I am also blind. hCaptcha is the worst. Their stupid cookie expires so I have to go through their getting an email to set the cookie almost every time I encounter one. It's a horrendous UX, especially when using different devices and browsers. I imagine others just give up instead of dealing with the crap. They shouldn't use the word accessibility when their whole service is the exact opposite.

The bots can probably solve them easier than blind people anyway, or they can outsource them to third world workers for next to nothing. E.G. Anticaptcha [0]:

> Starting from 0.5USD per 1000 images, depending on your daily spending volume

[0] https://anti-captcha.com/

The title kind of makes it appear far less of a problem than it actually is, because according to the article, hCaptcha made multiple rude and evidence-free accusations of lying despite the author actually being blind.

Some captchas are getting pretty discriminatory, not everyone lives in the West and can identify the objects they are asking you to. Another recent one sticks out where they asked me to pick a shape as the same number of conoids on screen. If you ask people on a street what a conoids I bet a significant amount will give you blank looks

Also at least now I know some people call those markings crosswalks

Lesson 1 about competing with Google should be "don't be even more disrespectful to your users than Google is". Otherwise people will just use Google.

Relying on the goodwill of a small number of "never-Googlers" to carry your business, in spite of the way you do business, is not a path to success.

While hCaptcha trashes its reputation, the rest of the world will go on using reCaptcha and not giving the faintest whiff of a fart about hCaptcha's existence.

(Side note: the spelling is "intentional", not "intensional". Think "intent" + "-tion" + "-al", not "in-" + "tension" + "-al").

The author was essentially too smart to be blind.

I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.

Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:

- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.

- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.

It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.

I think, unfortunately, most accessibility options are not intended to actually be used.

If you are a governement or bigco, accessibility is part of your baseline requirements. You must be able to say: Yes, we are accessible. Otherwise, the public will cause a stink.

So you take your list of vendors, and remove any that don't say they enable accessibility. Vendors know this and make sure they say they are.

Meanwhile, it is a hard to get right feature, only applicable to a small part of your userbase. Multiple disabilities require different affordances. No developer on the team really understands the actual requirement.

The people requiring accessibility will go somewhere else, or grumble and make do. Neither will be detected on any metrics board.

This combination promotes shelfware: Things you buy and put on a shelf somewhere but never really use.

> I emailed back a day or so later, requesting an unban because, y'know, I actually* am blind, but they gave a pretty canned response of no, your account is remaining banned.*

Do I understand correctly that hCaptcha has created an accessibility problem that's denying this blind person access to all sorts of Web sites?

Is there an ADA angle here, for many customers of hCaptcha?

This has got to be an open-and-shut lawsuit if the author wants to pursue it. T&C doesn't shield you from the ADA.

Why are captchas even a thing still? If folks want to scrape something or build an automation around something, then why not let them do it? They still have to respect the system they're logging in. Not to mention the privacy perk of not exposing your visitors to some captcha service with a dozen or more data subprocessors.

I hope AI stuff makes captchas completely obsolete soon. I am sick of them. The cure is worse than the disease.

As a blind person, I genuinely believe that hCaptcha, being as terrible as it is, is still the best solution among the ones that we can physically achieve in the world as it exists right now.

Audio captchas don't work for people with hearing issues and/or who don't speak your n supported languages, where n is usually <10. I've had to help people out with these over the phone, it was not fun.

Even for people for whom they do work, it's worth keeping in mind that bots can solve them by now, and so users whose activity looks too fraudulent, who are still given access to the visual captchas, have to be blocked from using the audio ones. I have also seen this happen.

Text captchas are a non-option by now, they're very easy to solve with LLMs, and the way they have to be phrased makes it impossible to align LLMs not to solve them, like you can do with the visual ones.

Google's ReCaptcha can get away with having no actual challenge for most users, blind or otherwise, but that's because they're Google, they do enough user tracking that they don't actually need a captcha. Google is the only company that can get away with this, and even for them, it doesn't work in all situations, even when the user fully trusts Google and has not adjusted any privacy preferences.

Sure, you could stop using captchas entirely, if you're fine with receiving dozens of viagra ads on every single platform each day, abolishing all "contact us" and comment forms on the internet, having a significantly higher credit card fraud rate (which translates directly to higher prices and a much worse experience for consumers), and getting all your semi-public records and social media activity immediately scraped by shady companies and sold to anybody who expresses any interest. Unsurprisingly, most users are, in fact, not fine with this.

And the very angry email that I (probably unwisely) just dashed off to support@hcaptcha.com:

"So I've been trying to sign in repeatedly to set the accessibility cookie since last night. Every time I click the submit button, I get the useless error message "an error has occurred, please try again".

My friend, who shares my roof and my static IP, got banned from hcaptcha's accessibility service last year for being too smart to be blind. And I suspect you all have banned our IP and not just his account.

For the record, my static IP address is (redacted).

See https://michaels.world/2023/11/i-was-banned-from-the-hcaptch... for his story. I have been broadcasting this to websites frequented by technically capable people: https://news.ycombinator.com/item?id=42171164 https://lobste.rs/s/qbkd0u/i_was_banned_from_hcaptcha_access...

Please let your bosses know that I plan to pursue legal action against hCaptcha and/or amplify the truth to destroy its reputation in the public square. I will also be reaching out to websites who utilize hCaptcha, letting them know that the captcha provider they employ is refusing to provide reasonable accomodations to blind people.

Whether it be with the force of law or the force of satyagraha, your bosses are going to get a message and we will win.

It's quite unpleasantly often that I hear stories about accessibility accommodations being removed by someone considering themselves the sole arbiter of disability.

That smells illegal.

hCaptcha is worse, than reCaptcha.

I pass the captcha (I am not blind and not using accessibility account) and get response like

Your response to the CAPTCHA appears to be invalid. Please re-verify that you're not a robot below. (Reference ID: 4035128747213959)

And you are given captcha again (passing which will have the same result).

reCaptcha had similar issue, but choosing 'accessibility' would transform the captcha from visual to auditory one and passing it had no such problems.

In the end I just gave up.

Please just let my link some kind of government-backed ID to an email account and then clients can ask "hey government, is this email account a real human being in your country"? And government can say "yes" and they can go forward knowing that if I turn out to be a bot and they ban me it will be a huge pain in my ass because I've got to go through government enrollment process again.

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart.

These things have one job. Any time they fail to identify a human, they have failed at their job. How they go about administering the test, and (to a large extent) what the human does in response, should be irrelevant. I know that's hard, no-one said the job was easy, and the companies developing them are the ones making claims about their efficacy.

If you want to block 100% of bots, don't put your stuff on the Internet. If you want to block bots and allow humans then you're going to have false negatives. Failing to acknowledge them is dishonest.

None of which stops me filling them out when I encounter them, but I don't have to like it.

If you're in Europe, consider filing GDPR complaint to your local data protection authority. One of the rights recognised in GDPR is right to rectify information about you, and it was clearly not afforded by the provider here.

reCaptcha is better than hCaptcha