Home Blog Google Releases an Alternative to CAPTCHA, Adding to a History of Spam Fighting Programs


Google Releases an Alternative to CAPTCHA, Adding to a History of Spam Fighting Programs

Posted by fusionbox on Dec. 16, 2014, 5 p.m.

NPR recently published an article about how CAPTCHAs may soon be an obsolete way of telling humans and computers apart. Google has proposed an alternative to CAPTCHAs--they are calling it “No CAPTCHA reCAPTCHA”--that can tell if a user is human by their mouse movements, as opposed to making them decipher distorted words.

Google’s method simply asks users to check a box next to a statement “I’m not a robot,” and based on the mouse movements used to navigate to that box, the automated program determines if you are a spammer or not. On mobile devices (where there are no mouse movements), users are asked to match images together based on a clue--for instance, choosing all of the cat pictures among a series of animal photos.

Google CAPTCHA Mobile Shot.png

Many people will likely celebrate the end of the wavy, blurry, or otherwise obscured words, but this technology isn’t particularly new. There have been alternatives to hard-to-read CAPTCHAs for years, some of which approach spam filtering in a different way.

Types of Spam Filtering

For a moment, let’s think about the different theories behind spam prevention online. Programs can filter out spam by focusing on the users or by focusing on the content itself. CAPTCHAs are an example of programs that focus on the users, distinguishing real humans from spambots using some kind of test, and blocking the latter from commenting, posting, submitting forms, etc.

Programs that block spam by focusing on content read text and use algorithms to recognize spammy patterns. People can help the program learn by marking comments as spammy or legitimate. This kind of program does not require any additional user test (such as checking a box or typing text) to function.

For the sake of usability, Google’s mouse-tracking check box solution is an improvement. Anyone who has dealt with CAPTCHA in the past knows how inscrutable the scrambled words can be. Surely, checking a box is easier on the user, reducing the friction for a particular action. However, that doesn’t mean it is necessarily the best solution.

As noted above, spam fighting programs that focus on content do not require an extra step from the user to function. They also have the added benefit of blocking spammy comments, even when they come from humans or from computers smart enough to solve CAPTCHAs as they exist today.

Some spammers will employ teams of low-wage workers to reverse CAPTCHAs. This thwarts spam fighting techniques that focus on users. In addition, as CAPTCHA technology evolves, so does the technology designed to circumvent these filters (this will likely always be the case for spam).

Content-focused filters get around this issue and improve usability. However, using a spam filter like this often means relying on some sort of third party application with a subscription.

For Fusionbox clients that use Widgy, our drag-and-drop CMS framework, we have implemented a user-focused spam fighting approach called unCAPTCHA. This is an open source solution, meaning clients are not tied to another company, as they might be with a content-focused application.

unCAPTCHA works by checking if users are running javascript. If a user has javascript enabled, they will not see anything on the form, and they will be able to continue with their action unimpeded. If they have javascript disabled, they will be asked to copy a snippet of text into a field, similar to a CAPTCHA.

The vast majority of spammers are running ‘lightweight’ browsers for their spam efforts, so they can move more quickly. This means  not running javascript, which would slow down the process. Simply checking for enabled javascript will eliminate the vast majority of spammers.

Of course, this isn’t a perfect solution (there never is, in this situation). Some advanced spammers will run javascript in their browsers, and that will circumvent unCAPTCHA.


While Google’s “No CAPTCHA reCAPTCHA” API is a usability improvement over the squiggly text of yore, it is not a particularly new technology, and it is still vulnerable in the same ways as other user-focused spam fighting techniques.

Without tying yourself to a third-party application, we feel that our use of unCAPTCHA is the best for usability and provides sufficient spam blocking capabilities for most web sites. It is worth noting that some sites will naturally be bigger targets for spammers, and these sites may require more spam filtering capabilities than unCAPTCHA can provide.