NPR’s Scott Simon speaks with Amanda Fennell, a cybersecurity expert, about CAPTCHA tests that verify if a website visitor is human or bot. They are getting harder.


Just a sec here. I’m trying to prove I’m not a robot. Which squares have trees? Wait, is that a tree or a bush? Or is that BJ Leiderman, who does our theme music? In fact, CAPTCHA tests are getting harder to answer. Amanda Fennell, chief information security officer for Prove, a cybersecurity firm, and an adjunct professor at Tulane University, joins us. Thanks so much for being with us.

AMANDA FENNELL: Yeah. I’m glad to be here.

SIMON: First, with all respect and courtesy, are you a robot?

FENNELL: I might be. We’re going to have to do a couple of tests to find out.

SIMON: (Laughter) You took my next question. Now, CAPTCHA stands, I’m told, for Completely Automated Public Turing test to tell computers and Humans Apart.

FENNELL: That is correct.

SIMON: That very name is chilling.

FENNELL: Well, the name actually kind of came before the test a little bit. They knew they needed to do something, and there were a lot of really smart people out there who were working on it.

SIMON: So how did they develop – who said, I know what we can do?

FENNELL: Well, there were three researchers at the time who were on kind of the forefront of machine learning and decided – pretty much since computers have come out, it’s like “Blade Runner.” The next thing they said was, how do we prove it’s not a computer? And so that was pretty much from the beginning. Started in probably about the ’90s. There was a patent put out in ’97, and then these three researchers kind of coined the term in 2003.

SIMON: Why are CAPTCHA tests getting harder?

FENNELL: Well, because computers are getting smarter, probably. So we’re trying – we’re just doing the constant arms race, if you will. The computers get smarter because humans are getting, you know, more applicable with their computers, so they’re just trying to build a better mousetrap.

SIMON: What are some of the hardest CAPTCHA tests out there that you’ve seen?

FENNELL: Well, I actually am one of those people who’s challenged by them. There’s a percentage of the human population, about 3%, actually, that have a literal issue whenever they see these kind of stimulant tests. And so, for me, personally, they’re horrible. And it doesn’t matter if I do the audio or the visual. I have a high probability of failing it.

SIMON: And you’re a cybersecurity expert.

FENNELL: I know. That’s what they say. Yeah. But there are some better alternatives to what they’ve been using for CAPTCHA, the version 1, 2, 3, reCAPTCHA with Google. There are better ideas that are coming out in more recent years.

SIMON: And they are coming out, right? There are things on the horizon?

FENNELL: You may have seen some of them. My personal favorite is actually gamification. It’s, you know, some kind of an image that’ll say, can you plant a garden? And you have to move the images that make sense. Simple questions, you know, what’s one plus one? Things like that. Sliders, which all of us Apple users love to see when we see a slider across the screen. But a lot of things are actually happening behind the scenes. This is actually concerning. And I don’t want to get on a soapbox, but this…

SIMON: Yeah.

FENNELL: …Is the concern with reCAPTCHA. Google acquired reCAPTCHA in 2009, and it is the behind-the-scenes way of doing CAPTCHA where the human does not have to interact, and it takes all the knowledge of your internet browsing. So they actually have a lot of data privacy concerns, because how else are they proving you’re a human? They’re using behavioral analysis of your internet search.

SIMON: Oh, my gosh.

FENNELL: I know. I don’t mean to scare everyone, but yeah, it’s a thing that you just have to be in front of, understand, do some private web browsing, don’t allow cookies, things like that – just some healthy hygiene.

SIMON: But, I mean, as chilling as some of us might find that, would history suggest that if it means we can get our toothpaste delivered in eight hours, we’ll do it?

FENNELL: Right. And that’s really the problem we’ve been having with CAPTCHA, is that they’re trying to be smarter about deterring bots, but they’re trying to make it also a frictionless experience for humans, and that’s not working, which is why people have found these alternatives.

SIMON: Amanda Fennell is chief information security officer for Prove, a cybersecurity firm, and adjunct professor at Tulane University. Thanks so much for being with us, and may all your CAPTCHAs be easy to solve.

FENNELL: That was adorable.


FENNELL: I appreciate you having me. This was a lot of fun.

SIMON: And we should note Google is a funder of NPR, but we cover them like we cover everybody and anybody else.

Copyright © 2024 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
