Cloudflare’s War on CAPTCHA is a Scam and You’re the Mark

Cloudflare decided sometime in May that it was time to be mad about CAPTCHAs for the last time (kinda). Their solution to the mildly annoying little bot blockers? The internet equivalent of the key fob that gets you into the pool in the apartment complex — a solution that solves fewer problems than it creates, and relies on creating an entirely new type of online have and have not. It’s also an idea that doesn’t require any type of formal degree or over-padded resume to poke holes in. Taking less time than it takes to complete a CAPTCHA to think about the logistics of the proposal reveals the inherent absurdity of suggesting a complete replacement of everyone’s least favorite login activity.

Before I sink my teeth into the meaty buffet of bullshit that is Cloudflare’s proposal, it’s worth pointing out that the tech they fixate on as an alternative to the CAPTCHA does present a solution to some of the CAPTCHA’s problems. In some cases, such as people with visual and motor impairment, physical authentication presents a potentially life changing shift in how they interact with vital online infrastructure; for others, such as those living in non-English-speaking countries, they simply represent a solution to a problem that only exists due to a lack of interest, either financial or inter-personal, in properly maintaining a system on the part of companies like Cloudflare themselves.

While they certainly have their place, the latter problem being as easily solvable (if not more so) with a drop-down menu and actually giving a damn about your user experience should highlight that their place is as part of a larger whole, and not as the default interface for every internet user on the planet.

Let’s Start With the Math

The claim that Cloudflare leans on to try to rope the average reader into their scheme — since apparently making the world an easier place for disabled people and those who don’t speak English isn’t quite enough for them — is the amount of time we spend doing CAPTCHAs on average, a figure that they say, based on their “back of the envelope” math, works out to the equivalent of 500 years’ worth of time wasted every day. The problem? Well, they cooked that book to a char and doused it in a heaping helping of snake oil.

First the math. Cloudflare cites 4.6 billion global internet users, an average of one CAPTCHA seen per user every ten days, and an average completion time of thirty-two seconds. The math is, as they claim, relatively simple — whether done in the calculator on your phone or the back of an envelope there is no way to make the equation more complex. You can make the numbers less round, but you’d still do the same math. Thirty-two seconds every ten days comes out to 3.2 seconds a day, a number we multiply by our total internet user figure to get the time wasted in total every day, before dividing by the number of seconds in a year (31,536,000), giving us a total of 466.768 years.

Now the snake oil. If 466.768 does not seem like a number that should round to 500 considering the context, then congratulations you’re probably a reasonable person who cares about said context and paid attention in your math classes. I can’t say the same for the people behind the Cloudflare blog, which although it has a single name attached to it I’m refusing to attribute to one person. This is a PR play, and if you know what to look for, it practically screams it at your face.

Setting aside the obvious manipulation that is rounding a quantification of years on a scale that eclipses the average human life-span significantly, only one number used to calculate that figure — the average time it takes to complete a CAPTCHA — is suggested to have come from actual data, and you still have to take Cloudflare’s word on it; that data certainly isn’t representative of the whole of the internet’s supposed 4.6 billion users. The frequency at which a user encounters a CAPTCHA is an assumption, and it’s hedged as an encounter, not a completed engagement.

The lack of any information on whether these figures, particularly the time it takes to complete a CAPTCHA, were controlled against longer or shorter than average values caused by, say, an inattentive person leaving the page open, the CAPTCHA itself failing to authenticate, or someone simply clicking away leaves the 500 human year, and even the 466 human year, figure relatively useless; and that’s before you stop to consider that this data is only relevant to Cloudflare’s own, apparently insufferable, CAPTCHA implementation and not those of other providers.

Man Hours, Productivity, and Context

A single second of staring at a cloud by every person on the planet would equate to 253.678 human years of wasted time. If everyone lingers a second longer, we’d collectively eclipse Cloudflare’s absurdly rounded figure by the age of your average first grader. Employ the same disingenuous rounding tactics as the cloud service provider and we’ve eclipsed Cloudflare’s figure by a full century, or enough time to go from the last combination of crippling global austerity and pestilence to its modern day reincarnation.

Since comprehending individual people in the context of billions can be difficult, let’s work the time wasted figure Cloudflare came up with back down to the scale of a single person. It’s pretty simple, we just take that 3.2 seconds per day that all of us internet users supposedly spend on CAPTCHAs, multiply it by the number of days in a non-leap year, and then divide by sixty to get our minutes wasted.

