To CAPTCHA, or not to CAPTCHA?

Recently, I was asked to weigh in on the topic of CAPTCHAs as my organization sought to improve user experience on our online donation page. The site was using Google’s reCAPTCHA system, a great resource I’ve used before in appropriate situations, to combat the fraudulent transactions organizations like ours are especially prone to, and our marketing department was (rightfully) concerned about its effect on the page’s conversion rate. Staff tasked with frontline support had anecdotal evidence that the CAPTCHA was adding unwanted complexity to the user experience and possibly leading to contribution abandonment.

So what the heck are CAPTCHAs, what do they look like, and when should you use them (and when shouldn’t you)? Thousands have written on this topic, but I wanted to put together my thoughts specifically about the use of CAPTCHAs on online contribution pages for nonprofits.

What are they?

Completely Automated Public Turing test to tell Computers and Humans Apart. That’s what the acronym stands for, at least. They are a kind of Turing test that attempts to distinguish a human being from a computer (specifically, a bot) by issuing a challenge-response test that only humans are expected to be able to solve. While computers are becoming increasingly powerful, we humans still hold significant advantages over them (for the time being, at least) in the realm of object recognition. For a reasonably capable human, being able to look at a furniture catalog and distinguish chairs, tables and sofas is a trivial task. For a computer, it’s extraordinarily complicated, on the verge of impossible. This fact is what CAPTCHAs seek to exploit: that humans are dramatically better at complex object recognition than computers. Thus, these kinds of challenges are an effective way to distinguish humans from computers when processing routine HTTP requests (such as form submissions).

What do they look like?

I guarantee you’ve seen them. They’re generally used when a system is vulnerable to automated abuse. You see them most often when you’re signing up for an account for the first time or registering to comment on an internet forum.

(Image: other distorted-character examples)

And here are some less common examples (images not reproduced here):

Essentially, a CAPTCHA can be any kind of challenge-response request in which the user is asked to perform a task (or answer a question) that the system assumes only a human can perform, whether that’s identifying characters, moving an object along a defined path, choosing a kitten from a gallery of animals, etc.

reCAPTCHA is one specific CAPTCHA implementation. It’s hugely popular on the internet because it’s free, well documented, easy to implement and backed by Google. It’s also pretty unique in a very interesting way. Unlike other CAPTCHA implementations that rely on some form of character distortion applied to a generated string of characters, Google is trying to kill two birds with one stone with reCAPTCHA. If you weren’t aware, Google has long been on a quest to digitize the world’s libraries. They want obscure, 18th-century newspapers indexable and searchable (using their technology and services, of course). One problem: this is an ENORMOUS amount of content we’re talking about. Google’s practically unrivaled computer infrastructure can do some of the heavy lifting, but remember what I said about humans holding a tremendous advantage over computers in the realm of object recognition. In order to convert a Minneapolis Tribune newspaper article from 1906 into a searchable format, they need to translate each printed character into a digital equivalent, and while computers are getting better at OCR, they still just aren’t as good as a human. And while Google has invested considerable resources into this work, paying an army of people to do it around the clock wouldn’t be very cost effective. Instead, they’ve designed a rather ingenious way to get you and me to do this work for them: by offering a free CAPTCHA service, and having us solve the tricky OCR challenges for them.

reCAPTCHA’s website lays this out pretty well.

Note a major difference between reCAPTCHA and other distorted character CAPTCHAs: the presence of two “words” instead of just one single string of characters. This is critical to how reCAPTCHA works. One of the two words is known to the system, and the other is not. The system will place a known word next to an unknown word. If you type in the known value correctly, it assumes you’ve typed in the unknown word correctly as well. After giving the same challenge to a few more people, the system knows with a reasonable degree of confidence (I don’t claim to know all the details here) how that previously unknown word (the one it had trouble figuring out) reads to humans. Recently, Google started pulling house numbers from their Street View project and has begun including those in the reCAPTCHA service as well.
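To make the known-word/unknown-word mechanism concrete, here is a toy model of it. This is an added example, not code from the original post and not reCAPTCHA’s own implementation; the vote threshold `CONSENSUS_VOTES` and the word ids are assumptions, since the post only says “a few more people”.

```javascript
// Added example (not from the original post, not reCAPTCHA's own code): a
// toy model of the two-word scheme. Each challenge pairs a word the system
// already knows with one it could not OCR. The known word decides pass/fail;
// a pass also records the user's reading of the unknown word as a vote.
const CONSENSUS_VOTES = 3; // assumed threshold for accepting a reading

function makeDigitizer(knownWords) {
  // known: word id -> accepted text; votes: word id -> Map(reading -> count)
  const known = new Map(Object.entries(knownWords));
  const votes = new Map();

  function normalize(s) {
    return String(s).trim().toLowerCase();
  }

  // Verify one challenge. Returns { human, promoted }: `human` is whether the
  // control word was typed correctly; `promoted` is the unknown word's text
  // if this answer pushed it over the consensus threshold, else null.
  function verify(knownId, unknownId, answerKnown, answerUnknown) {
    const expected = known.get(knownId);
    if (expected === undefined) throw new Error("no control word " + knownId);
    if (normalize(answerKnown) !== normalize(expected)) {
      return { human: false, promoted: null }; // failed: discard the reading
    }
    // Control word correct: count this reading of the unknown word as a vote.
    const reading = normalize(answerUnknown);
    if (!votes.has(unknownId)) votes.set(unknownId, new Map());
    const tally = votes.get(unknownId);
    const count = (tally.get(reading) || 0) + 1;
    tally.set(reading, count);
    let promoted = null;
    if (count >= CONSENSUS_VOTES && !known.has(unknownId)) {
      known.set(unknownId, reading); // now usable as a control word itself
      votes.delete(unknownId);
      promoted = reading;
    }
    return { human: true, promoted };
  }

  return {
    verify,
    isKnown: (id) => known.has(id),
    readingOf: (id) => known.get(id),
  };
}
```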

It’s free, it’s secure, it works, and you’re helping digitize the world’s libraries. Humans helping computers, computers helping humans. Sounds great. But what about that donation page? Unfortunately, by virtue of how the system is designed, it doesn’t lend itself to providing the best possible user experience.

So… should we use them on the contribution page?

Now we get to the heart of the matter and the meat of this post.

Putting my business analysis hat on, it’s important to first take a step back and define the problem we’re trying to solve here. One doesn’t need advanced training in psychology to understand that the easier things are to do, the more likely people are to do them. If we’re looking to maximize contributions on this page to advance our mission (which we most certainly are), then we are looking for a process that is as straightforward and painless as possible. From a user experience (UX) standpoint, it is our job to design a process that is completely free of unnecessary friction, to make sure the transaction is completed and not abandoned.

There are many ways to enhance UX in form design, including gentle client-side validation (if all Visa credit card numbers begin with “4” and are at least 13 digits in length, what’s the point of wasting 15 seconds of the user’s time sending “678913423423” to the payment gateway just to tell them that they miskeyed their card number?), JavaScript to reduce redundant data entry, and effective overall form design, but this conversation is focused on CAPTCHAs. And because it is, we’re focused here on how to design the most unobtrusive “CAPTCHA” possible.
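The “gentle client-side validation” mentioned above, as an added example that is not part of the original post: the Visa rule is the one the post states (begins with “4”, at least 13 digits), plus the standard Luhn mod-10 checksum that catches most single-digit typos; the `donation-form` and `card-number` element names are assumed.

```javascript
// Added example (not from the original post): a browser-side pre-check that
// runs before a card number is sent to the payment gateway. It only rejects
// numbers that cannot possibly be valid; the gateway still has the final say.

// Strip the spaces and dashes people type between digit groups.
function normalizeCardNumber(raw) {
  return String(raw).replace(/[\s-]/g, "");
}

// Luhn (mod 10) checksum: double every second digit from the right,
// subtract 9 from any doubled value above 9, and require sum % 10 === 0.
function passesLuhn(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns null when the number is plausible, otherwise a short message the
// form can show inline instead of making a round trip to the gateway.
function checkVisaNumber(raw) {
  const n = normalizeCardNumber(raw);
  if (!/^\d+$/.test(n)) return "Card number may contain only digits";
  if (n[0] !== "4") return "This does not look like a Visa number";
  if (n.length < 13) return "Visa numbers are at least 13 digits";
  if (!passesLuhn(n)) return "Please check the card number for a typo";
  return null;
}

// Wire it to the form (assumed element ids); block submission only on a
// clear local failure so that no honest donor is stopped by this check.
if (typeof document !== "undefined") {
  const form = document.getElementById("donation-form");
  if (form) {
    form.addEventListener("submit", (ev) => {
      const msg = checkVisaNumber(form.elements["card-number"].value);
      if (msg) { ev.preventDefault(); alert(msg); }
    });
  }
}
```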

And what is the most unobtrusive CAPTCHA? The CAPTCHA that doesn’t exist, of course! Indeed, many minds committed to this topic are quick to point out that CAPTCHAs are simply a way of forcing our problems onto the user, a horrible strategy in the retail business. Having previously worked loss prevention for a major national retailer, I know this is a delicate balance retailers are constantly trying to figure out. Shoplifting and other forms of loss cut into margins but are a reality and ultimately a cost of doing business; retailers want to mitigate the effects they have on their bottom lines, but not in a way that is counterproductive, reducing purchases by honest customers in a competitive environment by unduly burdening them with invasive and disruptive business practices. Most CAPTCHA implementations are pretty dang disruptive if you ask me. And, it’s important to note that even the best CAPTCHAs won’t be 100% effective in stopping the fraud we’re trying to protect ourselves against.

So should we just get rid of the CAPTCHA altogether? Maybe, but not so fast. Again, let’s take a step back to define the goal. Drawing from my experience in safety/security, I know that an optimal security practice is one that appropriately balances the barrier or impediment it imposes with the benefit it provides (by mitigating or eliminating the incidence and impact of harmful/unwanted outcomes) given the threat environment. In the case of a nonprofit donation page, with sufficient time and resources this could be effectively measured (in dollars and cents). This is to say that, unlike many design issues that ultimately are matters of subjective opinion, there *is* one correct answer here. If we consider the formula “online donation revenue – cost of fraudulent transactions = net income,” the correct answer is the proper mix of factors that maximizes net income by increasing donation revenue (solid UX) and decreasing the cost of fraudulent transactions (defeating bots). Lost revenue that results from implementing the CAPTCHA must be less than the cost of the fraudulent transactions it’s designed to prevent if the solution is to be considered acceptable.

There is a correct answer. Unfortunately, the variables needed to make our computation are where things get murky. It’s like the “how many M&M’s are in this candy jar?” question. There is only one correct answer, but ultimately it’s an exercise in conjecture and approximation. Guessing the number of M&Ms in the candy jar is both a matter of skill and disciplined approach (and even a little dumb luck).

So how do we proceed? By understanding as much as possible the cost of fraudulent transactions and the negative impact of the CAPTCHA on donation revenue. It’s the only way we can.

In our case, I learned that the risk (cost) factor wasn’t so much about chargebacks or interference with finance staff as it was about our payment gateway temporarily suspending payment processing on our site when suspected fraudulent transactions had taken place. Depending on the time of day (and, more importantly, time of year) this happens, this could be major bucks we’re talking about.
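The “revenue – cost of fraud = net income” rule above, together with the gateway-suspension cost just described, turned into a small decision model. This is an added example, not from the original post; every number in `scenario` is a constructed placeholder, and the model assumes fraud cost scales with the number of fraudulent transactions that get through.

```javascript
// Added example (not from the original post): net-income model for deciding
// whether a CAPTCHA pays for itself. All figures are constructed placeholders;
// replace them with your own gateway, finance and analytics data.
const scenario = {
  visitors: 10000,        // humans reaching the donation page per period
  conversion: 0.05,       // share who complete a gift when there is no CAPTCHA
  avgGift: 60,            // dollars per completed gift
  botAttempts: 60,        // fraudulent transactions per period with no CAPTCHA
  chargebackCost: 25,     // direct cost of one fraudulent transaction
  suspensionProb: 0.01,   // chance that one fraud event triggers a gateway suspension
  suspensionCost: 3000,   // donations lost while processing is suspended
  captchaAbandon: 0.08,   // share of would-be donors who quit because of the CAPTCHA
  captchaBlockRate: 0.95, // share of bot attempts the CAPTCHA stops
};

// Expected cost of one fraudulent transaction that gets through, including
// the expected loss from a temporary suspension by the payment gateway.
function costPerFraud(s) {
  return s.chargebackCost + s.suspensionProb * s.suspensionCost;
}

// Net income for one period: donation revenue minus fraud cost, with or
// without the CAPTCHA in place.
function netIncome(s, withCaptcha) {
  const donorsKept = withCaptcha ? 1 - s.captchaAbandon : 1;
  const revenue = s.visitors * s.conversion * donorsKept * s.avgGift;
  const botsThrough = s.botAttempts * (withCaptcha ? 1 - s.captchaBlockRate : 1);
  return revenue - botsThrough * costPerFraud(s);
}

// Highest abandonment rate at which the CAPTCHA still pays for itself: the
// point where lost revenue (visitors*conversion*abandon*avgGift) equals the
// fraud cost it avoids. Above this rate the post's acceptability test fails.
function breakEvenAbandonment(s) {
  const fraudAvoided = s.botAttempts * s.captchaBlockRate * costPerFraud(s);
  return fraudAvoided / (s.visitors * s.conversion * s.avgGift);
}

// The post's test: keep the CAPTCHA only if it raises net income.
function shouldUseCaptcha(s) {
  return netIncome(s, true) > netIncome(s, false);
}
```

Sensitivity is the useful output here: with the placeholder figures the CAPTCHA breaks even at roughly 10% abandonment, so a measured abandonment rate on either side of that flips the answer.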

Conclusion

Ultimately, I have concluded that CAPTCHAs should be avoided on contribution pages if at all possible. They are, I’ve come to believe, one of the most significant barriers between you and your donor’s contribution when it comes to web forms. Only when the cost of fraudulent transactions becomes prohibitive should a solution as drastic as reCAPTCHA be implemented. If resources and cost-benefit permit, an adapted challenge-response task or smart deployment may be an acceptable compromise.

Alternatives

One of the more interesting approaches I have considered is a more user-friendly CAPTCHA that simultaneously reinforces the organization’s message and mission. The other day, I saw a friend’s Facebook post about a human rights group having a similar idea. Whereas Google’s efforts to digitize the world’s libraries are laudable (if we trust their intentions, of course), reCAPTCHA’s usability is problematic and we should ask ourselves how relevant those goals are to our specific mission. I love the two-birds-with-one-stone idea, and while the first bird (defeating bots) is the heart of the CAPTCHA, the second (or third?) bird is an opportunity for creative minds. More on that later?