Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 284362

Summary: blind users are unable to register for forums accounts
Product: Gentoo Infrastructure Reporter: William Hubbs <williamh>
Component: ForumsAssignee: Gentoo Board of Trustees <trustees>
Status: RESOLVED FIXED    
Severity: normal CC: deedra, email, forum-mods, jer, quantumsummers
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://recaptcha.net/plugins/phpbb
Whiteboard:
Package list:
Runtime testing required: ---

Description William Hubbs gentoo-dev 2009-09-09 21:50:14 UTC
All,

I just happened to notice (when I attempted it myself), that registering for the forums includes solving a visual captcha (typing in what you see in a picture).

There is an option to email the forums administrator, but this is not good either, since it makes a blind person wait for a response to get an account set up instead of being able to register the same way any other user can.

I would like to suggest the alternative I linked to.  Is there any way this could be done?

Also, for more information on this issue, you might want to look at http://blog.blindaccessjournal.com/search/label/Visual%20Verification.

Thanks much.
Comment 1 Antek Grzymała (antoszka) 2010-04-10 10:22:33 UTC
(In reply to comment #0)

> Also, for more information on this issue, you might want to look at
> http://blog.blindaccessjournal.com/search/label/Visual%20Verification.

Link dead.
Comment 2 William Hubbs gentoo-dev 2010-04-10 15:03:42 UTC
(In reply to comment #1)
> (In reply to comment #0)
> > Also, for more information on this issue, you might want to look at
> > http://blog.blindaccessjournal.com/search/label/Visual%20Verification.
> Link dead.

You are correct, I guess they changed their site since this bug has been opened; it was a valid link at the time.

In a nutshell though, this form of captcha, which blocks people from accessing something based on their lack of sight, is wrong, and needs to be fixed.

The article on captcha on wikipedia discusses this issue.  Also, the original captcha site, http://www.captcha.net, states that a sight that does not provide accessible captcha may be breaking the law in the US.
Comment 3 (RETIRED) gentoo-dev 2010-04-13 03:54:32 UTC
(In reply to comment #2)
> In a nutshell though, this form of captcha, which blocks people from accessing
> something based on their lack of sight, is wrong, and needs to be fixed.
> 
Even given the current CAPTCHA, blind users are hardly blocked from using the forums, simply send e-mail to forum-mods@ and account would be created, generally within a few hours; no CAPTCHA required.

> The article on captcha on wikipedia discusses this issue.  Also, the original
> captcha site, http://www.captcha.net, states that a sight that does not provide
> accessible captcha may be breaking the law in the US.
> 
Please stop trying to spread FUD, section 508 covers some, though by no means all, software procured pursuant to federal government contracts. So while following the guidelines in section 508 may be worthwhile, it is hardly a legal requirement.
Comment 4 William Hubbs gentoo-dev 2010-04-13 04:30:31 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > In a nutshell though, this form of captcha, which blocks people from accessing
> > something based on their lack of sight, is wrong, and needs to be fixed.
> > 
> Even given the current CAPTCHA, blind users are hardly blocked from using the
> forums, simply send e-mail to forum-mods@ and account would be created,
> generally within a few hours; no CAPTCHA required.

This is not a solution, because, it makes a blind person wait a few hours to gain access while everyone else can gain access immediately.

> > The article on captcha on wikipedia discusses this issue.  Also, the original
> > captcha site, http://www.captcha.net, states that a sight that does not provide
> > accessible captcha may be breaking the law in the US.
> > 
> Please stop trying to spread FUD, section 508 covers some, though by no means
> all, software procured pursuant to federal government contracts. So while
> following the guidelines in section 508 may be worthwhile, it is hardly a legal
> requirement.

I simply refered you to the original developers of captchas and what they have to say about visual captchas like the one on the forums.  I figure since they are the ones who came up with the idea they would know what they are talking about.

Comment 5 William Hubbs gentoo-dev 2010-04-14 19:01:17 UTC
(In reply to comment #3)
> Even given the current CAPTCHA, blind users are hardly blocked from using the
> forums, simply send e-mail to forum-mods@ and account would be created,
> generally within a few hours; no CAPTCHA required.

