DataDome looks to CAPTCHA the moment with test of humanity that doesn't hurt

Apple last month gave hope to a large segment of the mobile device-using population when it announced that the upcoming iOS 16 operating system will eliminate the requirement to use CAPTCHAs to verify their humanity before accessing a website. The advent of the Automatic Verification feature will mean that users of iOS 16 …

  1. OhForF'

    DataDome behavioural analysis

    >DataDome is "collecting thousands of different signals"<

    DataDome is using thousands of signals and analyses my behavior when I access a web site to figure out if I'm a real user or bot.

    Why is this even necessary and is it worth the effort?

    In my opinion it's definitely not a valid reason for browsers to provide all those signals - those signals shouldn't even be available.

    I'd rather deal with the occasional captcha than sending all that data for analysis.

    What valid use cases are there where you need to distinguish between real users and bots and where it's not better to just ask the users to actually log in?

    1. Anonymous Coward

      Re: DataDome behavioural analysis

      > What valid use cases are there where you need to distinguish between real users and bots and where it's not better to just ask the users to actually log in?

      On the login page

      1. OhForF'

        I do not think the login page is a good use case for detecting bots.

        Unless you allow automated behavior for password manager tools you'll alienate your users.

        You do not need to detect bots to stop attempts to brute force the password. Limiting the number of attempts to log in to a single account (from specific IP address [blocks]) or even locking the account after a number of failed attempts should work better.

        Thinking about the use of bot detection on the log in page however prompted me to come up with a similar scenario where detecting bots might be useful: the sign up page.

        Stopping bots from automatically creating new accounts might be useful if there are too many new users every day to vet them manually.
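
The per-account, per-IP-block attempt limit and the account lockout described in the comment above, sketched as an added example (not code from the thread or from any product it mentions). The class name, the thresholds and the /24 and /64 block sizes are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class LoginThrottle:
    """Failed-login limiter keyed on account + source address block (illustrative)."""

    def __init__(self, per_block_limit=5, window=300, lock_threshold=20, lock_time=900):
        self.per_block_limit = per_block_limit  # failures allowed per account+block
        self.window = window                    # seconds a failure stays counted
        self.lock_threshold = lock_threshold    # account-wide failures before lockout
        self.lock_time = lock_time              # seconds an account stays locked
        self.block_failures = defaultdict(deque)    # (account, block) -> timestamps
        self.account_failures = defaultdict(deque)  # account -> timestamps
        self.locked_until = {}                      # account -> unlock time

    @staticmethod
    def block_of(ip):
        """Collapse an address to its /24 (IPv4) or /64 (IPv6) block (assumed sizes)."""
        prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def _prune(self, q, now):
        while q and q[0] <= now - self.window:
            q.popleft()

    def check(self, account, ip, now):
        """Call before verifying the password: 'ok', 'throttled' or 'locked'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        q = self.block_failures[(account, self.block_of(ip))]
        self._prune(q, now)
        return "throttled" if len(q) >= self.per_block_limit else "ok"

    def record_failure(self, account, ip, now):
        self.block_failures[(account, self.block_of(ip))].append(now)
        q = self.account_failures[account]
        q.append(now)
        self._prune(q, now)
        if len(q) >= self.lock_threshold:
            self.locked_until[account] = now + self.lock_time
            q.clear()

    def record_success(self, account, ip):
        """A good login from a block clears only that block's counter."""
        self.block_failures.pop((account, self.block_of(ip)), None)
```

Neither limit inspects client behaviour, so a password manager filling the form is unaffected. The lockout branch does let anyone who can submit failed logins lock an account for `lock_time` seconds, so its threshold is set well above the per-block limit here.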

    2. tiggity Silver badge

      Re: DataDome behavioural analysis

      So probably running lots of js for its metrics

      .. unless js blocked

      I wonder if it even works at all with js blocked?

      I block lots of js, & don't see captchas, probably because sites that are likely to demand a captcha break so badly when I'm accessing it with my standard dubious 3rd party script blocks that I leave the site and go elsewhere (too many sites give a blank or minimal page with a lot of js disabled, when that happens I leave*)

      * There's too much shoddy design of js for everything, you can give basic information and functionality with HTML and just use js for non essential bells & whistles (or user experience improvements as the BS merchants would call it)

  2. Mike 137 Silver badge

    Why is this even necessary

    Possibly because they can see a way to monetise the data?

    I see no good reason for a 3rd party service to decide whether they think I'm a bot or not, and I can see this automation backfiring with large numbers of fallacious validations.

    The growing and non-circumventable intrusion of intermediaries between me and what I want to see on the web is not only making things more fragile - it's also contracting the view of what's out there. Such intermediaries include (obviously) search engines with proprietary agendas, but also 3rd party components that only work on the latest client side kit. So we're creating a 'digital divide' between a majority who constantly upgrade and browse with no protections and an increasingly devalued minority who either use older kit or are security aware (or both). Also yet another example of the 'ignorance amplifier' identified by Mark Pesce (taking the decision out of our hands so we lose the ability to decide).

    1. Headley_Grange Silver badge

      Re: Why is this even necessary

      As a simple end-user of websites I wholeheartedly agree, but I assume that there are other people and companies out there who, without some sort of defence, would get bombarded with sign-ups, queries, scraping, messages, and whatever else bots do to make life miserable or your website slow and unusable.

      I don't like captchas cos they are annoying and, I believe, mean that I'm giving free help to Google to train their AIs. If there are better ways to do it then I'm sure someone will come along soon and educate me.

      1. Mike 137 Silver badge

        Re: Why is this even necessary

        "If there are better ways to do it"

        There certainly are. Just a cursory look at a Gooooooogle captchas show how little thought has gone into them - not least the absolute US bias in the images, which takes for granted, for example, that everyone in the world knows what an American street sign means. Admittedly, every time we come up with a person vs. bot discriminator, the bot folks will try to find a way for their bots to pass it, but the most human attribute we have in this context (which AI doesn't have) is common sense, so that could be a good basis for the task - and probably less of a nuisance to humans as it can incorporate humour.

        1. notyetanotherid

          Re: Why is this even necessary

          > Just a cursory look at a Gooooooogle captchas show how little thought has gone into them - not least the absolute US bias in the images

          E.g. the assumption that a taxi must be yellow. Got that one yesterday with two photos of yellow taxis, but it needed me to click on a third photo which was just a regular yellow hatchback parked at the side of a road, but it did have a glass sunroof, which presumably their crappy AI identified as the Taxi sign.

          And then there is the annoyance of captchas on a mobile - nine grainy photos, three of which are off the right edge of the screen in portrait orientation and you have to guess which ones might contain e.g. a (leftpondian) hydrant.

  3. M.V. Lipvig Silver badge

    Unless I'm required

    to sign into a work website with a captcha-like system, I won't do it. A US-based automotive performance parts company associated with mountaintops routinely expects me to prove I'm a people just looking for parts. As soon as that screen goes up I close the window and send them an email detailing how much I just spent with a competitor. This year alone it's cost them 5,000USD in sales just from me. It's not my job to stop bots, it's their job, and I'm not doing it for them unless they want to pay my short-term contractor rate.

    1. Mike 137 Silver badge

      Re: Unless I'm required

      "This year alone it's cost them 5,000USD in sales"

      Sadly, the person who reads your email doesn't give two hoots about the loss of your business, and almost certainly they won't pass it to anyone who might. The isolation of business decision makers from the customer is so vast these days it's practically impossible to get their attention - about the only way is a lawsuit, and even that may not bring home the real point you're trying to make as it will be handled by the legal department whose sole interest is defeating you. The primary function of 'customer relations' and 'complaints' departments is to reject criticism and ignore customer concerns.

  4. Pete 2 Silver badge

    Locked inside an apple

    > Apple's Automatic Verification feature is the latest proof that certificates can scale as an authentication approach.

    Which relies on a person using an Apple device with their Apple account and running an Apple approved app.

    Where does this leave the freedom that the internet is supposed to be advocating?

    1. DS999 Silver badge

      Re: Locked inside an apple

      They are implementing a protocol they jointly developed with Google and Cloudflare, so it won't be an Apple only thing.

      Presumably Google will implement this for Android eventually, though you'll have to be able to upgrade your phone to that version of Android that adds it.

      At any rate this is an added convenience, not a requirement for being allowed to use the web. You will still be able to solve CAPTCHAs the old fashioned way.

  5. Randesigner

    Fingerprinting

    "The key to DataDome's verification tech is behavioral detection models that track a user's web session from the start – collecting signals ranging from the screen size and resolution of the device to the CPU or GPU it's running and the history of the pages that device goes to when on the site."

    So fingerprinting and tracking. How is this different than what Google does? How does this protect privacy? Really... how is this better?

    The bottom line is that any piece of javascript can read the contents of anything that is displayed on a page and send it back to the mothership. I just love captchas on the order confirmation page of some websites. Such valuable information to be gathered.

    1. Pete 2 Silver badge

      Re: Fingerprinting

      > So fingerprinting and tracking.

      Yes. All lovely and sweet until you get a new device and want to use that instead.

      Let's see them test the situation where your old iPhone gets unexpectedly squished by a steamroller and you buy a new Android device to take its place.

      Or you move to a new country, with a new phone number and want to take all your accounts and data with you.

      Let's see these situations actually demonstrated in the real world, not just promoted as theoretical possibilities.

  6. ChoHag Bronze badge
    Trollface

    It's a phone

    We want to see if people using phones are human? Can't we just call them and ask?
