Stopping CAPTCHA Farmers

Why Technological Solutions Ultimately Fail

We believe that VouchSafe, powered by our HIVE AI, is one of the most effective and secure reverse Turing tests in existence, but no reverse Turing test, or piece of software - regardless of how perfect it is - can completely address the problem of spam. While you might be able to design a system that is completely effective at stopping spam software and automated scripts, there's nothing to prevent an ordinary person from completing a Human Interactive Proof, and then simply typing spam in by hand. In fact, there's a burgeoning industry devoted to doing just that. There are crowdsource companies - commonly called "CAPTCHA farms" - that advertise openly on the Internet, offering to provide access to thousands of people who spend their entire day completing CAPTCHAs to help spread spam.

Most CAPTCHA farms rely on two facts that work in their favour. The first is that most CAPTCHAs are vulnerable to "man in the middle" or proxy attacks, because they are rendered at the same time as the form they are intended to protect, and they have to have a session life that's long enough to allow users to complete the form. This gives spammers plenty of time to capture the CAPTCHA image and then send it off to a bypass queue for assignment to a crowdsource worker who will solve it and send the solution back to the CAPTCHA farm.

The second fact that works in favour of CAPTCHA farm operators is that most CAPTCHAs require little in the way of literacy or cultural familiarity to solve - you're simply matching up letters on a keyboard. This allows them to exploit the cheapest, least educated, and most vulnerable people in developing economies.

Because of this, CAPTCHA farms can easily recruit small armies of virtual workers or "mechanical turks" for very little money.

* Crowdsource workers are often referred to as "Mechanical Turks", because, like gremlins in a machine, they are used to produce results that appear to originate spontaneously within an automated system. The original Mechanical Turk was a famous 18th century scam, in which a German impresario exhibited what he claimed was a mechanical chess playing computer. The whole thing was actually an elaborate fake, with the machine being operated by a diminutive chess master and co-conspirator, who was concealed in a hidden compartment.


Our Plan to Stop CAPTCHA Farmers

When we created VouchSafe, we had the problem of crowdsource spam firmly in mind, and we're implementing a two-part strategy that we believe will go a long way toward addressing the problem. We are tackling the issue on two fronts: the technological front, and the human front.

On the technological front, we can make it more difficult for spammers to use proxy attacks to queue up challenges and assign them to crowdsource workers. We have made a number of simple innovations to discourage some of the common approaches used by spammers to farm reverse Turing tests out to a distributed workforce.
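The long session life described earlier is what gives a relay queue its time budget. The sketch below is an added example, not VouchSafe's code or its actual countermeasures: it issues the challenge token when the user is ready to submit rather than when the form renders, gives it a short lifetime, ties it to one session, and accepts it once, which limits stockpiling and reuse and shortens the window a relay has. The function names, the 30-second window and the token layout are assumptions, and session ids are assumed not to contain "|".

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET = secrets.token_bytes(32)  # server-side signing key (per process here)
TTL_SECONDS = 30                  # assumed solve window, not a VouchSafe value
_used = set()                     # spent nonces; a shared store in a real deployment


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(session_id: str, now: Optional[float] = None) -> str:
    """Issue a token at submit time, not when the form is first rendered."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{session_id}|{issued}|{nonce}"
    return f"{payload}|{_sign(payload)}"


def verify_challenge(token: str, session_id: str,
                     now: Optional[float] = None) -> str:
    """Return 'ok', or the reason the token is rejected."""
    now = time.time() if now is None else now
    try:
        sid, issued, nonce, mac = token.split("|")
    except ValueError:
        return "malformed"
    payload = f"{sid}|{issued}|{nonce}"
    # Check the signature first so the fields below can be trusted.
    if not hmac.compare_digest(mac, _sign(payload)):
        return "bad-signature"
    if sid != session_id:
        return "wrong-session"   # solved under a different session
    if now - int(issued) > TTL_SECONDS:
        return "expired"         # sat in a queue longer than the window
    if nonce in _used:
        return "replayed"        # one solution, one submission
    _used.add(nonce)
    return "ok"
```

Logging the rejection reasons is useful in its own right: a cluster of "expired" and "replayed" results from one source is a signal that challenges are being queued elsewhere.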

The human problem is more difficult: there's no quick fix for it. Our plan is to make the business of CAPTCHA farming too expensive to be economically viable.

Due to economic factors, most spam is targeted at western Europe and North America - especially the United States, even though most of it originates in different countries all over the world.

From the perspective of addressing spam, we need to raise the barriers of entry to make it more difficult for people from developing economies to directly attack websites and applications that are intended for use by other markets. This doesn't mean that we want to make it more difficult, for example, for someone in Karachi to use a social media application to talk to a friend in San Francisco, or to order a book from Amazon. Global companies maintain localized content to make it as easy as possible for people all over the world to do business and communicate.

What we want to do is make it more difficult to employ crowdsource workers to attack foreign websites.

We intend to raise the barrier to entry to doing this by means of a specialization of our localization system. Since VouchSafe is an adaptive system, we're teaching it to evolve different image associations for different market regions.


Using Localization to Facilitate Cultural Divergence

VouchSafe is set up so that in addition to localizing the instructions that are provided to users, we are creating completely localized image and metadata collections. This is how we intend to frustrate crowdsource spammers.

VouchSafe challenges are based on the associations humans intuit between objects. While many of these associations are universal to all humans, they're informed by a cultural perspective. What this means is that people will sometimes create associations that are unexpected or unrecognizable to people of different cultural backgrounds.

The fact is that while the human race shares a lot of common conceptions, there's an equal amount that's different, and we can use this to our advantage. A crowdsource worker who has never seen snow would be puzzled by a challenge that required matching a toque to a toboggan.

This means that in order to target spam at consumers in the United States, a CAPTCHA farmer would have to employ workers who not only have excellent reading comprehension in English: he would also need to find people with an excellent cultural appreciation of that market. There are plenty of people like that in developing economies all over the world, but these are generally not the poor, or exploitable workers who are willing to work as spambots for pennies a day.

If we make CAPTCHA farming uneconomical for spammers, we will have taken a big step in eliminating the practice altogether. This process will take time, but we believe that it is the most effective approach to the problem.