This particular issue (AI performance on captchas) is really quite fascinating. It's an arms race, but the problem is, only one side can win. Google is claiming they have improved their system in some (understandably) unspecified way, but there's only so far this can go. Captchas need to detect whether someone is human, but it has to work for everyone, ideally, even those with disabilities. Any simple task a human can do will eventually be able to be automated. Tasks that aren't currently feasible to be automated, say some natural language processing tasks, have another problem: scalability. To prevent simple databases of problems -> solutions, the problems need to be generated en masse, and for cheap, which means a computer needs to generate the solutions in the first place. And of course, paying people to just do captchas all day already happens.
The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers (as their machine learning might have gotten it wrong). Perhaps this is what their "risk analysis" refers to--whether their response seems "human" enough according to their data, not necessarily whether it's correct.
I don't see a way around this problem for free services that still preserves privacy (so directly using some government-issued ID is off the table). Maybe some Persona-like digital signature system, where a person can go to a physical location with a government ID, and get a signature that says "Trusted authority X affirms that person Y is in fact a person". Obviously this still has problems, as you need to trust X, and it's a big pain in the ass.
There are parallels to the realm of passwords, which are also becoming obsolete (not that there's a good replacement...). Anything that a human can feasibly remember for a bunch of sites is becoming easier and easier for computers to guess.
So basically, computers are taking over the world, and we can't do anything to stop it. God help us all.
> It's an arms race, but the problem is, only one side can win.
I don't disagree, but although this specific problem can be automated, the arms race will continue as newer problems (requiring uniquely human intelligence) are presented. We can keep moving the bar until the singularity.
For example, a captcha: "Pick the most unsafe environment", followed by pictures of a house, a park, a volcano, a bed. To solve this, AI would have to have a mastery of language, a mastery of object identification, and a mastery of the metadata of those objects as they apply to human safety.
That runs into the scalability problem that I mentioned--someone (say, a Mechanical Turk user) can solve that problem once, and put it in a database. To avoid this, there needs to be a way to generate them cheaply, so you pretty much need a computer that can solve the problem in the first place.
Basically, my point is that there's no such thing as "uniquely human intelligence". There's lots of problems that fall into that category now, but with the continuing rise of computational power, it's getting harder and harder to find new problems of this sort without excluding a lot of real people.
So that begins to look a bit like the RSA problem, doesn't it? Find a problem which can only be solved efficiently given some "secret" knowledge – where, instead of that knowledge (the prime factors) being secret, the knowledge is something it's easy for a computer to use but hard for it to recognize.
I'm probably overgeneralizing, but it's an interesting framing.
>To avoid this, there needs to be a way to generate them cheaply, so you pretty much need a computer that can solve the problem in the first place.
I don't see how that follows. Many captchas are just text with a confusing grid overlayed - that's incredibly trivial to produce, and producing one tells you next to nothing about how to solve them. Or if that's too easy, throw in some random distortion - still easy to produce, even harder to read.
But one requirement of a captcha system is that it be easy for a computer to generate. The system you describe seems to require that humans build up a list of things with obvious-to-human answers, which doesn't scale, especially when they have to be designed under the assumption that "the enemy knows the system" (i.e. a worker on some "library of common knowledge" project could defect).
But if you could have an AI generate those problems, it would be capable of solving them too!
Current captcha systems exploit the one-way nature of problems, mainly "character distortion". This is what permits easy computer-generation but not computer-solution, and does not seem to be present in the class of problems you describe: it's just as easy to go from "noun -> adjective" as "adjective -> noun".
"Pick the most unsafe environment", followed by pictures of a house, a park, a volcano, a bed.
My sense is that IBM's Watson could tackle this particular question. Also interesting to note that the question introduces external considerations, such as whether or not there's someone dangerous near the house, bed, park, etc. A human respondent will have to ignore the matter of whether there's additional context and second-guess the captcha author to get the problem right -- presumably the most unsafe environment is the volcano.
"Pick the most unsafe environment", followed by pictures of a house, a park, a volcano, a bed.
if you're a spammer is to choose randomly and make four times as many attempts. Which is why catchpas make you type six or more letters giving millions of combinations so you can't do it randomly. To get up to a similar resistance to random attempts with 'pick the unsafe environment' type questions you'd need of the order or eight of them (giving 4^8 or approx 65k combinations). Would you as a user want to fill in 8 of those things?
Like Deep Blue, Watson represented a major advance in the state of weak AI. However at its core, it's still just a text-based statistical search engine. It has no ability to "learn" new abilities. Its algorithms will use previous answers to adjust ranking of answers, but once a category is finished, that data is lost. For new data, its database needs to be re-indexed. For new behavior like recognizing pictures or playing a game, it needs to be programmed.
