automated computer systems that can be used, for example, to sign up for spam-sending e-mail accounts or post comments designed to improve a site's search results. Google, which already devotes a lot of resources to block e-mail and Web spam, has tried a new test to keep the bots at bay.

The test is the latest variation on a screening technique called a Captcha (completely automated public Turing test to tell computers and humans apart). The idea is that people can often tell which way is up in a photo, but computers have a harder time.

Captchas are in widespread use today, usually in the form of obscured or distorted text that people can still read. But there's a lot of work in the area, including identifying 3D images and distinguishing between cats and dogs.

Here's how Google authors Rich Gossweiler, Maryam Kamvar, and Shumeet Baluja described the image-orientation technique in their paper (click for PDF):

This task requires analysis of the often complex contents of an image, a task which humans usually perform well and machines generally do not.

Given a large repository of images, such as those from a web search result, we use a suite of automated orientation detectors to prune those images that can be automatically set upright easily. We then apply a social feedback mechanism to verify that the remaining images have a human-recognizable upright orientation.

The main advantages of our Captcha technique over the traditional text recognition techniques are that it is language-independent, does not require text-entry (e.g. for a mobile device), and employs another domain for Captcha generation beyond character obfuscation. This Captcha lends itself to rapid implementation and has an almost limitless supply of images.

We conducted extensive experiments to measure the viability of this technique...Our Captcha technique achieves high success rates for humans and low success rates for bots, does not require text entry, and is more enjoyable for the user than text-based Captcha.

Images can be hard for people to orient upright, too. One 500-person test showed wide disparities in the opinion of which way was up for the left image but not the right image.

(Credit: Google)

The tricky part is finding the right balance between too easy and too confusing. Some images are hard for people to orient correctly, and some have cues--faces, text, blue skies, and green grass--that computers can use to figure out which way is up.

To get around this issue, while being able to draw from the large number of images on the Web, the technique presents people with new images as well as those known to perform well. If people have trouble consistently telling which way is up, that image isn't included in the library.

The researchers like their system in part because the image doesn't have to be obscured or distorted, as in text-based Captchas such as those Google currently employs. But image-based Captchas aren't immune from the bot vs. Web site arms race.

"As advances are made in orientation detection systems, these advances will be incorporated in our filters so that those images that can be automatically oriented are not presented to the user," the researchers said. "The use of distortions may eventually be required."

[a85]

Accessibility?

[`WarpKat]

Oh come now. The internet was not made for blind people. Good gravy...every time I hear this, I want to die and do flip-flops in my coffin. I suppose you want to make first-person shooters tell you where the enemy is and say, "a little to the left...a little more...a little more...BINGO!"

This kind of captcha research wasn't intended to serve blind people. It was intended to serve the interests of people who might use it to protect their resources that DON'T CATER TO BLIND PEOPLE. It was done to THWART AUTOMATED BOTS THAT HAVE FIGURED OUT CAPTCHA!

Do I sound mean? Yes. Does this smack of common sense? ABSOLUTELY! Want me to slap you with some?

[nashville2]

Amen.

[ralfthedog]

How about giving the option of using a spin test or an audio test. The audio test would play a question like, "What does the dog say?" The human would have choices like, "I want to go to the vet.", "I don't like Pizza, can I please have more dog food?" and "Where is the cat? I want the cat! PLEEASE give me the yummy crunchy cat!"

The challenge would be to have enough questions with enough answers to make it impractical to have a bot net try all of the answers.

[andymerrett]

I hope you never have less than perfect eyesight, WarpKat, because then you might understand the issues here.

I have less than perfect sight, though I'm not blind (perhaps the Internet was half-designed for me but will serve me less and less over time?).

"It was intended to serve the interests of people who might use it to protect their resources that DON'T CATER TO BLIND PEOPLE"

That's bollocks, WarpKat. Captchas are used to "protect" many things that blind and hard-of-sight people use a lot - email systems, blog and commenting systems, account registrations. But then, we should probably just go back and get some help from those who can actually see rather than trying to be independent. Yeah OK.

"Do I sound mean?" No, you sound like a... never mind.

"Does this smack of common sense?"

No, it's lazy. Work on identifying and eliminating spam and spammers rather than hurting legitimate users. The fact that CAPTCHA has to evolve because it can be cracked automatically (or, at least, spammers are using humans to solve them) means that the system isn't working.

