CAPTCHA: Made you look

Quartz Staff
·22 min read
String with letters is an artistic interpretation of the online security test CAPTCHA
String with letters is an artistic interpretation of the online security test CAPTCHA

Those internet security tests that ask you to retype blurry numbers or pick out photos of traffic lights have an important job: They stop robots from gumming up the internet. But by using them everywhere, we’re training computers to see the world like we do, and they’re getting really good at it. What happens as it gets harder to prove our humanity online?

Sponsored by American Express

American Express logo
American Express logo

https://player.megaphone.fm/QMIA6651618066

Featuring

Kira Bindrim is the host of the Quartz Obsession podcast. She is an executive editor who works on global newsroom coverage and email products. She is obsessed with reality TV.

Nicolás (Nico) Rivero covers cybersecurity and all things tech at Quartz. He is obsessed with reading featured Wikipedia articles, watching nature documentaries, and eating mangos.

Show notes

Why AI developers love those annoying CAPTCHAs by Nico Rivero

Luis von Ahn’s web page & 2004 paper

Google’s site on reCAPTCHA

Amazon’s Turing Test via failure

This episode uses the following sounds from freesound.org:

Mouse Click by IRF1010N

Complete Chime by FoolBoyMedia

Clock_03 by knufds

Notification (8-bit) 1 by AndreWharn

Tonal beep patch_1.Select,warning,result(mltprcssng) by newlocknew

Low-battery.mp3 by queenoyster

Typing by everythingsounds

synthetic pings, light-bulb, indicator.flac by Timbre

Select01.wav by sharesynth

Clock Ticking by everythingsounds

Transcript

Kira Bindrim: Think about the last time you bought concert tickets online—which, I know, was probably before the pandemic. After refreshing the page over and over, you finally have two tickets, and three minutes to get them. Seats chosen, credit card entered—and then, bam, you’re stopped by a demand: Are you a robot? No? Prove it.

To do so, you might have to retype a series of blurry numbers or pick out photos of traffic lights in different road conditions. These internet security tests are known as CAPTCHAs. The average person takes only 10 seconds to solve one. But if you put all those seconds together, humanity spends the equivalent of 500 years of labor on CAPTCHAs every day.

CAPTCHAs do serve an important function online. They differentiate human web users from malicious bots trying to hack or spam websites. But by proving to a machine that we’re human, we’re also teaching machines to see the world as humans do. And the machines are getting really good at it.

This is the Quartz Obsession, a podcast that explores the fascinating backstories behind everyday ideas and what they tell us about the global economy. I’m your host, Kira Bindrim. Today, the history of the CAPTCHA, what happens when the tools we use to tell humans and machines apart start to become obsolete.

Today I’m joined by Nico Rivero, who covers technology for Quartz. Nico is our foremost expert on CAPTCHAs. He recently wrote an article about why they’re so beloved by AI developers. Now to verify Nico, I did ask him to identify six photos of traffic lights before we started, but he passed. So welcome, Nico, thank you for joining. Congratulations on on being human.

Nico Rivero: Thank you very much.

Kira Bindrim: So let’s start with some basics. Break down the name CAPTCHA for me—what does that actually stand for?

Nico Rivero: Okay, so CAPTCHA is this kind of tortured acronym that stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It’s kind of a mouthful, but we can break that into two pieces to make it a little easier to digest. There’s the CAP part, and there’s the TCHA part. So we can start the second half, TCHA—Turing test to tell Computers and Humans Apart. So the idea of a Turing test goes back to this British computer scientist Alan Turing, who in 1950 predicted that computers and artificial intelligence would be so advanced one day, that you could be sitting in a room having two separate conversations, one with a real live human and one with a chatbot, and you wouldn’t be able to tell which was which. So the whole idea of a Turing test is some kind of challenge that you’d be able to differentiate between the human and the computer. And then the first half, CAP—Completely Automated Public Turing test—adds a whole other layer of weirdness to this. Because if we’re automating it, it means that a computer is now being the judge of whether you’re a human or a machine, which is how we wound up in this weird situation we find ourselves in as we move around the internet, where we constantly have to prove our humanity to a computer.

