
There is no evil like reCAPTCHA - eitland
https://thestoic.me/there-is-no-evil-like-recaptcha
======
elehack
Google did not create reCAPTCHA. They bought it; it was started by Luis von
Ahn, who went on to create Duolingo.

When reCAPTCHA was created, the alternative was CAPTCHA, which tried to impede
bots but did not generate any social benefit. This was the genius of the
original reCAPTCHA concept: the time taken to 'confirm humanity' could be
channeled into the socially-useful endeavor of digitizing books. Capture some
of the heat emissions of impeding bots for a useful purpose, rather than
letting it all go to waste.

Now, yes, Google is using it to train their self-driving car AI, and there's a
bunch else happening in it to connect to Google's surveillance apparatus.
There's much to legitimately criticize there. I personally don't view training
Google's proprietary AI as the same kind of intrinsically altruistic purpose
as digitizing the world's pre-digital books.

But putting the entire concept on blast with erroneous history that can be
corrected with about 60 seconds on Wikipedia doesn't help the argument at all.

~~~
inlined
> but putting the entire concept on blast with erroneous history that can be
> corrected with about 60 seconds on Wikipedia doesn’t help the article at
> all.

Nor does an entirely fallacious premise. ReCAPTCAH v3 is entirely transparent
and non invasive to users. In fact it’s retroactive to help the site admin
figure out what to do with the score:

[https://developers.google.com/recaptcha/docs/v3](https://developers.google.com/recaptcha/docs/v3)

~~~
mustacheemperor
> non invasive to users.

Except for the invasion of my time and attention, used to train Google's AI to
get better at recognizing traffic signals. I took that as the main point of
the article.

~~~
shakna
That's v2.

v3 is "invisible" and is supposed to be deployed to every page on the site,
and the site is the one who decides how to punish you for not matching their
normal audience.

~~~
My1
Not just invisible but unlike "invisible recaptcha" which was kinda between v2
and v3 which does spawn a challenge on its own, but v3 is entirely non
interactive and as you said the site/admin decides the punishment.

------
CodesInChaos
Isn't the author talking about recaptcha v2? My understanding of recaptcha v3
is, that it just gives you a score for how well google can track you and then
leaves it up to the site operator to block users who aren't transparent
enough.

What I really hate about recaptcha v2 are those artificial delays before
loading the next image (which it can happen to several times on a single
card). And then in the end you frequently fail, despite answering everything
correctly.

~~~
saagarjha
> Isn't the author talking about recaptcha v2?

Yes.

> My understanding of recaptcha v3 is, that it just gives you a score for how
> well google can track you and then leaves it up to the site operator to
> block users who aren't transparent enough.

Yeah, that's the one where you're supposed to put it on every page of your
website so that Google can collect more information on your users. If they
can't, they'll return a low score that you'll use to mark users as "bots".

> What I really hate about recaptcha v2 are those artificial delays before
> loading the next image (which it can happen to several times on a single
> card). And then in the end you frequently fail, despite answering everything
> correctly.

I think this is just what Google does when it thinks you're a "bot": i.e. they
don't know who you are.

~~~
Wowfunhappy
> I think this is just what Google does when it thinks you're a "bot": i.e.
> they don't know who you are.

I do wonder _why_ though. For a long time, I assumed it was a rate limiter,
but then another HN commenter pointed out to me that time is more valuable to
humans than bots. Bots can work on multiple captcha's in parallel.

~~~
GraemeL
My thoughts exactly. A bot doesn't care if it takes 2 seconds to fade the
images out and in for another challenge round, but a human viewing it
perceives it as a frustrating delay.

I've become accustomed to just closing any page that presents me with a v2
reCAPTCHA.

~~~
jedberg
Unfortunately one of those pages was the Equifax settlement. And other similar
“important” sites. I never seem to come across them when it’s a service I
could easily quit or avoid.

~~~
Wowfunhappy
This might not be so sinister. It so happens that "important" operations, like
a class action lawsuit settlement, are also the type of thing you'd
particularly want to protect from bots.

------
Wowfunhappy
It's such a shame that this poor article is getting attention, given that
reCAPTCHA v3 is actually a terrible privacy violation.

Sadly, I don't think the author knows the difference between v2 and v3. The
article is definitely not talking about v3.