Dean, this is my concern.  A blind user will come to the forums just like anyone else, wanting to find help for an issue they are having with their system or post a question.

The current captcha system requires a blind user to wait for someone to create their account for them before they can post  their question.  Can you assure me that this will ALWAYS be done in a reasonable amount of time (say  24 hours)?  Even if that answer is yes, do you feel that it is a good thing for community relations to make a blind user wait for someone to create their account, which could take hours, before they can post their question while at the same time allowing sighted users to create their accounts immediately?

Another document to consider is the World Wide Web Consortium's working group note on this subject:

http://www.w3.org/TR/turingtest

There are alternatives such as math captcha's, phrase captchas and logic puzzles which could be used instead of visual captchas.

All I'm asking for is a reasonable accomodation, and I don't think that the response-by-email method is good because it can make blind users wait an unreasonably long time to get an account created.

Let me know what you think.

William
Comment 6 (RETIRED) gentoo-dev 2010-04-16 03:14:34 UTC
(In reply to comment #4)
> I simply refered you to the original developers of captchas and what they have
> to say about visual captchas like the one on the forums.  I figure since they
> are the ones who came up with the idea they would know what they are talking
> about.
> 
Their statement is correct, sites reliant solely upon visual CAPTCHAs would not meet the requirements set out in that statute; yours proceeded to expand that into a claim that all sites are somehow subject to those requirements, which is false. Given that you are the accessibility project lead and that your location is listed as being in the U.S.A, it seems highly unlikely that you were somehow unaware of that.

(In reply to comment #5)
> The current captcha system requires a blind user to wait for someone to create
> their account for them before they can post  their question.  Can you assure me
> that this will ALWAYS be done in a reasonable amount of time (say  24 hours)? 
Obviously not, there have been multiple occasions where the forums were either down or read only for various reasons for longer periods and additional such periods are expected to occur in the future. However, I can assure you that all such requests since I have been receiving mail to the forum-mods@ alias have been handled in under 24 hours, most in under one hour.

> Even if that answer is yes, do you feel that it is a good thing for community
> relations to make a blind user wait for someone to create their account, which
> could take hours, before they can post their question while at the same time
> allowing sighted users to create their accounts immediately?
> 
My feelings on the matter are irrelevant, as yours should be; rational assessment of the the problem at hand, potential solutions thereto or ameliorations thereof, the costs involved and benefits of each, being far more useful. Having a system which allowed any interested user to register and begin using their account immediately would, obviously, be preferable.

> Another document to consider is the World Wide Web Consortium's working group
> note on this subject:
> 
> http://www.w3.org/TR/turingtest
> 
The relevant concerns mentioned in that note have been and will continue to be addressed in whatever manner is deemed most practical by those actually maintaining the site.

> There are alternatives such as math captcha's, phrase captchas and logic
> puzzles which could be used instead of visual captchas.
> 
All of which are relatively easily, if not trivially, defeated.

> All I'm asking for is a reasonable accomodation, and I don't think that the
> response-by-email method is good because it can make blind users wait an
> unreasonably long time to get an account created.
> 
> Let me know what you think.
> 
While the current situation is hardly optimal, it is as acceptable a compromise as is presently available.
Comment 7 William Hubbs gentoo-dev 2010-04-16 19:59:13 UTC
 (In reply to comment #6)
> (In reply to comment #4)
> > I simply refered you to the original developers of captchas and what they have
> > to say about visual captchas like the one on the forums.  I figure since they
> > are the ones who came up with the idea they would know what they are talking
> > about.
> > 
> Their statement is correct, sites reliant solely upon visual CAPTCHAs would not
> meet the requirements set out in that statute; yours proceeded to expand that
> into a claim that all sites are somehow subject to those requirements, which is
> false. Given that you are the accessibility project lead and that your location
> is listed as being in the U.S.A, it seems highly unlikely that you were somehow
> unaware of that.