Kira Bindrim: Okay, so computers and humans are constantly judging each other on whether the other is a computer or a human. So why do we need to know the difference between humans and computers?

Nico Rivero: So all this is rooted in this problem that we were facing in the early internet sometime around the late 90s, where the internet was just full of bots. The bots were going around and leaving all these spam comments on our message boards, they were signing up for millions and millions of Yahoo email addresses so that you couldn’t get the email address that you wanted. And ultimately, they were just gunking up the internet with all this stuff that made our experience of using it more unpleasant. It also is pretty disruptive for our ability to do business online. You can’t run an email company if the person that you’re trying to attract to be a customer can’t get the email address they want. Or you can’t run a web forum if there’s no way you can enjoyably use this thing because it’s just full of spam bots that are trying to direct you to some store to buy something ,or more likely to some porn website or whatever.

Kira Bindrim: Got it. And now, while 13 year old me would have really appreciated the stakes of not being able to get the email address I want, carry that forward for me, like 20 years. What are the stakes today?

Nico Rivero: Well, if you think about the internet today, a lot of a lot of what internet business is built around is curating the right kinds of content that people want to see and delivering that to you as efficiently as possible. So it’s kind of a needle in a haystack problem. If you let bots run rampant, you’re just making the haystack bigger and bigger and bigger and filling the internet with more crap that no one wants to look at. So the whole challenge really with the internet is, yeah, it’s this big sea of information. You want to be able to deliver to your visitor that one specific thing they want to see. That’s how you capture their attention, and that’s how you monetize it for your web business.

Kira Bindrim: And where did the idea for a CAPTCHA originally come from?

Nico Rivero: So you start seeing these kind of proto-CAPTCHA tests in the late 90s. So I think the search engine AltaVista was the first one to actually apply it.

Kira Bindrim: That’s a throwback. That brings me back.

Nico: Yeah. So they did one of these tests with fuzzy words that you had to identify. But the origins of the phrase CAPTCHA come from this research group out of Carnegie Mellon led by this professor named Luis von Ahn, who goes by the nickname Big Lou. So Big Lou and the Carnegie Mellon crew published this paper in 2003 where they coined the phrase CAPTCHA, and they define a lot of the vision for what CAPTCHAS would go on to become

Kira Bindrim: Got it, Big Lou and the Carnegie Mellon crew. Just want to make sure—you’re sure they didn’t release an album of some sort, it was a paper?

Nico Rivero: They shoulda, yeah, disappointingly, it was a computer science paper.

Kira Bindrim: Well, good for history and research, bad for music.

Nico Rivero: So they described this idea of a CAPTCHA, they gave us the phrase. But they also did a super important thing in this original paper, where they’re laying out the vision that would come to define what a CAPTCHA is, where they tie it very specifically to the development of artificial intelligence. And what they say basically, is, when we’re thinking about how we design these tests, we should build them around really hard problems in artificial intelligence, for a couple of reasons. First, that’s going to be really hard for machines to solve, right? But second of all, what they realized later is, if you design these things around these tough AI problems—like for example, in 2003, a really hard thing for computers was looking at a picture that had some text in it and being able to read what that text was. Because the text might be at an angle distorted in some way, whatever—computers were super bad at this. So if you do this, eventually you’ll build up a big data set of images of text and the correct answer for what that text says. And you can use that through machine learning and artificial intelligence to train these machines to do it. So you will either not solve your AI problem, in which case, you have a great test for telling humans or computers apart. Or eventually you do solve it, in which case your test is broken, but great news, you’ve just solved this super hard problem in computer science.

Kira Bindrim: So tell me is there like an “aha” moment for CAPTCHAs or like a “tada?” Like a moment when they really pop out into the mainstream?