If you’re one of the people who at least stayed awake in math and cares about context, you might have seen minutes and, in the context of “500 human years a day”, thought, “Hold on, this giant number can be boiled down to minutes a year?” Yes, 19.46667, which I’ll generously round up to 20 even though rounding to the nearest whole number would normally dictate rounding down in this case; unlike Cloudflare, I don’t need to pull more favorable numbers out of my ass to make my point. Hold onto that 20 minutes number, we’ll get back to it.

Even if the numbers were genuine, the metric they use is not. Man Hours — or Human Hours if you care more about neutral language non-representation than whether or not you should treat your employees like human beings — are nominally a measure of time traditionally used in discussions of productivity, most commonly in conjunction with measures of product produced. The broader problem with them is that they do not accurately reflect usable time, the more specific is that they’ve created a cult obsession with the impossible. It’s a figure that is easily manipulated, and largely irrelevant to the thing it is attempting to measure.

I’ve done a bit of math in this, so let’s engage in a bit more of an abstract critical thinking task. Let us assume that you and I work for app developers doing whatever task you feel we’re best suited for. We are both expected to be at work for the classic nine to five, with half an hour of the day allocated for a lunch break. How many different ways can you come up with to turn that seven and a half hours into less time spent working without intentionally wasting time? Well, I stopped for coffee Tuesday, and was five minutes late because the person in front of me that day was making a large order. And maybe you stepped out to take a personal call in the afternoon. We both used the restroom at least once, maybe more depending on our caffeine dependencies. I definitely went to have a fight with the vending machine in an attempt to stave off a combination of thirst and boredom.

More importantly, at which points in the day do you think you’re most productive? What else might alter your focus and the amount of work you’re doing without actually removing you from it? Would eliminating these little dalliances with life and remaining glued to whatever task as if by the nefarious devices of A Clockwork Orange actually make you more productive? Would holding it in all day or consuming nothing but disgusting meal replacement drinks make you a better worker? Your answer is your own, but for most people it is likely at least similar. No.

Classically, Man Hours as a measure does not care about this; it assumes time at work is time working and that all time is uniformly useful. Some attempts have been made to account for time engaged in a fruitless, sociopathic ploy to micromanage the lives of individual workers, but even “more advanced” methods lack the ability to control for enough of the variables of daily life to make it a meaningful metric when utilized in an application other than wanton harassment of employees. This is precisely because its intent is not as a measurement, but as a vector for the infliction of anxiety — a task the broader concept of productivity and the use of time as an accompanying measure is exceptionally suited for.

Save 15 Minutes In Your Morning Routine With These Great Breakfast Hacks, Clean Up Your Inbox And Get Back To What You Love With This Super Fast Trick, Stop Peeling Bananas The Slow Way, and so forth and so on. This is a now classic form of click bait, and a favorite tactic of underhanded retail marketers. Invoke the concept of wasted time to lure in an audience that has had it drilled into their head constantly that productivity, regardless of compensation, is vital to their success and well-being; then sell them on the idea that you can grant them back a chunk of their busy lives, either to increase their productivity or free them from the death grip of contemporary work. A modern cure all for the overbooked, unbalanced work life.

So Can They Even Deliver?

On paper? Sure, there’s time to be gained there, even if eliminating the source of Cloudflare’s mania only gets you back a third of a premium TV show a year and less than a day over the course of the average human lifespan. In practice? There’s almost no way that Cloudflare’s master plan to free us all from the vile CAPTCHA doesn’t make using the internet harder for almost everyone.

Spend even a few seconds of your time considering the ramifications of their proposed internet key fob, and numerous issues arise that the pushers of this idea almost certainly know about. The first is logistics, an issue that makes this even more puzzling as a proposal. While your future internet key wouldn’t require the type of high end computational power devouring natural resources and manufacturing capacity at the TSMC end of the scale, it’s still everyone in the world relying on another frivolous piece of electronic trash. A proposition that should be startling in a world that’s chewing through its sources of silica as fast as it’s heating its atmosphere.

On top of this it also needs to be compatible with any device in your possession, working as well on your Android phone as it does on your Apple tablet, agreeing with your Windows laptop and your Linux workstation. Any hiccup or slowdown in the process, even something like forgetting to slot the fob into a USB port, and a substantial amount of the time saved skipping the CAPTCHAs vanishes into the ether.