In my original statement, I said that a sight "might be breaking the law in the US".  I did not specifically mention section 508, because I know that there are other laws, such as the Americans with Disabilities Act, and similar laws at the  state level which could apply.  I'm not a lawyer by any means, so I don't know all of the details about how the laws work.  I was just saying that we could possibly be open to action if someone wanted to push it.  So, I stand behind my original statement about this issue, it is not false.

But let's move away from the legal issue for now.

> (In reply to comment #5)
> > The current captcha system requires a blind user to wait for someone to create
> > their account for them before they can post  their question.  Can you assure me
> > that this will ALWAYS be done in a reasonable amount of time (say  24 hours)? 
> Obviously not, there have been multiple occasions where the forums were either
> down or read only for various reasons for longer periods and additional such
> periods are expected to occur in the future. However, I can assure you that all
> such requests since I have been receiving mail to the forum-mods@ alias have
> been handled in under 24 hours, most in under one hour.

I was not referring to technical issues such as the forums  being down or read only for a time, as these would affect all users who wanted to create accounts, not just blind users.  I was specifically referring to the situation where a blind user emails forum-mods and wants an account to be created.

I appreciate  you handling these as quickly as you have, and I don't have a problem with forum-mods creating accounts for blind users, or for  anyone who asks them to.  I just don't think this should be the primary way that blind users get their accounts created.

> > Even if that answer is yes, do you feel that it is a good thing for community
> > relations to make a blind user wait for someone to create their account, which
> > could take hours, before they can post their question while at the same time
> > allowing sighted users to create their accounts immediately?
> > 
> My feelings on the matter are irrelevant, as yours should be; rational
> assessment of the the problem at hand, potential solutions thereto or
> ameliorations thereof, the costs involved and benefits of each, being far more
> useful. Having a system which allowed any interested user to register and begin
> using their account immediately would, obviously, be preferable.

We are on the same page here then.

> > Another document to consider is the World Wide Web Consortium's working group
> > note on this subject:
> > 
> > http://www.w3.org/TR/turingtest
> > 
> The relevant concerns mentioned in that note have been and will continue to be
> addressed in whatever manner is deemed most practical by those actually
> maintaining the site.

According to section 1.1, there is a false sense of security associated  with visual only captchas, and there are a number of techniques that are as affective  as visual captchas without causing accessibility issues.

Also, take a look at section 3 of this document for more ideas of how this could be done.  Yes, some of the suggestions there are theoretical, but some are not.

The issue I have with visual only captchas comes down to this.  The purpose of a captcha is to tell the difference between a computer and a human.  Visual only captchas are inherently flawed in this regard, because they can't recognize blind users as human.  I'm  not convinced, especially after reading the w3c working group note that I referred to, that a visual only captcha has enough benefits to justify this flaw.

All I am saying is that I do not agree that the email optionn should be the only option for blind users to get their account created, and I am asking the forum maintainers to research other options, and we can discuss other options here.  I'm not telling you which option to implement, but something needs to be done.

Thanks,

William
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-20 19:20:39 UTC
It looks to me like forums.g.o could start using an improved CAPTCHA implementation, regardless of the perceived inconvenience of the current implementation to specific groups of users.

Is anything technically stopping us from basically upgrading the CAPTCHA library? If not, are other resources needed to move forward with this?
Comment 9 William Hubbs gentoo-dev 2011-03-07 16:40:58 UTC
Here is more information to consider for this issue.

http://www.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha

According to this article, captchas should be the very last resort, and
other methods of spam detection should be used.
Comment 10 Deedra Waters 2011-03-19 20:49:25 UTC
forum folks anyone want to fix this pretty please? I'm a returning 
developer, can't register because i can't read the capture, and i 
definitly should not have to email anyone to get an account registered 
for this.

google has audio captures that work just as well on their websites, as 
do others.