~~~
SQueeeeeL
A lot of articles posted on hacker news are by people who don't really
understand what they're talking about, but use a lot of emotionally charged
language. A lot of times this is fine, because it's articulating something
that bothers a lot of people and wastes their time. But in this case it's
absurd. I don't think he understand just how much crap bots were/are putting
out there, especially before we had good services like cloudflare and the
whole web hosting cloud to filter it. It's not Google's fault every
small/medium sized company decided to put important customer services on a web
portal which could be easily abused, they just capitalized on it. Sys admins
can't stop random executives from making crap decisions like having an
inherently insecure system, but at least they can pitch on reCaptcha to fix it
a tiny bit. But they wrote an article where they used a lot of CAPS LOCK, so
they must be an authority.

~~~
jonas21
> A lot of articles posted on hacker news are by people who don't really
> understand what they're talking about, but use a lot of emotionally charged
> language.

This seems to be the best strategy for getting to the top of the front page
these days. Even better if the target of the emotionally charged language is
Facebook, Google, or Amazon.

------
miohtama
Here is my earlier comment when somebody was bashing reCAPTCHA

[https://news.ycombinator.com/item?id=20297764](https://news.ycombinator.com/item?id=20297764)

\- Running a high profile, or even low profile. service which attracts
automated or spearhead attacks makes you appreciate reCAPTCHA

\- Web services and users are often low value and reCAPTCHA offers a free
medicine

\- Cleaning up attacks and such as a devops/webmasters is pain in the ass -
getting all those alerts ad Saturdat 11:00pm in a bar - you do not want to
cover them from your $100 budget

\- reCAPTCHA makes _many_ problems go away for a service provider

\- People complaining about reCAPTCHA are often low value users (they do not
buy anything) - though I have only subjective point to confirm this

Long term solutions can be only moving away for CAPTCHAs to strongly
authenticated humans by a trusted party

\- Strong human authentication on every service controlled by
Apple/Google/Facebook who has vast data to keep bots in the check

\- Start paying for the services - though you still need to do CAPTCHA at
least once in the card authorization to prevent cardsters

Alternative for reCAPTCHA - though I do not vouch in for the quality yet:
hcaptcha.com/

Bonus: Micropayments instead of ads or make botting too expensive - welcome to
cryptocurrency land

~~~
Avamander
We had an alternative to reCAPTCHA for a moment - proof of work coin miners,
when properly set up it is also very privacy-friendly by having the
possibility of fully self-hosting it. Yes it had it's downsides, but IMHO less
downsides than doing work for Google. Same goes for coinminers instead of
adsense.

~~~
RL_Quine
No you didn’t. A few seconds of proof of work is trivial for a bot, any amount
that makes it hard for a bot is unusable to a human. This is why nobody uses
hashcash.

~~~
Avamander
The same way you can buy captcha solves, it's trivial for a bot.

------
ronnier
With some of these I'm left debating what is a traffic light. Is the pole
itself a traffic light? I really don't know.

Also when it asks to select all the cars. Is a bus a car? Is a truck a car? I
really don't know what it is expecting and I must pick wrong as I often fail.

~~~
ceejayoz
It's very frustrating that there's no "your AI is an idiot, there isn't one"
button. I saw an example of one that said "click the tiles containing the bus"
where it was clear what the AI _thought_ was a bus, but it definitely wasn't.

~~~
dwyerm
This reminds me of Janelle C. Shane's work on AI[1]. Computer vision's been
learning based on the photos that people take, not the visions that people
see, and this is giving AI a preference for photogenics instead of reality.

People generally don't take pictures of rolling green hillsides. But they very
often take pictures of rolling green hillsides _with sheep on them_. So if you
ask the robot to draw a picture of rolling green hillsides, it will include
sheep. Or, if you ask it to draw a picture of the savanna, it will want to
include giraffes.

Now you're being asked to find a bus in a photo without a bus because it's a
street scene, and every street scene has a bus in it.

I haven't read her book, yet, but her Twitter[2] is often full of amusing
anecdotes like this.

[1] [https://aiweirdness.com/](https://aiweirdness.com/)

[2] [https://twitter.com/JanelleCShane](https://twitter.com/JanelleCShane)

~~~
Wowfunhappy
> People generally don't take pictures of rolling green hillsides. But they
> very often take pictures of rolling green hillsides with sheep on them. So
> if you ask the robot to draw a picture of rolling green hillsides, it will
> include sheep. Or, if you ask it to draw a picture of the savanna, it will
> want to include giraffes.

Don't humans do this too, though? If I asked someone to draw a picture of
rolling green hills, they may well add sheep as an additional detail.

~~~
dwyerm
Well, personally, I had the "bliss" image from the Windows wallpaper
collection in my head while I was writing this. But I'm cognizant that most of
the photos of hillsides I took in Ireland had sheep in them.

~~~
Wowfunhappy
I wonder if that would still be true, though, if "bliss" wasn't a default
Windows wallpaper. In other words, you're _still_ referring to common
pictures, you're just particularly biased to one in particular that you've
seen a lot.

I haven't done the experiment, but I'd posit that if you walked up to a group
of 8-year-old children, gave them crayons, and asked them to draw pictures of
"rolling hills", a significant portion would add sheep, cows, flowers, or some
other details—even though a majority of rolling hills in the world don't have
any of these features.

------
commandlinefan
I’ve had a blog for about a decade now - I wanted to host it myself rather
than use some blogging infrastructure, since I was afraid that blogging
infrastructures would become evil in the future (see: Medium). I also wanted a
comment section, but as soon as I turned it on, I got hundreds of spam
messages every. single. day. I shut it down and started working on adding
captcha support. My custom captcha solution did pretty much nothing to slow
down the spammers, and I realized how much time and effort I was going to have
to spend developing and maintaining it… I decided to hand the reins over to
the fine folks at Google, instead. If they want to recoup their costs by
having visitors on my site spend a few seconds training self-driving cars,
that’s a trade-off that’s worth it. It’s also worth noting that the article
doesn’t actually point out anything that’s particularly evil - just points out
the potential for some evil in the unspecified future. Although I agree that
the best time to tackle evil is now rather than later, I also don’t see any
alternative for recaptcha, so I’m going to continue to use it and hope for the
best.