Watson played a simplified version of Jeopardy with no video or audio questions. This was a key compromise to allow a text based system to compete with humans. The AI problem of recognizing pictures is practically unsolved. It took Google's best researchers, a massive database of cat pictures, and a supercomputer just to train a computer to recognize when a cat was in a photo. So your sense of Watson's present abilities is a little skewed and unrealistic.
While probably not 99% reliability, I think google software could often solve this one too: Reverse image search could provide an image description, which combined with number of search queries for eg 'unsafe $image_description' to give a ranking. Google can already mostly handle synonyms; it does not need a mastery of the area as it can just use correlations and usage patterns.
Also, being solvable for humans and not computers is not the only criteria for a captcha. For example it must be quick and relatively easy for humans, and provide a definitive consistent answer. The brilliance of recaptcha is that it was making the work that humans excelled at actually useful beyond just 'proof of humanity'.
The odd thing with a question like that is how "most dangerous" is determined. Logically the volcano is the most unsafe environment, and people do die on them, but statistically far more dangerous, at least by death count, is the bed.
This is the kind of problem that would still cause issues for some people, especially if you had to scale them to produce identical captcha's relatively rarely (if the same one shows up too many times it can easily be hard-coded, requiring the most basic detection to solve it reliably) in that as you come up with more of these types of questions the expected answer gets rapidly more nuanced.
Dangerous does not necessarily mean fatal. The posed question specifically states environment, and the bed as an environment is typically a flat, soft, blunt, rectangular prism.
Whereas volcanoes, and more specifically, active volcanoes can be unpredicable and spurt out hot lava and ash.
The question is worded fine and your attempt to poke holes into this is invalid.
Even if a question is worded well, it can always be interpreted incorrectly. The question should not be blamed for a person's inability to process information.
At the same time, though, a human would have to have familiarity with all of those objects in the context of their environment. A house doesn't look the same to everyone, nor does a park, bed, etc. People's life experiences can also affect their responses.
The problem we would then experience is unintentional prejudice and Western-mindedness in our "are you human" queries, similar to a problem that SATs and other standardized testing methods have been criticized for.
>To solve this, AI would have to have a mastery of language, a mastery of object identification, and a mastery of the metadata of those objects as they apply to human safety.
Actually for a captcha to work, you have to have a problem that is easy for an AI to pose and verify the solution to, but hard for AI to solve. This could potentially rule out some classes of working turing tests.
As to your questions, I think the way it's going with these convolutional neural nets, the idea of being able to tell a human from a computer with something like captcha isn't going to work. I'm thinking a captcha that still would work would be a randomly generated natural language instruction that a user has to interpret with some top down reasoning (possibly with a natural text answer). We've still got a ways to go before we can do that really effectively with software.
And then anyone who doesn't have extra resources is prevented from using your service... As if it is a trivial amount, spammers will pay it, and if it is non-trivial, then some people won't be able to afford it. Doesn't seem like a great idea.
MetaFilter is a web forum that charges $5 to create an account. Between that and aggressive but professional moderation, spam basically doesn't happen since a couple of obvious spam comments and you're permabanned.
However, it limits the user population to people with a debit card and $5 to spend. A bitcoin-based solution right now would be even more restrictive, since apart from buying bitcoin in person, you pretty much need a bank account to acquire them.
Humans have had an easy time for a while. Good to finally see some competition. :)
On the other hand, why is that we insist on humanity? None of the systems can block a captcha-solving team based in Nigeria. What we need to block is bad behavior by users and not their humanity.
Good point. I imagine that detecting such behavior will also be pretty difficult. It's one thing in a forum, where you'd maybe want to discriminate against idiots (but that would still leave you open to the problem of shills/sock puppets). But for big companies like Google, would they really want to open that can of worms?
I think a big problem is Sybil attacks. Let's suppose I make a bot that posts thousands of reports of my computer crashing after using product X. To determine if such a post is bad behavior or not, you have to know if the claim is genuine. That can't be determined by the content of the post itself.
> The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers
reCAPTCHA presents a known problem and an unknown problem to the user. If the user answers the known one correctly, it assumes that the answer to the unknown problem is correct too. I believe the text-based reCAPTCHAs will accept an answer within a character or two as correct.
All captchas I have seen were used to stop spam. The problem with spam is that 1) it's noise and 2) appears in large amounts.
Captchas approach the problem 1), by assuring only people can post and then hopefully increase the signal quality. It sucks because it requires mental effort, is hard on people with disabilities, blocks potentially useful bots (see reddit bots) and leads to an arms race.
