I am sourcing some info from the OWASP (open application security community) web site (http://owasp.org) and came across some info in their Authentication section.

CAPTCHA (Completely automated Turing Tests To Tell Humans and Computers Apart) are illegal in any jurisdiction that prohibits discrimination against disabled citizens. This is essentially the entire world. Although CAPTCHAs seem useful, they are in fact, trivial to break using any of the following methods:

• Optical Character Recognition. Most common CAPTCHAs are solvable using specialist CAPTCHA breaking OCR software.
• Break a test, get free access to foo, where foo is a desirable resource
• Pay someone to solve the CAPTCHAs. The current rate at the time of writing is $12 per 500 tests.

Therefore implementing CAPTCHAs in your software is most likely to be illegal in at least a few countries, and worse - completely ineffective.

http://www.owasp.org/index.php/Guide_to_Authentication

They are saying that their usage is illegal due to discrimination laws in place for disabled citizens.

I know OWASP is pretty good for info on security, but I have to question how serious the legality of implementing something like CAPTCHA is.

So. Can anyone reference or point me in the direction of any type of documentation confirming there is an issue of legality with using CAPTCHA? Is it specific to all countries or just U.S.?

Is implementing speech features for the CAPTCHA enough to overcome the legality?

Extra points if you can find the relevant documents to support this in Canada. As I work in Canada for a large multinational company which uses CAPTCHA extensively.

Cheers Mates!

EDIT:
I was not looking for pure legal advice on the topic, just a general understanding of whether using it has implications. I just wasn't sure as to whether it was a legitimate statement in the OWASP article as there was no reference to any documentation. Just a vague statement to the effect that it is potentially illegal somewhere. If there is potential, then I would rather act on potential than waste company time and money on securing a lawyer for something as small as a CAPTCHA. I was just asking if anyone had any reference to ANYTHING that could support the OWASP statement.

You can tell me there are chartreuse polka dotted apples out there but I haven't seen one so why would I be inclined to believe it. But if you show me one I can't refute they exist.

The purpose of this site is to find answers to questions that are relevant to:
a specific programming problem
a software algorithm
software tools commonly used by programmers
matters that are unique to the programming profession

CAPTCHA is a tool and unique to the programming profession. It may not be a software algorithm or a programming question but it is definitely relevant to what we do, and the implications of the question are important to our profession, if it does have the potential to cause legal problems then it's something we should all know about is it not?

What if you were working for a company and used CAPTCHA. What if your company ends up in court being sued because you used it? Do you think you'll be keeping your job? This may not be as relevant to hobbyist programmers, but in a corporate environment I can't just walk up to a manager and say we have to edit all these pages and find a new CAPTCHA alternative because a single page on the internet I found said so. It would be dismissed as unimportant. If it is relevant though, and I can find articles or documents that reference the legality of it, I can make my case and maybe then take it to a lawyer. But unless I have evidence to back the statement or at least reiterate it, I can't do anything.

What if you implement CAPTCHA on a site for a freelance client, if they come under legal attack guess who they're going to go after?

I was clear in my question that I was looking for any supporting references or documents for the OWASP statement.

How is this not applicable and relevant to what we do?

+8  A: 

Stating that they are 'illegal in any jurisdiction...' seems like quite a sweeping statement. You may as well say that any graphic, and certainly any site with heavy use of Flash, is illegal. The point where they tend to fall foul of the law is where they make it impossible for particular groups (typically blind users) to access a site.

Most worthwhile captcha systems these days provide an audio alternative, which should be enough to resolve the disability issues. For example, look at recaptcha (which is used by loads of sites, including this one).

Recaptcha is now owned by Google, and if they're okay with its legality, that's frankly good enough for me.

The point on owasp about hackers paying for captcha solutions to be done is a valid one, but it's far better to have some protection than none.

Finally, it's worth pointing out that neither I nor most of the people on this site are lawyers, so please do not construe anything you read here as legal advice. If you really want to know if something is illegal, consult a lawyer in your own country.

Spudley
Other than the comment about CAPTCHA being better than nothing (strongly disagree in *almost* all situations), this answer does cover the correct points. Worth emphasizing though, if your CAPTCHA solution does **NOT** include an audio alternative, you will more likely have issues. And again, disability laws **are** defined differently from country to country, and state to state... However, it's not just a question of law, it's also just good practice :)
AviD