~~~
judge2020
Perhaps the wordpress method of comments would work for you without a captcha
- you allow comments but hold for review any comment that has a potential link
in it. Most spammers skip posting links in WP comment sections unless they
specifically are trying to market to the site admins.

~~~
flemhans
No they don't, WP sites left unattended this way will amass millions of posts
pending approval

------
squirrelicus
> human right of mental comfort

Hahahahahah hahhaha ahhah hah. Lol.

I'm sorry, I just can't help myself. This cultural tendency toward naming
everything you prefer as a right is just... It's hilarious to the extent it's
not just sad. I'm willing to give the author the benefit of the doubt that it
was just hyperbole. In which case, bravo.

~~~
imgabe
That was the exact point when I decided this article was a waste of time. What
a ridiculous statement. Even if it was meant to be comedic hyperbole, the
effect is that it's impossible to take seriously anything else the author has
to say.

~~~
Retra
Well I suppose "Hahahahahah hahhaha ahhah hah. Lol" is a better example of the
kind thought-provoking serious writing one should aspire to consume.

~~~
lucb1e
Yeah I'm not sure whether to flag the comment as an unconstructive personal
attack on the author or if it's just within the lines of what we like to see
in this community.

~~~
carapace
If it's marginal enough to give you pause for more than a few seconds, down-
vote it. If HN becomes _too_ dry and technical there's always Reddit...

------
ve55
For those of you asking for alternatives, I've tried a few of the things
posted in [https://kevv.net/you-probably-dont-need-
recaptcha/](https://kevv.net/you-probably-dont-need-recaptcha/) to some
success, but obviously it depends on your use case.

~~~
tkp
thanks for your overview !

Does anyone knows a recapthca2-like service/software, that would help solve
such tasks (OCR, object recognition..) on a custom provided dataset ?

It could provide an alternative to recaptcha, and a "Mechanical
Turk"/crowdsourcing for universities, institutions or companies to help solve
some of their repetitive tasks.

------
OJFord
My two main frustrations with reCaptcha:

1\. No (or at least piss poor) localisation. It asks me to locate English
words, sure, but the images are of things familiar only from American films -
sorry, movies. ReCaptcha is how I know (and my only use for knowing) what a
'crosswalk' is.

2\. Sometimes it's just wrong. But I have to select the images that it
incorrectly thinks is a bridge or whatever anyway, otherwise I'm not allowed
to login.

Everyone's one of N top complaints:

\- How much of the damn structure counts as a traffic light?!

~~~
nickflood
Yep, they've trained my neuronet that they always show the images in a 3-2-1
or a 3-1-1 sequence, so now even if shows me something weird, I know I need to
select the number of most likely things they want me to. This way I almost
always finish it on first try.

------
hrjet
Would appreciate thoughts on this alternative that we are developing:

[https://github.com/librecaptcha/lc-core](https://github.com/librecaptcha/lc-
core)

The idea is to develop a framework for Captcha generators. A few sample
generators are provided out of the box, but new ones can be written easily.
The framework takes care of storing entries in the database, serving them as
challenges through an HTTP API, and checking the responses.

From the README, why libreCaptcha:

    
    
      * Eliminate dependency on a third-party
      * Respecting user privacy
      * More variety of CAPTCHAs, tailored to your audience
    

The implementation has a long way to go (it was written by students trying to
learn Scala), but would appreciate thoughts on the concept.

~~~
ackbar03
If you give me a captcha generator I can give you a captcha solver. You have
no idea

~~~
hrjet
Agreed; a determined programmer could solve almost any Captcha given
sufficient time and resources.

But we are not trying to create an unsolvable Captcha. For those websites that
need something good enough to deter generic bots while not compromising
privacy of their users, this might be a good enough alternative to reCaptcha.

Imagine a docker image which just works with out-of-the-box generators. Those
who need more variety could create a custom generator with Javascript and drop
it into a docker volume.

~~~
SubiculumCode
e.g. the difference between a general intelligence and the AI we have today.
Generators that vary what is being asked from site to site make generic
solutions much more difficult.

------
sgjohnson
I love competition, but I hate Google.

So I wish them luck while hoping that they’ll go die in a fire.

Manifest v3, tracking everything, this... Only validates my decision to scrap
all Google services 2 years ago.

~~~
webninja
I can’t get behind this google hate. I can think of many companies that aren’t
providing any sort of public good.

------
buboard
Recaptcha is a free mechanical turk for Google. Right now they re training
waymo's cars, but soon they 'll need to train other networks. Prepare for
"Click on all images showing intraductal papillary biliary neoplasm". C'mon,
don t be lazy

~~~
LeonM
This conspiracy theory has been debunked many times.

~~~
stordoff
What conspiracy theory? That's what Google say it is for:

> Hundreds of millions of CAPTCHAs are solved by people every day. reCAPTCHA
> makes positive use of this human effort by channeling the time spent solving
> CAPTCHAs into annotating images and building machine learning datasets. This
> in turn helps improve maps and solve hard AI problems.

[https://www.google.com/recaptcha/intro/v3.html](https://www.google.com/recaptcha/intro/v3.html)
(under "Creation of Value - Help everyone, everywhere - One CAPTCHA at a
time.")

------
nyuszika7h
The title mentions reCAPTCHA v3 but then the article goes on to rant about the
challenges you have to solve. reCAPTCHA v3 is completely automatic, there are
no challenges at all. Of course, it's not perfect either, because occasionally
actual humans fail the challenge too.

