Smiling Dogs? Horses Made of Clouds? Captcha Has Gone Too Far

Users face increasingly impossible challenges to prove they are not bots.
Illustration: Elena Lacey

When Jared Bauman was asked to look at nine dog pictures and identify which ones were smiling as part of a captcha test to log in to a website a few weeks ago, he was stumped. “To be honest, I had a bit of a moment,” the founder of a creative marketing agency in San Diego, California, says. “Do dogs really smile?” Most of the dogs looked neither happy nor sad—some were grimacing, or simply had their mouths open. No one is sure whether dogs can actually smile, meaning that correctly identifying smiling dogs in a captcha is a near-impossible task.

This kind of conundrum is becoming a bigger issue as captchas—tests designed to weed out robot web surfers from humans on websites—have grown increasingly cryptic. The smiling dogs were the final straw for an increasing number of people posting their disbelief on social media in recent months.

The increasingly complicated tests are the work of hCaptcha, a privacy-protecting alternative to Google’s captcha system, which claims to run on around 15 percent of the internet as of January 2022. And it’s not just asking you to identify which canines are baring their own canines. A week after he was prompted to pick smiling dogs, Bauman was given a more mind-boggling task: to click images of horses made out of clouds. The marketer struggled in large part because two of the pictures had cloud-made elephants, perhaps designed to throw him off the scent. (Bauman managed to get it right the second time.)

Most people aren’t that persistent. “Something about the dogs broke me a little,” admits Eileen Ridge, who offers tech advice for generally older clients based near her in Virginia.

Ridge regularly fields calls from clients who struggle to discern the difference between a scuff of paint on a sidewalk and a formalized crosswalk that’s often requested in a traditional image-based captcha, and worry that one wrong answer may lock them out of an account. When confronted with something as intangible as whether a dog is smiling or not, she worries many will simply give up. She’s not the only one.

Captchas, which were designed to introduce an element of friction to the web browsing experience that would put off an automated system but would be basic enough not to put off humans, are fast becoming unusable, rendering the internet a wasteland of difficult puzzles which users must decipher to do the most basic things. “We’ve literally all been there through gritted teeth muttering: ‘Those were all the pictures with traffic lights,’” says Effie Le Moignan, research associate in social computing at Newcastle University, who calls the captcha era of the internet a “human-computer interaction atrocity.”

But while we’re at the nadir of the technology, captchas—short for Completely Automated Public Turing test to tell Computers and Humans Apart—have long rendered the internet impenetrable to the average user. “This has been the arms race since the beginning of the internet,” says Eli-Shaoul Khedouri, CEO of Intuition Machines, the company behind hCaptcha. Captchas served two purposes: They clamped down on bot behavior while training AI to understand the world, from text to images. (This is why we’re asked to identify traffic signals and sidewalks.) Google got into the captcha game in 2009, buying reCAPTCHA—developed by Duolingo founder Luis von Ahn—for tens of millions of dollars.

However, after several decades, it appears as if captcha’s dominance over the internet could be waning. Apple has decided to give the technology the boot, and its impact on things like email analytics and ad tracking has already been felt. At its Worldwide Developers Conference (WWDC) in June, the company announced it would be replacing captchas with Private Access Tokens. “Sometimes a captcha is just a button to press,” says Apple engineer Tommy Pauly. “But others can be a challenge to fill out.”

Apple’s alternative, Private Access Tokens, tackles the underlying issue captchas try to solve—identifying inauthentic behavior—but in a more user-friendly way. “Captchas often lead to a slower and more complex user experience,” says Pauly. “When I do the exact same thing on the iOS 16 phone that supports Private Access Tokens, I get right through. This is going to save a lot of people a lot of time, and your customers will appreciate being trusted.” The Private Access Token concept was developed in collaboration with Google, Cloudflare, and Fastly.

Khedouri says the Private Access Token isn’t the end of the captcha—far from it. “Privacy Access Tokens are basically just a rebranding of the Privacy Pass, of which we are one of the creators,” he says. “We’ve been working on this for many years now.”

Instead, he believes that the future of captchas is bright, in large part because hCaptcha is trying to rework it from users feeling like they’re doing unpaid labor for Big Tech companies to a moment of fun. “We don’t want to bore you to death,” he says. “We actually would like the experience to be pleasant.” To try and achieve that, Khedouri and Intuition Machines are taking the tests out of the realms of the ordinary and into the extraordinary. “It’s like a game,” he says. hCaptcha is testing a number of different puzzle variants for users to solve, and among the most popular are animal-based ones—unsurprisingly, he says. “The internet is primarily used to transmit pictures of animals.”

Although that’s the goal, users’ frustrations around trying to identify which dogs are smiling and which aren’t suggest we’re not there yet. The new generation of captchas may be more fantastical, but they’re still solutions to which we don’t always know the answer, and which we resent having to do. But we’re thinking about it the wrong way if we’re actually trying to find the ground truth of smiling dogs, says Khedouri. “Think about it this way: The goal of a captcha is that you do what people do,” he explains. We’re not actually meant to find the right answer: We’re just meant to answer the question in the same way as other people. “If people are mostly making the same kinds of errors, that’s fine,” he says. hCaptcha’s solve rate meets a 99 percent benchmark, according to Khedouri, meaning that out of 100 users, 99 can solve the query within two tries.

But for those with disabilities who already struggle with the existing generation of captchas, adding a whimsical, fictionalized element to the problem-solving is another frustration to pile on top of an already tricky challenge to daily browsing. Preexisting captchas have been shown to be harder to solve for people with learning difficulties. People with learning difficulties struggle enough to identify which parts of an image contain a sidewalk and which don’t; asking them to pick out the horses made of clouds from the elephants made of clouds could be a step too far.

Despite that, and despite Apple’s attempt to sidestep them, captchas will remain on the internet, Khedouri predicts. “As long as there are things that people can do quickly and easily that machines cannot do easily, then you will see some form of humanity verification,” he says.

In many ways, trying to rid the internet of the baffling mini-tests is fighting a battle we already lost long ago. “It’s very hard with these kinds of processes to backtrack and eliminate them from use once they’re ubiquitous,” says Le Moignan. “It’d take cohesive will in what’s an inherently fragmentary ecosystem of players, data generation, and processes. Ultimately you can’t opt out, so the user is over a barrel. You can’t, as a user, go ‘Not today, Satan, no captchas from me.’”