"Want me to slap you with some?"

Some what? Try using complete sentences and you might make sense.

Same for you Nashville2.

[mikeburek]

There is no text entry and the image is not distorted. So people who have a hard time typing will like this better. And people who only have limited vision will like this better. And this works across all languages.

People who automatically just push a button, or who just like to type "Accessibility," or who don't read the article / directions will probably fail.

This is an improvement on the image distortion of text test. You might as well say "What about people who don't know how to use a mouse?" This is not the end-all-be-all of test scenarios.

If you only use a text / screen reader, then going through lots of spam is very time consuming and very annoying. This will reduce the amount of spam that you get.

[Lerianis3]

CAPTCHA is absolutely worthless, and this kind of captcha will be another impediment to blind people that the federal government should step in and tell these companies "You cannot use that!"

Really, the BEST captcha...... a valid e-mail address. There should be a requirement on ALL these systems that you have to sign up for them, and that you HAVE TO VALIDATE WITH A LINK IN AN E-MAIL SENT TO YOU!

That is what most of the internet forums I look at do: CAPTCHA AND a validation e-mail before you can post.

[r0ssar00]

Most? Name one forum where you don't need both a captcha and validation email.
I remember using file2hd.com once last year, they had a terrible captcha. It took my ~30 tries to get it because it was so distorted that the letters were beyond recognition. At least they took images from a pool of around 20 or so(they didn't generate them!) which meant I had a second chance at some. Still gives me nightmares :P

[monkeyfun14]

Because we just have so many blind people on the internet?

Lets ban colors to its unfair that blind people can't enjoy them and games as well.

[Anders94]

The problem here is that Google wants to let people who don't have email addresses sign up for a Gmail account. They need a way to protect that form or spam sites will just create millions of Gmail accounts and use them to automate posting to the sites you claim are protected by the "email me a link to click" method instead of CAPTCHA.

There is no way around using some sort of a test to see if you are a human or not. Another proposal is to require users to pay real money to submit forms, but that isn't as palatable as CAPTCHA.

[shardsofmetal]

Email is not the best captcha. One reason captchas are needed is to prevent bots from signing up for email accounts to use for spamming. Therefore, a lot of these bots know their way around email. It wouldn't be that hard to make them check their mail and click verification links.

[ZetaZeta_]

"Really, the BEST captcha...... a valid e-mail address"
Yes!! To sign up for an email address you must first have an email address! It's genius!

On a serious note, if you're blind, ask for some human assistance.

[Atomic1fire]

Actually Bots seem to get around activation emails just fine too, hence the reason for activation AND captcha

[AYNON]

Blind people can browse the internet. But the internet is not governed by a government. A Swedish government can not step in and say to google that it's CAPTCHA is illegal. The e-mail system is faulty, and it is easy for a computer to access a registration link from a email address it created.


FYI
The Web is not accessible. Sorry.

[DaRealGreek]

The problem with this technique is that it can be hacked easily "...we use a suite of automated orientation detectors to prune those images that can be automatically set upright easily." How long do you think it will take before said "detectors" can: a) recognize what is in the image; b) compare it to other (correctly oriented) images to make a match?

[monkeyfun14]

Images are probably distorted at times as well or modified randomly.

[DaRealGreek]

the images of words in Captchas are also "distorted" and now every easily recognizable nonetheless, it took all of a few months for hackers to prove that

[DaRealGreek]

Interesting stuff from the paper:

"...It is important to note that computer-vision techniques have not yet been successful at unconstrained object detection; therefore, it is infeasible to recognize the vast majority of objects in typical images and use the knowledge of the object?s shape to orient the image."

Fundamentally I think the limitation in the technique is that... there is no real limitation for object detection. Google itself if I recall already has a primitive tool for doing this, and it is only a matter of time, not machine intelligence, before it becomes accurate enough for this purpose. A true CAPTCHA has to rely on some inherent machine-human limitation that cant' be rectified by brute force. Spoken language, for example, is much tougher because a machine must imitate a human by splicing words/phonemes to articulate sentences. The key distinction now is, no matter how good the machine gets at such imitation, another machine can be trained to detect these splices. Sort of like using a thief to catch a thief.

[ralfthedog]

Lets say that Google starts with 100,000,000 images. They auto cull out nine out of 10. That gives them ten million images to work from. Lets assume that humans have trouble with one half of these images. Google has five million images in the test database. They will add new images to the library faster than the black hats can learn the old ones.