I understand there are reasons this is enabled, however, I really do 
think that this needs to be addressed.
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-03-19 20:53:44 UTC
forum-mods:
Any reason you can't just drop in reCAPTCHA?
Comment 12 Deedra Waters 2011-03-23 21:34:18 UTC
recaptcha will only work  if there's a way for the blind folks to 
actually download the audio file. Problem with some of the audio captcha 
stuff is that the sound isn't clear enough to  be understandable. I'm 
not trying to complain here, but if you add audio captchas, we need to 
make sure that they're understandable for people. I've seen some so bad 
that they can't be understood, and i've seen some really good ones. I 
suspect to fix this it's going to take a bit of trial and error to find 
a decent compromise.
Comment 13 Matt Summers (RETIRED) gentoo-dev 2011-04-14 20:38:34 UTC
I am reassigning this to the Trustees of the Foundation, as accessibility is a legal issue. We may not be able to implement a perfect fix for this issue immediately, we must address this with an incremental solution now.

The trustees will have a discussion regarding this at the next regular meeting in May, however I am hopeful we have an interim mitigating partial solution in less time.
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-04-14 20:49:43 UTC
(adding forum-mods to the CC as they need to be in the discussion still to implement whatever is required)
williamh:
you linked recaptcha in your original bug submission, since it had audio support. dmwaters per comment 12 objects to audio, so can you can suggest a specific alternative solution that can be dropped into place like recaptcha?

As an idea I had, what if there is a email template that gets processed automatically? That would be entirely text-based, and could be subject to classical spam reduction techniques. The user MUST however fill out all of the fields of the form to pass the automation. There will be NO bounce or rejection messages, to avoid backscatter spam attackers either.
Comment 15 William Hubbs gentoo-dev 2011-04-14 23:36:05 UTC
(In reply to comment #14)
> (adding forum-mods to the CC as they need to be in the discussion still to
> implement whatever is required)
> williamh:
> you linked recaptcha in your original bug submission, since it had audio
> support. dmwaters per comment 12 objects to audio, so can you can suggest a
> specific alternative solution that can be dropped into place like recaptcha?

I don't think dmwaters objected to an audio captcha per se. The issue with most of them is that they are so distorted that it is difficult to make out what you are supposed to type.

dmwaters, I would like you to reply to this comment and tell me if you agree with what I'm about to say.

I think a good example of a solvable audio captcha is something like the one on www.slashdot.org.

> As an idea I had, what if there is a email template that gets processed
> automatically? That would be entirely text-based, and could be subject to
> classical spam reduction techniques. The user MUST however fill out all of the
> fields of the form to pass the automation. There will be NO bounce or rejection
> messages, to avoid backscatter spam attackers either.

This is a possibility too, as long as filling out the form immediately gives the user a forums account. What we are trying to get passed is the email-and-wait situation for registering an account.
Comment 16 (RETIRED) gentoo-dev 2011-04-15 08:07:22 UTC
(In reply to comment #13)
> I am reassigning this to the Trustees of the Foundation, as accessibility is a
> legal issue. We may not be able to implement a perfect fix for this issue
> immediately, we must address this with an incremental solution now.
> 
> The trustees will have a discussion regarding this at the next regular meeting
> in May, however I am hopeful we have an interim mitigating partial solution in
> less time.
A few hours delay would have saved everyone some bug spam, considering that the CAPTCHA has been disabled for two weeks running following the activation of additional anti-spam measures courtesy of tomk. This had been our intended trial period to ensure that things would not get out of hand with respect to spam or false positives, both remained under control and, as we had expected, the CAPTCHA is to remain disabled until such time as enabling one would appear, to us, to provide sufficient benefit.

(In reply to comment #14)
> (adding forum-mods to the CC as they need to be in the discussion still to
> implement whatever is required)
Thanks.

> As an idea I had, what if there is a email template that gets processed
> automatically? That would be entirely text-based, and could be subject to
> classical spam reduction techniques. The user MUST however fill out all of the
> fields of the form to pass the automation. There will be NO bounce or rejection
> messages, to avoid backscatter spam attackers either.
If and when we do enable a CAPTCHA again, we may well try something along those lines.

Marking bug as resolved as there were no other issues beyond the CAPTCHA itself cited as delaying registrations.