~~~
saagarjha
> reCAPTCHA v3 is completely automatic, there are no challenge at all.

Yeah, if you're signed into Chrome and Google has enough information to know
who you are (yes, I know the new one is score-based…this just means that
anyone who isn't the above is going to get a poor score and be blocked.)

~~~
christudor
You can actually set the minimum score requirements to whatever you want. The
default is 0.5, but there's nothing stopping you setting it to 0.0 and letting
everyone through.

~~~
a1369209993
Can you set it to only allow people with score < 0.5?

No, I'm not joking.

------
jsf01
reCAPTCHA v2 has prevented me from doing so many things. A recent example: I
attempted to make a LinkedIn account. When I got to the captcha, it gave me
one of the really nasty ones where you wait for each new image square to
slowly appear, and almost every new square also contains a bus or whatever it
wants me to click. Then after hitting submit, it still thinks I’m a bot, so I
get sent back to another captcha, infinitely. I never ended up creating the
account. I attribute this to me using ublock and not using google products,
but I can’t say for certain, and I’m not changing that just so I can pass a
captcha. One of the stated purposes of reCAPTCHA v2 is to prevent actions from
taking place altogether by wasting a user/bot’s time, so this was probably one
of those cases. Somehow it felt certain I was a bot, so to prevent the signup
from being possible it instead sent me on an infinite captcha solving tangent.
It would have been nice to know before solving tons of them that this would
never work and I was just wasting my time.

~~~
lucb1e
Same here. I got a gift card, went to the site to check its value, didn't get
a cookie banner but they still hired this third party from the other side of
the planet to try and identify which human I am, allegedly the only way to
tell whether I'm human (y'know, a 21 digit account number isn't proof enough).
The third party decided I'm not. Wanted to contact customer support, guess
what? Form broken. Turned of tracking protection, ad blocker, etc. No dice.
Tried a second browser, same issue. Called the next day and finally got to the
amount... Of course they couldn't reproduct the ReCAPTCHA issue and the form
didn't give them an Internal Server Error either. Must be me.

If this were about not being able to see cat pictures, alright, but this is
about accessing money that I'm supposed to own. This is so backwards to me.

~~~
jaclaz
Which brings us back to the old way of using cash instead of gift cards, it
might have a number of other issues, still it remains simpler.

------
ElijahLynn
Would downvote this if I could.

1) Google bough reCAPTCHA in the first place. 2) Google's latest captcha isn't
even a captcha, you just click a button saying you are human and it analyzes
your mouse movement and probably a fingerprint of sorts and you are in.

The article just isn't accurate and seems unnecessarily hateful about things
that are not exactly true.

~~~
christudor
Google's latest reCAPTCHA is v3, which works behind the scenes to generate a
'trustworthiness' score for each user. There is no longer any button for the
user to click. You're thinking of v2, I think.

~~~
ElijahLynn
I am talking about V3 it appears, just checked here
[https://www.google.com/recaptcha/intro/v3.html](https://www.google.com/recaptcha/intro/v3.html),
at 0:11 on the splash video is the image I am talking about
([https://youtu.be/tbvxFW4UJdU?t=11](https://youtu.be/tbvxFW4UJdU?t=11)).

I guess I didn't mean a button, but a checkbox.

------
athenot
reCAPTCHA is turning into a punishement for those who don't want to consent to
full tracking by Google.

Apple is working on their SSO project (Sign in with Apple); I hope they will
also consider the use-case of being able to tell a site that you're a human
without sending any information.

------
ofrzeta
That article aside, what are everyone's experiences with reCAPTCHA? We are
using it to secure one of our contact forms and get a lot of spam through it.
Upon research (googling) I found that reCAPTCHA is "broken", e.g.
[https://threatpost.com/uncaptcha-googles-
recaptchas/140593/](https://threatpost.com/uncaptcha-googles-
recaptchas/140593/)

~~~
tadzik_
We use it to stop bots from opening thousands of trial accounts. We don't have
bots anymore, but instead we have humans who open hundreds of trial accounts
hourly. I guess it's an improvement.

~~~
ackbar03
Whats the service fir? I know game miners and some other niche services that
attract these kind of actors. Do you know what they want from your site?

~~~
tadzik_
An email provider. Interestingly enough they don't even send anything. They
just... sit there. And who knows why. Not really doing anything harmful afaik,
but obviously fradulent so our support still kills them in bulk just in case
they were a proper threat waiting for the activation.

