kc,
@kc@chaos.social

The Mastodon development team currently suggest enabling #hCaptcha in order to combat the current spam wave in the fediverse.

However, hCaptcha discriminates against genuine users with disabilities, preventing them from accessing your instance. So if people and inclusion are important to you, please just don't. Consider closing your public registrations instead, for the time being.

Additional info is on the thread 🧵 #MastoAdmin

kc,

Even though hCaptcha provides "accessibility", they do it by providing a so-called "accessibility cookie" that screen reader users can apply for and set in their browser. This will allow them to bypass any hCaptcha checks - but of course only in that specific browser. Many users with disabilities rely on third-party apps to which the cookie does not carry over without major technical troubles, so even if they have the cookie set up, they might not be able to access an instance.

kc,

Even when hCaptcha is only required for registration, there is no guarantee that the "accessibility cookie" actually works as intended. There are countless instances in which it hasn't, and the hCaptcha support is also known for revoking disabled users' access for "unsupported uses of the service" after they have asked for usage support.

kc,

The Captcha concept in general, in all cases, discriminates against people with cognitive disabilities and neurodivergent people the most. If one is unable to understand the visual challenges, they are also likely to not understand how the hCaptcha accessibility cookie and the sign-up procedure work.

kc,

So, again, #MastoAdmin, please refrain from requiring #hCaptcha on your instance and only use it as a very last resort, when all other measures fail. If you absolutely have to, please provide an alternative sign-up method that safely works without it.

Thank you very much, on behalf of all of us disabled users - and also on behalf of most of the not-quite superhumans here.

P.S. there are also huge privacy concerns with commercial #Captcha services.

bryansmart,

@kc @serrebi Look, everyone stop whining. These people suck. Agreed. What you should do is stop whining, and start fucking them up. Find a site, government, utility, etc. you can't access, where your only option is inaccessible captcha. Get a lawyer. Sue them in Civil Court for discrimination. Take all their money. Strike fear into others. Do it again to another company. And again. And again.

kc,

@bryansmart @serrebi Not possible in most of Europe, and certainly not in Germany where I'm from. There are no laws here that would allow for something, so "whining" as you call it is our only option.

bryansmart,

@kc @serrebi Really? I thought the accessibility laws there were fairly strong.

weirdwriter, (edited)

I love your whole thread! The feature to stop spam registrations has been there all along, make registrations invite only. The instance users can generate invite links where the person automatically follows them, even. #HCaptcha is inaccessible, even with their text based captcha. I genuinely don't understand why #Mastodon and the #Fediverse at large are so against closing down open registrations, at least until this spam wave has passed. There's enough users across instances now where we can still have an influx of users if that's what they really want. Bonus points, you get to see what user is doing the most inviting. As for how inaccessible HCaptcha is,

  1. The cookie doesn't always work. Not to mention, it won't handle VPNs or unorthodox emails.
  2. The text captcha requires perfect spelling and grammar, and, quite honestly, as a person without any mental challenges I found a lot of these text questions to give me a headache as I try and parse the answer. This makes it inaccessible to people with mental disabilities.
  3. There is no secure method to get an accessibility bypass. The #Privacy issues alone are a huge issue.
  4. The cookies break, often, similar to 1 above but if your cookie breaks, it's gonna be a pain getting another cookie.

@kc

argv_minus_one,
@argv_minus_one@mstdn.party

@weirdwriter

Making registrations invite-only would turn the Fediverse into an exclusive club. That, too, is the opposite of inclusive; it just unfairly excludes a different set of people.

I suppose we could reduce the exclusion by allowing both invitations and CAPTCHA registrations, but even that is not a complete solution.

@kc

weirdwriter,

There are text questions admins can enable so they get to know the user when they register. @argv_minus_one @kc

kc,

@argv_minus_one @weirdwriter There’s also an option that requires mod approval and answering a prompt defined by the instance, through which you can get to know your new user.

argv_minus_one,

@kc

That would probably work in this case, yeah.

If you're up against professional spammers instead of script kiddies, though, couldn't they answer such prompts using AI?

@weirdwriter

kc,

@weirdwriter @argv_minus_one They could, but at the moment it looks like the spammers ignore these instances, and they would still require manual approval. A human moderator would likely quickly spot patterns and be able to detect the AI sign ups.

argv_minus_one,

@kc

At the moment, yes, but now that the Fediverse's vulnerability to spam has been publicly demonstrated, I worry that professional spammers are going to descend on this place like locusts.

@weirdwriter

kc,

@weirdwriter @argv_minus_one That’s why many admins now call for anti-spam moderation features in Mastodon, which currently are very limited. Let’s go ahead and support their needs.

weirdwriter,

Here's a post detailing just a few admin suggestions on GitHub, nowhere near what you could find by digging in the open tickets https://todon.nl/@joenepraat/111953574223039141 @kc @argv_minus_one

kc,

@weirdwriter @argv_minus_one By the way, this would already require a scale at which the spammers could easily pay captcha solving services and get to their targets anyhow.

econads,
@econads@chaos.social

@kc also every time I solve a captcha, I'm mildly resentful at being forced to train someone's "AI"

louis,
@louis@emacs.ch

@kc hCaptcha solves nothing and just discriminates against people with disabilities. The suggestion of the Mastodon team is shortsighted.

The only solution is to switch to manual approval of sign-ups. This feature has been there forever and should be turned on by any responsible admin.

When someone runs a public instance but finds it "tedious" to approve signups, which is basically a single click, they shouldn't run an instance at all.
