steven36 Posted June 28, 2019

The latest version of the bot detector reCaptcha is invisible to users and has spread to more than 650,000 websites. It’s great for security—but not so great for your privacy.

We’ve all tried to log into a website or submit a form only to be stuck clicking boxes of traffic lights or storefronts or bridges in a desperate attempt to finally convince the computer that we’re not actually a bot. For many years, this has been one of the predominant ways that reCaptcha—the Google-run internet bot detector—has determined whether a user is a bot or not. But last fall, Google launched a new version of the tool, with the goal of eliminating that annoying user experience entirely. Now, when you enter a form on a website that’s using reCaptcha V3, you won’t see the “I’m not a robot” checkbox, nor will you have to prove you know what a cat looks like. Instead, you won’t see anything at all.

“It’s a better experience for users. Everyone has failed a Captcha,” says Cy Khormaee, the reCaptcha product lead at Google. Instead, Google analyzes the way users navigate through a website and assigns them a risk score based on how malicious their behavior is. Khormaee won’t share what signals Google uses to determine these scores because he says that would make it easier for scammers to imitate benign users, but he believes that this new version of reCaptcha makes it incredibly difficult for bots or Captcha farmers—humans who are paid tiny amounts to break Captchas online—to fool Google’s system.

[Image: An old version of reCaptcha.]

“You have to understand what behavior on the site should be and mimic that well enough to fool us,” he says.
“That’s a really hard problem versus the general problem of, ‘Pretend like I’m a human.’”

Website administrators then get access to their visitors’ risk scores and can decide how to handle them: For instance, if a user with a high risk score attempts to log in, the website can set rules to ask them to enter additional verification information through two-factor authentication. As Khormaee put it, the “worst case is we have a little inconvenience for legitimate users, but if there is an adversary, we prevent your account from being stolen.”

According to tech statistics website Built With, more than 650,000 websites are already using reCaptcha v3; overall, there are at least 4.5 million websites that use reCaptcha, including 25% of the top 10,000 sites. Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users’ risk levels to protect their site algorithms from malicious users and bots.

But this new, risk-score based system comes with a serious trade-off: users’ privacy.

According to two security researchers who’ve studied reCaptcha, one of the ways that Google determines whether you’re a malicious user or not is whether you already have a Google cookie installed on your browser. It’s the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. “If you have a Google account it’s more likely you are human,” he says.
Google did not respond to questions about the role that Google cookies play in reCaptcha.

With reCaptcha v3, technology consultant Marcos Perona and Akrout’s tests both found that their reCaptcha scores were always low risk when they visited a test website on a browser where they were already logged into a Google account. Alternatively, if they went to the test website from a private browser like Tor or a VPN, their scores were high risk.

To make this risk-score system work accurately, website administrators are supposed to embed reCaptcha v3 code on all of the pages of their website, not just on forms or log-in pages. Then, reCaptcha learns over time how their website’s users typically act, helping the machine learning algorithm underlying it to generate more accurate risk scores. Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there may be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner.

Khormaee would not address the way that Google uses data for reCaptcha in any way and instead referred Fast Company to Google’s terms of service, which is linked beneath the reCaptcha logo on most sites. However, there was no reference to reCaptcha anywhere in the terms of service. After this story was published, Google reached out to say that reCaptcha’s API sends hardware and software information, including device and application data, back to Google for analysis, and that the service is only used to fight spam and abuse.
Google encouraging site admins to put reCaptcha all over their sites, and then sharing the resulting risk scores with those admins, is great for security, Perona thinks, because he says it “gives site owners more control and visibility over what’s going on” with potential scammer and bot attacks, and the system will give admins more accurate scores than if reCaptcha is only using data from a single webpage to analyze user behavior. But there’s the trade-off. “It makes sense and makes it more user-friendly, but it also gives Google more data,” he says.

Google would not clarify what it does with the data it captures about user behavior via reCaptcha, only that it is used for improving reCaptcha and general security purposes.

This kind of cookie-based data collection happens elsewhere on the internet. Giant companies use it as a way to assess where their users go as they surf the web, which can then be tied into providing better targeted advertising. For instance, Google’s reCaptcha cookie follows the same logic of the Facebook “like” button when it’s embedded in other websites—it gives that site some social media functionality, but it also lets Facebook know that you’re there. Previously, Google has said that the data captured from reCaptcha is not used for ad targeting or analyzing user interests and preferences. After this story was published, Google said that the information collected through reCaptcha will not be used for personalized advertising by Google.

Perona views Google’s use of reCaptcha as an “online land grab” that strengthens Google’s hold over the internet. He thinks reCaptcha is similar in this way to other Google products like Accelerated Mobile Pages (AMP), a program to make news sites’ pages load faster on mobile devices but which has caused some consternation from publishers over whether Google is taking web traffic away from news sites.
Same goes for Google Chrome, which the Washington Post recently called “surveillance software” (I’m among those who have ditched Chrome for Firefox).

“It’s always a double-edged sword,” Perona says. “You gain something, but you’re also giving Google a little more control over everything online.” The gain is security and a better user experience, but privacy may suffer.

Google did not address any potential privacy problems and insisted that reCaptcha v3 is a matter of corporate responsibility. It sees reCaptcha v3 as a way of ensuring a safe, frictionless online experience. “Google is so deeply integrated with the internet,” Khormaee says. “We want to do anything we can to protect it.”
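The score handling the article describes (site decides per visitor, step-up to two-factor authentication), as an added example that is not part of the original post or Google's code. It assumes the documented fields of a reCAPTCHA v3 verification response (`success`, `score`, `action`, `hostname`, `challenge_ts`), where `score` runs from 0.0 to 1.0 and higher means more likely legitimate (the article's "high risk" is a low score); the threshold, token age limit, function names and sample responses are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the article); tune per site and per action.
ALLOW_AT_OR_ABOVE = 0.7
MAX_TOKEN_AGE = timedelta(minutes=2)

def decide(resp, expected_action, expected_hostname, now):
    """Map a parsed verification response to 'allow', 'step_up' or 'reject'."""
    # Reject only on hard failures: the token is invalid, was issued for
    # another site or action, or is too old to trust.
    if resp.get("success") is not True:
        return "reject"
    if resp.get("hostname") != expected_hostname:
        return "reject"
    if resp.get("action") != expected_action:
        return "reject"
    ts = resp.get("challenge_ts")
    if not ts:
        return "reject"
    issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if now - issued > MAX_TOKEN_AGE:
        return "reject"
    # A low score is a signal, not proof of automation: per the article,
    # VPN/Tor users without a Google session score poorly. Ask for a second
    # factor instead of locking them out.
    score = resp.get("score")
    if isinstance(score, (int, float)) and score >= ALLOW_AT_OR_ABOVE:
        return "allow"
    return "step_up"

# Constructed sample responses (not captured from a real site).
NOW = datetime(2019, 6, 28, 12, 1, 0, tzinfo=timezone.utc)
BASE = {"success": True, "action": "login", "hostname": "example.test",
        "challenge_ts": "2019-06-28T12:00:30Z"}
SAMPLES = {
    "signed_in_browser": {**BASE, "score": 0.9},
    "vpn_no_google_cookie": {**BASE, "score": 0.1},
    "token_from_other_page": {**BASE, "score": 0.9, "action": "homepage"},
    "stale_token": {**BASE, "score": 0.9, "challenge_ts": "2019-06-28T11:50:00Z"},
    "invalid_token": {"success": False, "error-codes": ["invalid-input-response"]},
}

def evaluate_samples():
    return {n: decide(r, "login", "example.test", NOW) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```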
xpkRAKE Posted June 28, 2019

I used to think the old text captchas were bad - I'd rather have them back than these new ones which are unsolvable, take 20 tries or just fail. I want to get that fire hydrant, find the nearest google exec and shove it where the sun don't shine.
Administrator DKT27 Posted June 28, 2019

34 minutes ago, xpkRAKE said:
I used to think the old text captchas were bad - I'd rather have them back than these new ones which are unsolvable, take 20 tries or just fail. I want to get that fire hydrant, find the nearest google exec and shove it where the sun don't shine.

Couldn't have said it better myself here.
steven36 (Author) Posted June 28, 2019

6 hours ago, xpkRAKE said:
I used to think the old text captchas were bad - I'd rather have them back than these new ones which are unsolvable, take 20 tries or just fail.

They're a pain and I've been solving lots of them for years now and I'm good at it. I read somewhere Google is using that info to make self-driving cars; I don't know how true it is but I'm sure they have a reason for everything being mostly road related. Sites could use the old style ones if they wanted, but not many do. Solve Media makes them too and they're easier than old text captchas because they use real words. Waterfox just now got them working good again. For a while when I went to a site that used them I just used the Open With addon and opened the page in Firefox, but that's been fixed. I use a VPN and never stay signed in to Google so v3 hardly lets me past without having to solve it, maybe one try out of 20 lol. Some people refuse to use sites with them. A lot of warez downloaders go to sites that don't have them because they're too lazy or maybe they don't know how to solve them, and they have to deal with shitty links and dead links.
Administrator DKT27 Posted June 28, 2019

4 minutes ago, steven36 said:
They're a pain and I've been solving lots of them for years now and I'm good at it. I read somewhere Google is using that info to make self-driving cars; I don't know how true it is but I'm sure they have a reason for everything being mostly road related. Sites could use the old style ones if they wanted, but not many do. Solve Media makes them too and they're easier than old text captchas because they use real words. Waterfox just now got them working good again. For a while when I went to a site that used them I just used the Open With addon and opened the page in Firefox, but that's been fixed. I use VPN and never stay signed in to Google so v3 hardly lets me past without having to solve it, maybe one try out of 20 lol.

People say if you long click the I'm not a robot checkbox, then you do not need to select things. Works sometimes, sometimes it does not. One of my mice broke doing that again and again. Some others say just move your mouse a lot before clicking the I'm not a robot checkbox; doing so, Google thinks you are a human and allows you to go through it.
steven36 (Author) Posted June 28, 2019

5 minutes ago, DKT27 said:
People say if you long click the I'm not a robot checkbox, then you do not need to select things. Works sometimes, sometimes it does not. One of my mice broke doing that again and again. Some others say just move your mouse a lot before clicking the I'm not a robot checkbox; doing so, Google thinks you are a human and allows you to go through it.

For me it's just as easy for me to click on cars or bridges, etc. than it is to try to fool it, but I've been doing it for years now.
Administrator DKT27 Posted June 28, 2019

7 minutes ago, steven36 said:
For me it's just as easy for me to click on cars or bridges, etc. than it is to try to fool it, but I've been doing it for years now.

I do not mind clicking them. The problem happens when new ones load on top of them after clicking them. Those are really really hard on mobile. Another thing is, Google somehow thinks small parts of the things do not matter, only big parts matter to it.
steven36 (Author) Posted June 28, 2019

5 minutes ago, DKT27 said:
I do not mind clicking them. The problem happens when new ones load on top of them after clicking them. Another thing is, Google somehow thinks small parts of the things do not matter, only big parts matter to it.

If you mess around too much and try to fool it, like keep trying to get new ones, Google will block your IP for a while and you will be locked out of the site unless you have a VPN or proxy to change IPs. I got locked out before playing around with it; they think you're a bot or addon trying to fool it.
Jordan Posted June 29, 2019

Too many clicks and weird gestures with mice would also make us robots! Problem solved!
liverpal Posted July 2, 2019

That's why I have been encountering some download sites with captcha without the boring puzzle 😂 cool
Administrator DKT27 Posted July 3, 2019

On 6/28/2019 at 8:50 PM, steven36 said:
If you mess around too much and try to fool it, like keep trying to get new ones, Google will block your IP for a while and you will be locked out of the site unless you have a VPN or proxy to change IPs. I got locked out before playing around with it; they think you're a bot or addon trying to fool it.

Google probably did not make a mistake. Maybe you are a bot after all there.
rushdie Posted July 4, 2019

Oh these tiresome captchas..... I have noticed some new problems while trying to solve the captchas for a couple of days now. No matter how many times I solve the captcha correctly, a new captcha arises with a notice that the previous captcha was not solved properly. I am so disheartened with this new behaviour that I so much wish that the whole system at the Google's that houses the captcha phenomenon burst up or got hacked with no possibility of rising up again.
This topic is now archived and is closed to further replies.