Screen readers, the programs that use synthesized speech to tell us what's on the screen, cannot read images. Good captchas usually have audio equivalents (which come with their own set of problems), but this one doesn't. If you're blind and flagged by Cloudflare for some reason, you're cut off from accessing half the internet, potentially critical banking/governmental/medical/communications/educational services. We rely on the internet way more than our sighted peers, so this is very important. This has recently happened to me on a few sites, fortunately not critical ones, but it was not a pleasant experience nonetheless. CF engineers, please fix this ASAP. I'm surprised there still isn't a huge lawsuit over this, as this is clearly violating all sorts of laws.
It might be worth filing an ADA compliance notice against Cloudflare. This is seriously disturbing.
As someone that works in ed tech - anyone that supports higher education is required to support screen readers etc. If any of those sites are using Cloudflare that would block them from being compliant pretty seriously.
I'm not American, otherwise I would definitely do so.
This issue is mostly unnoticeable, as long as you're not considered malicious to Cloudflare, everything works perfectly and passes accessibility audits. When something weird happens and Cloudflare flags you, you cannot access the system at all.
For those doing accessibility audits out there, this kind of issue might be worth looking into, as they're very non-obvious and very critical.
Cloudflare switched to using hCaptcha a couple months ago, I think, and I only just noticed that they do not offer an audio-based captcha.
However, hCaptcha integrates with Privacy Pass[0], and you can top up your tokens by solving a captcha at [1] and [2]. What you could do (and I realize this is far from ideal), is getting a sighted friend to solve a couple of captchas so you have enough tokens to last you a couple months.
There's AIRA and it can do it, if you don't care that another person will see what site you're trying to access and if you're willing to go through a super complicated techy procedure to get a free American phone number, which not everyone knows about. Also, not everyone speaks English.
> Also this ask a friend solution is like telling someone in a wheelchair to ask a friend to help them up those steps instead of just installing a ramp.
I agree, and I could’ve been clearer. The Privacy Pass workaround shouldn’t be necessary and we should demand Cloudflare do better.
(To avoid any doubt: I’m not affiliated with Cloudflare in any way, other than that I’m a customer on their free plan.)
You're responding to a rando on the internet, not the CTO of Cloudflare. Your parent is just trying to offer help to OP, and you're mad because you assume he is a Cloudflare dev? Even if he was, it's not like he has unilateral control over product decisions.
Yeah, and then... a few days later... The problem is reCaptcha, just stop using reCaptcha as Google is tracking all of us.
My personal opinion is that it's better to use hCaptcha. I wasn't aware that they don't support audio. I think a better approach would be requesting hCaptcha to implement the missing bit.
Giving less control to Google is better. Given the widespread tracking they have access to right now.
Solutions can’t be implemented instantly; a workaround is needed until that ramp is installed. As much as the lack of audio solution sucks, you can’t expect half the internet to just give up on a piece of technology overnight.
> you can’t expect half the internet to just give up on a piece of technology overnight
People call for this all the time when a major security vulnerability is discovered. The difference is in how the community views it.
Cloudflare should weigh harm of blocking access to the Deaf community warrant the harm of removing a captcha that doesn't support them. They should have done it when they chose a captcha that doesn't support the Deaf community.
As technology comes to mediate every avenue of life, we need to recognize that technology only has value in its positive effects on people's lives. A security vulnerability is bad because owners may lose control, property may be lost, crimes may be committed. Usability vulnerabilities can deny services essential to their users. You're totally correct that there is no magic solution, but to say that we know which imperfect solution is preferable is incorrect.
We can expect developers to think about accessibility during development. You would never see a building constructed today without a ramp or with insufficient handicapped parking. I realize that you can't change culture overnight either, but the fact is that technology like this, designed for use in large applications used by a huge portion of the population of the world, shouldn't need to be retrofitted to be accessible. It should have been baked in.
I mean, yes, in an ideal world that's true. Yet, here we are.
It's not possible for a dev to go back in time to before hcaptcha was created or when CF decided to switch to them to create said ramp, so until it's built, workarounds are the only real thing a community member can offer someone in the short term.
It's not like trying to find the Fountain of Youth or something. It's a company with billions of dollars making it impossible for certain people with disabilities to access the Internet. Let's not pretend that it just has to be this way. A world where half the Internet can't be broken by one company should be the baseline.
Nobody is saying it has to be this way. As I said, in an ideal world, accessibility happens when development happens and is not an afterthought. But we don't live in an ideal world, and it's clear here that it wasn't thought out when they did the switch, or other forces caused the switch to happen without this piece in place.
So, with that in mind, knowing where we currently are, not where we'd like to be in an ideal world, what, exactly, do you want to be done right now by members of the community?
It's not like we can all go in and change the Cloudflare code to stop using hCaptcha. The most we can all do is give alternatives and workarounds while pushing on Cloudflare and hCaptcha to support this scenario. Which is all being done in this thread already.
When things are already completely broken then it's acceptable to move fast because things are already completely broken. When things are only slightly broken you need to be careful you don't expand the breakage.
Are you sure CloudFlare isn't working on this right now? Captchas are very hard (if not impossible) to do right, and audio captchas are no exception. Check out http://uncaptcha.cs.umd.edu/ As far as I know CloudFlare might have a large team that's been working on this for a while but has been unable to create something solvable by a human but unsolvable by a bot.
I use audio captchas. Google will usually only let you do 2 or 3 before banning you and making you do image-based ones. I'm pretty sure the button is just there to make it seem accessible.
I had exactly the same issue. I am surprised how neither Cloudflare nor Google have been sued for making most of the web inaccessible to people with disabilities.
Shouldn't that liability be with the operators of websites that use those captchas if they're required to be blind-accessible? If they get sued, it'll apply pressure up the supply chain.
I used to feel and think this way. But recent events, and the trajectory of the internet over the last decade has changed my mind completely.
We must stop giving excuses to the massive centralization, to the enormous companies that step in and rent-seek what is supposed to be a distributed system.
The most powerful tool we could have to get a proper internet back is the simple concept of accountability. If I was a bakery and I made a cake with poison because I was specifically asked to do so by a customer, I would still be accountable for the dangerous thing I made.
Stop making excuses for these companies with basically infinite money. They are the last ones who need it. What we all need from them is accountability.
This also goes for section 230 protections. We do not need Twitters and Facebooks and Hacker Newses and other such companies that would supposedly not exist without section 230 protection. It's clear now, in retrospect, that accountability is far more important than the license to grow enormous without any responsibility for the toxicity your giant bloated corpse of a business unleashes onto the world.
Anyone making a captcha product can and should be expected to make it work for anyone. And if there is basis for lawsuit, it should be the maker of the broken thing that faces it.
Hell, sue them both. Neither entity deserves a free pass. They both had a part to play in the exclusion.
This does not really make sense, it would be perfectly fine if two products existed, a cheap inaccessible captcha and a more expensive perfectly accessible one with companies offering both of them to users.
That is not happening in what I described. A webpage could decide to offer the cheapest working captcha as a default with a "Are you using assistive technologies?" / "Do you need help?" link to a more accessible service.
I don't think that will be common in the wild, but it is an argument against regulating captcha providers rather than websites.
If we want to regulate the captcha industry there should be a law passed specifically regulating the industry. Blindsiding the industry with judgments against them when there are no laws about it will decrease confidence in the rule of law, which will hurt the economy as businesses lose confidence in their ability to predict the future.
Rules and laws are good tools, and I understand how law works in the most superficial way, but I fail to understand normalization of ignorance of some required features with the "nobody forced us to do this, so we just didn't care".
As human beings first and programmers later, we should understand that people with disabilities exist and assistive technologies need attention.
Why, as decent human beings, don't we do something nice without the push of laws, for once?
I agree we should do nice things without the push of law. But ztjio was advocating for the push of law without following the process of creating a law, which I disagree with.
I agree. You don't sue the contractor because they built to the specification you provided.
At the same time, if Google is advertising Recaptcha as accessible and it's not really, then they need to be held accountable for that, because that has a real impact on huge swaths of the internet, and especially for sites that try to do the right thing and find out Google has screwed them.
> You don't sue the contractor because they built to the specification you provided.
In the world of licensed contracting you absolutely do. If you provide a contractor specifications that result in a code violation, they have to tell you no. If they don't tell you no then you, the non expert, are reasonable to assume what you asked for is acceptable. If they actually build the thing, they are liable for the violation of code.
The last thing we need is to hand out more excuses to evade accountability and responsibility for making the world worse.
Yeah, contractor is a bad metaphor. I started with Home Depot, but that didn't really fit either. It's more that you bought a ramp that's designed to fit over a two step rise. Was it advertised as accessible in your state/county (which will likely have specific gradient and handrail rules)? If not, you should have looked. If the salesperson assured you it was, well that sucks, but I'm not sure you'll get more than your money back.
> The last thing we need is to hand out more excuses to evade accountability and responsibility for making the world worse.
I'm definitely not advocating that. I'm more advocating that you can't leave all this to someone else entirely. Even if you pay someone for a turn-key custom website and make sure it's accessible, there's no guarantee it still meets standards a year from now, just as if you pay a contractor to build a ramp for you that perfectly meets standards. Things change, and people need to pay attention to the things that matter to them to make sure they follow the law. Whether that's occasionally checking it yourself or paying someone else to do so (and thus ensuring it happens), it still needs to happen.
As sad as it is, there seems to be a CAP situation when it comes to captchas. It's accessibility, security or privacy. Choose two.
You can go the Google route and choose accessibility and security, do massive user tracking, and don't even show CAPTCHAs at all for normal users. HN users probably see a lot, because they use some anti-js or anti-tracking stuff, but normal users don't.
You can go the Cloudflare route, requiring users to solve visual challenges, sacrificing accessibility, but keeping security and privacy.
You can also implement audio CAPTCHAs, which are easy to solve for robots, get accessibility and privacy, but less security.
> You can go the Google route and choose accessibility and security
This is not the case. After just a few captchas the audio challenge will be locked off no matter what browser you use.
> and don't even show CAPTCHAs at all for normal users
You see them in Firefox from the start as well as on Chrome after around the 2nd or 3rd captcha; this is with the default settings + uBlock Origin on both browsers.
The "human detector" of the modern internet doesn't accept disabled people as sufficiently human. That's... the most dystopian thing I've heard in a while!
In the other direction, Google thinks I'm a bot if I use complex search queries (exclusions, site:, quotes, etc.) in an attempt to find what I'm looking for. Apparently it thinks I'm too intelligent to be a human.
I get that you meant that sardonically but it's worth pointing out that it would be even more unprofitable implementing ways to catch and redirect you.
Hi! I work at hCaptcha (we handle the CF captchas), and to respond specifically: audio is inaccessible for those with visual and auditory processing issues, as well as being broken by ML techniques. Not to project, but we suspect this is why Google turns it off if your browser looks at all suspicious.
While Privacy Pass is not perfect, we are working towards getting better. I'm not in the product flow for accessibility, but if you have ideas outside of audio that you believe would be able to distinguish between yourself and a robot, I'd be happy to discuss via email to ensure that we can get a solution for you and anyone who can reasonably interact with a computer.
eta: you can email me directly at work via: josiah@intuitionmachines.com
Audio captchas are considered broken completely (search for various papers over the past decade, including one from CMU), so it has limited usefulness only in a very narrow context in practice. I suspect this is a harbinger of things to come - as we close the gap on passing the Turing test, captchas are likely to get less effective, and we will need to transition to a very different solution for bot detection.
Often it's easier to just use a website as an API instead of using some broken XML nightmare that requires knowledge of the database tables.
If the concern is rate limiting then just rate limit the website. And if you don't like people operating websites with bots then I don't know, maybe stop making websites.
Easy proxying means rate limiting doesn’t really help all that much to defeat bots. And then if you do something like blocking or severely restricting something like Tor (the world's largest open proxy and hence, primary abusive traffic source; something which it would make sense to throw extra bot walls in front of), privacy and accessibility advocates jump down your throat.
This is a no-win situation. I’m not convinced it’s possible to have one’s cake and eat it too, here. Someone upthread said “security, privacy, accessibility, pick any two”, and I have yet to see any evidence of a third option.
I think you do not understand why website owners use captcha. Website owners use captcha services, because doing so saves money for them.
Captcha will stop saving money, if the captcha becomes so ineffective that the short-term and the long-term downside (annoying users who are subjected to captcha) exceeds the cost saving ("cost" here is potentially many different things - it could be quality of service for normal users, it could be opportunity cost, it could be the cost of serving the traffic like network bandwidth or cpu or database capacity).
Yes, there is a subset of people with visual problems who also have auditory problems; that does not mean you should not support the ones with vision-only problems.
Are there not "ML techniques" for visual captchas too?
With more and more powerful models like GPT-3 coming along every few months, even if the accuracy levels are less for visual over audio today, how long do you think that is going to last?
I believe they meant that audio captchas have become inaccessible to humans in general. Bots have gotten so good at audio captchas that the difficulty level has to be high enough that humans are also unable to complete them.
Visual captchas too can be very hard these days for the same reasons. There are many other ways to verify bot or human; many of them may not allow you to remain anonymous while doing so. Pretty much any 2FA method could work, for example.
I would say, given the choice, for a number of people the accessibility is more important than loss of privacy. At least it is a choice they should have instead of shutting them off the internet.
Hi, HCaptcha-er here. You don't lose all your privacy with our accessibility option. Also, we always abide by DNT-style protections even for accessibility. That being said, our Privacy Pass solution is totally private and safe.
> Are there not "ML techniques" for visual captchas too?
There are.
> how long do you think that is going to last?
I don't know. So far it hasn't been difficult to recognize the garbage traffic when we take the time to look. And attackers always make it easier by releasing GitHub source and/or announcing their results on Twitter.
Ugh. That accessibility login solution sounds awful, but at least it's available. I can definitely understand why you don't want to have an audio option, given that by all accounts they're next to useless.
ETA: two different people have tested on Chrome and Safari on iPhone 6S locally, and can't reproduce. Please take a screenshot and provide more information to: https://www.hcaptcha.com/reporting-bugs if you want to get this fixed.
Just like Google, it is also horrible for those who use more "nonstandard" configurations. I don't remember if it's CF or Google or someone else but I recall coming across sites that would block you if you have JS disabled, claiming that you're a bot, and the ban-page was the same across those sites, so it was a common "provider".
The a11y problem is super urgent for the majority of products out there. Not only does it prevent blind/non-hearing people from using systems. People also tend to forget that having a11y in place elevates UX on another level. It enables using apps/web with shortkeys, makes everything more readable, changes entire UX flows into simpler ones.
I have no affiliation with CloudFlare at all, but my interactions with them have all been kind, professional, and courteous.
I might recommend reaching out to the CEO, Matthew Prince, with a succinct explanation of your problem and I would be surprised if that by itself does not kick off some serious positive action!
As a founder of HCaptcha with a legally blind sister I take accessibility very seriously. We implemented this solution when we were still a tiny startup and I think our accessibility is by far the best of all the captchas. Please email support@hcaptcha.com if you are having any issues and we will find a solution. I'm sorry for the confusion and difficulty you may have suffered.
I'd love to read more about the economics of captchas - what is the "labor" of classifying images worth? What is the marginal cost per captcha of human solver farms, etc. Can anyone point me to some resources?
Seems like if this issue could easily be solved, a startup would have formed to solve it. Are there any alternatives to recaptcha and hcaptcha that are effective and also accessible?