recaptcha and mcaptcha case studies

case-studies/main.tex

@@ -0,0 +1,3 @@
+\section{Case Studies}
+\input{case-studies/recaptcha.tex}
+\input{case-studies/mcaptcha.tex}

case-studies/mcaptcha.tex

@@ -0,0 +1,57 @@
+\subsection{mCaptcha}
+
+mCaptcha is a free (as in freedom), experimental Proof of Work CAPTCHA system
+that uses variable difficulty proofs. The AGPL licensing guarantees freedom of
+its users and allows for competing implementations.
+
+The system uses variable difficulty proofs to 
+\begin{itemize}
+	\item Image identification
+	\item IP tracking
+	\item Proprietary AI
+	\item Session tracking
+\end{itemize}
+
+\subsubsection{Privacy}
+Excellent\\
+mCaptcha doesn't use session or IP  tracking, so it works when used in anonymous
+networks like TOR\@.
+
+\subsubsection{Effectiveness}
+Excellent\\
+
+mCaptcha uses salts to prevent rainbow table based attacks and TTLs to ban
+stale entries. It also users a caching mechanism to prevent replay attacks. To
+combat an attack in-progress attack, the system is designed to temporarily 
+increase the difficulty of the proofs. The system also has options to
+personalise proof requirements for each CAPTCHA deployment. This allows for
+system administrators to select requirements which better suit their needs. 
+
+% TODO cite CAPTCHA farm cost analysis paper
+ease.
+\subsubsection{Accessibility}
+Good to Excellent\\
+
+mCaptcha is non-interactive, so it is fully accessible to users with all
+disabilities. To allow users on slow devices access to the service, mCaptcha has
+options to set different difficulty levels. Webmasters can use this option to
+set lower difficulties to while the website is receiving normal levels of
+traffic and set higher levels of difficulties when the website receives unusual
+amounts of traffic. Therefore, the website administrators are responsible for
+mCaptcha's behaviour on their websites.
+
+\subsubsection{Accuracy}
+Excellent\\
+
+Success and failure are absolute states in this method. A proof that fails
+verification is rejected, and a successful verification is permitted. The system
+is able to sense attacks and adapts by raising the difficulty requirement for
+all incoming users. An attacker who is presented with increased difficulty will
+either have to allocate more resources to sustain the attack or retreat in
+defeat. However, this increased difficulty might impact well behaving users too,
+but this is short-lived as the difficulty requirement will be relaxed once the
+attack is contained.
+
+Overall, mCaptcha is an attempt at strengthening the web and the internet with
+open technologies. CAPTCHAs in their original sense were used as rate-limiters
+and mCaptcha, with its PoW mechanism does just that.

case-studies/recaptcha.tex

@@ -0,0 +1,62 @@
+\subsection{reCAPTCHA}
+
+reCAPTCHA is a CAPTCHA system owned by Google. It is the most popular CAPTCHA
+system currently deployed on the internet. The system uses the following methods
+in its decision making process:
+
+\begin{itemize}
+	\item Image identification
+	\item IP tracking
+	\item Proprietary AI
+	\item Session tracking
+\end{itemize}
+
+\subsubsection{Privacy}
+Bad\\
+Google's reCAPTCHA tracks its users via IP logging and session tracking. They
+use supercookies to monitor their users' internet activity. The user can ban
+cookies from reCAPTCHA and related services but if they did, they will be
+subjected to higher difficulty puzzles or won't be allowed to access the
+service. This is one of the reasons why TOR and other VPN users face
+difficulties with the system.
+
+The system also bans traffic from TOR exit nodes and due to their proprietary
+and opaque decision mechanism, very little is known about how they blacklist
+users.
+\subsubsection{Effectiveness}
+Good\\
+
+reCAPTCHA denies access to most bots. The OCR technology used by the system is
+very sophisticated. But cheap labor powered CAPTCHA farms are available which
+offer CAPTCHA solving solutions for a fraction of what reCAPTCHA charges its
+users. This bypass is practical as it is cheap and readily available. 
+
+% TODO cite CAPTCHA farm cost analysis paper
+ease.
+\subsubsection{Accessibility}
+Bad\\
+
+reCAPTCHA was initially offering audio CAPTCHAs along with image identification
+challenges but when audio recognition technology matured and was able to solve
+most audio challenges, reCAPTCHA stopped offering audio challenges.
+
+Image identification poses challenges to users with visual and cognitive
+disabilities.
+
+The IP tracking based mechanism posses accessibility threats to users behind
+NATs and VPNs.
+
+\subsubsection{Accuracy}
+Bad\\
+
+IP based tracking produces poor results when users behind NATs and VPN encounter
+the service.
+
+
+Overall, reCAPTCHA is a serious threat to the internet as it can, in theory,
+deny access to anyone it chooses to. The decision making process is opaque and
+centralised in nature and users, service providers and visitors alike, have very
+little say in how the system behaves.
+
+Also, the popularity of reCAPTCHA allows Google to track users across websites
+and profile them which threatens the freedom of users on the internet.

paper.tex

@@ -12,6 +12,7 @@
 \input{intro/intro.tex}
 \input{pre-req/main.tex}
 \input{analysis/main.tex}
+\input{case-studies/main.tex}
 
 \input{conclusion.tex}
 \end{document}