Steven Presser, Independent Researcher
hCaptcha, a commercial CAPTCHA product, currently protects 12-15% of websites against automation, including the talk submission website for this conference. It presents humans with a picture-based puzzle to solve and uses the results to label datasets. Therefore, it only provides a visual CAPTCHA. In order to comply with accessibility requirements, hCaptcha provides a special "accessibility workflow," which requires additional information from users. However, this workflow has two major issues: it could be used to de-anonymize users, and it can be fully automated.
In this talk, I will examine how such a system was created. I begin with a brief background on CAPTCHAs, an overview of relevant assistive technologies for people with disabilities, and how the two interact. Next, I will discuss the disparate user experiences between the mainstream workflow and the accessibility workflow – as well as the privacy implications of their differences. I will discuss the design factors and requirements hCaptcha used when designing the accessibility workflow and then summarize the automation attack, including my responsible disclosure of the attack. Finally, I will conclude with a discussion of hCaptcha’s future plans for a more inclusive and privacy-friendly CAPTCHA, as well as asking some larger questions about the future of the CAPTCHA. These include: Is the era of the CAPTCHA at an end? If so, do we replace them and with what? How do we ensure inclusive access without creating security gaps?


author = {Steven Presser},
title = {Broken {CAPTCHAs} and Fractured Equity: Privacy and Security in {hCaptcha{\textquoteright}s} Accessibility Workflow},
year = {2022},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = feb
}