Announcing BotBouncer.com
In talking with potential customers and early adopters of OpenID, we’ve gotten some great feedback on how we can improve the protocol and deliver value-added services. One such service that people have been interested in seeing is something that will help verify an OpenID as being a human (and not a robot).

I’m excited to announce BotBouncer.com, a free service that we’re releasing today. BotBouncer allows sites to verify that an OpenID has successfully entered a CAPTCHA. BotBouncer works as a web service that sites can subscribe to with a unique API key. As users log in to an OpenID-enabled site, that site can query BotBouncer to see if that OpenID has entered a CAPTCHA. If they have, it quietly logs in the user via the existing OpenID process. If they haven’t, the user is sent to a page where they must enter a CAPTCHA. Once they have successfully entered the CAPTCHA, they are redirected back to the page they came from.
Future releases will include an audio CAPTCHA as well as the means for sites to set preferences on the frequency of successful CAPTCHA entry (i.e. has the user verified a CAPTCHA in the last 30 days?).
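As an added illustration (not code from BotBouncer or this post), here is the relying-party decision logic the flow above describes, with a constructed in-memory stand-in for the lookup service; the page does not describe the real API, so the record shape, the `lookup` call, the API key check and the `max_age_days` preference are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class FakeBotBouncer:
    """Constructed in-memory stand-in for the lookup service. The real
    BotBouncer API is not described on the page, so this shape is assumed."""

    def __init__(self, valid_api_keys):
        self._keys = set(valid_api_keys)
        self._verified_at = {}  # openid -> time the CAPTCHA was last solved

    def record_captcha_success(self, openid, when):
        # Called by the CAPTCHA page once the user has solved it.
        self._verified_at[openid] = when

    def lookup(self, api_key, openid):
        # Each subscribing site queries with its own unique API key.
        if api_key not in self._keys:
            raise PermissionError("unknown API key")
        return self._verified_at.get(openid)


@dataclass
class Decision:
    action: str                        # "login" or "captcha"
    redirect_to: Optional[str] = None  # page to return to after the CAPTCHA


def handle_openid_login(service, api_key, openid, return_url, now, max_age_days=None):
    """Relying-party side of the flow: after the OpenID assertion succeeds, ask the
    service whether this OpenID has solved a CAPTCHA. Log in quietly if so (and
    recently enough, when a frequency preference is set); otherwise send the user
    to the CAPTCHA page, remembering where they came from."""
    verified_at = service.lookup(api_key, openid)
    if verified_at is None:
        return Decision("captcha", return_url)
    if max_age_days is not None and now - verified_at > timedelta(days=max_age_days):
        return Decision("captcha", return_url)  # too old for this site's preference
    return Decision("login")


def demo():
    """Walk one OpenID through the flow; returns the actions taken."""
    bb = FakeBotBouncer(["site-key-1"])  # constructed sample API key
    alice, page = "http://alice.example/", "http://site.example/post/1"
    now = datetime(2006, 12, 20, tzinfo=timezone.utc)
    first = handle_openid_login(bb, "site-key-1", alice, page, now)  # no record yet
    bb.record_captcha_success(alice, now - timedelta(days=40))
    second = handle_openid_login(bb, "site-key-1", alice, page, now)  # no freshness rule
    third = handle_openid_login(bb, "site-key-1", alice, page, now, max_age_days=30)
    return [first.action, first.redirect_to, second.action, third.action]
```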
Please let us know if you have any questions/comments/ideas.
Why not implement a captcha that only humans can answer, rather than the current machine-readable version? Something like, “type the text and click the puppy”
We wanted to get something out that would be usable today. If the need arises, we can tweak the CAPTCHA itself to be more complicated or go the route that you mention. That sounds like a slick way of doing it.
As great an idea as this might look at first, I believe it to be contradictory to the spirit of OpenID.
If you look at the original definition of OpenID, you’ll see the second word after (open) is “decentralized”. If you have openid.server, why not an openid.authority?
Once you added a requirement for all OpenID users to register on a single specific website, you effectively turned OpenID into InfoCard.
Amusing that Seth Godin had a similar idea about centralizing captchas on the same day as this announcement. His suggestion though adds the twist of commercializing captchas, not just centralizing them.
http://sethgodin.typepad.com/seths_blog/2006/12/commercializing.html
Dmitry: I don’t think it is contradictory to the spirit of OpenID.
First of all, it answers a specific question that we’ve been hearing from possible adoptees of OpenID: they want a central service that says “this is a human” to help avoid a possible bot problem.
Secondly, the OpenID protocol does not do anything to help address this problem. If it does in the future, then we’ll either modify the service or discontinue it. In the meantime, it solves a specific problem for the eco-system.
Finally, you don’t have to use the service if you don’t want to. Sites that adopt it will be doing it because they feel strongly that they want to stop bot spam. I see this much like Akismet is for comment spam on blogs today. Its centralized nature is what makes it powerful. Same would be true here.
Brant: that’s hilarious … thanks for the link … we’ve figured out how to monetize our free service! :-)
I employ Akismet on my blog. Not because I like it, but because I’m out of options.
It’s funny that you mention Akismet, since, as you surely remember, just a couple of days ago I submitted a comment on this very blog, which then has been filtered out by Akismet. I had to exchange several emails with their support before I was able to comment on WordPress blogs again. What if BotBouncer suddenly decides I’m a bot?
As for the immediate need, I haven’t heard of any OpenID spam so far. It surely will pop up as OpenID gains popularity. However, by then we should have an openid.authority tag, as I already suggested.
“something that will help verify an OpenID as being a human (and not a robot).”
You mean “something that will help verify an OpenID as being a sighted human (and not blind).”.
If I were deafblind, this system would completely fuck me over. Something like Eric Meyer’s wp-gatekeeper (http://www.meyerweb.com/eric/tools/wordpress/wp-gatekeeper.html) would be a better system.
Also, using a “javascript:foo(bar)” hyperlink for the “accessible” option (or indeed any hyperlink) is not wise.
Please, read http://www.w3.org/TR/turingtest/ and don’t make the web any less accessible than it already is.
Dmitry: The one thing we have heard time and again from potential adopters of OpenID is “how do I protect against rogue OpenID servers that come up and just spam away?” How would you determine which sites you would trust in the openid.authority? Would you manage a list for each site? Would you subscribe to an RBL-for-OpenID-servers service? I’m just trying to determine how the openid.authority attribute would solve the potential spam problem.
Yours was the very first post that has ever been wrongly rejected. I’ve had over 6000 rejected spam posts since I moved to this blog in September. That’s a pretty good ratio IMHO. What did the Akismet people have to say the problem was?
BotBouncer couldn’t “suddenly” think you’re a bot. Either you fill out the CAPTCHA, or you don’t.
Greg: your post ended up in my moderation queue because of the language you used. That’s why it didn’t end up on the site immediately.
I appreciate your suggestions and we can make the audio CAPTCHA even more usable by avoiding the Javascript. The link to Meyer’s wp-gatekeeper doesn’t seem to be available right now but I’ll check it out when it does come back.
Thanks for the comment.
Could Akismet?
Greg, profanity doesn’t contribute to the discussion. The language you’re using could make others disagree, no matter how good your arguments are (and they are).
I was trying to express anger and frustration and that turn of phrase was the only adequate way I could find. “I would be completely unable to use this system” would have been factually equivalent but wouldn’t have conveyed the same strength of meaning.
Besides, anyone discrediting an argument because one expression of it contained a use of The F-Word™ (even used only as an intensifier and not in its literal sense) is not someone I can be bothered to try to convince.
Yeah, gatekeeper was down for me as well, but I think in hypertext and so I felt obliged to link to it nonetheless. Essentially it involves posing logic questions rather than sensory-input-based challenges, i.e. “muse upon this” rather than “look at this and decode it”.
An example Eric uses is “What colour is an orange?”, to which the correct response is “orange”. The user has to not only read the question but also understand it, which computers find hard to do. What with having no mind and all.
As the W3C note points out, some people with cognitive disabilities would still have a problem with this. For some reason I find discriminating against mentally disabled people more justifiable than discriminating against physically disabled people. The latter is certainly more easily avoidable (although still a pretty subtle problem). Maybe I’m just evil.
Greg: I wasn’t offended by the language, the WordPress moderation system was … :-)
court3nay in the first comment on this post had somewhat the same reply but more focused around pictures again.
What would stop a spammer from simply cataloging all of the possible questions and then responding accordingly? I don’t have a good answer for it, I’m just mentioning it.
What would most likely be ideal would be to have several options. Prove via CAPTCHA, prove via audio CAPTCHA or prove via some sort of sensory input challenge. If you can do any one of those, you’re most likely a human. If we’re going to do a centralized “you’re a human” service, it makes sense to have multiple options.
Thanks for the thoughts on this Greg.
Yeah, I figured you weren’t offended by the language since you OKed the comment. :)
Nothing would stop a spammer cataloguing the questions and corresponding answers. It’s just that images can be decoded programmatically (e.g. OCR) whereas understanding-based tasks can’t (yet).
So to beat a funky-text CAPTCHA, the spammer only has to teach the computer to decode the text. To beat an understanding-based test, the spammer has to feed the computer each question and its corresponding answer.
You could use “What colour is an orange?”; “An orange’s colour is…?”; “The colour of an orange is what?” and numerous other variants and each would confuse a robot anew. And then you could spell “colour” without a U, if you must.
Speaking of which, unlike robots, humans are very good at understnading the real meaning of something. (That was a demonstration.) Human minds are fuzzier. So, you could randomly omit a letter from the middle of one or two words, or transpose a couple of letters. This would multiply the number of equivalent questions a spammer would have to teach their robot.
“Prove via CAPTCHA, prove via audio CAPTCHA or prove via some sort of sensory input challenge.”
*Non-sensory* :) The audio/visual CAPTCHAs are sensory. An “any one of multiple options” system would be a pretty accessible solution actually. However it might increase the likelihood of a robot being able to win, as they’d only have to beat one of multiple tests.
If you could implement something like this, that’s really quite accessible and well-thought-out, and then become the web’s de facto standard humanity detector, that would make people less likely to implement their own, less accessible system. This would be a Good Thing™.
Actually, “You’re A Human” might’ve been a catchier title. Your tagline could have been “Are *you* a human?”, to which people would have responded “Yes! Yes, I’m a human! Yay!”. Might’ve offended the dolphins though.
Maybe it is an extra MUST we have done for our OpenID. But anyway I do believe there should be somebody to guard our OpenID.
I do understand that BotBouncer is an addition to OpenID and not part of the OpenID-Effort itself. I personally like the idea of having an additional way to tell the difference between a bot and a real human user. I was merely pointing out that this isn’t the sword to kill them all :-)
Keep on working on this path though, as it leads in the right direction.