Excuse Me, Are You Human?
Anti-spam schemes that force people to prove they aren’t machines won’t work.
If you have signed up for an e-mail account recently, you may have been forced to do something quite demeaning: prove that you are a human being. It’s all part of the multipronged war being waged against purveyors of unsolicited e-mail, or spam. But this is one weapon that would best be abandoned.
I saw my first spam back in the 1980s. A typical message was from a California wholesaler offering cheap batteries to everyone in my MIT research group. Many people couldn’t understand why I complained. “What’s the big deal?” they asked. “Just hit delete.’” The big deal, as I saw it, was that unsolicited commercial messages failed a simple test of ethics: if everybody did it, e-mail would become unusable.
Twenty years later, my fears are being realized. Spam has gotten so bad, in fact, that companies are trying to fight it by developing automated approaches for distinguishing humans from computers. They’re called “reverse Turing tests,” or captchas-short for the more descriptive “completely automated public Turing test to tell computers and humans apart.” What’s driving research on captchas is the realization that a lot of spam is being sent out by automatons: if you can somehow tell the difference between an unattended computer program and one that’s driven by a human, you can block the spam while letting through legitimate e-mail.
The irony that we now need to deal with computers masquerading as humans would not be lost on Alan Turing-the computer pioneer who said that a computer could be considered truly intelligent if it could indistinguishably emulate a human being. Rather than evaluating computers to see if they are smart enough, reverse Turing tests are designed to let people prove they are human.
Two popular Web-based e-mail services-Yahoo! and Microsoft’s Hotmail-now employ captchas to prevent spammers from automatically signing up for hundreds of mail accounts that can then be used as spam launch pads. A junk-mail blocking service called Spam Arrest uses the technique to filter out machine-generated e-mail. All three services are based on the ability to visually recognize words-something that humans do well and computers do poorly. Sign up for a Yahoo! or Hotmail account, or send e-mail to a Spam Arrest user, and you might be presented with a fuzzy word against a complex and distracting background. To pass this pop quiz, you need to recognize the word and type it into your Web browser.
These tests are the devil. If widely deployed, they will waste our time and confound us-without solving their intended problems. “What’s the big deal” this time? After all, Spam Arrest, Yahoo!, and Hotmail each require that you verify your humanity just once, right? After you get your Homo sapiens badge, you’re free to e-mail all you want. By definition, captchas are designed to squander time: sending mail to a Spam Arrest user takes longer than sending mail to someone who doesn’t use the service, because Spam Arrest requires that you play its little “prove you’re a human” game.
Now imagine sending a message to a mailing list that has a few hundred Spam Arrest users on it. You might need to spend an hour or two completing various tests. By design, there is no way for you to automate your response-that would violate the whole idea. Hotmail might ultimately want to verify that you are a human every morning, to be sure that you haven’t turned your account over to a machine.
Moreover, captchas based on visual puzzles discriminate against the millions of people who are blind or who have severe, uncorrectable visual impairment. Yahoo!, aware of this problem, has allowed blind people to register by providing their phone numbers: somebody from Yahoo! verifies their humanity with a phone call. But penalizing the blind with invasive workarounds is hardly an optimal solution.
If captchas really could close the spam spigot, then maybe we could accept them as a necessary evil. They won’t. That’s because captcha creators live in Western countries, where computer power is cheap but human time is expensive, so they’re creating tests that can be solved with a small application of human intelligence. But there are many places on the planet where human time is dirt-cheap. Spammers can circumvent the captchas by electronically farming the tests out to China, where a human brain can be hired for about 40 cents an hour. It would be a simple matter to sit a few hundred people down in a room and have them sign up for Hotmail accounts; they could probably register for 20 accounts an hour, or roughly two cents per account. That won’t stop the spammers.
Spammers who don’t want to hire Chinese labor can set up “free” porno Web sites, where the cost of admission is solving a captcha every few minutes. The spammer then writes a program that goes to Hotmail, signs up for an account, gets a captcha, shows that test to the porn fiend, and supplies said fiend’s response to Hotmail. Problem solved!
What’s worse, as computers get faster and recognition algorithms get better, captchas will have to get harder to keep pace. Today, you only have to recognize some words on a wavy background. In the future, the task of proving your humanity will likely entail a more convoluted test. If these tests are not nipped now, we are looking at a future where we spend a significant part of each workday proving to machines that we are not machines, too. As a human-and a humanist-I find this possibility deeply offensive.