Captchas

Date adopted: 
February 10, 2022
Last update: 
July 18, 2024

Don’t use captchas

CAPTCHAs are used to try and distinguish between humans and bots (automated software). They do this by having users perform a task to prove they’re human - for example, decipher and enter jumbled up text before submitting a form.

There are security, privacy, usability and accessibility issues associated with CAPTCHAs. You must not use them unless you both:

  • Limit their use to cases where you detect suspicious activity (for example, you detect bot-like behaviour and need to test whether the user is human); and
  • have evidence to show that alternative solutions will not work for your service.

Why CAPTCHAs are problematic

CAPTCHAs force your clients to manage spam and it adds an additional step to interacting with the government that has a proven drop-off rate. They also make your service more difficult for some people to use, including disabled people.

3rd-party CAPTCHA services could also introduce additional risks, including:

  • security issues - if your provider’s security is compromised, your service and its users may also be affected;
  • privacy concerns - for example, third-party services might set cookies, collect analytics and track users across multiple sites; and
  • performance issues - if you rely on a supplier, it means you’ll be affected by any performance problems or outages they experience.

Your service could still be at risk, even with a CAPTCHA in place. Advances in computer imaging and the use of CAPTCHA farms means some bots will still be able to access your service.

Alternatives to CAPTCHAs

Many of the risks that CAPTCHAs are aimed at reducing can be addressed in other ways including:

  • rate and connection limiting;
  • using honey pots; and/or
  • transaction monitoring.

Existing alternatives for services

Email [email protected] for information about existing alternatives to CAPTCHAs that you can use with your service.