
Google's new CAPTCHA security login raises 'legitimate privacy concerns' - r0h1n
http://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2?r=US
======
rdl
Does anyone have good alternatives to old/new ReCAPTCHA? I've been scratching
the surface of academic research in the area, and it's all kind of messy.

(It's no great secret that CloudFlare would love to switch away from
ReCAPTCHA, for a whole variety of reasons. It's one of the things Tor users
complain about the most, but it's an issue for a lot more users than that.
We're doing a lot of stuff to reduce reliance on CAPTCHAs overall throughout
2015, but we still need a good one for some checks.)

I wonder if some kind of prize (anti-Turing prize?) would help. There's the
core algorithm/approach question, as well as the infrastructure and deployment
model question. I'm a lot more comfortable answering the latter; the former is
a black art mixture of science and art.

~~~
logn
Why not just rate limit responses? That ends up costing bot makers about the
same amount of money as captchas (which are often solved by workers earning
slave wages). This arms race will never end and if the insistence is always to
prove you're human, then humans will always be exploited for this proof.
Imagine one day when we've automated the world and the only reason humans have
to do any work is so that robots can prove they're human. This whole thing is
ridiculous.

Specifically one way to rate limit would be a cookie value that changes on
each request, the previous cookie value expires, and only the site knows what
the next valid cookie value is. Bots will pay for the cost of waiting in terms
of computing time, and in terms of memory if they get around this by
parallelization. As these costs go down due to cheaper computers, then so too
will the costs of serving the site.
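
The rotating-cookie rate limit described in the comment above, as an added Python example that is not part of the original thread. The HMAC construction, the `min_interval` delay, the class and method names and the timestamps in `demo()` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class RotatingCookieLimiter:
    """Each accepted request retires the cookie it presented and issues the
    next one, which the server refuses to accept before min_interval passes."""

    def __init__(self, min_interval=2.0, key=None):
        self.key = key or secrets.token_bytes(32)  # known only to the site
        self.min_interval = min_interval           # assumed wait, in seconds
        self.sessions = {}                         # sid -> (counter, not_before)

    def _cookie(self, sid, counter):
        msg = f"{sid}:{counter}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def start(self, now):
        """Open a session; return (sid, first cookie)."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = (0, now + self.min_interval)
        return sid, self._cookie(sid, 0)

    def handle(self, sid, cookie, now):
        """Return (status, next_cookie); status is ok, too_soon or invalid."""
        if sid not in self.sessions:
            return "invalid", None
        counter, not_before = self.sessions[sid]
        expected = self._cookie(sid, counter)
        if not hmac.compare_digest(expected.encode(), cookie.encode()):
            return "invalid", None   # retired, replayed or guessed value
        if now < not_before:
            return "too_soon", None  # cookie stays current; client must wait
        self.sessions[sid] = (counter + 1, now + self.min_interval)
        return "ok", self._cookie(sid, counter + 1)


def demo():
    """Constructed timeline for one client; returns the status of each request."""
    lim = RotatingCookieLimiter(min_interval=2.0, key=b"constructed-demo-key")
    sid, c0 = lim.start(now=0.0)
    early = lim.handle(sid, c0, now=0.5)[0]   # sent before the wait elapsed
    first, c1 = lim.handle(sid, c0, now=2.0)  # accepted, c0 is retired
    replay = lim.handle(sid, c0, now=2.1)[0]  # parallel reuse of the old cookie
    burst = lim.handle(sid, c1, now=2.5)[0]   # next cookie used too early
    second = lim.handle(sid, c1, now=4.0)[0]
    return [early, first, replay, burst, second]
```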

~~~
chrismcb
The article claims bots can solve the most distorted text with 99.8% accuracy.
I'm not that accurate. Perhaps someone can write a captcha breaking chrome
extension, so I don't have to bother.

~~~
RubyPinch
[https://chrome.google.com/webstore/detail/rumola-bypass-capt...](https://chrome.google.com/webstore/detail/rumola-bypass-captcha/bjjgbdlbgjeoankjijbmheneoekbghcg?hl=en)

the power of paying other people cents to fill in captchas

------
pilif
So if google is grabbing all your profile data via the traditional reCAPTCHA
but also makes you fill out a form, then it's all ok. But once it becomes
obvious that they are collecting the data and they are using (the already
collected) data to make it so you don't have to type in the text on the
picture, _then_ it's a privacy concern.

Or do you honestly believe they bought and continued to operate the old
reCAPTCHA out of the goodness of their hearts, never collecting all that data
that everybody is upset about now?

~~~
voidz
"Or do you honestly believe"? Really? Your choice of wording is a tactic that
spins the discussion in a way that people should recognise as a derailing
tactic by now. It attempts to make people who do indeed view things this way
feel embarrassed, and it's not even about beliefs to begin with. Please stop.

~~~
pilif
I agree. That was badly worded. Sorry. Unfortunately, by now I can't edit the
comment any more.

However, there is no technical reason why the old system would not have had
exactly the same means for tracking the user as the current system has.

If you consider that Google is mainly an advertising company and that Google's
investment into reCAPTCHA must provide them with some value, that leads me to
conclude that the old system was doing exactly the same tracking as the new
system is doing now.

The advantage is that now I don't have to type in letters while the tracking
stays the same.

------
DanBC
This sounds like Google could be violating EU laws about data protection.
We've seen that the EU is happy to enforce stupid laws (cookie notification;
right to be forgotten) so they need to be a bit careful. They at least need a
robust rebuttal to researched concerns.

------
LeoPanthera
I've been presented with this new captcha about a dozen times, and "failed" it
every single time, whereupon it falls back to the traditional squiggly text.

I run Ghostery, so perhaps passing it relies on possessing some tracking
cookies? If so, I'm happy to continue failing it.

~~~
homakov
There is no AI and other stuff this article talks about. It's just google
cookies and nothing interesting about it
[http://homakov.blogspot.com/2014/12/the-no-captcha-problem.h...](http://homakov.blogspot.com/2014/12/the-no-captcha-problem.html)

------
whizzkid
Little bit off topic but, if you use only <tab> to go to checkbox and press
space to select it, it brings up the good old "type the text in the image"
verification (distorted text).

So it thought I was a robot and fallback is to use the old captcha. Well, not
sure if this new captcha solves the problem it was intended to solve. Am I
missing something?

This is quoted from their blog post about recaptcha -->

"However, our research recently showed that today’s Artificial Intelligence
technology can solve even the most difficult variant of distorted text at
99.8% accuracy."

Here you can test it by yourself -->
[https://www.google.com/recaptcha/api2/demo](https://www.google.com/recaptcha/api2/demo)

~~~
dingaling
Oooops... It presents me with the Recaptcha image challenge but the top half
of the challenge image isn't visible on the pop-up.

1800x1280 phone screen isn't sufficient it appears.

------
vlunkr
I assumed this was how it worked. Tracking mouse/keyboard seemed a little
phony, and google is hardly a stranger to tracking personal information. It
really is a bummer that there aren't many great alternatives.

------
joshfraser
I can't imagine there are many sites using this that aren't already using
Google Analytics, which is already deeply integrated with their ad platform
and knows exactly who you are using cookies.

------
pearjuice
Friendly reminder that every request to any Google associated server comes at
the price of having your privacy invaded. Yes, this means Google Search but
also GMail, Android, reCAPTCHA, Maps (any website displaying a Google Map),
Google fonts (any website using Google fonts), Google CDN (any website using
Google CDN), G+ (any website using an integration) et cetera.

In fact, completing this list with ALL of Google's tentacles will probably
break the character limit on HN. With very few exceptions, Google's scooping
eye is there to learn more about you.

~~~
lern_too_spel
This isn't Reddit, and substance-free paranoia isn't welcome here. In
particular, some of the properties you listed are hosted on cookie-less
domains and have privacy policies that severely limit data collection.

------
andridk
I can't understand why anyone is surprised. Anything you load from Google's
servers is used to gain more insight into your online habits.

It's their core business. To learn as much as possible about people online to
be able to show them the most relevant ads.

------
hellbanner
Forgive my ignorance, is there a way I can use cookies for authentication
tracking only on websites while blocking access to screen-size, CSS etc?

------
mavhc
I'm confused as to why people would care. It's easy to block, and if so you
have to do a harder test. No one said wanting more privacy wasn't hard work.

For the 99% of people who don't care, it's a great improvement.

And if someone wants to write a better system, who's stopping them?

~~~
joosters
Great. How do I 'easily' block this on my iphone, please?

~~~
whyever
Well, I guess jailbreaking does not qualify as easy, does it?

------
homakov
So what? Kind of useless article, nothing new.

------
blueskin_
It's google. By this point, if anyone is really surprised they hate privacy,
they have clearly been living without any internet or newspaper access for the
last 10 years.