~~~
ackbar03
Huh, interesting, thanks for sharing. Maybe they're just using it as an
address to open up accounts for other stuff?

~~~
tadzik_
Perhaps – but I'm pretty sure there's some that don't even receive emails
either. It's as if someone was just creating a "standing army" of accounts in
preparation to unleash something. Spooky :)

------
paulcarroty
Absolutely, trying to avoid any website with reCAPTCHA.

If you're non-Chrome user, don't even try playing with images - Google force
you to click 3-5 times more than Chrome users, it's just stupid.

~~~
ultimoo
This! I use FF with uBlock Origin without being signed into Google and it is
absurd how many tries it takes to solve the crosswalks, bikes, and storefront
riddles. Sometimes I give up due to frustration and open the site in Chrome.

~~~
samb1729
Seems like just another way for Google to funnel non-Chrome users into Chrome

~~~
Avamander
Hate to say this, EU please help.

------
VeninVidiaVicii
>Select all pictures of storefronts.

Hmm, if only I could read Bengali, I could tell if this were a storefront or
not.

------
1f60c
See also: “You (probably) don’t need ReCAPTCHA”[0]

(submitted to HN here:
[https://news.ycombinator.com/item?id=20158386](https://news.ycombinator.com/item?id=20158386))

[0]: [https://kevv.net/you-probably-dont-need-
recaptcha/](https://kevv.net/you-probably-dont-need-recaptcha/)

------
zelphirkalt
reCAPTCHA is the most annoying and presumptuous tracking spyware online. I've
come to close websites almost immediately when I discover that they use it.
"Discover" is the correct word here, as website developers are usually too
careless, to provide any noscript hint that reCAPTCHA is even used and I find
myself wondering, why that damn website does not work, until I check my
uMatrix and see the evil that reCAPTCHA is. If the service is really needed, I
need to allow stuff and reload pages up to 5 times, as script loads script
loads script from other domain loads frame ...

This makes for the most shitty experience ever, when I try to use such a
website and I give the middle finger to the person who decided they need to
have a reCAPTCHA there and to the person who put it there and I tell them the
F work in my mind. The disregard for people's privacy cannot get much worse
than with reCAPTCHA.

------
Osiris
My payment provider (Braintree) required me to implement reCAPTCHA v3, despite
the fact that I had already implemented server-side fraud checks (MaxMind). I
didn't have a choice if I wanted to continue taking credit card payments.

~~~
saagarjha
Do they specifically require reCAPTCHA v3, or just any sort of bot-prevention
CAPTCHA?

~~~
Osiris
The specifically told me to use reCAPTCHA v3. I don't know if they would have
accepted another one. I didn't want to take the time to research them.
Honestly, from a UX perspective I also preferred the "no user interaction"
part of reCAPTCHA.

------
octosphere
I'm glad someone is talking about this and we can have a healthy discussion
about it. Things like PrivacyPass[0] are a step forward, but for those who
don't know about such a tool, they will continue to be 'tortured' and get
repetitive strain injury from constantly having to solve recaptcha v2, at
least, well if they browse under Tor heavily and will have to pass recaptcha's
test multiple times, and even after proving they were not a bot countless
times.

[0] [https://privacypass.github.io/](https://privacypass.github.io/)

~~~
cyphar
The problem with PrivacyPass is that it is a (not nearly as peer-reviewed as
Tor) privacy-related cryptosystem that lets you bypass the reCAPTCHA _that
CloudFlare put in your way in the first place_.

Using it with Tor is almost certainly not a good idea because it changes your
own behavior from other Tor users thus compromising your anonymity (and the
Tor folks are not in favour of PrivacyPass, because they think the solution is
that CloudFlare shouldn't be putting the reCAPTCHA in the way in the first
place). And that's assuming that the cryptography is actually solid and there
is no way to distinguish between different PrivacyPass users. Tor has decades
worth of research put into it -- what level of scrutiny does PrivacyPass have?
How many people actually use it and how many have tried to break it?

~~~
judge2020
I've said this before but:

> When 80% of traffic from an IP is malicious and the other 20% is regular
> traffic, but both sources look like the same traffic (impersonating browser
> headers, sometimes running headless chromium), what else can you do? Cookies
> and stateful cookie-like objects, such as privacy pass.

------
arange
turn on comments on your blog without recaptcha, i dare you.

~~~
jMyles
There are other techniques that do a reasonable job at stemming the flood. The
"hidden field" technique still reduces spam by quite a lot.

~~~
inimino
I wrote about another technique at the end of my own captcha rant:
[https://inimino.org/~inimino/blog/kill_captcha](https://inimino.org/~inimino/blog/kill_captcha)

The proposed solution would replace captcha entirely, but to my knowledge
nobody has tried it.

~~~
basicplus2
How about different revocable secret keys to your mailbox given only to those
who you wish to contact you

~~~
inimino
If people have to request to be able to contact you, it is not a public inbox
anymore. This is the way most walled gardens work, you have a separate step
before you can interact, so it works, but it lacks some of the affordances of
the public inbox model of email or blog posts, such as allowing anonymity.