Nico Rivero: So, yeah, so the Carnegie Mellon folks, they published this paper in 2003. Three years later, 2006, they launch this company reCAPTCHA to start selling this tool to websites in the wild. And they also partner with, their first partner is the New York Times, which at the time is doing this big project to digitize their old archives of newspapers going back to 1851. And they have this problem where the software they’re using is having a lot of trouble reading a lot of the old newsprint that’s been smudged, distorted, or scanned at a funny angle or something like this. And so those CAPTCHA tests in those years were using real words out of the New York Times archives and asking human internet users to identify them and give them the answers and tell them what the words were. In 2009, however, a big moment—Google buys reCAPTCHA, and really turbo charges this big push to use CAPTCHAs to train all their AI algorithms that come to be at the core of their business and really put all this labor that we have to do to some use to train artificial intelligence.

Kira Bindrim: At the time, are they being upfront about the fact that they’re using CAPTCHAs to train AI? Or is that something that we just know or infer?

Nico Rivero: No, absolutely. They’re totally open about this. And in fact, Luis von Ahn, Big Lou, does these interviews where he says, ‘Look, people have to do all this labor all the time to fill out these CAPTCHA tests. We should use that labor for something, we shouldn’t just throw it away. So we should take the data from this and use it to advance AI.’ And this is like a big part of how Google markets reCAPTCHA actually, they have these things where like, solve a CAPTCHA, help digitize a book, or help advance the field of AI.

Kira Bindrim: Okay, so we’ve talked about like numerals, we’ve talked about words. At some point, CAPTCHAs pivoted to images. Tell me why.

Nico Rivero: So, yes, at a certain point, AI just starts to get really good at identifying fuzzy words and fuzzy numbers. So it’s time to just move on to the next challenge, which is identifying the content of images. So Google at this point, it has this image search function is not working as well as Google wants it to. So it says, ‘Okay, we’ll use CAPTCHA data to get human users to label all these pictures and tell us is there a dog in this picture? Is there a car in this picture? Is there a boat in this picture?’

Kira Bindrim: And what about all the like street signs and storefronts and you know, all that type stuff?

Nico Rivero: At this point, Google Maps has tons, a big archive of street view images that have all these pictures of buildings and storefronts and apartments and homes. And they want to be able to take those images to help them calibrate super specifically where is address number 27 on the street. But in order to do that, they need a piece of software that can look at those street view images, identify the numbers 27 on the side of the building. and say, boom, at this exact GPS location, that’s where the building is. So that’s why you start seeing captures that are these kind of fuzzy, indistinct numbers, or street signs, or they say is this a storefront because they want to be able to super specifically to define where a store starts and ends. That sort of thing.

Kira Bindrim: Got it. I feel like this is also the point at which, like, they get harder. You know, like—is it a storefront? Is that a bicycle? Like, I feel like I started having a hard time knowing what was what around this period in CAPTCHA history.

Nico Rivero: Well, they have to get harder because the AI is just getting better and better all the time at identifying these things.

Kira Bindrim: We’ll be right back.

[[ad break]]

Kira Bindrim: Okay, so when I think about CAPTCHAs today, like the ones I’m seeing when I log into stuff now, I’m picturing traffic lights, I’m picturing crosswalks, buses, all that sorts of stuff. Is that still Google Maps training?

Nico Rivero: So you would think it might be Google Maps. You might also think, well, yeah, identifying crosswalks, pedestrians, buses—that might be useful for training the algorithms that help self driving cars see streets or something like this. But Google and Waymo, which is the self-driving car company associated with Google, are very adamant that is not at all what is happening. Waymo says explicitly they do not use CAPTCHA data in any way, shape, or form to train their algorithms. Google actually says that it no longer uses CAPTCHA data at all for helping to train its AI. In fact, it’s it’s kind of weird. When I reached out to them about this, the only sentence that they would say to me on the record is: ‘Today reCAPTCHA data is only used for security purposes.’ And I pointed out that, if you go to google.com/reCAPTCHA, they had this whole website that was dedicated to all the benefits that CAPTCHA had, and the advancement of AI. It had all this stuff about how, when you solve CAPTCHA tests, you’re helping solve these really hard AI problems. And they basically said, ‘Oh, well, that’s actually out of date. And we’ll update that.’ And if you look at the website today, there is absolutely no mention of AI anymore on the website.

