Paid Advertising
web application security lab

Spammers Hurt The Blind

There’s an interesting link talking about the lawsuit that Rite Aid just settled regarding their accessibility issues. In part it was in regards to their in-store issues, but it was also about their online accessibility, specifically around CAPTCHAs. So I spent a little time doing some more research into other issues around CAPTCHAs and the blind and in fact there are even concerns around the audio CAPTCHAs for the deaf-blind users.

One thing that was interesting is that many of the sites that have been targeted for law suits and angst have been either online retailers or websites that are heavy text based websites (Typepad, Livejournal, etc…). I guess that makes perfect sense, I just hadn’t thought about it before. I would expect there to be a lot more of this in the future, so if you use CAPTCHAs I’d consider at least getting an audio version, as I’ve discussed countless times. An interesting thought though: spammers have made it harder on the blind. Yet another reason to hate spammers, I guess.

12 Responses to “Spammers Hurt The Blind”

  1. Carl Says:

    But at the end of the day, how much harder have they made it?;758253922

  2. Istari Says:

    Yet another reason to break CAPTCHAs ;-)

  3. Stephen Thorne Says:

    I had a blind programmer on my team in my job doing r&d for anti-spam appliances.

    So, in a small way, blind people hurt spammers too. :)

  4. RSnake Says:

    @Stephen - hahah! I love it.

  5. Angel one Says:

    Honestly I hate CAPTCHAs. They used to be simple to read, but as text recognition got better, they became harder and harder to read. Even as a “sight abled” person I sometimes have to go through 2 or 3 before I can get one I can read.

  6. RSnake Says:

    @Angel one, I think you’ve got to the heart of the matter - by definition those aren’t CAPTCHAS because they aren’t valid Turing tests. A Turing test is supposed to be able to tell a human and a computer apart. What you are describing clearly cannot.

  7. Felstatsu Says:

    I have to second Angel One on this, just last Saturday I had to help my youngest brother figure out a supposed CAPTCHA because it was that difficult to make out. The blurring, extra lines, and other techniques that mess with the text have gotten out of hand sacrificing people to try and stay one step ahead of spammers, not that they actually succeed at staying ahead of them given the state of my inbox on any day.

  8. Rafal Los Says:

    First off, holy crap I actually agree! Second, I saw a wonderful post to the Web Security mailing list regarding a captcha that simply distorted a portion of the image and asked you to click on that piece of the image and submit it. I’m not sure how the mechanics behind that worked, but Stephan Wehner sent this in to the list as well ( which is pretty ingenious… I wonder if it’s subject to the same problems? Of course, def & blind is a whole ‘nother problem.

  9. chris Says:

    ive seen a new trend replacing the non-readable text GIF, of people asking simple questions such as ‘what is five plus six?’ or ‘what colour is the sky?’

    this seems to me to be an better way of weeding out spammers.

    And it also solves the problem of CAPTCHA’s for the blind.

  10. crackmigg Says:

    I don’t think you need a test that tells computers and humans apart, I think what you really want is a test that tells robots and browsers apart WITHOUT disturbing the user. I am not disabled visually, but I still hate to puzzle with CAPTCHAs, even if they are easy to read, because they place a burden on the task, that doesn’t even work well enough to justify the effort.

    A much better way is a combination of CSS and JavaScript. One method is to use CSS to hide 2 or 3 form-input fields, and use JavaScript to randomly fill one of the hidden fields with a (random) key value. The form is accepted iff the key value is correct, in the correct field, and the other field(s) are empty. This eliminates all robots that fill all fields, and even those that leave all hidden fields empty.

    A normal user with a browser with activated JavaScript does not even recognize the test, so it does not interrupt him/her. A robot would have to implement a CSS- and a JavaScript-Interpreter to get by. You can go further and combine this with a JavaScript browser-switch to specify the browser, stop the time the user needs to fill in the form, etc.

    The big difference to CAPTCHAs is that 99% of the users will not be disturbed and annoyed by this method, and 99% of the actual robots will not be able to pass the test.

  11. lcarsos Says:

    Just to chime in a little late here, you don’t even have to be fully blind to have some CAPTCHAs be unreadable. I’m color blind (medium intensity red-green, I can tell street lights, but keeps me out of the web design business) and I’ve run into a few CAPTCHAs where there’s a hidden letter (usually in “aquamarine”) which is indistinguishable from the white background. Rarely there’s an audio CAPTCHA button next to it, so I usually have to grab a seeing-eye-human (yeah, cute title, that’s what all my friends say) to help me get into the site, or just keep googling to find one with the same information, but inaccessible to my handicap.

  12. RSnake Says:

    @lcarsos - Hey, I cannot tell you how thankful I am that you wrote this. In the three + years I’ve been talking about this, never once has any visually handicapped person of any variety come forward and said anything to defend themselves, so largely it’s a bunch of people agreeing with themselves that it’s not a problem. Anyway, thank you. Trust me, your frustration is very much something I care deeply about.