LIANE HANSEN, host:
Try to buy some concert tickets or create a new e-mail account, and you're usually confronted with a puzzle of sorts. A box appears with a distorted word that sometimes isn't even a word and you have to re-type it. If you tilt your head or squint your eyes, you can usually just make it out. And that's the point.
These puzzles are called CAPTCHAs. A human can decipher them but a computer, set up by a spammer or a hacker, can't. So, to get around the problem, spammers and mass-ticket purchasers have outsourced CAPTCHA solving to teams of low-wage workers, in places like Russia and Southeast Asia. And many of them dont speak English.
Stefan Savage is a professor in the Department of Computer Science and Engineering at the University of California, San Diego. He recently co-wrote a paper on the economics of this underground CAPTCHA trade. And he joins us now from UCSD.
Welcome to the program.
Professor STEFAN SAVAGE (Internet Criminal Economics, Department of Computer Science and Engineering, UCSD): Thank you very much.
HANSEN: So there's this outsourcing of CAPTCHA-solving. How does this work? I mean you're finding other humans to solve these CAPTCHAs instead of computers?
Prof. SAVAGE: Precisely. The whole premise behind the CAPTCHA is you want to allow users to access your service, as long as they're an actual person. But you dont want to allow miscreants on the Internet to sign up for, say, hundreds of thousands of Hotmail accounts. And so you put this screen in the way that human can solve but a computer can't unmask.
So what these miscreants did in response is they simply outsourced the task of solving them to effectively sweatshop labor, where people will just sit and be given these images to solve and will type them in all day.
HANSEN: Usually these CAPTCHAs have to be solved pretty quickly to get through to the site. So how fast are these workers?
Prof. SAVAGE: They, generally speaking, can turn around a CAPTCHA in between 10 and 20 seconds. They're probably a little better at it than we are, because they do it all day.
HANSEN: But what if they don't speak English?
Prof. SAVAGE: They dont need to speak English. The beauty of most modern CAPTCHAs is that they simply take Latin characters, so they don't actually need to understand what the words mean. They simply need to be able to look at the symbols and type the appropriate ones on their keyboard.
HANSEN: How much are they paid?
Prof. SAVAGE: Very little. On the labor side, the going rate is about 75 cents per thousand CAPTCHAs solved. It's about two or $3 a day. And it's really in line with some of the lowest paid textile work around, although probably the quality of life is slightly better than being at a textile mill.
HANSEN: Is it legal to do this?
Prof. SAVAGE: That's something of a gray area. It's not clear what laws being broken in simply solving the CAPTCHAs. The solvers themselves, particularly in other countries, it's not clear that in fact to their breaking a law - even though fundamentally what they're doing is supporting a fraudulent activity.
HANSEN: Is this a big problem?
Prof. SAVAGE: No. So the interesting thing about this is that on the one hand, CAPTCHAs do not keep the bad guys out. But at the same time, they actually are effective at keeping the problem in control. So even at that very low cost - 75 cents, say, per thousand - they have to be able to make enough money, send enough spam from each one of those accounts that it ends up being worthwhile.
And so, even that very low drag turns out to be enough to weed out a huge number of the people who would play at this game.
HANSEN: Stefan Savage is a professor in the Department of Computer Science and Engineering at the University of California, San Diego.
Thank you very much.
Prof. SAVAGE: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.