------
maxerickson
It's quite the rant, meanwhile I don't quite remember the last time I did
something where I had to solve a captcha that wasn't the "click once" one.

~~~
opmac
To offer a counter-experience, I don't remember the last time I actually HAD
the "click once" captcha. It's always "click the buses/traffic lights/store
fronts" etc.

~~~
ocdtrekkie
Your experience will differ based on how much Google tracking you block. If
you're not letting them surveil your every move, they're less convinced you're
human by default (or perhaps spite).

~~~
rtkwe
I have a hard time assigning malice to the recaptcha more blocking = lower
score because while it's a fun conspiratorial position it's also true that the
more you block the less you look like the average user who doesn't. Also the
less info they can pull from to determine how likely it is you're an actual
person so of course people without a trail are going to be more suspicious.

------
have_faith
What's the next best alternative to reCaptcha? this is something I will be in
need of soon.

~~~
webninja
People on the other side of the world that solve captchas for $1 an hour.
Sadly, I’m not kidding.

------
megous
Companies use recpatcha in inappropriate ways. Especially on contact forms.
Imagine you'd have to solve a captcha before sending every mail (or possibly
be rejected completely).

Contact forms should just send an e-mail and let the e-mail's content based
statistical filter deal with spam.

Blocking people from communicating with your company based on Google's whims
is really not smart. It's giving too much power to Google.

------
caiocaiocaio
I got dragged into clickbait, read _15_ paragraphs of fluff till I actually
got to the point of the article, and now I hate myself.

------
mnm1
Another technology that needs to be regulated and banned in many cases. Paying
bills and handling finances online should be accessible to everyone. This
prevents it from being so. It may already be a violation of the ADA. After
all, how is a blind person supposed to pass? Impossible. For other websites,
well they can do whatever. The internet is mostly a cesspool and anything that
can't be visited with JavaScript turned off is not worth visiting. That
includes "clever" spa blogs that could just be static sites and all types of
other garbage. Maybe one in a thousand or one in a million sites other than
finance, shopping, etc might be an exception to that but no website with
recaptcha is. I wonder if we can sue Google for ada violations. I'm sure there
are plenty of disabled people on the internet for q class action.

~~~
nyuszika7h
> After all, how is a blind person supposed to pass?

There's an audio captcha option.

~~~
bluGill
I have a friend who is both blind and deaf: audio is also out. It is possible
to use a braille terminal to access the web, so while I don't know if he uses
the internet, it is possible.

Okay, he isn't really a friend, I only met him once. We have a friend in
common who speaks sign language and was able to translate. Seeing him read
sign language with his hand was interesting.

------
tdb7893
What's the alternative to the recaptchas? Is the difference to just to use a
different captcha service?

~~~
shakna
CAPTCHA is a divisive topic on HN, so you'll get a lot of people suggesting
it's vital, and a lot saying it just isn't, depending on their own
experiences.

"You probably don't need ReCAPTCHA" [0] is an article discussing techniques
that has had decent discussion [1] on HN before.

[0] [https://kevv.net/you-probably-dont-need-recaptcha/](https://kevv.net/you-
probably-dont-need-recaptcha/)

[1]
[https://news.ycombinator.com/item?id=20158386](https://news.ycombinator.com/item?id=20158386)

------
throwawaylolx
There's plenty to write about this, but this is just a rambling rant that
struggles to stay coherent

------
the_watcher
This article seems to be confused about reCaptcha v2 vs. v3, as others have
mentioned. That said, the broader point about the amount of time they take and
the fact that Google is farming out labeling has some validity. It seems like
the value to Google is high enough that they could easily remit some money or
value to the people taking them.

There's an argument to be made that this would incentivize even more
investment in bots that can pass them. My reply: Google should just create a
bounty for anyone who successfully beats it worth more than the black hat
value.

------
MakiXx
I wish they mentioned
[https://github.com/dessant/buster](https://github.com/dessant/buster) which I
love using

------
EvanAnderson
I joke about signs of the robot apocalypse eventually showing-up in reCAPTCHA:

"Click on the photos of humans with weapons."

Sometimes I feel like I'm only half-joking, though.

------
cascom
life's too short to solve these things - i view it as the equivalent of a rude
host at a restaurant (meaning I'll take my business elsewhere)

------
azhenley
I just tweeted a video of me doing nonsensical "Rotate the ball" puzzles to
login to Hotels.com. I couldn't even tell what the pictures were!
[https://twitter.com/AustinZHenley/status/1158430726888407040](https://twitter.com/AustinZHenley/status/1158430726888407040)

------
My1
The post talks about recaptcha v3 but shouldn't it be v2? Because correct me
if I'm wrong, but as far as i remember recaptcha v3 does NOTHING with the user
as far as i remember and only tells the admin what it thinks about the user
and then he can spawn a normal recaptcha v2 if needed.

------
bitL
Google moved puzzles from interviews onto random Internet users ;-) There must
be some sophisticated internal metrics registering increase of puzzle takers
somewhere, with a hidden goal of increasing general intelligence levels,
adversarial-style. It's the only scientific explanation! :D

------
radcon
I didn't realize how bad reCAPTCHA is until I started trying to protect my
privacy.

The internet became practically unusable thanks to the constant, unsolvable
CAPTCHAs. You can click the correct image tiles until your finger falls off
but you still won't get through.

------
db48x
I agree completely. I've just stopped using any website which asks me to do
reCAPTCHA. In fact, I've got uBlock to block it from even loading. If you use
reCAPTCHA for any reason then you don't deserve my business.

------
breck
One of my favorite takes on captchas is John Mulaney's SNL skit from the past
year: [https://youtu.be/en5_JrcSTcU?t=337](https://youtu.be/en5_JrcSTcU?t=337)

------
emptyparadise
Recaptcha is now a rate limiting service for people not signed into their
Google account. That's about all it does. The score on v3 falls through the
floor if you block third-party Google cookies.

------
zzo38computer
I agree that reCAPTCHA (all versions) are terrible. (At least, sometimes it is
possible to avoid the problems by selecting the audio CAPTCHA, which tends to
work better as far as I can tell.)

Instead, use the protocol-independent CAPTCHA. It is a SASL mechanism, which
sends a challenge with plain ASCII text (and may include line breaks), and
then accepts a single response of plain ASCII text, and then the server
decides whether or not the response is acceptable. The similar thing can also
be done with a simple HTML form, but using SASL would then allow working with
any protocols and work with command-line interface just as well as HTML
interface, too.

------
throwaway66666
Didn't facebook try "Is this your friend Bob?" (showing you a picture of some
random people) as their forgot password captcha, in the past?

Now that was evil!

