hCaptcha Technical Architecture

This post details how hCaptcha works on a technical level, in the interest of providing more transparency to our users and to communicate our thinking on how to build a secure and valuable service.

Note: hCaptcha is under active development and details may change in the future.

First, a quick recap

The hCaptcha service is designed to produce datasets for machine learning. It does this by providing a useful service to website owners. Protecting their sites from non-human actors and bots via a captcha lets hCaptcha use work from site visitors that would otherwise be unproductive effort.

Everyone benefits from this:

• Website owners secure their site by placing a captcha challenge to protect against unwanted bot/spam traffic. They receive protection and compensation by using hCaptcha.
• Website visitors enjoy a site with less spam and fewer bots.
• Labeling requestors get high quality human annotations for their machine learning needs.

High Level Design

From a broad perspective, hCaptcha automates and secures datasets and transactions that take place.

When a labeling requestor comes to us, behind the scenes an Ethereum smart contract with their job details is created and launched on the blockchain:

• What sort of task is this? (eg. “add labels representing what this image consists of,” “is this translation accurate?”)
• Where can related resources can be found? (eg. location of images for image tasks)
• What is your maximum bid amount for the execution of this job on our network?

We then aggregate these job requests and provide them in the form of captcha tasks served up by the websites who use our service.

Website owners are a crucial part of this infrastructure. To incentivize them to help in this process, we use the funds in escrow provided by the requestor to pay site owners in proportion to the correct answers supplied by their users.

For website owners, the process to get involved is incredibly simple and is built to be a drop-in replacement for existing captcha services out there. Simply sign up, add our javascript tags where you want to protect your site, and tell us where you’d like the funds to be sent. It’s as easy as that.

Detecting Human Users

A common question that arises is: “how does hCaptcha know the answers to user-submitted, generic tasks if a human has never been involved?”

The answer is by combining a number of different techniques:

• Keeping track of human users vs. bot users over time and presenting them with captchas depending on their reputation.
• Using information from the client side environment to analyze data like browser data, mouse movements, and gyroscopic behavior.
• Presenting tasks multiple times in various forms, and comparing results via statistical analysis of the results.
• Using some of the latest machine learning techniques to enhance all of the above and verify the answers.

We have additional thoughts on how to improve this process down the road — this is just the beginning.

What’s Next?

There’s so much we want to do with this and we are working towards these goals as quickly as possible:

• Open-sourcing the components of our technology in the interest of security, transparency, and customization.
• Adding different types of challenges so our vision of a “human protocol” can be fully realized.
• Listening to our customers to determine what improvements will be most valuable to them.
• Using all of the knowledge and data we gain to apply this concept to other problem domains not yet served.

In the near future we also intend to release a whitepaper covering the design to improve transparency, security, and share with the world our ideas and tools.

Get Involved

If this is interesting to you, get in touch! We’re looking for talented individuals that are excited by this mission to help us build it out.

We’re also looking for both sides of the equation described above. If you can benefit from our services — get signed up!