1. Gitlab.com treats Tor users trying to register with hostility.
Access is inconvenient in some cases (e.g. GUI users), while access
is outright denied to other Tor users (e.g. terminal users with
non-GUI browsers, browsers without javascript capability, and users
who happen to use a high traffic exit node).
[FSF criteria C3][fsfCriteria] is therefore unmet.
1. Gitlab.com refuses service to users who attempt to register with a
`@spamgourmet.com` forwarding email address, which people use to track spam
and to protect their more sensitive internal email address. This means
people who approach gitlab.com to contribute a bug report
charitably are forced to compromise their own security. This
ultimately discourages bug reports.
1. Hostile treatment of Tor users *after* they've established an
account and have proven to be a non-spammer. The irony is that a
Tor user was denied collaboration with the PRISM-Break Project
(PBP) because a PRISM privacy abuser was given the power to control
who can participate. Google should not have that power over the
PRISM Break project. (note that PBP [refused][glbug] to leave
gitlab.com, so they have a hand in the oppression of their own
contributors).
Regarding the last item above, a user was simply trying to edit an
existing message that they had already posted and a CAPTCHA was forced
on them. There are several problems with gitlab.com's rampant abuse
of CAPTCHAs:
1. CAPTCHAs break robots and robots are not necessarily malicious.
E.g. an author could have had a robot correcting a widespread
misspelling error in all their posts.
1. CAPTCHAs inflict uncompensated human labor and undermine the 13th
amendment in the US (note the CIA's role in this regard). CAPTCHAs
put humans to work for machines when it is machines that should
work for humans. The fruits of the human labor do not go to the
laborer, but instead hCAPTCHA [pays][cfpaid] CloudFlare a cash
reward. Consequently the laborers benefit their oppressor.
1. CAPTCHAs are defeated. Spammers find it economical to use
third-world sweatshop labor for CAPTCHAs while legitimate users
have this burden of dealing with CAPTCHAs that are often broken.
1. hCAPTCHAs compromise security as a consequence of surveillance
capitalism that entails collection of the IP address and browser
fingerprint.
* anonymity is [compromised][grcDenanymises] (the article covers
reCAPTCHA but hCAPTCHA is vulnerable for the same reasons).
* the third-party javascript that hCAPTCHA executes could linger
well after the CAPTCHA puzzle is solved and intercept user
information and actions. They could even pull an eBay move and
[scan your LAN ports][ebay].
1. GUI CAPTCHAs fail to meet [WCAG standards][wcag] and thus
discriminate against impaired people, ultimately blocking
satisfaction of [FSF criteria C2][fsfCriteria]:
<details>
<summary>(rationale)</summary>
<table>
<thead>
<tr>
<th><strong><em>WCAG Principle</em></strong></th>
<th><strong><em>How the Principle is Violated</em></strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><em>1.1: Provide text alternatives for any non-text content so that it can be changed into other forms people need, such as large print, braille, speech, symbols or simpler language.</em></td>
<td>hCAPTCHA wholly relies on graphical images. There is no option for a text or audible puzzle.</td>
</tr>
<tr>
<td><em>1.2: Time-based media: Provide alternatives for time-based media.</em></td>
<td>hCAPTCHA has an invisible timer that the user cannot control.</td>
</tr>
<tr>
<td><em>1.3: Create content that can be presented in different ways (for example simpler layout) without losing information or structure.</em></td>
<td>When a user attempts to use <code>lynx</code>, <code>w3m</code>, <code>wget</code>, <code>cURL</code>, or any other text-based tool, the CAPTCHA is inaccessible and thus unsolvable. The website's content is thus also inaccessible. Moreover, CloudFlare attacks robots -- robots that could help provide an alternative user interface for users that are impaired or handicapped. Robots often use wget or cURL to obtain data that is presented to the user in a more useful way.</td>
</tr>
<tr>
<td><em>2.1: Make all functionality available from a keyboard.</em></td>
<td>The hCAPTCHA does not accept answers from the keyboard.</td>
</tr>
<tr>
<td><em>2.2: Provide users enough time to read and use content.</em></td>
<td>If you don't solve the hCAPTCHA puzzle fast enough, the puzzle is removed and the user must start over. Some puzzles are vague and need time to ponder that exceeds the time limit.</td>
</tr>
<tr>
<td><em>3.1: Make text content readable and understandable.</em></td>
<td>When the CAPTCHA says "select all images with parking meters", how is someone in Ireland supposed to know what a parking meter in the USA looks like? When the CAPTCHA says "click on all squares with a motorcycle" and shows an image of an apparent motorcycle instrument panel, it's unclear if that qualifies (it could be a moped). Another image showed a scooter with a fairing that resembled a sports bike. Some people would consider it a motorcycle. When the CAPTCHA said "click on all squares with a train", some of the images were the interior of a subway train or tram. Some people consider a subway to be a train underground, while others don't equate the two. The instructions are also sometimes given in a language the user doesn't understand.</td>
</tr>
<tr>
<td><em>3.2: Make web pages appear and operate in predictable ways.</em></td>
<td>It's unpredictable whether the IP reputation assessment will invoke a CAPTCHA and also unpredictable whether a CAPTCHA solution will be accepted. The time you have to solve the puzzle is also unpredictable.</td>
</tr>
<tr>
<td><em>4.1: Maximize compatibility with current and future user agents, including assistive technologies.</em></td>
<td>When a user attempts to use <code>lynx</code>, <code>w3m</code>, <code>wget</code>, <code>cURL</code> or any other text-based tool, the blockade imposes tooling limitations on the user.</td>
</tr>
</tbody>
</table>
</details>
1. Users are forced to execute [non-free javascript][nonfreejs],
thus violating [FSF criteria C0.0][fsfCriteria].
1. The CAPTCHA requires a GUI, thus denying service to users of text-based clients including the `git` command.
1. The CAPTCHAs are often broken. This amounts to a denial of service:
[//]: # (<!--I solved the hCAPTCHA, got a green checkmark, and then it looped back to an empty checkbox and I was forced to solve the hCAPTCHA for a 2nd time. And both times I had to solve 2 windows (4 windows in total [36 images]). After solving the 2nd hCAPTCHA gitlab.com brought me to a 404 error. So after all the hard work I was still blocked.-->)
* E.g.1: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
* E.g.2: gitlab.com has switched back and forth between Google's reCAPTCHA and hCAPTCHA (by *Intuition Machines, Inc.*) but at the moment they've settled on hCAPTCHA. Both have broken and both default to access denial in that event: <table>