~~~
aitchnyu
In India it is common to set your profile pic as flowers and little girls for
women, supercars and superbikes for men.

------
strawman666
Not that I would do it, but couldn't someone create a bot to purposely give
incorrect results and screw up Googles AI learning machine?

------
brightball
I’m curious, what’s the best option for protecting web forms if not using
reCAPTCHA? Specifically for things like account sign ups?

~~~
_-___________-_
It depends what value there is in an account, but for a service I run, I just
let the bots sign up accounts.

Accounts don't really cost me anything, and they get automatically deactivated
if they didn't get any activity in the first 30 days anyway. Activity on my
service costs money, so if someone wants to make a bot that pays me money, I
have no problem with that.

The only time I'd consider implementing something like reCAPTCHA is if I was
giving something away for free (e.g. a free trial) such that a signup actually
had a cost for me.

~~~
brightball
I was more concerned about triggering activation emails to people

~~~
_-___________-_
If you collect email addresses, then yeah that's a concern. Then again, if you
send a single activation email and never send another email unless the link is
clicked, there's no value to the bot in signing up accounts, so it's unlikely
to be a major problem.

------
sbhn
If recaptcha is so good at finding bots, then why does google still show ads
to bots?

------
davesmith1983
reCAPTCHA on a site forces me to use Google and quite a few sites now use it.
There are other ways of detecting bots that aren't as intrusive nor require
you to allow Google everywhere.

------
marykimm00
Ug, can't stand reCAPTCHA. But seems like a necessary evil.

------
brokensegue
the tone of this article is awful. it also has the history of recaptcha wrong.

I can't imagine it actually taking 30 seconds to solve a reCAPTCHA. That needs
a citation.

~~~
michaelt
In Firefox, log out of your google account, block cookies and enable the anti-
fingerprinting features. Or just browse with Tor Browser.

You will start getting challenged more often, you'll find you're asked to
solve several multi-select challenges in a row even if you get them right, the
multi-select challenges will replace tiles after you select them, and the
tiles will start fading in and out very slowly.

See
[https://www.youtube.com/watch?v=en5KSZSpDFY](https://www.youtube.com/watch?v=en5KSZSpDFY)
for an example video.

These are (AFAIK) intentional features deployed Google - you just don't see
them if they can already track you via something like your Google account.

~~~
brokensegue
Ok I did as you suggested and then went to
[https://www.google.com/recaptcha/api2/demo](https://www.google.com/recaptcha/api2/demo)

Took me all of 5 seconds to solve

~~~
cyphar
Try using Tor and a real website that is using reCAPTCHA (I don't think they
have their actual scoring system enabled on the demo). GP posted a link to a
video of someone solving a single reCAPTCHA prompt for 2.5 _minutes_. I also
regularly have to solve several CAPTCHAs in a row, often with increasing
levels of image distortion.

Before being so brazenly dismissive of other people's experiences, take the
few measly minutes it would take to actually try it out. Even doing a simple
Google search with Tor Browser usually gives you a reCAPTCHA to solve.

~~~
brokensegue
> being so brazenly dismissive of other people's experiences, take the few
> measly minutes it would take to actually try it out

?? I did try it exactly as was requested of me. I didn't know where to find a
recaptcha so I went to the demo page.

It's possible the video is the result of a bug and not normal behaviour. I
wouldn't know as I don't often browse with tor.

~~~
jraph
I've experienced that in the past, without using tor, but using Firefox. I go
to great lengths to block anything Google. Google Fonts, Google CDNs (and I
now use Decentraleyes so CDNs are mostly not even reached). I have to
explicitly unblock reCAPTCHA scripts for it to even work - or use a clean and
disposable browser profile. I've occasionally seen the behavior on the video
when I really need to access the page (though usually I just complain to the
webmaster).

