It’s not you. Those ‘I Am Not a Robot’ tests are getting harder.
Summary
Captchas that aim to distinguish humans from nefarious bots are demanding more brain power; ‘things are going to get even stranger’Scott Nover was trying to log in to a website on his laptop when he found himself staring at a bizarre portrait of a woodland creature wearing a jacket and vest with flowers and watermelon slices floating about.
“Please click on the raccoon’s bow tie," came the instruction.
Nover, a freelance journalist, wasn’t dreaming. He had entered the strange new world of Captchas—those annoying computer quizzes cooked up by web security experts to distinguish humans from nefarious bots.
For years, people trying to shop online or log into social-media accounts might be pressed to complete bothersome but largely simple tasks—deciphering words in distorted type, clicking on pictures of buses, adding up numbers. Now those tasks are getting odder and require a few notches more brain power.
“Select two objects that are the same shape." “Match the number of rocks with the number on the left." “Click on the one that can NOT live underwater." “Please click on the red object in front of the object that appears once."
“I was trying to log in and it gave me this insane-looking fruit, like a [bowl of] fruit that would be sitting on a table, but it’s growing off a tree," said Mustafa Al-Hassani, 38, a Houston-based game developer. The Captcha asked him to “click each image containing an apple on a tree," he said. “It looked realistic, but also so wrong—it was like, hurting my brain."
Captcha is the acronym of Completely Automated Public Turing test to tell Computers and Humans Apart. It was developed at the turn of millennium as a way to prevent bots from disrupting websites and their databases by pretending to be well-intentioned human users. It places the burden of proof on people by posing challenges that only humans can solve.
Companies used them to protect against bot attacks that can crash their websites and compromise user security. Bots aim to mimic human behavior, but faster—meaning those Taylor Swift concert tickets you were waiting to purchase might get scooped up in less than a second by a tech-savvy scalper.
Early Captchas asked users to type out words rendered in distorted letters that automated programs couldn’t decipher. Before long, users got used to searching for fire hydrants and bridges, and getting irritated when they failed the simple tests.
Eventually they began sounding off in expletive-ridden Reddit posts, in a website called “The Museum of Annoying Experiences," in rants on TikTok. In 2020, Bedposts, an emo band based in the Netherlands and the U.K., released an album called “songs to get it out of my system." Track three: “I F—ing Hate Captchas!"
Such frustrations have caught the eye of comedians.
“Is it just me, or have those ‘I am not a robot’ tests started getting harder?" asked British comedian Jack Whitehall in his most recent Netflix special, before launching into an account of how they once tipped him into an existential crisis. “Has anyone had that moment recently where you have failed the I-am-not-a-robot test so many times that you have that moment where you stop and go…Maybe I am a robot?" he said. “I haven’t been able to spot 10 [stop]lights in a row. I’m either a robot or a cyclist!"
The companies and cybersecurity experts who design Captchas have been doing all they can to stay one step ahead of the bad actors figuring out how to crack them. A cottage industry of third-party Captcha-solving firms—essentially, humans hired to solve the puzzles all day—has emerged. More alarmingly, so has technology that can automatically solve the more rudimentary tests, such as identifying photos of motorcycles and reading distorted text.
“Software has gotten really good at labeling photos," said Kevin Gosschalk, the founder and CEO of Arkose Labs, which designs what it calls “fraud and abuse prevention solutions," including Captchas. “So now enters a new era of Captcha—logic based."
That shift explains why Captchas have started to both annoy and perplex. Users no longer have to simply identify things. They need to identify things and do something with that information—move a puzzle piece, rotate an object, find the specter of a number hidden in a roomscape.
Compounding this bewilderment is the addition to the mix of generative AI images, which creates new objects difficult for robots to identify but baffles humans who just want to log in.
“Things are going to get even stranger, to be honest, because now you have to do something that’s nonsensical," Gosschalk said. “Otherwise, large multimodal models will be able to understand."
Arkose Labs employs a staff of artists, former game designers and cybersecurity experts to craft some of the weirder tasks popping up during logins. Arkose says that even its hardest challenges—presented to users deemed, often erroneously, to present a “high threat"—have a first-time solve rate of 94.6%.
Not all of its ideas make the cut. The team once developed a Space Invaders-style game for users to get through, but it was too hard for humans to complete on their first try.
Every Captcha on the internet right now will one day be solvable by a bot, Gosschalk said.
“But the intention isn’t to design something that machines can’t do," he said. “The intention is to design something that’s really expensive for developers to try and train software to do."
As for the humans, some are charmed by the new style of Captchas floating around the internet. Alyssa DeHayes, a senior marketing manager, recently was asked to click on a cow’s nose. “It was pretty cute!" she said.
Nover considers the bizarre challenges a welcome change.
“I have such a long history of being frustrated by the traditional ones that I’m happy to see a different kind of prompt," he said. “I’d rather do that than identify stoplights."
Write to Katie Deighton at katie.deighton@wsj.com
