
Tell HN: In NSW, if Google doesn't track you, you can't pay Public School fees - mastazi
I have recently enabled the "resistFingerprinting" option in Firefox[1], in order to prevent tracking based on browser fingerprinting. However I have found out that once I've done that, Google's reCAPTCHA becomes almost impossible to solve.

Normally I wouldn't care too much about Google, the problem is that in Australia, reCAPTCHA is used by Westpac bank, for processing payments on behalf of the Department of Education of New South Wales. In other words, you can't pay your child's public school fees online, unless you agree to Google tracking you.

How to test:

create a form with reCAPTCHA or just use a pre-existing one like [2], then try and solve the reCAPTCHA while resistFingerprinting is set to false (default setting)[1]. Now change it to true, and try to solve the reCAPTCHA once again.

[1] https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting

[2] https://patrickhlauke.github.io/recaptcha/
======
mih
I hope Firefox turns this option on by default. Overnight millions will face a
hard time with reCAPTCHA and Google might be forced to sit up and take note.
Fantasy aside, people will simply switch to Chrome-based browsers contributing
to Firefox's dwindling market share. A win-win situation for Google.

Most Google products provide me services in exchange for tracking me, offering
a reasonable compromise. With reCAPTCHA, they exploit me as an unpaid worker
helping classify and train their ML algorithms, cost me time and wreck privacy
leaving Google and the captcha hosting website as the only beneficiaries.
Google in this case is more like a corrupt gatekeeper preventing you from
entering the town. The town can employ more friendly options, but they don't
care as long as the undesirables are kept at bay.

For those who have experience with using reCAPTCHA, is it so easy to set up and
deploy that more and more sites are switching to them? Are there no decent
non-exploitative alternatives which are tough on bots but solvable in
reasonable time for humans without being a test of patience?

~~~
lkdjjdjjjdskjd
It really annoys me when companies I do business with make me do extra work
for Google by employing reCAPTCHA.

~~~
dpwm
It truly is pervasive now, and the likelihood of being asked to select
crosswalks or store fronts or signals subjectively seems to be rising. I
question whether that would be the same if I capitulated and used Chrome.

What would once be a certain no, I now question whether Google is actively
weaponizing reCAPTCHA in the new browser wars. After all, Chrome has such a
large market share in the right places that I'd be surprised if the model
didn't take into account user agent to determine non-automated users.

The worst pattern I'm seeing now is when login forms decide to add it after
just one incorrect password attempt. I completely understand registration
forms -- but login forms?

~~~
elisaado
On the login form thing: it's to prevent easy brute force attacks

~~~
JeanMarcS
Isn’t it a bit lazy on the developers' side?

Limiting the number of errors before sending a link to reset your password
(for example, I agree there might be different ways to deal with that) is no
rocket science, and being dependent on third party for such a trivial thing
is, in my opinion, a bad idea.

~~~
dmurray
It really isn't trivial. Rate limiting is great, but not enough. If you lock
people out after a certain number of failed login attempts, you allow an
adversary to DOS your users by constantly trying to log in as them.

~~~
dpwm
> It really isn't trivial. Rate limiting is great, but not enough.

Rate limiting alone isn't a solution. But it can be part of a solution that
doesn't require reCAPTCHA.

> If you lock people out after a certain number of failed login attempts, you
> allow an adversary to DOS your users by constantly trying to log in as them.

That isn't how the pattern works. On next successful login you basically
inform the user that they need to confirm it's them with an email token. It
works well. ReCAPTCHA doesn't.
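
The pattern described in the comment above, as an added example that is not part of the thread or any commenter's code: failed attempts never lock the account, they only make the next correct password require an emailed token. The threshold, the work factor, the `LoginGuard` and `make_hash` names and the `send_email` callback are assumptions.

```python
import hashlib
import hmac
import secrets

FAILURE_THRESHOLD = 3      # assumed; the thread gives no number
PBKDF2_ROUNDS = 100_000    # assumed work factor for this sketch


def make_hash(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 hash) for storage."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Failed logins never lock the account; they add an email step."""

    def __init__(self, password_hashes, send_email):
        self._hashes = password_hashes   # username -> (salt, hash)
        self._send_email = send_email    # hypothetical callback(username, token)
        self._failures = {}              # username -> failures since last full login
        self._pending = {}               # username -> SHA-256 of outstanding token

    def login(self, username, password):
        # Unknown users get a dummy record so the same work is done either way.
        salt, stored = self._hashes.get(username, (b"\0" * 16, b""))
        _, candidate = make_hash(password, salt)
        if not hmac.compare_digest(candidate, stored):
            self._failures[username] = self._failures.get(username, 0) + 1
            return "denied"
        if self._failures.get(username, 0) >= FAILURE_THRESHOLD:
            # Correct password after suspicious activity: step up, do not lock out.
            token = secrets.token_urlsafe(32)
            self._pending[username] = hashlib.sha256(token.encode()).digest()
            self._send_email(username, token)
            return "email_token_required"
        self._failures.pop(username, None)
        return "ok"

    def confirm(self, username, token):
        expected = self._pending.get(username)
        supplied = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(supplied, expected):
            return "denied"
        del self._pending[username]      # token is single use
        self._failures.pop(username, None)
        return "ok"
```

Someone hammering the login form can only force the extra email step; the account owner with the right password and access to their mailbox still gets in.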

------
swalladge
Google reCaptcha is one of the most pervasive nasty tracking devices because
legitimate sites use it for its advertised spam protection without caring
about anything else. Suddenly you have Google able to track you on Government
sites (like opting out of myhealthrecord), Banks, Exchanges, and a myriad of
others. I hate it because they make you choose between letting Google track
you fully, letting Google track you only a bit and spend forever trying to
solve the captcha (ie if you are logged out of google or have tracking
protection on), or not using the service at all. :|

~~~
hrrsn
Even the UX of reCaptcha has seriously gone downhill recently. I wonder how
many hours per week I spend clicking pictures of busses and traffic lights. I
would rather pay than complete them at this point.

~~~
dagw
_I wonder how many hours per week I spend clicking pictures_

Where are you running into this problem? I spend an embarrassing amount of
time online and I'd probably estimate that I average around 1 minute a month
"clicking pictures"

~~~
rdbell
Spend a day or two using Tor browser and you'll feel the pain that recaptcha
causes real human users. It's beyond frustrating.

------
expertentipp
Google’s reCaptcha must die. I’m not training your AI, Google.

~~~
oferzelig
I don't get your argument.

I get the original post's argument of not willing to be tracked by Google, but
what hurts you so much in training Google's AI?

~~~
Flavius
Well, mainly because Google is a 1 Trillion $ company and why should you help
them in exchange for nothing? It's not like they're open sourcing all their
data for others to use. They use and control whatever they can in their own
interest.

~~~
darawk
You aren't the customer. The website is. They're providing a valuable service
to the website. The website is providing a valuable service to you. You get to
choose whether or not doing one unit of Google AI training work is worth using
the services of the website. Generally speaking, I find that trade to be quite
fair.

~~~
majewsky
> You get to choose whether or not doing _N units_ of Google AI training work
> _where N measures how much Google hates you_ is worth using the services of
> the website.

FTFY

------
rdbell
I wish EFF or some other privacy advocate would start making a fuss about
recaptcha.

Recaptcha will often make you retry multiple times despite obviously correct
answers. It really feels like Google is punishing users for trying to opt-out
of their data collection.

------
badrabbit
Google tracks you anyway. Do that in a VM over a dedicated VPN. The problem is
legal; your local law needs to prohibit non-consent user tracking of any form.

------
gagan2020
I think that's why they removed their motto of "Don't be evil".
[https://www.searchenginejournal.com/google-dont-be-evil/254019/](https://www.searchenginejournal.com/google-dont-be-evil/254019/)
Google is now what Microsoft used to be. And, Developers like me
end up hating Microsoft for everything.

------
xte
I do not know what Australian law says, but fortunately in France all I need
is to take a small screenshot or video, publish it somewhere and phone (at least
for now ANY public administration has human-operated public phone services)
to signal a problem. At this point normally others take the potatoes and work
for me as they should, being civil servants...

However I fear a future in which the Windows scenario of the '90s replicates
tomorrow with websites and that's far worse since actual IT growth rate and
general situation...

------
treerock
Tried enabling the resistFingerprinting option, and while it was (even more)
annoying, it wasn't impossible. Seemed to require one or two additional
screens. The slowly fading images are really frustrating, but I get hit with
them normally.

I'm also curious about how this works internationally. Surely not everyone
knows what a 'crosswalk' looks like.

------
beagle3
Can you file a legal challenge? You are being forced to do for-profit work,
for a for-profit company, to pay your public school fees.

Sure, it's just 1 cent worth of work in the grand scheme of things - but the
distance from zero to anything is much larger than the distance between 1 cent
and 1 dollar.

That's something that courts dislike much more than any tracking.

------
ForHackernews
Are there any good alternatives to reCAPTCHA? If I remember correctly, it
started as an academic/nonprofit from Carnegie Mellon to digitize books, but
then somehow got acquired by Google.

Have any academic groups looked at offering a replacement?

~~~
lwansbrough
Computer puzzles are dead. AI is too good. Anomaly detection is the future.
Track your users’ behaviour yourself, find outliers, handle them
appropriately.

~~~
Rjevski
Repost of my comment above:

"Squiggly letters" captchas are still fine. There's a lot of FUD around AI &
ML breaking them but I have yet to find an off-the-shelf tool that can break
them; and so do the spammers. Sure, you might break them if you pay a team of
computer vision scientists for a few months but that isn't profitable for
spammers, so even though they are technically breakable, in practice they're
still good enough to thwart spam & bruteforce.

------
pvg
This isn't what 'Show HN' is for. Take a look at
[https://news.ycombinator.com/showhn.html](https://news.ycombinator.com/showhn.html)

~~~
mastazi
Sorry, I actually realised that shortly after posting but it was too late to
edit, thanks to the mods for rectifying.

~~~
pvg
You can just email them if you need something edited or fixed, they're set up
with email in their cages so they're quite responsive.

------
stockkid
As someone that lives in NSW, I find this to be very sad and distressing. You
should complain to Westpac and the government to let them know that this is
not okay.

------
trumped
I was able to solve it with "resistFingerprinting" set to true but I had to
unblock Google's domains in uMatrix and it took 3 submissions. I really
dislike companies that use Google's reCAPTCHA...

------
ykevinator
I hope someone launches a captcha cracker soon as an extension.

------
sublupo
And don't think about doing that while in a country where you don't know their
native language. The challenge that Google gives you will be in that language,
with no way to change it to English.

------
polskibus
Did you file a complaint?

~~~
chris_wot
To whom?

~~~
icebraining
The Department of Education of New South Wales, I assume.

------
shard972
Are there any decent alternatives to reCaptcha?