Kira Bindrim: Hmm. Why do you think that is?

Nico Rivero: So there’s a couple of reasons that I could think of. The first is CAPTCHAs are starting to change fundamentally in ways that mean that they are less useful at this point for generating the kind of training data that would help them advance AI. And the second reason is, you know, Google might be thinking, people might get a little creeped out maybe if they start to think about the fact that Google has basically been systematically exploiting all of our collective labor over the past decade or so for, you know, thousands and thousands of hours of training data for developing their algorithms.

Kira Bindrim: And do you think you calling them and saying, ‘Hey, are you using this data for cars’ might have sparked some of that shift?

Nico Rivero: All I know is, back in May, when I first asked them about this, their website was all about how CAPTCHA helps to train AI. And after I pointed that out, it no longer makes any mention of artificial intelligence. It’s all been scrubbed.

Kira Bindrim: Got it. So Google’s had a fun summer on the CAPTCHA front. I have to say, I’m not too bummed at thinking about them going away, because they are kind of obnoxious. But I do want to be recognized as a human when I’m using the internet. So I’m hoping you can tell me a little bit about what comes next, like what’s the new CAPTCHA?

Nico Rivero: So yeah, so one of the problems is that we have trained AI to the point that all our old forms of tests are kind of obsolete, because machines are about as good as humans are at solving them. So there’s all these kind of weird proposals that have come up over the years of like, what should come next as like the next form of CAPTCHA test. And these are all ideas about, like, how do you design a question that a human would be really good at answering, but a computer wouldn’t be? So some misguided proposals included classifying images of people’s faces by expression, gender, and ethnicity.

Kira Bindrim: That would not end well. I don’t think that’s a good idea. Veto.

Nico Rivero: That was a 2012 idea. I don’t think that one’s aged too well. But other ones are like, we’ll ask people trivia questions or pop culture questions. We’ll look at their location and ask them about nursery rhymes that are popular in the area where they’re browsing the internet. You can do magic eye images, maybe—a computer wouldn’t be so good at solving magic eyes because you need physical eyes. So all these kind of things, you run into problems with all of them, because the thing is that humans are not universally good at answering these questions. Some people don’t know that much about pop culture, some people won’t know the nursery rhyme from a given area. So instead of all that, the direction Google has gone in, is in 2014, they launched this thing called noCAPTCHA. And that’s that little box that you see on a web page that says, ‘I’m not a robot,’ you check it, and it lets you right through. The way that thing works is, it’s monitoring how you behave on the webpage before you check that box. So there’s a lot of human weirdness and foibles that go into how we browse the web that machines just don’t have. One example is the way that we move our mouse is really inefficient. Machines will draw the shortest line between the points and the next thing they have to click to navigate a page without using the cursor at all. Humans do these weird arcane things and never do the same path twice. And so you can tell pretty easily who human is by how inefficiently they’re moving around the page.

Kira Bindrim: That is fascinating. Is there anything else? Now I’m going to be extremely conscious of what I’m doing when I’m using webpage.

Nico Rivero: Google doesn’t say exactly what the other things are. But they look at your browser cookies, like your web browsing history. If your history is you’ve just visited the Yahoo email signup page 50,000 times, you might be a bot.

Kira Bindrim: Or you’re just having a really bad day. Something’s going on.

Nico Rivero: But all kinds of other behaviors—machines don’t get distracted in the middle of doing something and switch to another tab and then come back. We’re moving in the direction of this sort of ambient monitoring that just determines whether or not we’re behaving on the internet more or less like a human would or more or less like a bot would.

