One of the sad realities of life on the internet is that not everyone is always on their best behavior. Today I write to share with you that last week we had to integrate a CAPTCHA service into our sign up form because we were seeing a large volume of automated sign ups, presumably as a way to exploit our free trial.
It’s disappointing, as our free trial is operated in good faith as a way for people to test our service. We allow 2,500 requests per day and there is no time limit to the trial. You can test as long as you need to determine whether our service is a good match for your needs.
CAPTCHAs are a clever tool that helps to determine if the “user” on the other side of the screen is a human or a bot. Through a combination of algorithms, possibly including a little test that is simple for humans but hard for computers, the CAPTCHA service makes a judgement as to whether the user should be allowed to proceed. CAPTCHAs benefit from a very large volume of data, so they can spot patterns across many users. We don’t have sufficient volume (or time or skills) to build and run such a service ourselves, so it makes sense to use a third-party service. The downside is that we need to share some user data (for example, IP address) with that third-party service. We do our absolute best to minimize data sharing, which is why we resisted this step for a long time, but in the past few weeks the volume of automated sign ups had grown to an unbearable level. So, after evaluating a few options, we now integrate hCaptcha into our sign up pages. We have documented this on our GDPR page.
Many thanks to hCaptcha for providing this service. So far, so good: automated sign ups have been stopped. One of the best things about CAPTCHAs is that they can be used to help companies and organizations complete small tasks that only humans can do. The organizations are willing to pay for the work; that is how hCaptcha makes money and is able to keep the service operating. But the really clever part is that the earnings from the CAPTCHAs are shared with us, and we can choose to have them paid out or donate them to a charity. We’ve decided to donate 100% of our earnings to the Wikimedia Foundation, the nonprofit that hosts Wikipedia.
As a future improvement we’ll be modifying our sign up flow to only show the CAPTCHA to some sign ups we deem to be higher risk. We would welcome all further ideas people have for reducing abuse.
The fight against abuse and spammers is unfortunately never-ending. If you’d like to learn more about this struggle, over on the Geomob podcast I discussed this with my friend and co-host Steven Feldman in this week’s episode.
Happy (and secure) geocoding,