I think the real problem will be the occasional porn that may slip through. :)

[DaRealGreek]

My other observation is that - despite citing several articles on CAPTCHA - they never mention this reference by D. Lopresti which is the most germane and also suggests rotating images for a CAPTCHA: Leveraging the CAPTCHA problem. In Proc. of the Second International Workshop on Human Interactive Proofs, pp. 97{110. Springer Verlag, 2005

[JSwad]

Take a look at Apple's iLife '09 series with iPhoto '09 which does face recognition. The technology is very close. Google sits on the Board for Apple. Hmm....
At least Google is testing this and evaluating it to improve it.
And there are people who have vision problems, but are not blind. Let's keep them in mind, too.

[monkeyfun14]

@jSwad

The problem with face recognition is not everyone owns a webcam and some won't support the face recognition.

[aMUSICsite]

The problem is that as machines get more powerful eventually all the bots will be able to perform any validation task better than humans. We need another way of working out how to stop bots, Captchas are just a short term fix.

[YSLGuru]

What about an image with depth/ 3D where the user is asked to identify which is closest? If you place 3 different sized balls in 3 levels of depth in an image so that when measured on the flat 2D surgfce the balls are the same size but when viewed with the human eye you can tell their depth, at least as far as which is cloest and then have the user provide the answer of which object is closest?

Even with image recognition, unless the bot/computer software has a way to compare the orginal image as a reference, I doubt it would be capable of determining depth perception.

[EPICMASTER]

pretty cool

[ralfthedog]

Does anyone else have trouble with image C or did I just drink too much last night.

[fletchb]

Not just you, something is wrong with the C image.

[shootthecops]

you must be a spambot then

[Shankland]

Image C actually illustrates a class of images that are bad: bots can't figure them out, but neither can humans. Type A can be figured out by both, which also is bad. Type B is just right--only people can get it, generally.

[Gabey8]

I have numerous blind and deaf-blind friends who access the internet. (I have more years' experience as an interpreter-guide than some people posting here have years of age.)

As long as there is a valid alternative for users with vision loss to get through the captcha code entry, as far as I'm concerned anything that makes it harder for spammers to spew their garbage online is a good thing.

For the people who think their snide comments regarding blind/low-vision users are funny... not all my blind friends were born blind. If, God forbid, you suffer vision loss later in life, let me know how funny you think your comments are then.

[ZetaZeta_]

If I became blind I'd probably be pretty sad, I'm sure. But I'm definitely going to ask for some assistance from my family with a ton of things. Making an email account would be the least of my worries.

[topgunb2]

@ZetaZeta_ , with your attitude towards disability, it will be well deserved for you

[myles taylor]

I agree; there needs to be an alternative. Thankfully, the creators of CAPTCHA aren't as narrow-minded as some of the commenters on here and there usually is an alternative.

[fjpoblam]

Accessibility's an issue, of course. Another problem? GoOgle notably, and other sites too: webmasters aren't always so diligent as to have their "captchas" (in whatever form) designed for ALL browsers. I've encountered three-word captchas in which two words are visible in some browsers (guaranteed failure). I've had audio captchas in which, with speakers at full blast, no two people in a group of four came up with the same result!

In the words of Tom Raftery, captchas are lame because "1. they force the burden of work back on your [user]r and pushing extra work on your [users] displays a lack of respect;" and "2. they show you are too lazy to properly secure your [site] against [attacks]" using other methods.

[monkeyfun14]

Alot of forums don't give the forum hoster the choice if its using free hosting.

[BRobyn]

Actually a great mechanism I have come across that looks pretty good is called ArdeunVerified http://www.ardeunverified.com

It uses things like biometrics Finger Face and Voice verification, and even a special biometric smart card. It also has other methods as well. The face verification uses a standard web cam. So seems to be better than just entering random so the site can actually verify it is the valid user.

A site can easily implement this, and once a user has installed it at their end, they can verify to any web site that has implemented it.

It is highly secure and simple to use and can be for registering, logging on, even payment approval.

Worth taking a look.

[monkeyfun14]

Because everyone has a webcam?

[Ilgaz]

Lets send the picture of our face to every random site? Come on really

[nelsonoff]

i like the proposal made by ralfthedog (April 18, 2009 11:17 AM PDT)
coocurrence in a small context is really hard for a computer to deal with.