Kira Bindrim: I’m particularly fascinated because whenever I see that I’m not a robot box, I always think that feels like a less secure thing. Because if I were a robot, I would just check this box.

Nico Rivero: That’s what you would say.

Kira Bindrim: I’m not a robot. But it sounds like it’s the most secure thing we’ve got going because of all this other stuff going on behind the scenes.

Nico Rivero: Right, exactly. I mean, if you were a hacker and you’re trying to design a bot to fool this, you’d have to design it to start being less and less efficient and behave more and more like a human. At a certain point, you start to lose some of the efficiency that is the whole point of having a bot in the first place.

Kira Bindrim: Got it. Now, it’s extremely fun to think about things that humans are good at, and computers are bad at and vice versa. But I feel like there’s probably bigger implications I’m not thinking about if everything we tell computers or everything we give computers that they suck at, we train them to do better, and then they kill it, and then they kill it, and then they kill it. What is the endgame of that? Like, what are the bigger questions I should be maybe freaking out about?

Nico Rivero: Well, I feel like, yeah, it does bring up all these big sorts of questions about how you define humanity. And I think if you were to ask like what makes us all human, your gut response would be to reach for these kind of soaring beautiful answers about, you know, we’re human because of our capacity to introspect, to understand ourselves, to have a theory of mind, and nobody else has a deep inner life just like we do. Or you might say, it’s about our ability to create art or music or to reason and solve kind of logic things. But CAPTCHAs force us to define these things in really specific ways and come up with definitions that are so concrete that we can actually test for them. And when we do that, we realize a lot of these lofty ideas that we have about humanity, they’re kind of practically no good, we can’t really actually say what that means in practice, or test for them. And so we’re left with a small and dwindling set of tasks that are like, okay, yes, every single human being can do this and it differentiates us from machines. And it’s not the really cool, beautiful things. It’s like, when I look at this picture, I know there’s a dog in it. I feel like you know—

Kira Bindrim: Why didn’t the philosophers get into that? I identify the dog in the picture, therefore I am.

Nico Rivero: They didn’t have the benefit of bajillion spam bots.

Kira Bindrim: Sad.

Nico Rivero: I feel like it’s kind of reassuring in some ways because it means that there is still something about our humanity, about like what fundamentally it means to be human that is undescribable, or is inscrutable, or is weird—it is ours, that machines just can’t grasp, that we can’t even fully explain, that there’s this mystery left to it.

Kira Bindrim: That’s really beautiful, Nico. Can I give you my slightly more cynical take? I feel like we could end up in a future where our ability to distinguish between humans and machines is just less and less and it’s harder and harder to do that. Or, you know, maybe there’s a future where a CAPTCHA itself is like read this piece of literature or look at this piece of art and tell me about it. And that’s the mechanism by which we display that we’re human.

Nico Rivero: It’s actually like my nightmare…

Kira Bindrim: Maybe we just put the SATs into CAPTCHAs and bam. Final question for you, Nico: What is your favorite fun fact about CAPTCHAs? What is the thing that like, I’m stuck in small talk hell and I just want to BAM out there with a random fact. What would you give me?

Nico Rivero: Okay, my favorite proposal for a possible future capture is one that Amazon patented and 2017, which they call a Turing test via failure. And basically it’s giving us all these logic puzzles or games that humans would be really bad at but machines would be really good at. So the whole way that you prove your humanity is by sucking at this game.

Kira Bindrim: That is so Amazon I can’t even. How do we advance the world while also just like bringing humanity down just a little bit? Amazing. Thanks so much for joining us, Nico.

Nico Rivero: Absolutely. Thank you for having me.

Kira Bindrim: That’s our obsession for the week. If you liked what you heard, please leave a review on Apple podcasts or wherever you’re listening. Tell your friends about us. And head to qz.com/obsession to sign up for Quartz’s weekly obsession email and to browse hundreds of interesting backstories.

Sign up for the Quartz Daily Brief, our free daily newsletter with the world’s most important and interesting news.

More stories from Quartz: