Accessible, GDPR-compliant captchas: a utopia?

Captchas are now very common tests designed to block malicious bots and limit spam. But are these tests accessible to people with disabilities? And what about GDPR compliance? Let’s take a look.


What is a Captcha?

You probably do them every day; they are everywhere. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a test we have to pass to prove that we are human, and not a bot trying to submit forms or reach certain sensitive parts of a website.

For years, we’ve been asked to click on boxes showing pedestrian crossings, fruit or napping animals to prove that we’re really human. By the way, it would be interesting to estimate how many hours a lifetime of clicking on these boxes adds up to.

A captcha test asking the user to drag a visual element onto the most similar shape on the canvas
Captchas are becoming increasingly inventive

The problem with captchas is that they are not necessarily easy to complete, even for human beings, and still less so for people with certain disabilities (particularly visual impairments). Captchas also raise privacy problems, as personal data can be collected and passed on to private companies in the process.

The three main captcha solutions on the market

Before getting to the heart of the matter, I wanted to give you a quick overview of the most commonly used solutions. You know them, because you see them all the time.

ReCaptcha

This is Google’s solution. It’s undoubtedly the most widely used captcha on the web. If, like me, you’ve become an expert at identifying bicycles and traffic lights, you know what I’m talking about.

The first obvious problem with ReCaptcha is that it’s not a GDPR-compliant solution. As a quick reminder, the GDPR is the General Data Protection Regulation, in force in Europe since 2018, which governs how your personal data may be collected, stored and used, and in particular prevents third parties from processing it without a legal basis such as your consent.

Recaptcha, as well as making you work for free (yes, because when hundreds of millions of people are asked to recognise pedestrians every day, that’s no small amount of labour), collects your personal data and transfers it to Google’s servers.

Example of Recaptcha
at least we’re reassured in the knowledge that we’re really human

If you have given your consent, no problem. But you are not usually asked for it. Why not? Because the GDPR is a European constraint (there are other regulations of the same kind elsewhere, such as the California Consumer Privacy Act (CCPA) in California), compliance is not built into the tool, and many web developers still haven’t got up to speed.

For more information on Recaptcha’s GDPR non-compliance, please read these articles:

hCaptcha

This is another very popular solution. It’s the one I’ve been using systematically for years to protect my clients’ sites from spambots.

hCaptcha boasts GDPR compliance and affordable pricing. Perfect on paper.

However, several visually impaired people have reported major problems completing this captcha. The problem has caused a bit of a stir with the current exodus to Bluesky, which uses this captcha solution. I’ll tell you more about it later in this article.

Cloudflare Turnstile

This is the other captcha we come across quite frequently, developed by Cloudflare.

Cloudflare's Turnstile captcha, which displays the message "success!"
You’ve probably also come across it on a number of websites

This technology has the advantage of working in the background without altering the user experience by asking them to click on boxes.

Note that the invisible variants of Recaptcha and hCaptcha can also run in the background.

But as with the previous solutions, Cloudflare’s tool raises GDPR problems, as data is collected and sent to its servers located in the United States.

Consent and Captcha

For several years now in Europe, and even more so in countries such as Austria and Germany, companies that do not comply with the GDPR have been prosecuted. The fines are higher than you might think. While this affects web giants such as Google and Amazon (see this article in Le Monde on the subject, in French), other companies are also at risk.

That’s why ensuring GDPR compliance on your website is not a luxury, but a genuine legal obligation that needs to be taken very seriously.

Obtaining user consent for a captcha is complicated. Firstly because it’s tedious, but also because if the user refuses, you risk depriving them of essential functions, such as your contact form… or your entire site!

So some site owners are banking on this, arguing that since captchas are essential to the security and smooth operation of a site, consent does not have to be explicitly requested. The same argument is used for the strictly necessary cookies found, for example, on e-commerce sites (so that you don’t lose the contents of your shopping basket every time you change pages).

But the argument doesn’t hold water, and solutions such as Captcha.eu and Friendly Captcha have emerged in Europe to offer truly GDPR-compliant alternatives.

The problem of captcha accessibility

This brings us to the big problem with captcha, which prompted me to write this article.

Despite the claims made by these solutions, captcha resolution by visually impaired people is very tedious, if not completely impossible.

accessibility option on a hcaptcha test. The text says "To bypass our visual challenge, we offer an accessibility cookie. Learn more about hCaptcha accessibility."
When we try to pass an hCaptcha in accessible mode, we see this screen

I tested the hcaptcha accessibility solution. For me, forcing a user to provide their email address and installing a cookie in their browser is not an acceptable solution.

The process is too tedious and involves transferring information that is too personal for the purpose: validating a simple form.

The problem of captcha and accessibility is not new, and was brilliantly illustrated in this video produced by the Valentin Haüy association, which works for blind and partially-sighted people.


Accessible, GDPR-compliant solutions

Faced with this state of affairs, it seems to me that two main approaches are emerging to keep fighting malicious bots without harming the user experience and accessibility.

Do without CAPTCHAs altogether

There are other ways to combat bots. With the rise of AI, it is becoming increasingly questionable to keep asking users to click on boxes with images, when advances in AI now let bots solve many captchas, as a recent study showed.

There are other techniques for limiting bots. Of course, none of them is infallible, but they can be sufficient in many cases. These include:

  • the honeypot, which consists of adding a field that is invisible to the human eye to a form and blocking submissions in which it has been filled in. The field must also be hidden from screen readers and removed from the tab order (otherwise assistive-technology users fill it in and get blocked like bots). The weakness is that a bot can simply leave this field empty and thus avoid the trap.
  • ask a simple question (such as a small arithmetic problem) at the end of the form and only accept the submission if the answer is correct. Such a question is easy for screen-reader users, but, as noted above, also easy for a bot backed by a language model.
  • filter and block suspicious IP addresses.
  • set a limit on the number of requests per unit of time.
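The four techniques in the list above combined into one server-side gate for a contact form, as an added example that is not part of the original post nor taken from any library. The field names (`website` for the honeypot, `answer` for the question), the session fields (`ip`, `renderedAt`, `answer`) and the function names are this example's own choices; it also adds a timing check (a submission arriving seconds after the form was rendered) that is a common companion to the honeypot.

```javascript
// Added example (not from the post or any library): honeypot, simple question,
// timing and per-IP rate limiting as one server-side decision for a form.

const WINDOW_MS = 60_000;    // rate-limit window
const MAX_PER_WINDOW = 5;    // submissions allowed per IP within the window
const MIN_FILL_MS = 3_000;   // a human rarely fills in and submits a form faster

// Sliding-window counter keyed by client IP. In-memory here; behind several
// web servers this would live in a shared store such as Redis.
class RateLimiter {
  constructor(windowMs = WINDOW_MS, max = MAX_PER_WINDOW) {
    this.windowMs = windowMs;
    this.max = max;
    this.hits = new Map();
  }
  // Records the attempt and returns true while the IP is within its budget.
  // Every attempt counts, so a rejected bot still burns its allowance.
  allow(ip, now = Date.now()) {
    const recent = (this.hits.get(ip) || []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(ip, recent);
    return recent.length <= this.max;
  }
}

// The "simple question": generated server-side when the form is rendered; the
// expected answer is kept in the session, never sent to the browser.
function makeQuestion(rng = Math.random) {
  const a = 1 + Math.floor(rng() * 9);
  const b = 1 + Math.floor(rng() * 9);
  return { text: `What is ${a} plus ${b}?`, answer: a + b };
}

// fields: the POSTed form fields. session: what the server stored when it
// rendered the form (ip, renderedAt, answer). The reasons for a rejection are
// returned so the decision can be logged and the thresholds tuned.
function assessSubmission(fields, session, limiter, now = Date.now()) {
  const reasons = [];

  // 1. Honeypot. The "website" input is hidden with CSS *and* kept out of the
  //    accessibility tree and tab order (aria-hidden="true" tabindex="-1"
  //    autocomplete="off"), otherwise screen-reader users fill it in and are
  //    treated as bots. Bots that fill every input are caught; bots that skip
  //    hidden inputs are not.
  if ((fields.website || "").trim() !== "") reasons.push("honeypot filled");

  // 2. Timing. A submission arriving well under MIN_FILL_MS after the page was
  //    rendered was not typed by a person.
  if (now - session.renderedAt < MIN_FILL_MS) reasons.push("submitted too fast");

  // 3. Question. Compared against the server-stored answer, ignoring whitespace.
  if (String(fields.answer ?? "").trim() !== String(session.answer)) reasons.push("wrong answer");

  // 4. Rate limit per client IP.
  if (!limiter.allow(session.ip, now)) reasons.push("rate limit exceeded");

  return { ok: reasons.length === 0, reasons };
}

// Constructed submissions against one session (203.0.113.7 is a documentation IP).
function demo() {
  const limiter = new RateLimiter();
  const session = { ip: "203.0.113.7", renderedAt: 1_000_000, answer: 7 };
  const later = session.renderedAt + 20_000;
  return {
    human: assessSubmission({ name: "Ada", message: "Hello", answer: " 7 ", website: "" }, session, limiter, later),
    bot: assessSubmission({ name: "x", message: "cheap pills", answer: "7", website: "http://spam.example" }, session, limiter, later),
    fast: assessSubmission({ answer: "7", website: "" }, session, limiter, session.renderedAt + 500),
  };
}
```

Order the checks from cheapest to most expensive and record every reason rather than stopping at the first, so you can see which heuristic is doing the work on your own traffic before tightening it.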

It is also possible to dispense with the form altogether, for example if its only purpose is to let visitors get in touch. In that case, providing an email address is sufficient.

The problem, of course, is that an email address is extremely valuable information, and if a bot harvests it you stand to lose a lot more than with a poorly protected form. Typically, you expose yourself to waves of spam unless your email provider filters them correctly beforehand.

The solution is to use what is known as obfuscation. The idea is to hide or alter the value of your email address for bots while keeping it intelligible to a human. Several techniques exist, but some pose accessibility problems (for screen readers, for example) or can be easily circumvented. You can find a list of obfuscation techniques here, my favourite being the one that simply uses CSS.

We should also point out that sites using Cloudflare can take advantage of its JavaScript email-obfuscation feature to protect the addresses displayed on the site from bots.
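One CSS-based obfuscation of the kind the post favours, as an added example that is not part of the original post nor taken from any library (the post does not say which CSS trick it uses, so this is one assumed variant). Decoy fragments are spliced into the address and hidden with `display:none`, and the `@` is written as a numeric entity. A sighted user sees the real address; `display:none` content is also absent from the accessibility tree, so a screen reader reads the real address too; a scraper finds either no address in the raw HTML or a poisoned one after stripping tags. The class name `nospam` and the function names are this example's own.

```javascript
// Added example (not from the post or any library): e-mail obfuscation with
// display:none decoy fragments, plus the two views a human and a scraper get.

const HIDDEN_CLASS = "nospam";
// Must be display:none. Off-screen positioning or visibility:hidden would keep
// the decoys in the accessibility tree or in the copied text.
const STYLESHEET = `.${HIDDEN_CLASS} { display: none; }`;

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Produce the markup for `address`, splicing one decoy into the local part and
// one into the domain (before the last dot).
function obfuscateEmail(address, decoys = [".remove-this", ".invalid"]) {
  const at = address.indexOf("@");
  if (at <= 0 || at === address.length - 1 || address.indexOf("@", at + 1) !== -1) {
    throw new Error("not an e-mail address");
  }
  const hidden = text => `<span class="${HIDDEN_CLASS}">${escapeHtml(text)}</span>`;
  const local = escapeHtml(address.slice(0, at));
  const domain = address.slice(at + 1);
  const dot = domain.lastIndexOf(".");
  const domainHtml = dot > 0
    ? escapeHtml(domain.slice(0, dot)) + hidden(decoys[1]) + escapeHtml(domain.slice(dot))
    : escapeHtml(domain);
  // "&#64;" instead of "@": a regex over the raw HTML never sees an at sign.
  return `${local}${hidden(decoys[0])}&#64;${domainHtml}`;
}

function decodeEntities(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" is not decoded twice
}

// What the browser renders and what the accessibility tree contains: hidden
// spans removed, remaining tags dropped, entities decoded.
function renderedText(html) {
  const hiddenSpan = new RegExp(`<span class="${HIDDEN_CLASS}">[^<]*</span>`, "g");
  return decodeEntities(html.replace(hiddenSpan, "").replace(/<[^>]+>/g, ""));
}

// What a scraper that strips tags and decodes entities gets: every fragment,
// decoys included, i.e. a poisoned address.
function strippedText(html) {
  return decodeEntities(html.replace(/<[^>]+>/g, ""));
}

// A typical harvester regex.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
function scrapeEmails(text) {
  return text.match(EMAIL_RE) || [];
}
```

Two caveats: this only protects the visible text, so a `mailto:` link whose `href` carries the plain address would give the game away (either leave the link out or assemble it on click); and a scraper that renders the page in a headless browser sees exactly what a human sees, which is why the post treats obfuscation as a way to reduce harvesting, not to eliminate it.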

Turning to invisible solutions

Rather than asking users to click on boxes, the captcha analyses a series of signals about the user’s behaviour in order to give them a final score.

If this score is good enough, then the test is considered to have been passed. The advantage is that the test is done in the background, without asking the user to click anywhere, let alone solve any puzzles.

Tools developed by Captcha.eu, Friendly Captcha and Human Presence work in this way. Of course, there are many others.

The disadvantage of these tools is that they generally have to be paid for commercial use, particularly above a certain volume of queries.

But the question of protection, GDPR compliance and the accessibility of your website is worth looking into.

How do you choose between security and accessibility?

In this post I wanted to share with you my personal thoughts on the use of CAPTCHA to block malicious bots roaming the web. It is estimated that around 40% of Internet traffic is made up of bots, most of which are malicious.

That said, I don’t think you can put the accessibility of a site before its security.

We need to assess the risk involved and find the appropriate means of action without negatively impacting the user experience. Blocking both bots and some of the humans visiting a site is not an option.

For sites with moderate traffic, the risks involved are lower and alternative techniques without CAPTCHA, such as those described above, may be more than sufficient.

If it becomes difficult to deal with frequent bot attacks without resorting to more sophisticated means, I would encourage the use of completely invisible CAPTCHAs. Be careful, however, as some of these solutions may fall back to an inaccessible visual CAPTCHA when the proof of work carried out in the background is deemed insufficient.


Louis Chance

Web designer and WordPress developer, I create websites with an ethical approach for businesses and associations looking for a custom and scalable solution.
