As Internet users, we encounter the “I’m not a robot” checkbox on websites so often that it’s become a muscle memory to tick it off to confirm our humanity without further thought. But did you know there’s some fascinating technology behind this seemingly straightforward checkbox?
The “I’m not a robot” checkbox is a type of CAPTCHA, also known as the Completely Automated Public Turing test to tell Computers and Humans Apart, that’s employed on websites to prevent automated scripts and bots from performing disruptive or harmful actions on these websites. The Turing test itself was formulated by World War II codebreaker Alan Turing in 1950 to differentiate humans from machines.
British quiz show QI featured CAPTCHA in one of its episodes in 2020, in which host Sandi Toksvig asked the contestants “why can’t a robot work out how to tick a box marked ‘I’m not a robot’.” After some short discussion with the contestants, Toksvig explained that the act of ticking the box is not the point of the test. Rather, the test analyzes how you behaved before clicking the checkbox.
Older versions of CAPTCHA used to require users to identify letters and numbers, which were distorted or blurred to be undecipherable to bots. Advancements in machine learning, however, have progressed, so bots have become capable of deciphering such distorted text.
To one-up bots once again, Google improved reCAPTCHA (its own system that it offers as a free service) to use behavioral analysis. The test now examines how the cursor moves as it gets near the checkbox.
As explained by Cloudflare, human movement comes with a degree of microscopic randomness and unpredictability that bots cannot replicate. The test may also examine browser cookies to determine if the user is human. If the system fails to confirm that the user is not a bot, then the usual reCAPTCHA challenge of identifying objects in an image will appear.
While it’s great for staving off bots, the need to pass CAPTCHA tests can be detrimental to the user experience. Cloudflare offers alternatives such as Cloudflare Bot Management, Super Bot Fight Mode, and the Cryptographic Attestation of Personhood. Google itself also released reCAPTCHA v3, a new version that can still detect abusive traffic from bots but without the need for users to tick off a checkbox or perform any other user interaction.