HUMBLECAT.ORG

Blind and Visually Impaired Community

Full History - 2022 - 06 - 11 - ID#vabiun
42
Please help with an email campaign against the company H CAPTCHA and its failure to acknowledge their product's terribly broken accessibility. (self.Blind)
submitted by Superfreq2
Edit: If you've never run into H CAPTCHA and want to see what I mean, go to HCAPTCHA.com and use the checkbox under the ("Try it Out") heading. Once it loads the pictures, there should be a button for finding info on the accessibility mode which will let you sign up.

Email addresses are near the bottom.

For those who do not know what H CAPTCHA is, it is a newer technology being embraced by large and small websites alike which provides a more secure CAPTCHA than the previous solutions. Note: A CAPTCHA is that thing where you need to look at a picture and write something or click something before signing up for a website, sometimes when logging back in after a long time, and occasionally just when trying to access another page.
H CAPTCHA decided to get rid of their audio option (they say it was because of deafblind users but I'm guessing the fact that people have been developing bots to take advantage of it was a bigger factor), and they don't analyze the user's actions to determine whether they are a bot or not like ReCAPTCHA (the I'm not a robot checkbox) from Google does either.
Instead they use both the pictures and analysis, and in order to allow blind and visually impaired users access they have us sign up for an account with them and send us a permanent login link where you can press a button and download a cookie to your browser. This cookie lasts 24 hours before you need to download another from the same page, and has a limited number of uses for security reasons.
All of this would be fine but for the fact that for almost every user, the thing just plain doesn't work!
If you can get the cookie to actually download, then it is still incredibly likely that when you go and try to pass the CAPTCHA again by checking the "I am human" checkbox, it will just take you right through to the pictures again.
They say you need to disable cookie protections for their site, and allow it through your adblocker. That's a security risk but at least it's a single site... However, for almost everyone who tries that, even on multiple different browsers, there is no change.
They also suggest an extension called Privacy Pass which is supposed to allow you to bypass their system, but again, that doesn't work, even more so than the cookie from all I've heard from others and experienced myself.
Support runs you down the troubleshooting checklist again and again without any fix, the company has no phone support, and this problem has literally been happening for years.
H CAPTCHA is used on Discord, Yelp, and now Cloudflare, a security provider for more than seven and a half million websites, along with government portals, utility payment sites, and job hiring sites among others. Their reach only continues to grow in 2022.

I feel like we have a better chance of being heard if others from the community pitch in as well, so that I can't be written off as just one random angry blind guy who doesn't really matter.

I think it's probably best that people who have actually used the joke of an accessibility service they claim to offer be the ones to help out here, so that we don't give the impression that we have no idea what we're talking about.
So basically, if you have ever been screwed over by H CAPTCHA's incompetence, and it still won't work for you consistently even after understanding and following all the instructions on this support article, https://www.hcaptcha.com/accessibility then please feel free to send a (reasonable!) email to the addresses I will provide below.

Here are the emails to contact, more info below.
contact@imachines.com
support@hcaptcha.com
sales@hcaptcha.com

Imachines AKA Intuition Machines is the company that owns H CAPTCHA. You'll notice that their website makes some pretty flowery claims about diversity and lists some important people as being board members. I don't have an active Linkedin account but if you can find contact info for any of these board members, then communicating with them directly may be highly effective given that otherwise your email could easily be ignored or buried before reaching them.
H CAPTCHA's support address will almost certainly give you some kind of automated reply if you mention disability or accessibility. My advice is to send a reply to any automated email with a copy of your original message, so that maybe a human will see it.
The sales address is just a way to get someone else's attention that may not know anything about this. Someone who might be concerned about a potential undisclosed legal risk to customers that this accessibility SNAFU could present. :) But hey, emails get sent to the wrong place all the time right?
If you want to email some of H CAPTCHA's customers, like Discord, Cloudflare, and any other services on this list, https://trends.builtwith.com/websitelist/hCaptcha/Historical that interest you, then please do because if one of them leans on H CAPTCHA, it's likely to have more impact than just some end user.
Please do direct interested people on other platforms to this link, I would appreciate it greatly.
Fridux 8 points 1y ago
I agree with the sentiment as someone who's run into H-Captcha on Discord before, but wonder about the effectiveness of complaining without providing a solution. It's not like everyone has access to your browsing history to train a neural network for risk assessment like Google does, and unfortunately artificial intelligence is now more capable of solving shallow captchas like understanding distorted text or speech than we are.

One solution that I've been thinking about lately is to invert the process, that is, instead of making a human recognize speech, do it the other way around and train an artificial intelligence model to guess whether there's a human on the other side by, for example, examining a recording of a person reading a short phrase out loud. The key here is that the number of voices available to speech synthesizers is rather limited, the cadence of modern text-to-speech synthesizers is also very distinguishable from a human's, and finally it's very easy for a machine to tell whether the audio is being produced from short samples as is the case with speech synthesizers. One caveat is that this process consumes a lot more resources than a traditional captcha, potentially opening the door to denial of service attacks.
Superfreq2 [OP] 3 points 1y ago
In general I agree about providing a solution, but frankly I'm not the corporation with the money and resources to research proper alternatives; it's amazing how fast a problem can go from unsolvable to "here's something that might work" when people actually care to look into it. If that Privacy Pass extension worked then it could solve the issue right there, and while I like the way you're thinking about it, your idea would not work for many non-native speakers, those with speech difficulties, etc.
Either way, I don't want them to continue lying to potential customers about having a working accessibility solution when they don't. If a customer cares about accessibility they should know about this, so that they can choose to go with someone else. It's not just bad for the users who need the access, it's bad for the customers if they get enough ADA compliance complaints. It's like "Accessibee" all over again.
mdizak 2 points 1y ago
Browser plugin with 4096 bit RSA key-pairs would do the trick. Check out what MetaMask does for the Ethereum network -- same type of thing, and until they come up with quantum computing, bots can piss off.
Fridux 1 points 1y ago
How does that help verifying that the user is a human being?
mdizak 3 points 1y ago

Well...

1. Verify with a service such as HCaptcha you are indeed human, and register a public RSA key with them.
2. When you visit a site that wants to verify you are human, there will be a little widget installed on that page à la HCaptcha / reCaptcha now.
3. That widget will send your browser a random string of characters via JavaScript.
4. Plugin within your browser will pick up that string, sign it using your RSA private key and send the signed message back.
5. HCaptcha or whatever service will verify that signed message they received was indeed signed by the private RSA key that owns the public RSA key they have on file for you.

That's it, and you're a verified human.
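
The five steps above as a runnable Node.js sketch, added here as an illustration; it is not part of the comment and not hCaptcha's API. The function names, the in-memory stores, the expiry time and the binding of each challenge to the requesting origin are assumptions, and the last three go slightly beyond the steps so that a captured signature cannot be replayed.

```javascript
// Added illustration: hypothetical names throughout, not hCaptcha's API.
const nodeCrypto = require('node:crypto');

const registeredKeys = new Map();     // userId -> public key PEM on file (step 1)
const pendingChallenges = new Map();  // nonce -> { userId, origin, expires }

// Step 1: after a one-time human check the service stores the public key.
// The private key never leaves the browser plugin.
function register(userId, bits = 4096) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: bits });
  registeredKeys.set(userId, publicKey.export({ type: 'spki', format: 'pem' }));
  return privateKey;
}

// Steps 2-3: the widget hands the browser a random, short-lived string.
function issueChallenge(userId, origin, ttlMs = 60000) {
  const nonce = nodeCrypto.randomBytes(32).toString('hex');
  pendingChallenges.set(nonce, { userId, origin, expires: Date.now() + ttlMs });
  return nonce;
}

// Step 4: the plugin signs the string together with the requesting origin
// (an added assumption) so a signature made for one site is useless on another.
function signChallenge(privateKey, nonce, origin) {
  const msg = Buffer.from(`${origin}\n${nonce}`);
  return nodeCrypto.sign('sha256', msg, privateKey).toString('base64');
}

// Step 5: check the signature against the key on file. A valid signature
// proves possession of the registered key; each challenge is accepted once.
function verifyResponse(userId, nonce, origin, signatureB64) {
  const c = pendingChallenges.get(nonce);
  pendingChallenges.delete(nonce); // single use, even when verification fails
  if (!c || c.userId !== userId || c.origin !== origin) return false;
  if (Date.now() > c.expires) return false;
  const pem = registeredKeys.get(userId);
  if (!pem) return false;
  const msg = Buffer.from(`${origin}\n${nonce}`);
  return nodeCrypto.verify('sha256', msg, pem, Buffer.from(signatureB64, 'base64'));
}

// Constructed run: one honest response, then a replay of the same response.
function demo(bits = 2048) { // smaller key only to keep the demo quick
  const key = register('user-1', bits);
  const site = 'https://shop.example';
  const nonce = issueChallenge('user-1', site);
  const sig = signChallenge(key, nonce, site);
  return [verifyResponse('user-1', nonce, site, sig),
          verifyResponse('user-1', nonce, site, sig)];
}
console.log(demo());
```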
giggitygoo2221 1 points 8m ago
should it happen automatically once the cookie is running?
[deleted] 5 points 1y ago
[deleted]
sorressean 5 points 1y ago
It's been a while since I've seen you post anywhere!
So I've seen this off and on, but when it shows up it's really annoying. The last place I saw it was when trying to access Drizly, I had to use HCaptcha before I could even get to the website a couple weeks ago and eventually just gave up. I went through all the steps and got my privacy-invasive cookie and everything but it wouldn't take it, or after it did it would say "thanks" and then ask me to select the boats in the image. It was great fun and I left the experience needing more alcohol than I started with.
Superfreq2 [OP] 1 points 1y ago
Nice to see you too man! I've been busy with blindness training, and now job shadowing, so I've been kinda dead on social media for the last while.
CloudyBeep 4 points 1y ago
Here is the guidance note from the W3C about accessible CAPTCHA alternatives: https://www.w3.org/TR/WCAG20-TECHS/G144.html
Superfreq2 [OP] 3 points 1y ago
The funniest part about this is that in the FAQ on their accessibility support page, they have...


Q: Is hCaptcha Section 508 + WCAG 2.1 AA compliant?


A: We believe so: all users with any form of impairment who are able to browse the web and enter text on forms can access services protected by hCaptcha upon registration. However, this is not legal advice: you should perform your own evaluation, taking into consideration your particular implementation to ensure this is the case for your deployment.
[deleted] 3 points 1y ago
[removed]
mdizak 3 points 1y ago

Count me in, will send e-mails later tonight or tomorrow. Busy atm...

But yes, I've had the same problems. It just simply doesn't work. It's not that I'm using it wrong or anything, as it's a very binary process. It either works or it doesn't, and on many sites, it simply does not work.
Superfreq2 [OP] 1 points 1y ago
Hey, thanks, I really appreciate that!
AlexKLMan 2 points 1y ago
From tweeting them a few years back they do not care 😔
Superfreq2 [OP] 2 points 1y ago
This is just to let people know that I've added information on how you can try H CAPTCHA out for yourself on HCAPTCHA.com to the first post. Sorry, I didn't realize earlier that they had a demo.


I'll put it here as well though.


If you go to HCAPTCHA.com and find the ("Try it Out") heading, you can check the checkbox there. Once the CAPTCHA loads, you'll find a button that will take you to the info and signup section for the accessibility system.
quanin 2 points 1y ago
I wonder how many of the supposed clients on that list are BS. I just logged into my existing account on Discord, and created a new throwaway account, and didn't get a CAPTCHA either time. Same with Cloudflare. Am I missing something?
Superfreq2 [OP] 5 points 1y ago
Yeah, with Discord it happens when you've been inactive for a while, like months, and you try to get back in. It's also more likely to happen when trying to access Discord from the website rather than a client, and when adding bots to a server. I've heard that turning on 2FA fixes this problem, which is good, but also doesn't make this any less stupid.
With Cloudflare it can happen if for whatever reason, the system thinks you need a little (Extra) scrutiny, for instance when using a VPN to browse a site using it.
quanin 2 points 1y ago
It must be an algorithmic thing now, because there's no CAPTCHA code in the source code for either Discord's login or registration pages.
Superfreq2 [OP] 3 points 1y ago
Weird, audiogames.net is full of people screeching about it over months, and I got it yesterday which is why I got fed up and did this. LOL
quanin 1 points 1y ago
Audiogames.net tends to screech about a lot of non-issues. It's why I don't post over there much.
[deleted] 1 points 1y ago
Fortunately never ran into them, but yeah, hopefully you’ll get enough people.
CloudyBeep 5 points 1y ago
You should still write to them IMO. You may encounter them when you least expect it, and wouldn't you like for there to be a better alternative CAPTCHA by then?
[deleted] 2 points 1y ago
Sure I would, just wouldn’t know what I am talking about heh! Will have to look more into trying it.
Superfreq2 [OP] 1 points 1y ago
Thanks for the encouragement! If you'd like to see for yourself, go to HCAPTCHA.com and use the checkbox under the ("Try it Out") heading. Once the CAPTCHA loads, there is a button that will take you to an info and signup area for the accessibility system.
[deleted] 1 points 1y ago
Yeah! Not a problem. I may at some point
lightsrage85 1 points 1y ago
I use them. I just gave them my email and put the email they sent me back to get my cookie in a folder in my Outlook so it's safely tucked away. Now I have it. So all I have to do is click that link to get my cookie.
©2023 HumbleCat Inc   •   HumbleCat is a 501(c)3 nonprofit based in Michigan, USA.