What if we tried to solve the problem 2)? One possible solution is requiring a proof of work. Some computation that requires a few seconds, easily disguised while the user is typing the comment or filling the fields. It's an old idea but I've never seen an implementation in the wild. (yes, it would fail for mobile devices. fall back to captcha or something)
Isn't most spamming done by botnets these days, to avoid IP bans? So they have a plentiful supply of CPU cycles?
Also, regular users who visited your site without wouldn't install any software, so they'd be running the proof-of-work as slow javascript, while spammers could use GPU or even ASIC acceleration if proof-of-work became widespread.
Blacklisting would soon force him to get hundreds or thousands of signatures, which would slow down the operation.
This said, i don't think "trusted authorities" are the way to go - we've seen the failure of that model with x.509, there is no need to repeat it elsewhere.
Presumably a service would only allow one (or a few) accounts per actual person. The end user will still need some amount of security. I had in mind some challenge-response mechanism, like:
Person signs government ID number with public key, presents it to authority
Authority signs public key and asserts it belongs to a real human
Service presents random number at signup time
Person signs the random number with the same public key, and presents the key signed by the authority
That's what I was referring to with services only allowing one (or N) accounts per person. A spammer could use the signature multiple times, but would need new email providers for every single account.
And as an uncle (?) comment points out, there could possibly be blacklists of signatures of spammers shared between providers. That definitely would cause some new problems, of course, but who knows what the future may hold...
1. Unlike e-mail accounts or such, a botwriter wouldn't be able to get thousands of such signatures to go on as soon as the first one is identified and blocked; if he puts his own key in the bot - bam, you (and everyone else you know) can exclude him from your services permanently, and he wouldn't be able to come back with a fresh account unlinked to that one, ever.
2. The signature is linked to a specific person, so if the private key is stolen, then you (a) revoke it; and (b) punish the thief - because obtaining that signature most likely be treated as a felony, unlike spamming comments or other uses for breaking captcha's.
If multiple signatures from the same key are recognizably the same person, wouldn't this have the unfortunate implication that your identity can be linked across different services? There'd be no way to have multiple email addresses anonymously without being able to trust the provider.
> The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers (as their machine learning might have gotten it wrong).
In the original captcha algorithm there are two images shown, one where the answer is known and one where the answer is not known. The unknown - the street sign or that extract from an old newspaper - is guessed at by those filling in the captcha.
If 90 people say it looks like '11' and 5 people say it looks like '71' and another 5 say it looks like '77' then you can be 90% certain that it is '11'. The machine has therefore 'learned' what that number is, it is '11'. This can continue being used in the captcha however, now that it is known, people will have to type '11' for it.
That is how it fundamentally works and why the two snippets of information 'to get right'. You can try it for yourself, get the first one of the street sign deliberately wrong and see if it lets you through.
I can not remember the name of the paper, but researchers have recently discovered that neural networks can fairly easily be disrupted by carefully perturbing the pixels in incredibly slight amounts. Completely invisible to a human, but can ruin the ability of neural networks to classify it.
If the recognition algorithms for numbers and faces in StreetView are so wonderful, why are there so many randomly blurred out bushes and bus stop signs? In a typical frame you can find a row of No Parking signs or parking meters and randomly one of them is blurred out, as if they thought it was a face. Machine learning has plenty of learning left to do.
Agreed, cheap labor isn't hard to find, and there are countless people that would answer captchas all day long for a few dollars. How many captchas could you answer in a day? Let's say you work 8 hours, and answer one every 20 seconds. That's 1,440 captchas answered for $3/day. You get 5 captchas for a penny. If you can make more than a penny off 5 captchas and whatever you're trying to post or accomplish, you have a business.
It is only a security problem is somebody keeps track.
You can be issued a secure key ('a passport') to make new ids ('HN registration') but nobody needs to know who ('the passport') generated the website specific ids once your key has been used. The passport only gives access to generate further keys.
I wonder about the computer's ability to figure out what's spam and to manage the visibility of posts from new accounts dependent on its confidence in that. If captcha proves unwinnable, which I agree with you it very well may be, then all isn't necessarily lost.
The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers (as their machine learning might have gotten it wrong). Perhaps this is what their "risk analysis" refers to--whether their response seems "human" enough according to their data, not necessarily whether it's correct.
I don't see a way around this problem for free services that still preserves privacy (so directly using some government-issued ID is off the table). Maybe some Persona-like digital signature system, where a person can go to a physical location with a government ID, and get a signature that says "Trusted authority X affirms that person Y is in fact a person". Obviously this still has problems, as you need to trust X, and it's a big pain in the ass.
There are parallels to the realm of passwords, which are also becoming obsolete (not that there's a good replacement...). Anything that a human can feasibly remember for a bunch of sites is becoming easier and easier for computers to guess.
So basically, computers are taking over the world, and we can't do anything to stop it. God help us all.