
Judge tosses proposed class action accusing Google of CAPTCHA fraud - pavornyoh
http://arstechnica.com/tech-policy/2016/02/judge-tosses-proposed-class-action-accusing-google-of-captcha-fraud/
======
jonas21
This bit from the judge's ruling underscores how ridiculous the lawsuit is:

> In addition, at oral argument, Plaintiff did not represent that if given
> leave to amend she could allege that had she known the second reCAPTCHA word
> was used to assist Google with its other services she would not have
> completed the reCAPTCHA. To the contrary, counsel represented that he had
> not asked Plaintiff and he did not know what she would say. (Dkt. No. 60 at
> 20:23-25.) Such question, of course, should have been asked and answered
> before this lawsuit was filed and pursued in two states. Regardless, it
> defies common sense that the answer would be yes.

[1] [http://boothsweet.com/wp-content/uploads/2016/02/Google-Order-Granting-Dismissal.pdf](http://boothsweet.com/wp-content/uploads/2016/02/Google-Order-Granting-Dismissal.pdf)

~~~
pbnjay
This. Fraud generally requires that the victim rely on the "fraudulent"
statement to decide to move forward (e.g. solving the captcha). So even if you
assume that the terms "free" and "security" were intentionally meant to
deceive, you'd have to prove that the user would not have otherwise signed up
for Gmail if those labels had been different.

The fact that they didn't cover this important point is ridiculous.

~~~
will_brown
Just playing devil's advocate, but look at the UI. The box I saw says
"CAPTCHA" and "type these two words". So the argument for fraud would be that
50% of words Google solicited under the guise of CAPTCHA were actually used
for the sole economic benefit of Google's other services. Maybe on a count for
fraud the plaintiffs can't prove that they would not have created a Google
account having known the 2nd word was not for CAPTCHA; however, the Plaintiffs
could certainly prevail on an unjust enrichment claim.

As the company who invented the anti-trust defense "competition is only a
click away", Google should equally be capable of acknowledging there is
absolutely no burden on Google to create 2 boxes for new users, one identified
as CAPTCHA, and the other as a crowd-sourced word to be used for Google's
other services.

------
cbhl
Distorted text isn't even used in reCAPTCHA all that much anymore -- Google
used a Deep Convolutional Neural Network and got over 90% accuracy in reading
street numbers in Street View, and 99.8% accuracy in solving distorted text
reCAPTCHA ([http://arxiv.org/abs/1312.6082](http://arxiv.org/abs/1312.6082)).

Most users will just check a "I'm not a robot" box now; and if you do get a
test, it will likely be a computer vision / image labeling problem:
[https://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html](https://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html)

~~~
mikeash
I wonder what will happen once there are no more problems left that 99.9% of
humans can solve in a short time, but computers can't.

~~~
cyorir
Generally, the point of a CAPTCHA is to prevent automated use of a service. If
we get to the point where CAPTCHAs no longer work in preventing automated
access to services, we need to look for atypical use of services.

For example, if a computer passes a CAPTCHA in order to use gmail to automate
the sending of spam emails, look for users that mass-spam; typical users won't
do that. On the other hand, the computer may try to approximate the usage of a
typical user to avoid detection. But if you can't distinguish automated use of
your service from typical use of your service, then at that point maybe it
doesn't matter so much.

~~~
rms_returns
Another alternative to CAPTCHA is the obvious three-factor authentication.
Send a random code to your mobile number, if it's really you, you can verify
yourself by entering that number on the web-page.

Another way is to send the same using email which is a bit more convenient
than sending it to cell-phone.

In other words, we need to keep inventing more sophisticated ways of telling
the difference between humans and computers (and the great progress in the
field of AI is certainly going to push us to do that more frequently)

Looking for atypical use of services is something that we should be already
doing, but there are limits to those. The said users you are talking about
keep churning new email addresses and hide behind dynamic IP ranges of
countries like Mongolia or Kyrgyzstan over which we have no control. We can't
tell the difference between good/bad IPs for traffic coming from there,
otherwise there is no need for Google to keep re-inventing the CAPTCHA every
few years.

------
Robadob
Surely the spare word allows the dictionary of potential CAPTCHA words to add
a new word for every CAPTCHA solved (sure they probably run them past many
users for validation purposes). This effectively allows the CAPTCHA service's
dictionary to scale/evolve continuously, preventing an anti-CAPTCHA service
from 'learning' the whole dictionary.

I thought this was the entire point of re-captcha, so regardless of the 'time
necessary to complete' element, their case doesn't seem very well thought out.

~~~
user_0001
anti captcha (against recaptcha) works via captcha farms, the biggest being
deathbycaptcha.com. $10 gets you about 10k solved captchas.

They work quite well. I tend to get about a 1 out of 5 correct of the squiggly
words, whereas the service is more like 4/5

I am not aware of any successful dictionary attack on recaptcha. And the only
OCR technique to bypass recaptcha was by xrumer[0], but that was a few years
ago

[0]xrumer: once popular forum spamming software waned in popularity /
effectiveness in recent years

~~~
mchahn
deathbycaptcha.com is ...

> A hybrid system composed of the most advanced OCR system on the market,
> along with a 24/7 team of CAPTCHA solvers. An average response time of 11
> seconds,...

My understanding is that this is mostly humans in third-world countries
staring at a screen and working for peanuts (or maybe less than the value of a
peanut). I don't see how any system for recognizing humans can succeed against
real humans.

------
Someone1234
The judge's argument makes sense to me, and seems right.

But I'd argue that the CAPTCHA itself is a greater benefit to the end user
than the cost (not just Gmail or Google Maps). If Google had to stop using OCR
CAPTCHA tomorrow, they would have to use an alternative, and frankly most of
the alternatives are worse. Further still, without the ability to hinder bots,
services like Gmail couldn't exist.

Arguing that Gmail is a greater benefit than the CAPTCHA costs to complete is
fine, but potentially leaves the gate open to sue later because someone finds
a service which they claim doesn't benefit the end user (e.g. paying a bill).
Arguing that the CAPTCHA method itself has more benefit than cost completely
destroys any future lawsuits.

~~~
aluhut
What a sad world. We have a pretty reasonable judge with a reasonable verdict
that seems obviously right but you can be sure there is automatically a bunch
of lawyers looking for loopholes to crash it all and make money on it.

Sometimes I have the feeling like the whole judicial apparatus has gone from
solving real life problems to creating absurd problems that allow you to sue
somebody.

~~~
rayiner
Like everything in life, there are two sides of the coin. When I was in law
school, I worked with a small town in central Illinois that Big Chemical Co.
had left polluted with heavy metals after a decades-long mining operation.
Making headway in the lawsuit was extremely difficult because of all the legal
barriers put in place to protect defendants. The legal system has become very
unfriendly to plaintiffs over the last 20-30 years and it's affecting a lot of
legitimate cases.

~~~
toomuchtodo
Why would the EPA not be taking that case? And extract a financial penalty for
Superfund cleanup?

~~~
rayiner
EPA and state departments of environmental protection have limited resources
to take on these cases, prove them up, and follow-through over the years it
takes to do cleanup. In our case, Illinois EPA actually entered into a consent
decree with defendants regarding the site, and defendants argued that the
consent decree preempted our common law claims. But IEPA pretty much ignored
enforcement for 15+ years. So we were stuck in a situation where enforcement
power had been shifted from the courts to the agency, but the agency wasn't
interested in acting.[1]

What ultimately happened was that regime change happened at IEPA and they got
serious about enforcing the consent decree. But that still doesn't compensate
the townspeople. Good luck getting someone to buy your house in a former
superfund site, even if the heavy metals on the school grounds have been
cleaned up to a reasonable, cost-effective standard.

[1] This problem is recurring. Agency enforcement is a _lot more efficient_
than lawsuits. But agencies only have the resources to go after the biggest
fish for the most egregious violations. And they're far more susceptible to
political pressure ("you can't sue XYZ, they have 10,000 jobs in our state!")

~~~
toomuchtodo
Thanks for taking the time to respond, I appreciate it.

------
xixi77
Quite a frivolous case, nice to see the legal system working for once.

One interesting thing I've learned from the court rule though: apparently
software delivered online and through downloads does not qualify as a good or
service under California's Consumer Legal Remedies Act, unlike boxed
software delivered on physical media (pp.14-16)

------
seanwilson
What a bizarre lawsuit. Even if the CAPTCHA required 30 mins of work for a
free gmail account and that work was used for significant gain for Google
only, why would you be entitled to compensation?

~~~
tyingq
Not that I agree with it, but the premise is this...

- reCaptcha presents 2 words for the end user to solve

- the purpose of the second word has nothing to do with security. The word
itself is not known to Google.

- the "fraud" is that Google is deceiving you into helping them decipher the
second word for their own financial gain

(paraphrasing from
[http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?articl...](http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1904&context=historical))

Edit: Please note that I am not in agreement with the premise above...just
trying to summarize it.

~~~
comex
Not mentioned is that it actually _does_ have something to do with security,
because once enough users have transcribed a word, in addition to it being
returned to the digitization project, it can be used for future CAPTCHAs as a
known word. According to Wikipedia, this was at least historically the case
for reCAPTCHA.
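
The mechanism Robadob and comex describe above, as an added example that is not part of the thread and not Google's code: only the control word is graded, the unknown word collects votes from solvers who passed, and it is promoted to the control pool once enough transcriptions agree. The quorum of 3, the class and method names, and the image ids and words are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

QUORUM = 3  # assumption: matching transcriptions needed before promotion


class TwoWordCaptcha:
    """Toy model: one control word (answer known) plus one unknown word."""

    def __init__(self, known, unknown_ids):
        self.known = {k: self._norm(v) for k, v in known.items()}
        self.unknown = set(unknown_ids)    # images with no verified text yet
        self.votes = defaultdict(Counter)  # image id -> transcription tallies

    @staticmethod
    def _norm(text):
        return text.strip().lower()

    def challenge(self):
        """Pair a control image with an unknown one (fixed order for the demo)."""
        return min(self.known), (min(self.unknown) if self.unknown else None)

    def submit(self, control_id, unknown_id, control_text, unknown_text):
        """Grade only the control word; count the other word only on a pass."""
        if self._norm(control_text) != self.known[control_id]:
            return False  # a failed solve contributes no vote
        if unknown_id in self.unknown:
            guess = self._norm(unknown_text)
            self.votes[unknown_id][guess] += 1
            if self.votes[unknown_id][guess] >= QUORUM:
                # Enough agreement: the word joins the control pool.
                self.known[unknown_id] = guess
                self.unknown.discard(unknown_id)
                del self.votes[unknown_id]
        return True


def demo():
    """Constructed sample: img-1 is a control word, img-2 is unread scan text."""
    c = TwoWordCaptcha({"img-1": "morning"}, ["img-2"])
    ctrl, unk = c.challenge()
    results = [
        c.submit(ctrl, unk, "morning", "Upon"),
        c.submit(ctrl, unk, "mourning", "upon"),  # control wrong: vote dropped
        c.submit(ctrl, unk, "morning", "xyz"),    # passes, but a lone outlier
        c.submit(ctrl, unk, "morning", "upon "),
        c.submit(ctrl, unk, "morning", "upon"),
    ]
    return results, c.known, c.unknown
```

In the demo the "xyz" submission still passes, because the unknown word is never graded at solve time; it simply never reaches the quorum, while "upon" does and becomes a control word.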

------
hackuser
What concerns me is the attitude that users can be used and manipulated
without their permission or knowledge; they have no choice or right to be
informed, in this or in tracking or in many other situations. They are just
objects of commerce to the developers, not human beings. This leads to bad
practices like widespread confidentiality violations, free-to-play user
manipulations [1], and the sorts of manipulation of customers practiced in
places like Wall Street.

My feeling these days is that either you're on the inside or you're a sucker.

(On the level of fairness and justice - I don't know enough to comment on
legality - I don't think this particular incident rises to the level of
damages. However, Google could just display, _In return for our free service,
please help our computers read this word! Even Google's computers can't do
everything - read more about it <here>._ - Why not disclose it if you are
doing nothing wrong? If you don't disclose it, you're manipulating people.)

[1] [http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/](http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/)

~~~
grkvlt
From the reCAPTCHA site itself:

> reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are
> solved, that human effort helps digitize text, annotate images, and build
> machine learning datasets. This in turn helps preserve books, improve maps,
> and solve hard AI problems.

That seems like disclosure to me?

~~~
hackuser
Thanks for pointing that out. Having filled in many CAPTCHAs, I was unaware of
that disclosure. Assuming I'm representative, I don't think it's meaningful to
disclose something where very few will see it - for example, burying it in a
EULA doesn't help either.

------
throwaway6845
> As Google suggests, it strains credulity that Plaintiff or class members
> would forego access to a free Gmail account and higher quality Google Books
> or Google Maps because their brief transcription of a single word might,
> indirectly or directly, facilitate Google’s profit earning

Call me a data point to the contrary. I don't use gmail or Google Books at
all, and Google Maps rarely. I contribute to OpenStreetMap. It sticks in the
craw that whenever I use any Google Captcha-enabled site (even if the site's
not owned by Google) I'm helping to increase the quality divide between Google
Maps and OSM.

~~~
wvenable
It really sticks in your craw that you are improving the quality of data, just
because that data belongs to Google? Seems petty.

~~~
creshal
Why should I help Google make money, for free? I'll gladly discuss their
employment options if they need my help.

~~~
wvenable
You are helping Google make money for free whenever you are using one of their
services. I fail to see the moral issue with that. If you don't want to help
Google make money, don't use them.

~~~
Thirdegree
In their defence, reCaptchas are fairly ubiquitous. Very difficult to avoid.

------
ChuckMcM
I have always found Google's way of getting data at the same time as some
other activity pretty clever. Offering a free 4-1-1 (directory) service for
phones so that you can collect millions of minutes of voice recognition code
with various accents? Seemed pretty brilliant to me. Using a security
technique to fix hard to fix otherwise OCR errors? Also pretty clever.

When you think like that, all sorts of interesting things come out. For
example, something I don't think anyone has done but could be pretty amazing,
put a camera in a store which tracks gazes, set up a set of mannequins with
different looks and compare male and female gaze time. Sure it used to be you
could change the window display and count sales, this is so much more
informative than that.

So are you using their interactions for your own benefit? Sure. Is this a new
phenomenon? No. I totally think the judge called it on this one.

------
MidoAssran
Is it just me, or does it seem like Google is being the target of a large
number of obscure lawsuits lately (especially in Europe)?

------
LoSboccacc
OT, but arstechnica is now using the shitty mobsweet ad network making reading
the article impossible on mobile - and they complain when the users fight
back!

------
ck2
I wish people would stop feeding the class action lawyers.

There are plenty of legit class actions and stuff like this diminishes them.

~~~
kodis
It really does serve to make lawyers look like extortionist thugs. Had the
lawsuit gone forward, it would have been funny if Google had proposed
compensating everyone -- lawyers and "victims" alike -- with free Gmail
accounts.

~~~
morgante
Even better, it should have offered exactly what the plaintiffs claim was
stolen from them. It would tell the plaintiffs what word is in an image of
their choice.

------
gcb0
At least captcha worked and helped digitalize books.

After Google bought them and moved to useless training for their image
classification, which helps nobody, I was simply banned from contributing to
all sites that demand captcha. Because it simply refuses to work with my
phone.

------
hiby007
So what is the future?

Will all sites that used Google captcha be affected by the result of this case?

~~~
ceejayoz
The "result of this case" is its being tossed out of court, leaving it with
zero effects.

