
Are You a Robot? Introducing “No CAPTCHA ReCAPTCHA” - r721
http://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html
======
userbinator
"If we can collect behavioural data from you, and it matches closely the
behaviour of other humans, you are a human. Otherwise you're not a human."

Does anyone else get that feeling from the description of what Google is
doing? I've tripped their "we think you are a bot" detection filter and been
presented with a captcha countless times while using complex search queries
and searching for relatively obscure things, and it's frankly very insulting
and rather disturbing that they think someone who inputs "unusual" search
queries, according to their measure, is not human. I have JS and cookies
disabled so they definitely cannot track my mouse movements and I can't use
this way of verifying "humanness", but what if they get rid of the regular
captchas completely (based on the argument that eventually the only ones who
will make use of and solve them are bots)? Then they'll basically be saying
"you are a human only if you have a browser that supports these features,
behave in this way, and act like every other human who does." The fact that
Google is attempting to define and thus strongly normalise what is human
behaviour is definitely a big red flag to me.

(Or maybe I'm really a bot, just an extremely intelligent one. :-)

~~~
xtracto
> and it's frankly very insulting and rather disturbing that they think
> someone who inputs "unusual" search queries, according to their measure, is
> not human.

Insulting? How is that insulting? You are entitled. You are entitled you block
scripts, use Google's FREE service to perform any search query to search the
web while blocking any program that attempts to identify you as not a bot.

But if while using their free service they cannot identify you as a human
given the factors they measure (because you actively disabled the programs that
measure such factors), then I see nothing wrong in them trying alternative
ways (which were a standard before).

I think you are making a storm in a teacup. If you feel offended by the way
their website works, just don't use them. I don't see any red flags at all.

~~~
forgottenpass
_You are entitled._

Has calling someone entitled ever been useful? For the last few years it's
felt like nothing more than a petty "you're wrong" remark with bonus
condensation built right in.

~~~
slayed0
Do you mean condescension? Not trying to be a smart ass, I just got a chuckle
out of the word choice.

~~~
pcthrowaway
There you go, being condensing again.

------
provemewrong
They've been doing this for a while. With recaptcha, you got easier captchas
(a single street number instead of two words) if the system thought you were
human. There was an official post about this a year ago. [1] Now they have
probably improved the system enough to be confident in not showing captcha at
all. It's nothing revolutionary. If it thinks you're a robot, you still get
the old captcha. [2]

[1] [http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-j...](http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-just-got-easier-but-only-if.html)

[2] [http://i.imgur.com/pCKS8p5.png](http://i.imgur.com/pCKS8p5.png)

~~~
chuckcode
Am I being paranoid when I think that offering this "free" service is a great
way to track people over even more sites and usually the most important
conversion pages that don't have the usual google display ads? I don't see a
big technological innovation here as it appears that mostly they are checking
your cookies to see if they recognize you.

~~~
throwaway234
Every "free" service from Google has the end goal of serving you personalized
ads. That's their business.

~~~
chuckcode
Certainly correct. I guess it is new for me that I'm requiring my users to
give their data so they can be served personalized ads.

~~~
tracker1
And there are a number of sites using Analytics, Adwords/Adsense, DFP and a
number of other points of connection. They've already offered/bought
recaptcha, all this does is make it easier for most people (who have cookies
and JS enabled).

------
cJ0th
It says that they do take mouse movement into account but the cookie part
makes me feel a little uneasy:

> IP addresses and cookies provide evidence that the user is the same friendly
> human Google remembers from elsewhere on the Web.

If this becomes a trend then major commercial websites will become unusable
for people who are not accepting (third-party) cookies. "Because those damn
bots" is a straw man argument to make people trackable by assuming that there
are no other usability improving methods that don't track the user (which I
think is highly unlikely).

~~~
Pwntastic
It's only used to generate a confidence level.

"In cases when the risk analysis engine can't confidently predict whether a
user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more
cues"

So if you have cookies disabled, you'll probably just get a regular captcha

~~~
cJ0th
okay, that's reasonable.

~~~
TallGuyShort
But then a bot need only copy a human's mouse movements and disable cookies
and we're back to the status quo.

~~~
notatoad
Sure, for the bot. Captchas are pretty effective against bots, what's wrong
with presenting the status quo to a bot? This is meant to improve things for
the real people. I will appreciate not having to decipher some strange text.

~~~
TallGuyShort
I'm just not convinced from what's been shown that they'll have a long-term
ability to distinguish between human mouse movements and those of a bot. So
I'm curious as to really how one can keep this in place before it's overrun by
spam and you need to make it more difficult anyway. More power to them if it
works, but they're pretty light on details that inspire confidence, IMO.

------
ricg
It's definitely not only relying on cursor movements. A simple
$('iframe').contents().find('.recaptcha-checkbox-checkmark').click() proved
that I'm not a robot, without me touching the mouse.

~~~
1Hz
The cursor movement story seems to be a smokescreen to dilute the fact they're
actually running an internet wide monitoring network, tracking users from site
to site and building profiles on them.

~~~
echeese
I'm not sure where cursor movement was mentioned, other than the comments.

~~~
ifdefdebug
I read it in the wired.com article about this also submitted to HN: "And
[Vinay] Shet says even the tiny movements a user’s mouse makes as it hovers
and approaches a checkbox can help reveal an automated bot."

~~~
echeese
I guess it's a lot more complicated than it looks at a cursory glance.

~~~
enneff
It's almost as if Google is playing its cards close to its chest to avoid
tipping off people intent on defeating its captchas!

------
_wmd
Who wants to place bets on the "potential robots" more likely to be those
without Google cookies or a Google Account?

~~~
Jgrubb
I can't think of many better uses for the menagerie of different tracking
methods that they have planted on me, to be honest.

~~~
debacle
Well if you ever run for political office it's going to save them a boatload
on campaign contributions.

~~~
Jgrubb
Eh, you never know. Attitudes toward certain improprieties have moderated in
recent years...

~~~
forgottenpass
So what? Other once acceptable behavior is no longer tolerated.

There is always a center, just because it moves doesn't mean that people can't
be a socially unacceptable distance from it.

~~~
Jgrubb
I suspect you have mistakenly stumbled into a lighthearted thread with an
overly serious mindset.

------
Someone1234
I recently added recaptcha to a site and got this version.

From an implementation standpoint it is utterly painless. The client side is
copy/paste from Google's site and the PHP/server side was this:

    
    
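    // request_var() and $request come from the surrounding application.
    // URL-encode both values so they cannot alter the query string.
    $recapchaURL = 'https://www.google.com/recaptcha/api/siteverify?secret=600SZZ0ZZZZZIZi-ZZ0ZEHZW1000Z_0ZZZ00QZZ'
        . '&response=' . urlencode(request_var('g-recaptcha-response', ''))
        . '&remoteip=' . urlencode($request->server('REMOTE_ADDR'));
    $recapchaRespone = file_get_contents($recapchaURL);
    // file_get_contents() returns false (not null) when the request fails.
    if ($recapchaRespone === false)
    {
        print("Recaptcha failed. <more error msg>"); return;
    }
    $recapchaResponeJSON = json_decode($recapchaRespone);
    // Fail closed: accept only a decoded object whose "success" is boolean true.
    if (!is_object($recapchaResponeJSON)
        || !isset($recapchaResponeJSON->success)
        || $recapchaResponeJSON->success !== true)
    {
        print("Recaptcha failed. <more error msg>"); return;
    }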
    

Most of the time it just gives you that one checkbox, but if you use the form
multiple times (e.g. testing) it starts to give you the classical text entry
box. I have no idea how it works fully and this article only sheds little
light on it.

~~~
timtadh
Is that your actual secret? You might not want to reveal that/you should get a
new one.

~~~
Someone1234
It is not. I kept the length and style the same to give a better example, but
replaced most of the characters with 0s and Zs.

------
Aissen
So now spammers will use botnets… Oh wait, they already do.

They already have the botnets. Now they need to use those end-user machines as
proxies, using the credentials already on the machine. They just need to
figure out the other parameters: maybe it's running js code? Then you can use
a browser engine/selenium. Maybe it's the click pattern? Just generate the
json data and send it. They can even apply the same machine learning
techniques to figure out the best way to circumvent the captchas.

And the escalation continues.

~~~
rudolf0
Yeah, I feel like it won't be too long before spammers start finding ways to
emulate users without having to solve any CAPTCHAs. Google is likely going to
need to switch their 98%/2% to something more like 80%/20% (that is, 20% of
users will still need to enter CAPTCHAs).

~~~
kuschku
I am using a small tool that I wrote to integrate Google Keep and other Google
stuff with KRunner and so on, and this tool (essentially being a dumb bot)
also passes all the Captchas.

I’d say malicious authors would have it really easy now.

------
nojvek
Computer Vision guy here. Okay so you've made some improvements for normal
users.

The captchas are still the same old, just not shown every time. Still can be
cracked with latest neural net techniques. The visual matching stuff can be
guessed 6/10 times.

You still have audio captchas, that can be cracked.

If all fails you still have cheap labour from third world countries. I don't see
why this is revolutionary?

Google will now have their captchas present on every site and start logging
user behavior in the name of identifying bots. Who says they won't use the
data to drive their ad empire?

~~~
TheCraiggers
Even if the success rate of detecting robots stays the same, I would say this
is still a win because the majority of humans won't have to mess with it any
longer.

Even better: those with various disabilities won't have to mess with it. My
parents' only disability that I know of is near-complete computer illiteracy
and I can tell you from experience that every time they're presented with a
normal CAPTCHA it's like somebody just handed them a Rubik's Cube and told
them to solve it before they can create a profile. In every case I know of,
they just turn the computer off and walk away. Now, these are what I would
call normal humans (don't tell them I ever said that) so I can only imagine
how aggravated those with visual and/or auditory problems get when presented
with a crazy CAPTCHA. And when your revenue comes from getting people to
submit these, I can see it still being a boon to the website, even if all they
did was lower the barrier of entry _for humans_.

------
username223
My guess is it's based on the tracking data they already collect on most
people. I try to avoid it, so I get stuff like this:

[http://i.imgur.com/6mGYsav.png](http://i.imgur.com/6mGYsav.png)

I have no idea what that second word is supposed to be, so if you use this, I
probably won't use your site.

~~~
lnanek2
It isn't user friendly, but often with that type it doesn't care what you
enter for the tough to read word. The easy to read word is your test. The
other is a way to harness people to do difficult OCR tasks. Some web sites
have had fun organizing entering dirty words for the tough to read ones
regularly to mess with the results :)

~~~
TimJRobinson
It's actually the other way round for the Captcha posted and most recaptchas
I've seen. The easy to read word is the OCR and the hard one is the real
captcha.

------
joshfraser
Here's the JavaScript behind it:
[https://www.gstatic.com/recaptcha/api2/r20141202135649/recap...](https://www.gstatic.com/recaptcha/api2/r20141202135649/recaptcha__en.js)

It's hard to see what's sent over the wire (it's obfuscated), but the source
gives you a good idea of what they're collecting. The biggie is the GA cookie
which is running on over 10 million sites. Like any CAPTCHA, this is still
breakable -- just load your actual cookies into Selenium or PhantomJS and
replay your mouse movements. Of course, once you do that more than a couple
times, you'll likely have to write a crawler to generate fresh cookies. At
that point, you may as well just break the visual CAPTCHA which is trivial
anyway. I.e., you should still never use a CAPTCHA
([http://www.onlineaspect.com/2010/07/02/why-you-should-never-...](http://www.onlineaspect.com/2010/07/02/why-you-should-never-use-a-captcha/)).

~~~
rtpg
Captchas can also be useful as a differentiator between free/paid plans, or to
slow down users (see 4chan)

------
rdl
In the long run, I think it's unavoidable that AI-type systems continue to
improve, while humans don't, so this will become a harder and harder problem.

One helpful approach would be to separate out "why CAPTCHA" into preventing
abuse (through high volumes) and "guaranteed one (or small number) per person"
from "am I interacting directly with a live human", and using different things
for each.

The naive solution to a lot of this is identity -- if FB profiles are
"expensive" to create, especially old ones with lots of social proof, you can
use something like FB connect. However, there are a lot of downsides to this
(chief being centralization/commercial control by one entity, which might be a
direct competitor; secondarily, loss of anonymity overall.)

One interesting approach might be some kind of bond -- ideally with a ZK proof
of ownership/control, and where the bond amount is at risk in the case of
abuse, but it's not linked to identity.

------
moron4hire
The tiniest mouse movements I make while tabbing to the checkbox and hitting
my spacebar to check it? Or tap it on my touch screen? And why wouldn't this
be vulnerable to replaying a real user's input--collected on, say, a "free"
pornographic website? Their answer seems to be "security through obscurity".

~~~
dsjoerg
"Security through obscurity" is a weak concept, however the goal here is not
security but fraud detection.

Obscurity is a legitimate component of a fraud detection system, for the same
reason that hiding your cards is an important part (but only a part!) of being
a good poker player.

------
cheshire137
I wish they would explain more about how the user interacts with the whole
reCAPTCHA leads them to know it's a person and not a robot, but maybe they're
worried about people writing bots to get around their protections.

~~~
chrisan
> However, CAPTCHAs aren't going away just yet. In cases when the risk
> analysis engine can't confidently predict whether a user is a human or an
> abusive agent, it will prompt a CAPTCHA to elicit more cues, increasing the
> number of security checkpoints to confirm the user is valid.

Probably using a combination of G+ and GA to check your 'history' to see the
activity is like a normal human. Visits a couple news sites each day, checks
their gmail, searches for random crap randomly, GA registered a 'conversion'
for some company = probably a human

~~~
emcrazyone
I was thinking they may be looking at how long it takes for a user to click
the "I'm not a robot" link. A robot would probably load the page and quickly,
without delay, send the HTTP POST but I have to imagine they thought of this
already and bot writers would quickly add a sleep() call in there at some
point... Yea, I wonder about their internal logic too.

------
dyeje
In regards to the video, I feel like it has become a cliche to have upbeat,
light ukulele music in the background for product demonstration videos. I
instantly felt myself become annoyed when the music started.

~~~
walkon
And some unison whistling at the end to complete the cliche. Weird they would
even have a video for something like this, leading me to be more suspicious of
the mechanisms and data they are using behind the scenes to make this work.

------
chuckcode
What a misleading headline. Google will now look at your mouse movement but
really be scanning to see if they've been tracking you across the web. Anybody
who is concerned enough about privacy to block/clean cookies will be
assumed to be a non-human.

~~~
azinman2
And then you'll do a captcha like they would have had you do previously. So
either you're status quo, or you get an improved experience if you're in the
vast majority that don't do anything other than non-default. What's wrong with
that?

------
siavosh
It's interesting that the adversarial nature of internet security is
"breeding" an adversarial AI. Inevitably, people will start working on AI to
beat this new captcha. I think in terms of parallels to biological evolution,
security/fraud AI has the greatest evolutionary force behind it. Fun and scary
to think where this particular breed of AI will lead.

------
jackalope
I always assumed Google's use of reCAPTCHA was to augment the OCR used to
digitize Google Books, particularly in results the software couldn't
confidently match to a word. Is this true? It's interesting that it's still
the fallback for the new method.

~~~
jrochkind1
That was the original idea behind reCAPTCHA (which originated outside of
Google, acquired in 2009), but my understanding is that they long ago ran out
of actual text that needed human OCR'ing, and/or found other reasons that
approach no longer was helpful.

The "help OCR while also spam protecting" thing isn't currently mentioned on
Google's recaptcha product page.

~~~
towelguy
It is:

> Creation of Value

> Stop a bot. Save a book.

> reCAPTCHA digitizes books by turning words that cannot be read by computers
> into CAPTCHAs for people to solve. Word by word, a book is digitized and
> preserved online for people to find and read.

[https://www.google.com/recaptcha/intro/index.html#creation-o...](https://www.google.com/recaptcha/intro/index.html#creation-of-value)

~~~
jrochkind1
Good catch.

I wonder where I heard/got the impression that it wasn't really being used for
this much anymore. Maybe from when most of the recaptchas most of us saw
switched from scanned books to google street view photo crops. And I was also
surprised by the implication that google's algorithms really needed human help
for visual recognition of almost exclusively strings of 0-9. I would have
thought that would be a pretty well solved problem.

Anyway, somehow I got the idea that recaptcha wasn't actually providing much
OCR help anymore, but maybe I just made that up.

------
sjs382
Those computer-vision challenges mentioned in the blog post aren't 100% clear.
For the first one, my eyes went directly to the cranberry sauce, and I thought
to myself "Wait... is that one supposed to be clicked, too?"

~~~
mcintyre1994
I thought it was unclear too for a different reason - the text says "that
match this one" which I read as being actual identical matches. Sure it's
obvious when you see the images but that wording feels really awkward.

~~~
pimlottc
Same, my first thought was to look for the identical cat photo, or maybe the
same cat from a different angle, not just other cats.

------
ins0
don't know if this works only for me but here is a live example -
[https://www.google.com/cbk?cb_client=maps_sv.tactile&output=...](https://www.google.com/cbk?cb_client=maps_sv.tactile&output=report&photosource=panoramio&photoid=&cid=RoMfLbw-sME)

~~~
tokenizerrr
It gives me the new version as well, but it seems google is convinced that I
am a bot. Getting a regular captcha after clicking the button and I have to
say that this is a lot worse of an experience than regular old captchas. Now I
have to wait for a few seconds after clicking a button, then still solve a
captcha.

Hopefully it gets better with time.

~~~
nobodysfool
Try this one:

[http://nomorecaptchas.com/](http://nomorecaptchas.com/)

It's very similar. I might go as far as saying that Google copied them.

------
slig
I've been blocking third-party cookies for a while, and I noticed that I only
get the old, hard to read, captchas, instead of the easier version with
numbers.

Too bad this new version won't work for me either.

------
chrisweekly
Obligatory XKCD: [http://xkcd.com/810/](http://xkcd.com/810/)

------
amelius
I just hope it also works for pen-tablets, where the "pointer" can suddenly
jump from one location to the next when the pen comes near the surface of the
tablet.

~~~
ldng
That and what about those who fill their form with tab navigation ? No mouse
involved here. It is just showing off ...

~~~
fredley
I just tried the one ins0 linked above, and tabbing through, using space to
select the checkbox, worked fine.

------
echeese
It's definitely not mouse based. I tried it in an incognito tab and it showed
me the old form when I clicked the checkbox.

~~~
BogdanCalin
On what page did you test the new system?

~~~
echeese
Here you go:
[https://www.google.com/recaptcha/api2/demo](https://www.google.com/recaptcha/api2/demo)

~~~
underlines
1. Tested on my normal chrome where I didn't delete any cookies and logged in
to my google accounts, and no adblocker running. So plenty of evidence I'm
human, with all those cookies from big G.

2. Tested in incognito mode: BAAM: I'm a bot, had to fill out the old
captcha!

------
garrettgrimsley
This is not even close to a Turing test.

I thought Wired was supposed to be a tech site.

~~~
umeshunni
Wired has been slowly moving from being a tech site to a
clickbait/sensationalism site.

------
sytelus
I suspect there is no theoretically perfect solution to CAPTCHA. Bot must get
good at emulating user and software must get better at identifying users. None
of our interaction with computer are non-emulatable so the war would be
indefinitely ongoing.

But what we can do is to make it expensive for bot to emulate user. One way to
do this is creating ID system which requires some form of payment and thus
making an ID an expensive proposition. For example, Amazon can make their
user account as open ID for logins and provide the target system a flag
IsVerifiedPurchaser. Payments don't have to be strictly in direct monetary forms
also. For example, Facebook can estimate ad revenue generated by an user so
far and provide some flag as to whether user is active and trustable as not
being a bot.

------
Geee
It's based on Google account. There might be other vectors too. I tried
browsing lots of pages in incognito, making Google searches, clicking ads etc.
but that didn't help (might work in long term). Signing into my Google account
(with history) was enough to pass the test.

------
zoidb
How long before you will have to answer a series of annoying and difficult
questions if you _don't_ allow tracking cookies and google to collect
personal information (which I assume the far majority of users allow on a
regular basis)? Not sure how I feel about this.

~~~
LLWM
If they create services that you want to use so badly, they can charge you
whatever they want for them. If you don't want to pay, I'm sure Bing will be
happy to have you.

------
pbaehr
I suddenly became extremely conscious of how I was moving my mouse for the
duration of that article.

------
cinquemb
Tangential: From a philosophical perspective, I wonder if the notion of asking
human beings if they are robots, will soon escape the space we consider
virtual? In sci-fi (which more or less informs the masses not involved in such
fields and have more sway over public opinion than say HN or LW), the premise
focused on is that people seemed more concerned with asking robots/automata if
they are human. I'm starting to wonder if such questions will become moot.

Though, I wonder if you can start to defeat such systems by slurping up
headers sent on public networks (like coffee shops, public wi-fi in large
cities, airports, etc) and with techniques like ssl stripping, to obtain
local-storage info being sent in the body.

------
mdhgriffiths
_> in the last week, more than 60% of WordPress’ traffic and more than 80% of
Humble Bundle’s traffic on reCAPTCHA encountered the No CAPTCHA
experience—users got to these sites faster._

Does this mean WordPress saw a 60% decrease in traffic from bots?

~~~
sp332
It still shows a CAPTCHA if it's not sure that you're a human or a bot.

------
johnward
The old recaptcha takes good sites and gives them terrible user experience. I
tried to order tickets one time on ticketmaster and actually gave up because I
couldn't get past the captcha. I hate current captchas with a passion and I
hope they finally die. I understand fighting spam but when it completely ruins
a user experience it's not worth it.

edit: Bury me with no explanation why? Please don't tell me you think the UX
of using recaptcha is great. I'm a 28 year old dev with near perfect eyesight
and it takes me several tries to get these right. They are horrible. I welcome
this new change and hope it isn't easily cracked.

~~~
whydoyouthink
"Bury me with no explanation why?" -- because your comment has only the most
tangential relation to the linked article.

Downvotes are supposed to penalize _uninteresting_ posts, not just _wrong_
posts. No one likes captchas, and everyone has had shitty experiences with
them. Your comment adds nothing to the discussion, doubly so since you're
complaining about a type of captcha that has just been replaced!

------
Nib
Hmmmm. Nice move Google. But I also remember that a machine passed the Turing
test. And I don't like the sound of these two pieces of news together. Not because I'm
worried about you, but because I'm worried about the websites I run as a dev.

Moreover, I'm not sure if most people know this, but reCaptcha was supposed to
be converting ancient text to digital text [I read that once on quora, I'm not
really sure if it's entirely true, but I guess it is]. So now, I can be less
proud of not contributing to conversion of ancient texts to digital books.

And, I'd love you if you make the thing open-source, Google...

~~~
ChrisArchitect
ha yeah that was definitely the original purpose/project of reCAPTCHA.... but
I think shortly after the google purchase, the AI got so good at reading
garbled ancient texts that G allowed it to move on to other things..like house
numbers.

~~~
mynameisvlad
House numbers are actually the easier version, you got them if reCAPTCHA
already knew you're probably human. After screwing it up a few times, it punts
you back into the general category and you get two words again.

------
widowlark
I feel like there is a lot of discussion on whether it's okay for Google to
have this information or not, but truthfully if you don't want them having
this info then don't use their services. It's that simple.

------
xkiwi
It raises privacy concerns for me.

If real name and email validation is mandatory, I will wonder what Google will
use that data for. Is that some kind of monitoring tool which wants to know REAL
NAME, EMAIL ADDR whenever you want to use a website?

Don't forget Google always beg for your telephone number for "security
reasons", Google+ wants your real name for "Policy reason", I upgraded one of
my Nexus to Android L, and everything I do has to sign in: some
games (Botanicula for instance) work fine without internet in Android 4.4.4 but
require internet signin in Android L.

~~~
m_myers
Where are you seeing mandatory real name and email validation?

~~~
grecy
In the video the user has to type in their first and last name, and an email
address.

I have to assume there is a confirmation email, otherwise what's the point in
asking for an email address?

~~~
doodpants
I believe that the video was just showing an example of a form on which a
CAPTCHA would appear.

------
jules
Why would you care whether a user is a robot? Surely whether the actions of
that user are desirable or not is determined solely by those actions and not
whether the thing performing the actions is a human or a robot. It seems like
a better idea to disallow bad actions than to disallow robots. There are also
people farms who solve captchas (e.g. via porn sites who ask you to solve a
captcha which they then input to another site, or by paying people $1 to solve
X thousand captchas).

~~~
willlma
Robots don't buy stuff. Their actions by definition are undesirable from the
service provider's standpoint.

~~~
jules
Then limit the access of everyone who does not buy stuff to X requests per
minute?

------
towelguy
Do they even need the checkbox anymore? They could track mouse movement,
keypresses, history or whatever else they are tracking without showing any
kind of GUI at all.

~~~
debacle
How do you track mouse movement on a tablet?

~~~
towelguy
You could track other things like window scrolling or the focusing of other
form inputs.

------
swalsh
Sorry if the article mentioned it (i only read the first few paragraphs) but
looking at the cat click, that looks like a great way to generate training
data for AI.

~~~
andreigheorghe
This is exactly what the previous implementation was as well. The "words" you
had to recognize were either scanned from Google Books, or house numbers from
StreetView, effectively enhancing their OCR training set.

------
Shivetya
I always liked the captchas that asked simple questions or told you what to
type. Sites that used what is 1+3 or type the number four into the box below.

Is there really a system once employed that coders won't overcome in days? Do
we need a trusted user system, where the machine registered at a central site
and that can be queried by the commerce site? Recognition of the consumer
machine through combination of mac/ip range/provider

------
netvisao
This will greatly help them with bettering their CV classification algorithms.
The kitty picture matching question is a great example.

------
ThomPete
Maybe I am getting ahead of myself but this seems to have huge potentials and
is actually quite interesting from a whole other perspective.

If a machine can determine you are human what if it learns your unique
patterns? Couldn't it then be used to determine you are you?

And couldn't this solve the problem of identity?

In the bitcoin world, what if you could use this to log into your bitcoin
wallet?

------
alpeb
Think of Captcha as the first battle in humanity's fight against AI. Over the
long term this problem has no solution.

~~~
mkal_tsr
Except by answering captchas, you're helping the machines (first words for
books, then numbers for street view, now pictures for classification).

~~~
hashmymustache
That's an interesting thought that every time we introduce novel
classification schemes to resolve humans from computers we feed a large
training set for them.

I never understood how that works, though. If I get a captcha street address
wrong then that means they already had the answer, so how am I contributing?

~~~
dagw
For the street address ones you generally have to answer two questions, one
that they know and one that they don't know. You're only 'tested' on one of
them, but you don't know which. Once enough people have gotten the known one
right and given the same answer to the unknown image they move the unknown
image to the known pile.

------
geographomics
I wonder if they've taken into account people with movement disabilities such
as multiple sclerosis or parkinsonism. Then again, the previous recaptcha
techniques would be somewhat discriminatory against those with visual or
auditory difficulties as well, so they've had to think of this already.

------
mbondr
There's practically no documentation for this. They have "examples" for many
languages, but they're so sparse as to be useless. I don't have time to crawl
through their code. I'm going to wait a few months before implementing this to
see what questions pop up on the blogs.

------
grimtrigger
It seems like they're using cursor tracking to validate human-ness. Assuming
that's the case: Since the cursor is outside of javascript's control, it would
force the attacker one level higher (to the browser/os, instead of the dom).
Not impossible, but still a significant barrier.

~~~
fatratchet
Not really, you would just need to reverse the js code, look at what data they
actually send to google and randomly generate appropriate data like mouse
movements.

~~~
grimtrigger
Ah, good point

------
hokkos
> Google also will use other variables that it is keeping secret—revealing
> them, he says, would help botmasters improve their software and undermine
> Google’s filters

I'm pretty sure that looking at the javascript calls will tell what
"variables" they use, with browser agent, ip, cookies.

------
arikrak
I had my own simple 'captcha' on my site (since recaptcha could be annoying),
but now I added recaptcha since it looks like it will be easier on users.

You just need to query recaptcha's service and check if the json string they
return contains "success\": true".
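
An added example, not part of arikrak's comment or of Google's sample code: a server-side check that parses the verification response instead of searching it for a substring, and fails closed on anything unexpected. The endpoint and field names follow Google's siteverify documentation; `example.com`, the function names and the sample response bodies are constructed for illustration.

```python
import json
from urllib.parse import urlencode

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOSTNAME = "example.com"  # assumption: the site that embeds the widget


def build_verify_request(secret, token, remote_ip=None):
    """Return (url, form-encoded POST body) for the server-side verification call."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return VERIFY_URL, urlencode(fields).encode("ascii")


def naive_check(body):
    """Substring test on the raw response text."""
    return '"success": true' in body


def strict_check(body, expected_hostname=EXPECTED_HOSTNAME):
    """Parse the response and fail closed on anything unexpected."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False  # not JSON at all: error page, truncated body, None
    if not isinstance(data, dict) or data.get("success") is not True:
        return False  # only the JSON boolean true counts
    # Bind the result to our own hostname rather than trusting success alone.
    return data.get("hostname") == expected_hostname


# Constructed response bodies (not captured from the real service).
SAMPLES = {
    "accepted": '{"success": true, "challenge_ts": "2014-12-03T12:00:00Z", "hostname": "example.com"}',
    "rejected": '{"success": false, "error-codes": ["invalid-input-response"]}',
    "compact": '{"success":true,"hostname":"example.com"}',
    "other_site": '{"success": true, "hostname": "other.example"}',
    "error_page": '<html><body>upstream error near "success": true</body></html>',
}


def compare():
    """Map each sample name to (naive result, strict result)."""
    return {name: (naive_check(b), strict_check(b)) for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:<11} naive={naive!s:<5} strict={strict}")
```

The substring test rejects a valid compact response and accepts both an unrelated page that happens to contain the text and a success reported for a different hostname; the parsed check gets all five cases right.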

------
spain
So how does it work?

~~~
rbdn
Google collects all your data and applies machine learning to predict a
probability value that you are human. If it is below a certain threshold you
have to enter a CAPTCHA.

~~~
spacefight
The question was more about on how the new captcha works, I guess.

~~~
rbdn
The old system presented you a challenge-response test no matter what.

~~~
spacefight
Sorry, I just thought "all your data" was a bit unspecific. I have no idea
what Google collects in order to derive that. I have a lot of guesses, but
"all your data" doesn't tell me in fact, how it works. And I think that was
what the parent poster asked for.

------
mikey_p
The image captcha looks nearly identical to Confident Captcha:
[http://confidenttechnologies.com/products/confident-captcha/](http://confidenttechnologies.com/products/confident-captcha/)
(formerly Vidoop).

------
codeshaman
Robot testing if user is not a robot.

Now that it knows how to detect humans, one day we'll all laugh when we read
the news that Google can't log in to their own administration systems, because
an AI security algorithm evolved the decision to lock out human beings.

------
Houshalter
I'm concerned this will just ban people using obscure browsers, blocking
javascript and cookies, and just behaving in non-typical ways.

Fortunately I rarely encounter CAPTCHAs outside of creating an account, and I
can just do that through a different browser.

------
henpa
Challenge Accepted!

------
Dirlewanger
I feel like if anything this would just add some time to bots plowing through
these so their web scrapers can move in gentle curves and whatnot to simulate
a human. These don't appear to be that far off from being broken.

~~~
LLWM
Forcing bots to slow down their interaction with online services to human
speeds would still reduce spam by a lot.

------
homakov
I wrote my thoughts on this protection
[http://homakov.blogspot.com/2014/12/the-no-captcha-problem.h...](http://homakov.blogspot.com/2014/12/the-no-captcha-problem.html)

------
gizzlon
This is great news! I really really really hate the normal Captchas.

It has a nice property: To combat spam, Google can tweak this as often as they
like without bothering the users of a website or the devs running it.

------
yc1010
Anyone know where the documentation for the "old" recaptcha has gone?

How long can we continue to use the "old" way?

Seems like Google wants everyone to use this "new" method, which I am not so
sure about yet.

~~~
blalab
Here you are:
[https://developers.google.com/recaptcha/old/intro](https://developers.google.com/recaptcha/old/intro)

------
arh68
Does this remind anyone of SweetCaptcha? [1] The image match games aren't new.
Is one better than the other?

[1] [http://sweetcaptcha.com/](http://sweetcaptcha.com/)

------
peeyushagarwal
Here is a video introducing the no CAPTCHA reCAPTCHA
[https://www.youtube.com/watch?v=jwslDn3ImM0](https://www.youtube.com/watch?v=jwslDn3ImM0)

~~~
TallGuyShort
If I had only seen that video, I would think this was an April Fool's joke. I
then read the article and was relieved to hear there is a little more than
this. Perhaps I'm just being pessimistic, but I feel like this only raises the
bar a little. I would expect checks it does of mouse movements or headers to
be spoofable quite quickly after introduction. I think the best measure
mentioned is tracking which IPs are bots, but that's still going to have
serious shortcomings.

------
delinka
I don't understand how this can't be spoofed. I can only see how it'll slow a
bot down, and maybe reduce the number of accounts it can create/commandeer.

~~~
towelguy
As long as it behaves like a human, what difference does it make if it's
actually a really sophisticated bot?

~~~
delinka
That brings me back to "why are we trying to prevent bots?" And I'm under the
impression that we want to prevent automated spamming of
$web_community_resource. So to answer your question, it makes a difference
because once the really sophisticated bot is in, it starts spamming up the
place.

------
datakid
Am I Robot by Goodnight Electric is awesome
[http://m.youtube.com/watch?v=78nGkD3-0kU](http://m.youtube.com/watch?v=78nGkD3-0kU)

------
kolev
Did anybody notice that they killed the email obfuscation service? It made it
possible to share your email publicly, which was getting revealed with
reCAPTCHA.

------
jfmercer
I wonder how long it will take for black-hat hackers to crack this. I imagine
that it will be very difficult to crack, but it seems inevitable to me.

------
ck2
One day we are going to have thinking, feeling robots and all this prejudice
against them is going to haunt us.

Seriously though, this is a great improvement.

------
robbles
Is there a page where we can test out these new captchas? I'm curious about
how they work in the wild, and this post only shows gifs.

------
rocks
Isn't that like a reverse Turing test? The machine has to guess if I am human
and not I have to guess if I am talking to a machine.

------
why-el
Is there any published research on this? I am interested to learn about these
risk analysis techniques they are talking about.

------
pizzashark
If a bot just makes more random mouse movements of varied speeds, and takes a
bit longer, won't it appear human?

~~~
iso8859-1
The bot probably has too much or too little mail in its Gmail inbox, or maybe
it is not in many Google+ circles of confirmed authentic humans. Maybe the bot
has not been using Google Chrome for a very long time, so its browsing
patterns may still seem incoherent. This socially disconnected bot is
abnormal; it doesn't fit into society. It deserves punishment; we'll make it
click pictures of cats. Once it gets enough friends on Google+, we'll cut it
some slack.

~~~
kuschku
I posted this multiple times in this thread already, but I tried it with a
Google Account that has a fake name, hasn’t been used for over 2 years, has
neither received nor sent any emails since then, is in only one Google+ circle,
and was only ever used from Firefox.

And it passed the test. While trying it from within a Java client toolkit.

Like, I took the worst setup any spammer would have, and it passed.

How is this going to protect my sites from spammers? And on the other hand, am
I even allowed to embed this into my site, if I am in the EU (Data protection,
etc)?

------
rocks
Isn't that like a reversed Turing test? The machine has to guess if I am
human and not if I talk to a machine.

------
trolltroll5
I cannot find any documentation about how to put in the new reCAPTCHA if you
are already using their older version...

~~~
darkstar999
I'm fairly certain that it doesn't require you to change anything, it will
just start working. You must be a bot.

------
dlss
What am I missing? Breaking this looks much easier than a regular captcha...

This is the sort of problem that genetic algorithms are well suited for (a
small, well defined input domain with a binary oracle). You'd simply generate
a random path, run a smoothing function over it, see if that works, then
iterate.

edit: does anyone know a site that is actually using this new widget? I only
seem to be finding the older version... :/

~~~
joelthelion
You're missing the fact that they're relying on many cues, not just mouse
movement. I don't think they're even disclosing everything they use.

~~~
dlss
You're missing the fact that they went from something that is quite difficult
to get a program to do (essentially an AI complete task) to one that's _not_
AI complete.

It doesn't really matter how many non-AI complete components they are
measuring... without at least one AI complete task, they removed the thing
that makes CAPTCHAs work.

~~~
joelthelion
Except distorted text reading is not hard for AI anymore, and all
"AI-complete" tasks, whatever that means, are pretty much broken nowadays.

So we're left with a very hard problem, and their best solution so far seems
to be security through obscurity with a bunch of non-disclosed "cues". Not
great, but I guess it's hard to come up with anything better.

------
Eric_WVGG
I really wish they hadn’t botched this through use of the first-person
pronoun.

“I’m not a robot” no, computer, you sort of are

------
eridal
[Irony] Isn't "bot detection" a small problem related to "human tracking"??

------
Sir_Cmpwn
I noticed this a while ago when the Humble Bundle switched. I was able to
break it with PhantomJS.

~~~
divegeek
What do you mean by "break"?

~~~
Sir_Cmpwn
Passing the captcha through an entirely automated procedure.

~~~
Dylan16807
In bulk? It's not supposed to stop real users from using a bit of scripting.

~~~
rudolf0
It kind of is, actually. Cloudflare, for example, uses a single CAPTCHA to
prevent ongoing DDoS attacks. If they switched to this new reCAPTCHA and if a
DDoSer can use Selenium to get past the challenge, then the CAPTCHA process
has failed.

There are always tradeoffs with this. I strongly suspect Google is going to
have to restrict it within a year or so, resulting in the number of users who
still have to solve CAPTCHAs closer to 10-20%.

~~~
Dylan16807
'a bit' being key. It's not like a DDoSer can't already solve captchas for
three minutes if that's the only protection.

~~~
rudolf0
The work still has to be done manually in those cases, though, whether they
type it themselves or rent use of a captcha farm.

~~~
Dylan16807
In most scenarios you only have to solve one captcha. Those are not going to
be significantly affected, since the manual work is minimal. It will provide a
multiplier on traffic in the case that a captcha is needed for every single
action.

------
mostafaberg
So if the risk analysis fails I'll get to see a captcha PLUS the new cool
check box !, nice.

------
amenghra
Let's make Captcha mobile friendly by having the client download MBs of
useless pictures...

------
rbdn
I could imagine that this system could still be tricked with a Markov chain
and some dedication.

------
nateabele
This looks like a very clever way to train machine learning algorithms on
image recognition.

------
davecyen
Perhaps Google will be using this to train a broader-purpose image
recognition AI.

~~~
mdb333
Yes exactly... the whole concept of their original captcha came from fixing
OCR where the text was distorted. ie put armies of unsuspecting individuals
across the globe to work to help their ability to digitize text content into
something more searchable.

So, no surprise, same thing is going on here. It's much less about security
than it is about deriving value from the solved image matches.

------
dj-wonk
It seems plausible that as more sites adopt this kind of technology, automated
web access (e.g. scraping) the web will become harder -- for whatever purpose,
good or ill. This has long been an "arms race" between hiding and detection. I
can hope that reasonable uses of automation still remain feasible.

~~~
aruggirello
You're welcome as long as you're respectful.

Just use a bot with a clear User Agent, not "Mozilla/5.0 (iPad; CPU OS 7_1_2
like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) CriOS/36.0.1985.57
Mobile/11D257 Safari/9537.53". And, don't forget to start by reading my
/robots.txt. If you behave yourself and abide by the rules, why should I ban
your bot?

If for whatever reason I don't want to allow your bot in, you might still try
and contact me to ask, and perhaps I could arrange for your bot to scrape my
site.

Automated web access _to my site_ must obey _my rules_ because you're using
_my bandwidth_ and resources.

~~~
dj-wonk
This comment seems like a non-sequitur. My comment had nothing to do with a
particular site, much less "your" site.

I was making a general comment about automation and detection. If the
detection gets better than the automation, it could change the dynamic. There
is no fixed rule that says that content providers will or will not allow
scraping based on robots.txt or other guidelines. Some could elect to disallow
any/all robot behavior, if they have the capability.

------
agumonkey
Now bots will have to up their game and really become human level agents.
#evolution

------
xxs
Given that I use keyboard to navigate, I'd qualify as bot easily.

------
mr-no
Where are you supposed to click if you're a robot?

------
ohash
And what about people with motor-neural conditions?

~~~
oaktowner
I think worst case scenario is that they get what they have today (solve a
captcha style problem).

Con: They _will_ have an additional click. Pro: They might get a more solvable
puzzle than some of the "read this distorted text" images they would see
today.

------
mattaus
Hi all, if you want to give it a try, I've just added it to the MaterialUp
submission form.

[http://www.materialup.com/submit](http://www.materialup.com/submit)

------
uokyas
Will GUI automation tools be able to surpass this?

~~~
Khao
It probably uses a LOT more info than only the mouse move/mouse click.
Remember, google tracking is embedded in probably 99% of websites you visit so
from your ip, cookies, tracking, logged in Google profile, etc... they're able
to know if you're a human or not.

~~~
towelguy
So if I don't have a Google account or allow their cookies in other sites then
I'm not a human anymore?

~~~
seren
Nothing as dramatic: if you don't have a strong Google footprint, it is less
likely that the system will recognize you automatically as human, and you'll
have to answer the picture question.

------
Malstrond
So we're actually training users to behave like what Google's behaviour model
assumes to be the behaviour of humans. Because then they won't get annoying
captchas.

------
hardwaresofton
I'm still more impressed by sites like
[http://www.funcaptcha.co/try-it/](http://www.funcaptcha.co/try-it/)

Why have they not caught on?

~~~
doodpants
This CAPTCHA is "fun" the way that fun-size candy bars are fun.

------
whyNotBoth
Oh, so just program bots to provide a mouse movement toward a form element
along a distorted path, and always trigger them through the UI rather than as
events. Got it!

~~~
ggambetta
Yeah, good luck with that.

~~~
nodejsisbest
[http://phantomjs.org/](http://phantomjs.org/) makes this easy enough to do.

~~~
ggambetta
You seem to be assuming Google doesn't know of PhantomJS and many other
automation frameworks. In fact, I personally wrote some of the code to detect
them - not in ReCaptcha, but in a closely related project (which ReCaptcha may
be using, even...)

------
alebaffa
The death of Lord Inglip.

------
towelguy
Is it keyboard friendly?

~~~
rbdn
You can try it out here:
[https://www.google.com/recaptcha/api2/demo](https://www.google.com/recaptcha/api2/demo)

If you are recognized as human you could perhaps try it via Tor.

~~~
xioxox
I wish these google pages wouldn't automatically assume you speak some
language based on your IP address - I get mine in German without any option to
switch. Aren't there standards for setting language in web browsers?

~~~
towelguy
Your browser sends an "Accept-Language" header with the list of languages and
order of preference you have configured.

~~~
pluma
Sure, but many sites including Google like to ignore these (or at least have
done so in the past).

The rationalisation is that users don't change settings like these, so their
location is a better indicator than what their browser thinks.

------
seamoss
Equally as annoying.

------
luckystarr
How does this work?

------
rakmm
fuck

------
jonathanmarvens
Because ... Google.

------
natch
Just give us your full name. How is this better?

They might already have my name but not in an incognito window. But they want
it, obviously.

------
natch
We can run robots to act on our behalf, but you can't. We can build and
leverage AI, but you can't. Seems like that is where this is going.