[shootfirst]

The use of biometrics still needs an initial stage, just like setting up a free gmail and the captcha is it. Basically a Turing test is needed for an initial stage to prove that you are not a bot and a captcha will serve for that. Are captchas invincible? No they are not, as technology gets better and methods of detection get better they start failing. Also any biometric data can be synthesized on the other end and due to cost is not practical in all areas. I had a boss that wanted to use a fingerprint reader for door entry, and you would be surprised at how easily these can be hacked or confused and the cost of keeping them so they can read correctly. As processing power becomes better and better, brute force becomes easier and easier. The trick with captchas is to make them understandable by the masses, which will be its ultimate failure point.

[daiverpedemonte]

Seems like an interesting and still simpler than webcam or figerprint methods.

[Blooraccessibility]

I started reading this post because I write about accessibility and have had issues with Google CAPTCHAs before.
However I do not think the problem with this one is its accessibility but how easy it will be to crack it. The problem is not how easy it will be for a bot to crack the image but the small size of the answer set. The user will have given a valid answer if it is orientated a few degrees either side of what is considered the correct orientation. This means that there are only 20-30 correct answers, a bot will happily keep trying and a one in thirty hit rate guaranteed with little processing power required is really no protection.
Putting my accessibility hat on again. Accessibility is not just about people with vision impairments but about people with other disabilities including disabilities that limit the use of the mouse or keyboard. Question how would someone who used voice recognition respond.

[wildthought]

Cool concept. Horrible idea. How many of these are they going to show. If they show two images, well then randomness is going to be right half the time. If they show 5 images randomness will still be right 3 times. I would think this would make it a lot easier to defeat these capthas through brute force.

[medezark]

The idea of captcha is to recoginze humans vs. bots. With some firms selling human cracking of captcha's at rates of pennies on the thousand, and using techniques such as copying the CAPTCHA images and using them as CAPTCHAs for high-traffic sites owned by the attacker, (which can be accomplished through scripting), I don't see captcha as being a safety net regardless of the images used.

[eastmanweb]

It seems to me that an approach that should be considered is one based around the idea that humans do a significantly better job at recognizing sarcasm than bots do. Create statements based on sarcasm and have the human discern the actual meaning.

[bubazoo]

monkeyfun14, first of all, speaking from the opinion of a blind user, the problem with your sarcasm, is that seeing colors on the screen aren't required to navigate around the website. A site with a captcha on it, you are required to answer that question in order to navigate around the site, and thats the difference!! Also, a blind person asking for sighted assistance isn't always available. Not all blind people are married, not all blind people have someone just standing behind them at all times. Blind people are no different then sighted people, in that, each person is different. Myself for instance, I am single, I have no friends, and don't have sighted assistance. Sites that require complicated captcha, I don't bother signing up for at all, because half the time the problem, is these sites add audio captchas, like recaptcha for example, but the developers forget to actually test the audio captcha to see if it works, because the last time I tried to use a recaptcha audio captcha thingy, the input only accepted the visual captcha, not the audio captcha, so for the blind user the audio captcha is useless, and thats the same problem I have with all audio captcha, lack of testing and accepting of the audio input. This world is a sighted world, and people just don't care about the blind, all they care about is themselves. I know they'd be working hard at it if the shoe was on the other foot...

[bubazoo]

another problem with captcha's, most of the time even SIGHTED people have problems seeing them!!! You don't know how many times I've been on a site and haven't been able to see a captcha, so I turn and ask like 12 different people, and there not able to see it either!!! It isn't just the blind that has problems seeing captcha's folks... I mean, not everybody has teenager eagle eyes....its just that people don't care about anyone but themselves, they look out for #1 and thats it, thats the whole problem with this world, nobody cares about anyone but themselves.

I personally like the idea that discussion forums have used for years. I mean common, who doesn't have an email address?!! Let me put it this way, who DOESN'T have an email address!! I mean common my 12 year old nephew has an email address, don't give me that. I've got probably 50 of 'em at least I'm sure. lol forums even go a step further by not accepting email addresses from places like yahoo, hotmail, etc. thats a good idea, because a spammer can break into yahoo or hotmail quite easily, so to accept a verizon or comcast or aol address is a very good idea, that way you know the person is legit...and like I said, even my 8 year old nephew has an aol email address. I mean common. lol kids even have email in grade school now.