Logistics are not just manufacturing and function, though. This scheme would require one of these fobs be provided to every internet user, from the rich man in his Manhattan penthouse, to the African farmer connecting from a remote location via satellite. It needs to be compatible with decades of internet capable devices. Perhaps most importantly, to avoid simply shifting the burdens of one disadvantaged group to another, it needs to be impossibly cheap and impossibly available. Anything other than free, and anything other than omnipresent is a failure.

As someone who lives with executive dysfunction, I regularly forget things. I’m lucky in that this can be managed via methods I’ve developed over the years, but it still rears its head even with strategy and medication. I keep my keys on a lanyard, to make their absence more noticeable, but I still regularly lock them in my office. My phone and wallet regularly get days off, relaxing at home. I still regularly get in my car and press the start button, only to have it beep a warning letting me know that I’ve left my keys inside.

So what happens when I forget my “Cryptographic Attestation of Person-hood”? What happens if I lose it? If I spend twenty minutes trying to find it, and I must do this dozens of times over the course of a year, how has this not made my life worse? If I have to replace it, and the process of replacing it wastes more time than it could ever save me, how has this not made my life worse? If it breaks, and I must suddenly pay to replace it, how has this not made my life worse? What if it breaks and I can’t pay to replace it? Suddenly, to Cloudflare, I’m no longer a person. This should scare you, because it is an inevitability in this system.

Put simply, there is almost no way that this technology, presented as a total replacement for the CAPTCHA, does not simply shift a burden experienced by other people onto those like me. There is no reality in which this makes the internet more accessible, and no reasonable perspective from which to argue that it would.

More importantly, though Cloudflare insists the fobs are anonymous and secure, we should all have learned better than to believe people like them at this point. We’re two decades into the broad proliferation of digital life. Two decades of companies like Cloudflare claiming anonymity and then failing with no repercussions. Two decades of the unhackable and unspoofable being routinely hacked and spoofed. Dozens of scandals involving leaks of supposedly anonymized data, multiple revelations about how our data is used to manipulate us through services like Facebook, even Apple baking in the ability for apps to steal from our phone’s photo albums and clipboards without our knowledge.

In a world where the companies we rely on install backdoors to allow us to be spied on without a hint of resistance, there is no greater hubris than claiming that your technology is impenetrable and untraceable. There is always a vector of attack, and if it is not in the fobs themselves, then it will be in the websites and networks that use them. Or, perhaps it will be at the executive level of Cloudflare itself.

So What’s The Point?

You might be asking yourself, “So, what’s the point if it probably won’t do what they say, and it doesn’t save much time to begin with?” The answer is simple: turn expenses into profit.

Cloudflare is now a publicly traded company, and publicly traded companies have only one mandate. Make profit at all costs. Slash budgets, reduce staff, maximize revenue, build cheaper, squeeze every last drop of blood from the business stone and then find a way to get more out next year.

There is no doubt that, as a supplier of provider-side internet security resources, Cloudflare stands to profit mightily from the introduction of the system they’re proposing. It would be unthinkable in a world where anti-trust law has functionally ceased to exist for them to not attempt to control, or at least profit from, the market these little cryptographic fobs would create. More importantly for them, it would instantly alleviate the burden of solving problems created by companies like Cloudflare and Google treating the broader world as a lower class than the English-speaking “west”.

The language barrier has been solved a dozen times over, by companies that are orders of magnitude smaller. They could solve the cultural issues they speak of with the proper desire and a bit of the corporate anathema that is spending. Invest in localizing CAPTCHA, leveraging the vast stores of data the human race has compiled into slowly rotting mounds of hoarded information to find something recognizable to a person who lives in South East Asia. Anyone who actually cared about accessibility would not suggest wholesale replacement and obliteration of access redundancy.

This is a problem of their own creation, no different in its source than the litany of unwittingly racist algorithms deployed by the likes of Twitter. But why fix the problem, when you could simply remove it entirely, and replace it with something that requires less upkeep for you, and might even be leveraged to turn a profit for the vampires that have sunk their teeth into your shares? Why spend your money fixing your junk system, when you could make your users pay you to ignore the problem entirely?

This is snake oil. A salve for an ailment they have helped you imagine. If they make the sale, they’ll be a whisper on the wind before most people realize they’ve been had.