I once had to request a new password for my online bank account. I ended up
asking the bank manager to reset my password, pretending that reCAPTCHA is
preventing me from resetting the password myself. My bank is not paying me for
solving captchas for Google's benefit (this is so screwed up…).

The biggest offender is CloudFlare for me.

------
Spooky23
I prefer the newer captchas personally.

------
midnightdiesel
Google sucks nowadays. So much of what it does just makes technology and the
web worse, not better.

------
anonu
tldr: Author claims reCAPTCHAs will get incrementally harder and force users
to do strange things like turn on their webcams or open other devices to
confirm their identity. Eventually people will pay Google to bypass the
system.

All plausible...

------
sieabahlpark
The current new captcha is invisible. It's no less evil since Google
recommends to put it on all your pages...

~~~
andrewl-hn
Well, it's only invisible if all pages / tabs you visit share the same cookie
/ session store. With browsers implementing more and more of privacy-focusing
features this becomes less and less frequent.

If I use Safari private mode (each tab has its own cookie store) or Firefox
with containers and cookie auto delete extension every tab I open, every page
I visit gets a brand new Google session. Obviously, Google treats my like a
bot.

------
tanzbaer
Not true. Google has made a new capture system that only requires you to click
a checkbox.

~~~
cyphar
Try using Tor with one of those captchas -- you will get a whole load of
puzzles and picture matching goodness (usually having to solve multiple in a
row). It can easily take me several minutes to pass a reCAPTCHA challenge when
using Tor. And even then, sometimes Google will even refuse to give you a
challenge _at all_!

------
Jagat
Hmm I don't know. It's been 10 years since I've been hearing that self driving
cars are right around the horizon. And we now know we're nowhere close to it.

If this recaptcha helps google, or for that matter, any company, accelerate
their self driving capability, I'd fully support it.

~~~
djsumdog
Billions of tax dollars and breaks are going to self-driving research, which
is fucking insane. America needs to build back it's public rail
infrastructure. Passenger rail is a solved problem, and the US use to have
more passenger rail that Europe. We have one of the best freight rail systems
in the world, but we have high speed rail in New England and Florida. That's
it. Maybe California if they can get their shit together.

I wrote an article about this before, and talk about how even if you had a
four lane high way with nothing but self driving cars, all filled and
traveling at 120kph bumper to bumper, you wouldn't even come close to
approaching 10% of the capacity of a single track metro light rail line
running with 2 minute headway (during rush hour headways can be less than
2min, and with automated systems like those in Singapore and the new ones
coming to London's underground--DLR is already automated--you can get headways
of less than a minute or even 30 seconds)

[https://penguindreams.org/blog/self-driving-cars-will-not-
so...](https://penguindreams.org/blog/self-driving-cars-will-not-solve-the-
transportation-problem/)

Sure self driving cars could help in Europe with the last leg where they have
real transport infrastructure, but the US is so far behind that successful
self driving cars would just add to grid-lock.

~~~
manigandham
This discussion has been well hashed before, but comes down to the US being
very big. People are far more spread out here than anywhere in Europe or Asia.
This also makes last-mile transport even more critical if you aren't close to
the station. The distances also drive up the cost and waits between trains,
further reducing ridership.

High-speed mid/long distance passenger rail just isn't viable given our
population densities, and we already have metros/subways/light-rail in core
metropolitan areas. Without major construction with hundreds of new lines and
a shift in city planning, it's unlikely to ever change in the US.

~~~
djsumdog
That is the worst possible argument. Australia has a fraction of our
population and every one of their capitals (except for Darwin and Hobart) has
a very good rail system. Sure they don't have high speed, but they could
easily saturate a Sydney to Melbourne high speed route (if Melbourne didn't
waste a few billion on their ticketing system).

Russia has high speed rail and it's less dense than the United States. China
created their high speed system in less than a decade.

This argument comes up all the time and it's so poor. The United States use to
have more passenger rail than Europe does now! You build light city rail and
immediately, new housing and commercial stuff pops up around it. It can
potentially reduce drunk driving as well.

The US/density argument is really tired and just doesn't hold up when you
really look at it.

~~~
manigandham
We _do_ have passenger rail, it's not fast but you can travel the whole
country. We also do have intra-city surface and underground lines.

The issue of why we don't have _more_ and _faster_ rail is a multifactorial
problem of city size, zoning, spread, and alternate transportation. The US
only has 3 major population centers, and they're very wide. The rest of the
population lives in thousands of small and midsize cities spread far apart.

This is the worst combination for expensive railways and stations, and
requires solid last-mile coverage. This means cars, and if you have cars then
they already provide similar speeds, better coverage, more freedom, and lower
costs. The only feasible plan is high-speed long-haul that doesn't stop
anywhere in the middle, but demand for that is weak because people do live in
the middle, and air-travel is faster and cheaper at those distances.

Lower population with a few big cities like Australia is a much better fit. If
the US just had 3-5 major cities all along a single coastline then we would
also have a similar railway network.

