
Google’s new reCAPTCHA has a dark side - ProAm
https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side
======
dessant
Google has been doing the same with reCAPTCHA v2 [1]. They are aware of the
legal risk of outright blocking users from accessing services, so reCAPTCHA v3
contains no user-facing UI; Google merely makes a suggestion in the form of a
user score, so the responsibility to delay or block access and the legal
liability that comes with it falls on websites.

reCAPTCHA v2 is superseded by v3 because it presents a broader opportunity for
Google to collect data, and do so with reduced legal risk.

Since reCAPTCHA v3 scripts must be loaded on every page of a site, you must
send Google your browsing history and detailed data about how you interact
with sites in order to access basic services on the internet, such as paying
your bills, or accessing healthcare services.

It's needless to say that the kind of data that is collected by reCAPTCHA v3
is extremely sensitive. Those requests contain data about your motor skills,
health issues, and your interests and desires based on how you interact with
content. Everything about you that can be inferred or extracted from a website
visit is collected and sent to Google.

If you refuse to transmit personal data to Google, websites will hinder or
block your access.

[1]
[https://github.com/w3c/apa/issues/25](https://github.com/w3c/apa/issues/25)

~~~
benreesman
Your comment adds a lot to the conversation, so I don’t want to be more
contrary than necessary.

It’s nonetheless a shame that it’s so universally misunderstood how
ad-supported megacorps make their money that even highly sophisticated users of
the web still talk about the value of personal data (source: I ran Facebook’s
ads backend for years).

Much like the highest information-gain feature for the future price of a
security is its most recent price: ad historical CTR and user historical CTR
(called “clickiness” in the business) are basically the whole show when
predicting user cross ad CTR. The big shops like to ham up their data
advantage with one hand (to advertisers) while washing the other hand of it
(to regulators).

As with so many things Hanlon’s Razor cuts deeply here: if your browsing
history can juice CTR prediction then I’ve never seen it. I have seen careers
premised on that idea, but I’ve never seen it work.

~~~
__jal
> It’s nonetheless a shame that it’s so universally misunderstood how
> ad-supported megacorps make their money that even highly sophisticated users of
> the web still talk about the value of personal data (source: I ran
> Facebook’s ads backend for years).

That may be the case for some people, but that is not my complaint, nor that
of many folks I know.

I simply don't care how FB, Google and other surveillance outfits make money.
I don't care about marketers' careers or their CTRs. I don't even care about
putting a dollar value on my LTV to them.

I care about denying them visibility into my datastream. It is zero-sum. They
have no right to it, and I have every right to try to limit their visibility.

Why? None of your business. Seriously - nobody is owed an explanation for not
wanting robots watching.

But I will answer anyway. It is because of future risks. These professional
panty sniffers already have the raw material for many thousands of lawsuits,
divorces and less legal outcomes in their databases. Who knows what particular
bits of information will leak in 10 years, or when FB goes bankrupt? I have no
desire to be part of what I suspect will become a massive clusterfuck within
our lifetimes.

If you're correct that this data has so little value, then it is _more_ likely
it will leak. FB and Google are the equivalent of Superfund sites waiting to
happen, and storing that data should be considered criminal.

~~~
benreesman
You could either stop using these services or (as I suspect you find them too
valuable to dismiss entirely) quarantine them to a VPN/incognito interaction in
less time than it took to type that comment.

I don’t want to single you out personally but there’s a broad trend on HN of
bitter-sounding commentary on the surveillance powers of these companies by
people who can easily defeat any tracking that it’s economical for them to
even attempt let alone execute that reeks of sour grapes that a mediocre
employee at one of these places makes 3-20x what anyone makes (as a rank and
file employee) anywhere else.

Again, you’re not likely part of that group, but seriously who hangs out on HN
and can’t configure a VPN?

~~~
kbenson
> You could either stop using these services or

How do you stop using a service when you have little or no indication that it
does something like this beforehand, and afterwards the privacy is already
gone?

If I use a site and view my profile page and the url contains an account id or
username and some google or facebook analytics is loaded, or a like button is
sitting somewhere, how am I to know that before the page is loaded? What if
I'm visiting the site for the first time after it's been added?

It doesn't even matter if I have an account on Google or Facebook, they'll
create profiles for me aggregating my data anyway.

> quarantine them to a VPN/incognito interaction

Which does very little. I spent a few hours this morning trying to get a
system non-unique on panopticlick, but the canvas and WebGL hashing is enough
to dwarf all the other metrics. There are extensions to help with that, but
for the purpose I was attempting, were sub-optimal (and the one that seemed to
do time-based salting of the hashes wasn't working right).

So, I don't have any confidence that a VPN and incognito really does much at
all.

~~~
KirinDave
> How do you stop using a service when you have little or no indication that
> it does something like this beforehand, and afterwards the privacy is
> already gone?

It is small comfort for the average user, but the way you do it is use
noscript. It makes the web _awful_, sure, but it won't happen to you.

> It doesn't even matter if I have an account on Google or Facebook, they'll
> create profiles for me aggregating my data anyway.

I sort of wonder what you envision this actually meaning. If I spam your
website and you add a DoS filter for my IP, should I complain you made a
profile of me? If when a user tries to log in I check the referrer to see if
it contains a proper URL, have I violated your privacy?

~~~
kbenson
> I sort of wonder what you envision this actually meaning.

I mean it to respond to the common response people sometimes give in
conversations like these, which is "that's why I don't use Facebook" or
"that's why I stopped using Google services". For this conversation, whether
you use Facebook or not is irrelevant, they still gather your information, and
in the same way myriad other advertisers (or however they bill themselves) do
through online tracking. Google and Facebook are large, and have a portion
that's easily visible, but they are not the whole problem by a long shot.

> If when a user tries to log in I check the referrer to see if it contains a
> proper URL, have I violated your privacy?

No. Noting which door a customer came into your store seems fine to me. That
by default customers come in wearing the logo of the last store they visited
is weird, but entirely something they can control. Having people shadowing all
your customers while in the store looking and listening for tidbits they can
report back on to get more info about those people is pretty creepy. As you
suggest, the way to get around _most_ of that is to dress blandly and say
nothing.

Here's the thing, we're a market economy. There's a transaction going on,
where we're trading away something (our information and privacy) to a company
for some product, or possibly the right to view a product we might consider
buying. How many people are actually aware of this transaction? If they aren't
aware of the transaction, there's a name for that when it's a regular good,
and it's theft (or fraud). The difference here is that most of our government
systems don't apply any rights of ownership to this information, so our
regular rules don't apply. I admit, they may not make sense to apply entirely,
but at the same time, it's obvious that something is lost in the transaction,
whether the person losing it realizes it at the time, or views it as important
enough to make a big deal about when they notice.

~~~
KirinDave
> Google and Facebook are large, and have a portion that's easily visible, but
> they are not the whole problem by a long shot.

I meant more like in a literal sense, but okay. Point taken.

> No. Noting which door a customer came into your store seems fine to me. That
> by default customers come in wearing the logo of the last store they visited
> is weird, but entirely something they can control. Having people shadowing
> all your customers while in the store looking and listening for tidbits they
> can report back on to get more info about those people is pretty creepy. As
> you suggest, the way to get around most of that is to dress blandly and say
> nothing

These human metaphors are powerful, but don't map at all to basic analytics
concepts. There is no person watching you. There is no intelligence judging
you. There are a series of conditions in a deterministic system provoked by
your actions. If we _could_ have done this before now, we _would_ have because
it's a whole hell of a lot more ethical.

> Here's the thing, we're a market economy.

I dunno where you are but I'm in the US which is most definitely not "a market
economy" without a whole hell of a lot of qualifiers.

> There's a transaction going on, where we're trading away something (our
> information and privacy) to a company for some product, or possibly the
> right to view a product we might consider buying. How many people are
> actually aware of this transaction?

Roughly as many, I imagine, as folks who realized the shopkeeper could see
them enter and leave. Most folks know local proprietors can and will kick you
out and put up a photo if you act up.

> The difference here is that most of our government systems don't apply any
> rights of ownership to this information, so our regular rules don't apply.

This is just flatly false. I don't know what you're thinking writing this, but
it's clearly neglecting copyright and patents. For what it's worth, I think
the latter is a bad system and the former is in desperate need of reform to
sharply limit it.

> it's obvious that something is lost in the transaction, whether the person
> losing it realizes it at the time, or views it as important enough to make a
> big deal about when they notice.

I am trying to read your comment in the spirit it was intended rather than the
literal delivery, so please forgive me if there is a subtle impedance mismatch
here but...

Welcome to the future, I guess? The top 50% earners of the world have access to
computers that would have once bankrupted a nation to produce, and the options
are still surprisingly good for the next quartile. With that power, it means
that the people around you are going to _start noticing things and making
decisions about them_ with the information they can now process.

Ideally, this will be a distributed thing, but right now due to the nature of
our society, authority of this sort is highly concentrated. But the dam has
broken. A total surveillance system for up to a modestly sized city, with
realtime tracking and long term data storage, is well within the reach of
anyone with $10000USD to spend on hardware. They can self-host it. _The
banality of this cannot be overstated._ It's boring to do this now. It's not
new ground. So much so that average people can monitor their homes with it, or
know if their friends have gone missing with it.

To some extent, there is just no undoing this. Society will have fewer secrets
and those secrets will be much more deliberate, and the only response that can
work is to change your attitude.

~~~
kbenson
> There is no person watching you. There is no intelligence judging you. There
> are a series of conditions in a deterministic system provoked by your
> actions.

I don't think it's creepy because there's a (theoretical) person watching me,
I think it's creepy because they're cataloguing all my actions in a systemic
way which pierces the veil of perceived privacy (mostly through anonymity).

> I dunno where you are but I'm in the US which is most definitely not "a
> market economy" without a whole hell of a lot of qualifiers.

I'm not sure how to respond to this without a specific criticism of how you
think it's incorrect. That said, it's somewhat tangential to the point, even
if it would be an interesting conversation.

> Roughly as many, I imagine, as folks who realized the shopkeeper could see
> them enter and leave.

I don't know. If every time I entered my local 7-eleven someone picked up a
clipboard, flipped to a specific page, looked back at me, nodded to their self
and then marked something on the page, I might decide to go somewhere else, at
least most the time. If I knew the info was shared with all the other
7-elevens, and the local grocery chain, and some hardware stores, that makes
me want to use all the places less.

> This is just flatly false. I don't know what you're thinking writing this,
> but it's clearly neglecting copyright and patents. For what it's worth, I
> think the latter is a bad system and the former is in desperate need of reform
> to sharply limit it.

I said "this" to qualify what I was referring to (personal information) and
distinguish it from other types of protected information, of the type you
reference.

> To some extent, there is just no undoing this. Society will have fewer
> secrets and those secrets will be much more deliberate, and the only
> response that can work is to change your attitude.

I don't think that's the _only_ response that can work. It's the only one that
works completely, as deciding to not care is always a solution to caring, if
you can pull it off.

The alternative is new laws. Are they perfect? No. Will they solve the problem
adequately? Likely not. Do they have a chance of making a positive difference
across the board for massive amounts of people by empowering them with regard
to their own information? I dunno. Maybe? I think it's worth pushing for
though. Otherwise, why do we have minimum wage and labor laws? At some point
we could have thrown our hands up and said "screw it" about that stuff, but
people pushed for it, and while they aren't perfect, I think we're all better
off for them.

I don't believe there will be any perfect solution to this ever, or even a
good or acceptable solution all that soon. I do think it's still worth raising
my voice over, because I think there are some possible futures that are better
than others with regard to privacy and personal information, and I think
that's worth pushing towards.

------
superasn
There are a lot of sites that are totally unusable on Firefox regardless how
much you use ff.

I do all my mobile browsing on FF yet when I try to use some websites I always
get this Recaptcha failed error(1) while it works flawlessly on chrome though
I never use it often. Try it, maybe it will happen for you too.

Same happens on most sites which show you that "checking your browser" page
via cloudflare too.

The web is very unusable unless you're using chrome because of such antics.

(1)
[https://cdn3.imggmi.com/uploads/2019/6/27/0dd96b25707ce6e236...](https://cdn3.imggmi.com/uploads/2019/6/27/0dd96b25707ce6e236b9bfbdf3f3c82e-full.jpg)

~~~
ulfw
It's even worse when you're running a VPN (especially one of the major public
ones). When I see reCAPTCHA I basically give up as sometimes I have to go
through 6 or 7 full sets to be let into a site. It's the evil of the internet
this.

~~~
oil25
reCAPTCHA on VPN is difficult, but on the Tor network, they are downright
impossible. I've never been able to get past it, even after a few dozen
painful attempts. That means Google services are entirely off-limits over Tor,
even Search, which is a disgrace.

~~~
jimmaswell
You can hardly blame anyone for blocking Tor traffic. You might not be using
it for abuse but a large volume of abuse originates from it.

~~~
verisimilitudes
> You can hardly blame anyone for blocking Tor traffic.

Yes I can and do. It's bad enough that some websites won't let you do certain
things over Tor, but preventing access to the website entirely is
unacceptable. I made this account and comment entirely over Tor.

I don't see how it's okay to block Tor. That generic claim is made, but how
are your spam measures doing if you couldn't handle Tor spam?

> You might not be using it for abuse but a large volume of abuse originates
> from it.

There is infinitely more ''abuse'' coming from Google, and yet it seems most
every page I visit contains Google malware.

On principle, I hold the idea that Tor should be a first-class citizen and not
disadvantaged in any way. Notice that Google's ''HTTP/3'' is over UDP, which
Tor doesn't work with; I don't find that a coincidence.

~~~
judge2020
[https://blog.cloudflare.com/the-trouble-with-tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

> like all IP addresses that connect to our network, we check the requests
> that they make and assign a threat score to the IP. Unfortunately, since
> such a high percentage of requests that are coming from the Tor network are
> malicious, the IPs of the Tor exit nodes often have a very high threat
> score.

------
cbsks
You can view your reCaptcha V3 score here:
[https://recaptcha-demo.appspot.com/recaptcha-v3-request-scor...](https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php)

I get .7 on my iPhone, I’m guessing that my liberal use of Firefox containers
and the cookie auto-delete extension on my desktop will give me a much lower
score and cause me to have to jump through extra hoops at websites that
implement it, just like the reCaptcha V2 does.

Edit: I also got 0.7 on Firefox with strict content blocking (which is
supposed to block fingerprinters), uBlock Origin, and Cookie AutoDelete. I get
0.9 from a container which is logged into Google.

~~~
danShumway
With Firefox fingerprint resisting turned on and with Ublock Origin/UMatrix, I
get a score of 0.1. And I'm not even on a VPN; I'm sure on my home network I'd
have an even lower score.

To me, it feels like Google's entire strategy behind reCaptcha is to make it
harder to protect your privacy. We've basically given up on the idea that
there are tasks only humans can do, and to me V3 feels like Google openly
saying, "You know how we can prove you're not a robot? Because we literally
know exactly who you are." I don't even know if it should be called a captcha
-- it feels like it's just identity verification.

I don't think this is an acceptable tradeoff. I know that when reCaptcha shows
up on HN there's often a crowd that says, "but how else can we block bots?"
I'm gonna draw a personal line in the sand and say that I think protecting
privacy is more important than stopping bots. If your website can't stop bots
without violating my privacy, then I'm starting to feel like I might be on the
bots' side.

~~~
fasicle
Not sure how much Ublock Origin makes a difference. I have a score of 0.9 with
it turned on.

~~~
asdff
I think this score is fishy. Ran the test three times and got three different
scores.

~~~
ravenstine
I get the exact same score no matter what browser I use, despite uBlock Origin
& Privacy Badger & Decentraleyes, even in private mode and with a VPN
connection from a country I normally don't use. Hmmmmm...

------
seieste
There are government services, such as the USPTO, that rely on Google
reCAPTCHA. The new reCAPTCHA has made it difficult for me to access documents,
and sometimes they think that I'm a bot and thus deny me access entirely.

Does the government realize the consequences of this? Both that it pushes
users to use Chromium-based browsers, and that they're helping to solidify a
company that already has a near monopoly in the browser space?

Further, this quote is very creepy:

> To make this risk-score system work accurately, website administrators are
> supposed to embed reCaptcha v3 code on all of the pages of their website,
> not just on forms or log-in pages.

With AMP, Google Ads, and reCAPTCHA, Google now has access to pretty much
everything that people do on the web.

~~~
nullc
I was amused that Elizabeth Warren's campaign site wouldn't display the
content for me unless I permitted scripts from google.com (w/ umatrix) since
she is promoting breaking up google.

~~~
aleksei
Although you can be pro break-up-Google while using one, or even many, of
their services.

So I don't really see the amusement.

~~~
pkaye
The belief these days is that when someone does something wrong everyone must
shun them and not do business with them. Her website didn't have to use Google
services as there are many alternatives.

------
cracker_jacks
The other tradeoff is you're giving Google an extraordinary amount of power to
decide who is allowed and not allowed on your website with no transparency on
how this decision was made. Not sure what company is willing to blindly trust
Google with that power.

~~~
cyphar
Unfortunately, the answer is (basically) all of them. Combined with
CloudFlare, even websites that aren't explicitly making that decision are
still opting their users into both CloudFlare and Google's tracking.

I use Tor fairly regularly and it's a complete nightmare. I sometimes spend
5-15 minutes solving reCAPTCHA (since your Tor circuit changes every 10
minutes this can result in having to solve the reCAPTCHA several times).

~~~
crankylinuxuser
Crummy solution, but get the FF user agent switcher in TBB.

And then set it to Windows/Chrome. And all those Scroogle-captchas are
easy-peasy.

~~~
byonge
can you expound on this? not sure I grok

~~~
crankylinuxuser

         1. Download Tor Browser Bundle
         2. Connect to the Tor network
         3. Download a user-agent switcher in the plugin store in TBB
         4. Change user-agent to "windows, chrome"

------
rbritton
I'm torn on this. reCAPTCHA v2 (mostly useless[0]) and v3 function largely on
browser fingerprinting plus a few other heuristics (e.g., whether or not you
have a Google cookie). Any meaningful privacy measures to resist
fingerprinting end up with a low reCAPTCHA score. I personally run into a wall
on most sites using it.

That said, it's one of the most effective means of combatting automated spam
and credential stuffing attacks. In a recent implementation I did, having 2FA
active for your account bypasses the captcha requirement, but the vast
majority of users are still too non-technical to use 2FA and are subject to
the frustrations of reCAPTCHA.

[0]: [https://github.com/dessant/buster](https://github.com/dessant/buster)

~~~
gcbw2
It is used irresponsibly.

A responsible spam protection system should allow every spam (and
consequentially responsible user) from an ISP.

If an ISP shows signs of abuse, then show Captcha or other system that will
block some spam _while also blocking some valid users_. This is an
evil-for-the-greater-good solution. Do _not_ fool yourself into thinking this is a
_solution_ (i.e. without caveats).

Impacted users can complain to both the service provider (you) _and_ their
ISP. And that failing, switching their ISP (i.e. voting with their wallet
--how that happens in a monopoly is another discussion)

Bottom line, if you show captcha for all users (even for ISPs that are now
showing signs of spam) you are _intentionally_ blocking some users for no good
reason. And you are part of the problem. Sadly, this includes the US
government as they blanket censor all their forms (from visa request to DMV
visits) behind Google(R) captcha(tm) at all times.

~~~
remus
It seems that your suggestion is that ISP is a good signal for detecting spam,
but it's not obvious to me that this is true. For example a site targeted by a
botnet could be hit with traffic from a wide range of otherwise legitimate
looking ISPs, in which case you're going to be getting a lot of spam on your
website.

~~~
rbritton
In our experience, country of origin is a better heuristic for possible abuse
than an individual ISP is. Most malicious traffic comes from a fairly small
number of countries, many of which are the obvious culprits. That kind of data
is never guaranteed accurate, though.

------
jcomis
I hate the v3 reCAPTCHA. On FF, I usually KNOW I am answering correctly and it
says I failed. I always have to go through it multiple times. It's maddening.
It often leaves me second guessing myself... is that sliver of car counted? is
a crossing signal a street light? What about those streetlights way off in the
distance, do I select those two in addition to the ones front and center? That
RV looks sort of like a bus, should I select that too?

~~~
gok
It's not really about getting the questions right. The challenges they present
aren't that hard for modern computer vision systems. It's more about verifying
that you consider the question for a "human" amount of time, make your mouse
move like a human might, etc.

~~~
stirfrykitty
Captchas are hell on the blind and vision impaired. There are add-ons for
this, but they mostly suck. Things like Webvisum exist but they are invite
only.

------
mrosett
The subheadline gets it right:

> It’s great for security—but not so great for your privacy.

For individual users, security and privacy frequently go hand-in-hand. But for
site operators, user privacy makes security a lot harder. The more you know
about a user, the easier it is to figure out if they're an adversary.

------
writeslowly
Wouldn't reCaptcha V3 also make things much more difficult for Google
competitors, assuming that site owners place it on every page? I'm guessing it
will block any sort of scraper (since scraper access patterns don't look
human) with some sort of whitelist for Google's scrapers.

~~~
luckylion
They typically won't completely deny access, but only disallow certain actions
(posting a comment etc). All out denying access will likely get site owners
into trouble, at least in the EU - you need to be able to access privacy
information, publisher info etc. I'm also not sure whether non-opt-in usage of
recaptchav3 is GDPR compliant.
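
An added example (not from the thread, and not Google's code) of a site-side policy that treats the v3 score as a suggestion, gates only specific actions instead of denying access, and skips the check for accounts with 2FA, as several comments above describe. The `siteverify` endpoint and its `success`, `score`, `action` and `hostname` fields are Google's documented API; the thresholds, action names, hostname and sample verdicts are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from enum import Enum

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # fall back to e-mail confirmation or a second factor
    HOLD = "hold"        # accept the submission but queue it for moderation


# Assumed site policy (constructed): read-only pages are never gated, and a
# low score degrades to a fallback path instead of a hard block.
UNGATED_ACTIONS = {"view_page", "privacy_policy", "publisher_info"}
THRESHOLDS = {"login": 0.5, "checkout": 0.7, "comment": 0.3}
FALLBACK = {"login": Decision.STEP_UP, "checkout": Decision.STEP_UP,
            "comment": Decision.HOLD}


def fetch_verdict(secret, token, timeout=5):
    """POST the client token to siteverify and return the parsed JSON verdict."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def decide(action, verdict, expected_hostname, has_2fa=False):
    """Return (Decision, reason) for one request; never returns a hard block."""
    if action in UNGATED_ACTIONS:
        return Decision.ALLOW, "read-only action is never gated"
    if action not in THRESHOLDS:
        raise ValueError(f"no policy for action {action!r}")
    if has_2fa:
        return Decision.ALLOW, "account has 2FA; score not consulted"
    fallback = FALLBACK[action]
    if not isinstance(verdict, dict) or verdict.get("success") is not True:
        return fallback, "verification failed or unavailable"
    # A token minted on another site or for another action must not be
    # accepted here, whatever its score.
    if verdict.get("hostname") != expected_hostname:
        return fallback, "token was issued for another hostname"
    if verdict.get("action") != action:
        return fallback, "token was issued for another action"
    score = verdict.get("score")
    if (isinstance(score, bool) or not isinstance(score, (int, float))
            or not 0.0 <= score <= 1.0):
        return fallback, "missing or malformed score"
    if score >= THRESHOLDS[action]:
        return Decision.ALLOW, f"score {score} >= {THRESHOLDS[action]}"
    return fallback, f"score {score} < {THRESHOLDS[action]}"


# Constructed siteverify responses; the scores mirror values commenters
# reported in this thread (0.1 with fingerprint resistance, 0.7 on a phone).
SAMPLE_JSON = """
{"fingerprint_resisting_browser":
   {"success": true, "score": 0.1, "action": "comment", "hostname": "shop.example"},
 "phone_browser":
   {"success": true, "score": 0.7, "action": "checkout", "hostname": "shop.example"},
 "expired_token":
   {"success": false, "error-codes": ["timeout-or-duplicate"]}}
"""
SAMPLES = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for name, verdict in SAMPLES.items():
        action = verdict.get("action", "login")
        decision, reason = decide(action, verdict, "shop.example")
        print(f"{name:32} {action:9} -> {decision.value:8} ({reason})")
```
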

------
dheera
I guess another question is why we really need captchas. What are we trying to
protect against that can't be accomplished with rate limits, voting systems,
or other ways to regulate meaningful use of a website?

Ultimately why does it matter if the user is a human or bot, as long as they
are being a valuable user? What's wrong if a bot buys some of your inventory,
pays for it and everything? What's wrong if an NLP bot responds to discussion
threads with scientific facts and citations?

~~~
dangrossman
> What's wrong if a bot buys some of your inventory, pays for it and
> everything?

100% of the time, a bot buying things from a store is doing so to test a
database of stolen credit cards the bot's owner has purchased/stolen.
Accepting those sales means you'll get hit with chargebacks a few weeks later
as the real owners of those cards see their statements. Then your store gets
shut down for exceeding the maximum 1% chargeback ratio mandated by Visa and
MasterCard. So preventing this scenario matters a lot, and when someone
targets one of my stores for testing like this, enabling a CAPTCHA on the
payment page is one of several, often-essential mitigations. Blocking IPs,
blocking whole countries, including a nonce in the form, etc are on their own
insufficient most of the time: the readily-available tools for this kind of
attack already handle rotating IPs, retrieving a new form nonce on each try,
spoofing the proper referrer, etc.

~~~
mrguyorama
Our company has industry leading fraud rejection rates and we don't use
captcha at all

~~~
spicytunacone
Would you be able to say how your company accomplishes that?

~~~
mrguyorama
Honestly, statistics from about 2010 (ie before the age of neural network
hype) and limited human observation.

~~~
benologist
Human moderation and ad-hoc heuristics seem to make the difference at Reddit
too, rather than the CAPTCHA at registration.

~~~
judge2020
I get a recaptcha when trying to sign up for a new account:

[https://i.judge.sh/Flutter/45DyMRuL.png](https://i.judge.sh/Flutter/45DyMRuL.png)

maybe this is related to some other heuristic they're using for determining
whether or not to show recaptcha (although this is in a no-extension Chrome on
a residential IP address).

~~~
benologist
Right, they have that at registration but it's either superfluous or it only
catches the really easy stuff because they rely on an army of human moderators
who spend all day cleaning up after bad actors able to click buses.

------
LinuxBender
So this is probably a bit off topic, but why don't more site owners just
create their own unique anti-spam system? In my opinion, if they were simpler,
yet all unique, there would be fewer bots that could mass spam and privacy
would be improved.

Even something as simple as a question: "How many legs does a spider have?"
____

And then cycle through different types of free form questions of things that
most people should know. Perhaps block the IP after {n} failed attempts for an
hour.
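
A sketch of the scheme proposed above, added here as an example and not taken from any commenter's site: a rotating free-form question, with the IP locked out for an hour after {n} failed attempts. The question pool, the token format and all names are constructed assumptions; state is kept in memory for one process, and a shared IP (VPN, Tor exit) is locked out as a unit.

```python
import hashlib
import hmac
import secrets
import time

# Constructed question pool; a real deployment needs a far larger, rotating one.
QUESTIONS = [
    ("How many legs does a spider have?", {"8", "eight"}),
    ("How many days are in a week?", {"7", "seven"}),
    ("What colour is a ripe banana?", {"yellow"}),
]


class QuestionGate:
    def __init__(self, key, max_failures=3, lockout_seconds=3600,
                 token_ttl=300, clock=time.time):
        self.key, self.max_failures = key, max_failures
        self.lockout_seconds, self.token_ttl = lockout_seconds, token_ttl
        self.clock = clock
        self._failures = {}      # ip -> (count, time of first failure in window)
        self._locked_until = {}  # ip -> unix time at which the lockout ends
        self._spent = set()      # nonces already answered (grows; prune in production)

    def _mac(self, ip, idx, expires, nonce):
        # Binding the IP into the MAC stops a token being answered elsewhere.
        msg = f"{ip}|{idx}|{expires}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def is_locked(self, ip):
        return self._locked_until.get(ip, 0) > self.clock()

    def issue(self, ip):
        """Return (question, token), or None while the IP is locked out."""
        if self.is_locked(ip):
            return None
        idx = secrets.randbelow(len(QUESTIONS))
        expires = int(self.clock()) + self.token_ttl
        nonce = secrets.token_hex(8)
        token = f"{idx}.{expires}.{nonce}.{self._mac(ip, idx, expires, nonce)}"
        return QUESTIONS[idx][0], token

    def _record_failure(self, ip, now):
        count, first = self._failures.get(ip, (0, now))
        if now - first > self.lockout_seconds:  # old failures age out
            count, first = 0, now
        count += 1
        if count >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            self._failures.pop(ip, None)
        else:
            self._failures[ip] = (count, first)

    def check(self, ip, token, answer):
        """Return 'ok', 'wrong', 'invalid' or 'locked'."""
        now = self.clock()
        if self.is_locked(ip):
            return "locked"
        try:
            idx_s, exp_s, nonce, mac = token.split(".")
            idx, expires = int(idx_s), int(exp_s)
        except (AttributeError, ValueError):
            self._record_failure(ip, now)
            return "invalid"
        expected = self._mac(ip, idx, expires, nonce).encode()
        forged = not hmac.compare_digest(mac.encode(), expected)
        if forged or expires < now or nonce in self._spent:
            self._record_failure(ip, now)
            return "invalid"
        self._spent.add(nonce)  # single use, whether right or wrong
        if answer.strip().lower() in QUESTIONS[idx][1]:
            self._failures.pop(ip, None)
            return "ok"
        self._record_failure(ip, now)
        return "wrong"
```
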

~~~
mxcrossb
I think this would fail under any directed attack. It’s too hard to generate a
database that’s large enough.

~~~
lucb1e
This is the answer. It seems that most website owners are somehow super scared
of a targeted attack, since it is indeed trivial to bypass (and they realize
that), even if nobody will take the time.

I've heard stories from people that own small sites and still have someone
targeting the site with custom scripts, but never anyone I know (not even a
friend of a friend, only ever random people on the internet). But there is
also the (much larger, from what I can tell) group of people that never had
these issues. But people don't like risks, and installing a tracking captcha
from google is made very easy. "Everyone does it, that ought to work!"
(Meanwhile I hear of a 90% success rate from a recaptcha browser plugin, but
who cares about that right?)

~~~
marcosdumay
I've received attacks from custom scripts to post spam in a blog that
nobody read. I changed my custom robots tests a couple of times, and each time
it took a few days for the bots to adapt. At the end I removed the comments
section, so there was nothing to attack.

~~~
lucb1e
This is exactly the kind of story I'm talking about. I'm sorry about your
experience, I don't doubt that you're real, but this is the kind of
confirmation/hindsight bias that makes people misjudge risks. I expect you are
an outlier, but I have no idea.

Might be interesting to poll random people that have websites with <100 unique
visitors a month for this sort of thing to get us any sort of idea of how
necessary an invasive CAPTCHA like Google's is.

------
vasili111
Disabling the browser API that adblockers/privacy protectors use. Fingerprinting
users with ads at stackoverflow. Now collecting information on how users navigate
webpages. This is a scary trend.

 _And I am not speaking here about how Android and Android apps (which is
allowed by Google) track users._

------
jk2faster
[https://hcaptcha.com/](https://hcaptcha.com/) seems to be a viable
alternative. If you are a developer, please consider using something other
than reCaptcha. Not only is it annoying, but a privacy nightmare as well.

~~~
judge2020
> earns website owners money

> an open decentralized protocol for human review that runs on the Ethereum
> blockchain.

Is this basically a JS crypto miner?

~~~
amirhirsch
We provide dataset annotation services and pay out to sites based on what
companies pay us.

~~~
judge2020
I guess the big question is accuracy -

If you have a brand new dataset, couldn't bots assess the first few thousand
images randomly and get through (since there is little or no basis for what is
an accurate selection)? And if they do, how would that affect future real
human selections (assuming it learns over time what selections are accurate)?

Another concern is that it's very likely that Google's existing Cloud vision
ML could handle most classification challenges your clients are trying to
train (since you're basically working against a much wider-deployed mechanical
turk dataset, recaptcha). High-profile websites (such as ecommerce sites) may
have attackers (such as those with stolen CC's) willing to spend the money
needed to run all of your images through Cloud Vision. So I guess my question
is: are other data points collected to prevent bots from getting through?

I would understand if you can't answer some of these as they may fall under
"trade secret" territory.

~~~
amirhirsch
I work on bot detection, so I should be careful not to leak all of our
approaches, email me at amir@imachines.com and we can have a more in depth
offline conversation.

Since our captcha provides an opportunity for website monetization, we expect
different uses aside from just bot detection, for example as a replacement for
the "disable ad-blocker" popup or replacing paywalls with micropayments. This
means there will be a broader set of users who are not strictly focused on
attacking our dataset and polluting it with bad results. This allows us to
have a confidence model initially based purely on the site.

Having a state-of-the-art AI is table stakes for a captcha product. We already
run our datasets through visual recognition systems and run our captcha with
an AI model-in-the-loop. In beta now, we offer websites under attack offline
bot data in the background, currently as a batch report, and soon as a
webhook. This approach has a game theoretic advantage of not leaking results
to attackers, and allows us to run non-causal analysis of different attacks
over a wide period of time. By combining this approach with a variety of
rotating challenges we can identify patterns of behavior consistent with bots
as they continue their attack strategy against only the mix of challenges they
have seen.

There are also services where you can pay for people to solve captchas for you
and this is a different sort of attack from bots, since they are in fact
humans signing up for hundreds of accounts. If your goal was to prevent
fraudulent signups, or to host a give-away for example, then we can have days
of time to perform an extensive analysis offline, and perform an epidemic
analysis of the traffic.

------
nkkollaw
Google is trying to kill the competition by purposely introducing weird bugs
here and there, taking advantage of the fact that they own the most visited
sites on the web.

They've been doing it for a while now, Tech Altar even had a video about it
the other day:
[https://www.youtube.com/watch?v=ELCq63652ig](https://www.youtube.com/watch?v=ELCq63652ig)

Along with the censorship and privacy issues, I guess it's time for them to
change their payoff, "don't be evil".

~~~
SlowRobotAhead
>I guess it's time for them to change their payoff, "don't be evil".

They dropped that years ago, literally and effectively.

~~~
nkkollaw
Ah, really—wasn't aware, thanks.

------
KirinDave
I'm... actually struggling to see what this dark side is. The data is
collected under a non-reuse agreement. It's specifically there to make a good
captcha. There are other captcha vendors, and they don't make that promise
(and I can think of at least one who admits they collect and resell data via
captcha).

So the downside here is that no one has a credible way to compete with Google?
Maybe because their Google cookie actually is a pretty good indicator of
humanity?

That's nonsense. Tons of people do. There's LOADS of great research on captcha
that isn't implemented by any vendor. The roadblock is that NO ONE WANTS TO,
because it's a thankless, unprofitable task that puts you dead in the
crosshairs of a ton of very organized people who will devote huge resources to
circumventing or breaking your offering.

"A land grab," sure. Of a nuclear wasteland covered in small arms battles.

~~~
feanaro
It's a land grab of the general web and browser market, not of the captcha
market. They're using the captcha to disincentivize users from using browsers
other than Chrome or from not having a Google account. And now with v3, it's
supposed to happen on every page of the web? It shouldn't be too hard to see
it's a disaster.

~~~
KirinDave
> They're using the captcha to disincentivize users from using browsers other
> than Chrome or from not having a Google account.

It has absolutely nothing to do with Chrome. And anyone who is sane has
switched to Firefox and is now patiently enduring how lousy it is by
comparison because ad blockers are sacrosanct.

> And now with v3, it's supposed to happen on every page of the web? It
> shouldn't be too hard to see it's a disaster.

Yes, site owners gotta opt in to captchas. Most sites already have enough
connections to Google on every page they could already do most of this work.
But that's unethical.

Ultimately, an increasingly sophisticated statistical analysis of users is the
only reliable way to get robots out of spaces meant for humans. Our social
media is crippled by robots masquerading as humans for the profits of various
agencies whose names you aren't even privileged to know, but you're concerned
about opt-in countermeasures because... Why again? That in a dark future every
mom and pop web shop is gonna have sophisticated log analytics at their
disposal, either because free software finally gets off its ass or because
state capitalism does what it does and awards all the business to 1-2
competitors?

To me, you're arguing about the color of the insulin bottle rather than
pointing out how absurd the system that can cheerfully jack its price 10x is.

------
rmolin88
How can I complain? Where to go? How can we organize? I want to do something
about this!

This is complete and utter bullying. Bullying on user privacy, bullying on
Firefox.

Somebody please tell me where to go?

------
xg15
Apart from the privacy nightmare, couldn't this also result in discrimination?

> _For instance, if a user with a high risk score attempts to log in, the
> website can set rules to ask them to enter additional verification
> information through two-factor authentication._

Seems to me, this could easily flag genuine users who access the site through
a non-standard flow - e.g. because they use assistive technologies. In the
worst case, this could result in impaired users being forced to jump through
additional hoops - or being blocked completely.

------
Mountain_Skies
Smells a lot like using Google's virtual monopoly on bot detection as a way to
push users into using one of their other products. Likely not a wise idea when
the government is itching for an excuse to bring an antitrust case against
you.

------
octosphere
Google's captcha system is overkill for most websites. If I want to filter out
bad actors (on a simple straight-forward site), there are other simpler
and easier to solve captcha systems out there. They might not have the rigour
of Google's system, but they do the job, and well.

I would however use Google's system if the site is massive and there is the
possibility that someone is using a script or some program to algorithmically
bypass the (simple) captcha, and register accounts en-masse and try to
create a psyop[0], or disinformation campaign, or even a sockpuppet army.

[0]
[https://en.wikipedia.org/wiki/Psychological_Operations_(Unit...](https://en.wikipedia.org/wiki/Psychological_Operations_\(United_States\))

~~~
eli
There are diminishing returns once a CAPTCHA gets past a certain point. Bad
actors can (and do) just use humans to fill out captchas all day. We get some spam
submissions on our sites that I'm 99.9% certain are people in developing
countries copy/pasting spam templates and filling out captchas by hand.

~~~
wolco
What happens is the captcha is farmed out to live operators who solve it.

------
cm2187
Stupid question: why do companies care so much about bots to the point of
degrading the customer experience significantly? I can understand for things
like public forums. But like why would an ecommerce website ever put a captcha
between you and your order (or a news website)?

~~~
Michielvv
For example:

- bots sign up with email addresses that are owned by other people that don't
  appreciate your welcome/activation/etc. mails.
- all that automatically generated data can start to hurt performance.
  Especially on a smaller site, having millions of useless users in your
  database can slow things down significantly.

~~~
cm2187
That's one thing, but like why would the FT put a captcha on the login page. I
am not signing up. I just want to access a website I already paid for. This is
just terrible UX.

~~~
blinzy
I think it's again to mitigate against potential bad actors attempting to
access legitimate users' accounts.

You could use other methods but there are always tradeoffs, e.g., let's say that
instead of using a captcha you just temporarily block login attempts to some
account after X failed login attempts. This has the advantage that it's faster
for legitimate users as you don't need to complete the captcha; however, the
main disadvantage is that you can then get an attacker brute-forcing logins
(even if they don't really care about getting users' credentials) which can
disrupt your website by preventing potentially thousands of users from signing
in.

In my opinion the captcha is the least bad option from a security point of
view, as long as it has an alternative accessible mechanism for example for
blind users.
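
An added example, not part of the original comment: a small simulation of the lockout trade-off described above. The `FailureThrottle` class, the thresholds and the client addresses are constructed for illustration; the per-(account, client) variant goes beyond the comment and is shown only for comparison.

```python
from collections import defaultdict


class FailureThrottle:
    """Blocks logins after `max_failures` recent failures for a given key.

    `key_fn` decides what a failure is counted against: the account alone
    (classic lockout) or the (account, client) pair.
    """

    def __init__(self, key_fn, max_failures=5, lock_seconds=900):
        self.key_fn = key_fn
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(list)  # key -> timestamps of failures

    def is_blocked(self, account, client, now):
        key = self.key_fn(account, client)
        # Only failures inside the lock window count.
        recent = [t for t in self._failures[key] if now - t < self.lock_seconds]
        self._failures[key] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, account, client, now):
        self._failures[self.key_fn(account, client)].append(now)


def per_account(account, client):
    return account


def per_account_and_client(account, client):
    return (account, client)


def owners_locked_out(throttle, accounts, noisy_client="203.0.113.9"):
    """One client fails `max_failures` logins on every account, then each
    real owner tries to sign in from their own client. Returns how many
    owners are refused."""
    now = 0.0
    for account in accounts:
        for _ in range(throttle.max_failures):
            if not throttle.is_blocked(account, noisy_client, now):
                throttle.record_failure(account, noisy_client, now)
            now += 0.01
    return sum(
        throttle.is_blocked(account, f"owner-client-{i}", now)
        for i, account in enumerate(accounts)
    )


# Constructed sample data: 200 account names.
ACCOUNTS = [f"user{i}@example.test" for i in range(200)]

if __name__ == "__main__":
    print("per-account lockout:",
          owners_locked_out(FailureThrottle(per_account), ACCOUNTS))
    print("per-(account, client):",
          owners_locked_out(FailureThrottle(per_account_and_client), ACCOUNTS))
```

The client-scoped variant keeps owners signed in but does nothing against guesses spread over many clients, which is the gap a challenge or step-up check is meant to cover.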

------
verisimilitudes
Entirely disregarding how it is browsing with Tor and finding ReCAPTCHA so
often due to Cloudflare, it's a bother even on a website I regularly use over
my normal connection.

Bandcamp is an online music store and I'm prompted for a Google ReCAPTCHA
every time I try to log in, which really causes me to do it less often than I
normally would, as I must permit Google JavaScript for it to succeed.

I've wanted to send a complaint about this to Bandcamp, but their email is
hosted by gmail and none of my messages get to them because I host my own
email. Adding reverse DNS and SPF is enough for many email servers, but not
Google.

I find it a bad situation that my experience with a business is worse, due to
Google, and I can't even contact them to let them know, due to Google.

------
dao-
> “Google is so deeply integrated with the internet,” Khormaee says. “We want
> to do anything we can to protect it.”

This is outright creepy.

------
gingerlime
I know people are (rightfully) worried about centralisation on the Internet,
but I still wonder how come there's virtually no "competition" to reCaptcha.
Even from one of the "centralised" players.

For example, even Cloudflare, which has its own "checking your browser"
protection, still uses reCaptcha in some other cases... Why doesn't Cloudflare
offer a reCaptcha alternative to their customers? (a transparent one, more
like reCaptcha v3 rather than the intrusive 5-second one...).

------
shock
> According to two security researchers who’ve studied reCaptcha, one of the
> ways that Google determines whether you’re a malicious user or not is
> whether you already have a Google cookie installed on your browser. It’s the
> same cookie that allows you to open new tabs in your browser and not have to
> re-log in to your Google account every time.

I try to never be logged into my google account as a matter of principle.
Maybe I'm just fooling myself thinking this will make tracking me more
difficult.

~~~
toong
You don't need to log in to be tagged with a cookie and subsequently be
identified. Sometimes referred to as "anonymous authentication".

~~~
cyphar
Or "shadow profiles".

------
keiru
I'm much more worried about ideological persecution than targeted advertising.
It's very easy to think you are doing the right thing, everyone thinks that.

------
quickthrower2
Next step: recaptcha pro. $29 a year (by CC or Googlecoin of course!) to browse
the web free of recaptchas and be able to use your favourite sites again.

~~~
theandrewbailey
$29 to spam the web to my heart's content? I'll take infinity of them!

~~~
quickthrower2
You did read the ToS? It can be cancelled any time for any reason, and you'll
never find out why.

------
jchook
reCAPTCHA apparently doesn't stop bots well at all.

When I published a brand new site, I got thousands of bot sign-ups in the
first couple weeks. reCAPTCHA apparently had no effect on stopping them. The
bots signed-up with real user emails, causing my site to send unsolicited
email to them, which affected my domain's email reputation significantly.

I rolled my own invisible CAPTCHA and immediately stopped ALL the bot traffic.

~~~
folkhack
This is 100% accurate. There is no way to stop bots through reCAPTCHA, doesn't
matter the version. It's honestly trivial and can be done with even the most
basic web automation skillset.

Rolling your own CAPTCHA is a fantastic option, because folks like 2captcha
are never going to take the time to integrate against a one-off solution. When
you do something like that you drastically increase the barrier by introducing
the need for a reverse engineering skillset to bypass your unique solution...
and that skillset is expensive lemme tell ya ;)

------
Theodores
I had to test a simple contact form implementation with reCAPTCHA yesterday on
an office worker's PC that was running Chrome.

I spent all day clicking on sidewalks and traffic lights! Or buses. No idea
what they want the clicks on buses for.

I actually had problems upstream of the CAPTCHA. This was on a Wordpress site
and I was patching up the Contact Form 7 implementation on there.

What shocked me was how naff Wordpress is. After however many years it does
not come with a contact form built in. Comments yes, but a contact form, no.
Then the fairly de-facto Contact Form 7 would not work with Google Captcha 3
and the latest V5 Wordpress. So there must be hundreds of sites out there with
contact forms that do not work. Then there are people cussing ReCaptcha when
there is this hideous mess of bloat going on.

The Contact Form 7 didn't even use HTML5 form validation and styling it was a
nightmare.

I eventually went to CAPTCHA2 with the box you tick. Having the v3 box in the
bottom right of the screen on every page was not what the client wanted. Plus
it didn't work with this kludge known as Wordpress.

I think the issues raised in the article are not that big a deal. If you have
logged in to Chrome and you are on your normal device and IP address then you
can get a free pass. Why not?

I seriously advise anyone to test their implementations on a non-logged in PC,
it is an eye opener. And a time consumer. But forms have to be made to work.
You can't have people locked out.

There is a lot to be said for backend validation based on form data, I like to
make forms unique with a hidden timestamp in it that is MD5 encoded. You can
then see if someone has spent long enough on the form for it to be 'real'.
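
An added example, not part of the original comment: one way to build the hidden form timestamp so the server can check fill time. It swaps in HMAC-SHA256 with a server-side key instead of a plain MD5 digest, because an unkeyed hash of a timestamp can be recomputed by the client. The key, thresholds and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time

# Assumption: a per-deployment secret that never leaves the server
# (constructed value for the example).
SECRET_KEY = b"constructed-demo-key-change-me"
MIN_FILL_SECONDS = 3     # assumed: submissions faster than this look scripted
MAX_AGE_SECONDS = 3600   # assumed: tokens older than this are rejected


def _mac(form_id, ts):
    msg = f"{form_id}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(form_id, now=None):
    """Value for the hidden field, generated when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(form_id, ts)}"


def check_form_token(form_id, token, now=None, seen=None):
    """Validate the hidden field on submit.

    Returns one of: "ok", "malformed", "bad-signature", "too-fast",
    "expired", "replayed". `seen` is an optional set of already-accepted
    tokens (a shared store in a real deployment).
    """
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return "malformed"
    # Constant-time comparison; binds the timestamp to this form.
    if not hmac.compare_digest(mac.encode(), _mac(form_id, ts).encode()):
        return "bad-signature"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return "too-fast"
    if age > MAX_AGE_SECONDS:
        return "expired"
    if seen is not None:
        if token in seen:
            return "replayed"
        seen.add(token)
    return "ok"


if __name__ == "__main__":
    token = issue_form_token("contact", now=1000)
    for submit_time in (1001, 1010, 4601):
        print(submit_time, check_form_token("contact", token, now=submit_time))
```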

------
vinay_ys
Any app should be clear and upfront about what data it collects and how it
collects it, and what it does with it.

The platforms - web-browser or operating system - that run these apps - web
app or native app - for the benefit of that user - should provide well-
understood intuitive experience around what is allowed/possible to be
collected and used from the user's device.

Now, technical mechanisms are one major part of the solution. In this regard,
these mega corps should be held to a higher standards as they run the
platforms as well as the biggest apps on those platforms.

But we also need legal protections that make both the application owners and
the platforms owners responsible for any abuse of the user.

This particular case is eerily similar.

Credit card fraud prevention companies do the same thing - they say they need
to know as much transaction data as possible in real-time for them to know
which is a legitimate transaction and which is a fraud transaction. There is
misdirection and fog around how they justify this with thinly veiled technical
explanations about network effects and criticisms about monopolistic by
design.

The reality is fraud can be prevent by designing the product differently in
the first place - chip & pin - multi-factor authentication etc. technology is
present to prevent theft and fraud without having to collect so much data
centrally.

In this case, similarly, to prevent DDoS attacks, there are other anonymous
non-data collection oriented solutions possible. More research and
collaboration is needed to evolve the Internet architecture to react to DDoS
attackers and other types of technical abusers of your app, catch them and
prevent them from growing. Instead, we get these centralized monopolistic
solutions.

------
saltminer
> For instance, if a user with a high risk score attempts to log in, the
> website can set rules to ask them to enter additional verification information
> through two-factor authentication.

This defeats the purpose of using 2FA: to require a second factor _every_ time
you login. This completely negates the benefits of 2FA if a hacker has gotten
my username/password through a keylogger. It's easy enough to get a good score
if you just disable tracking protections and login to a Google account, then a
hacker can easily break into your account. I was thinking it had to be the
author not understanding how 2FA worked, but Google is actually advocating
this ([0]):

> login With low scores, require 2-factor-authentication or email verification
> to prevent credential stuffing attacks.

You would think the people behind recaptcha would understand how 2FA is
supposed to work.

[0]:
[https://developers.google.com/recaptcha/docs/v3#score](https://developers.google.com/recaptcha/docs/v3#score)

~~~
judge2020
I think "real" 2fa isn't going to care about what ReCaptcha v3's trust score
is, the case for this is "this user has a recaptcha score of 0.2, they don't
have any cookies for this site, and [other system] also thinks they are
suspicious. Let's require extra email verification and/or ask to answer a
security question".
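
An added example, not part of the thread: a server-side login policy in which the reCAPTCHA v3 score can only add a verification step and never removes the second factor for users who enrolled one. The response dictionaries are constructed samples using the documented siteverify fields (`success`, `score`, `action`, `hostname`); the function names, the hostname and the 0.5 threshold are assumptions.

```python
def usable_score(resp, expected_action, expected_hostname):
    """Return the score only if the verification response is valid for
    this request; otherwise None, which is treated as lowest trust."""
    if not isinstance(resp, dict) or resp.get("success") is not True:
        return None
    # A token minted for another action or site says nothing about this login.
    if resp.get("action") != expected_action:
        return None
    if resp.get("hostname") != expected_hostname:
        return None
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return None
    if not 0.0 <= score <= 1.0:
        return None
    return float(score)


def login_steps(resp, user_has_2fa, expected_action="login",
                expected_hostname="shop.example", threshold=0.5):
    """Return the ordered list of checks this login attempt must pass."""
    steps = ["password"]
    # Enrolled 2FA is unconditional: a good score is not a second factor.
    if user_has_2fa:
        steps.append("second_factor")
    score = usable_score(resp, expected_action, expected_hostname)
    low_trust = score is None or score < threshold
    # For accounts without 2FA, low trust adds an out-of-band check.
    if low_trust and not user_has_2fa:
        steps.append("email_verification")
    return steps


# Constructed sample responses.
GOOD = {"success": True, "score": 0.9, "action": "login",
        "hostname": "shop.example", "challenge_ts": "2019-06-27T12:00:00Z"}
LOW = dict(GOOD, score=0.2)
WRONG_ACTION = dict(GOOD, action="homepage")
FAILED = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("low", LOW),
                       ("wrong action", WRONG_ACTION), ("failed", FAILED)]:
        print(name, login_steps(resp, user_has_2fa=False),
              login_steps(resp, user_has_2fa=True))
```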

------
shehfnfndjdj
Recaptcha is only used on 25% of top 10k websites? Anyway, I’m very angry
about the way the web is made to work, especially identity, and usually I
would spew a bunch of anger and swear words describing how stupid it is and
all the people who blindly support it but I don’t want this to be censored so
instead I will behave myself!

This is hilarious because this is the worst, most needlessly complicated
solution to identity that one could ever imagine. It’s funny how it apparently
takes a PhD to tell you that google isn’t analyzing your behavior on the
website. They track you across every webpage you visit that has their code
running. And it goes way beyond cookies. Look at the filter bubble research
that duck duck go did — they have an idea of who you are regardless of what
cookies you have or whatever else. And this data has informed captcha results
before this latest iteration. It’s complicated, needless and also gives a
bunch of sensitive data to a private company that shouldn’t have it. Nobody
cares.

Identity services are the alternative to this. Have a company that has
multiple ways of verifying identity including operating physical locations
where you can show up and prove beyond any doubt that you are person X. Once
identity is established, something like a yubikey or whatever can be used to
authenticate various things like making an account on a website or what have
you. If you get hacked then you can rectify by engaging in one of the identity
verifications tasks, up to and including coming in person and being
biometrically verified with absolute certainty. The company would make money
with modest fees to users and charging websites to use their service to verify
their users.

It should be that the government has all this in place, and you can use
secondary identification numbers for websites. But in the United States
identity is broken, based on a shitty SSN where if it’s stolen you are
basically fucked.

------
miccah
> According to two security researchers who’ve studied reCaptcha, one of the
> ways that Google determines whether you’re a malicious user or not is
> whether you already have a Google cookie installed on your browser.

This makes sense to me. The presence of cookies is a strong indicator of
normal human browsing, and Google would only be able to see their own cookie.

~~~
zcid
Except a lot of people don't like Google having persistent cookies that track
your web usage. Why should giving up that data be a prerequisite for accessing
a website?

~~~
themacguffinman
It's not a prerequisite for accessing the website, it's just a prerequisite
for skipping the captcha puzzle.

------
amluto
> Because reCaptcha v3 is likely to be on every page of a website, if you’re
> signed into your Google account there’s a chance Google is getting data
> about every single webpage you go to that is embedded with reCaptcha v3—and
> there may be no visual indication on the site that it’s happening, beyond a
> small reCaptcha logo hidden in the corner.

There’s a potentially bigger risk being overlooked. Google can execute first-
party script. This means they get every user’s session credentials and can
freely impersonate that user. So can all the other trackers in use.

I don’t understand how anyone thinks this is remotely okay.

------
heavymark
I get score of .7 in Safari. .3 in Chrome if not logged in/paused, but a .9 if
logged in. Always hate that in non-logged in chrome browsers I have to fill
out those picture questions a 100 times seemingly endlessly.

------
kabacha
> Google encouraging site admins to put reCaptcha all over their sites

hahah, wow. Put this tracking software suit on every page please - it's for
your own good!

I used to kinda believe in Accelerationism[1] - philosophy where you encourage
and accelerate flawed systems to promote a breaking point. However it turns
out our society doesn't really have a breaking point.

1 -
[https://en.wikipedia.org/wiki/Accelerationism](https://en.wikipedia.org/wiki/Accelerationism)

------
anfilt
Yet, I can't visit websites because I don't want to be tracked. What's worse is
this stupid thing even shows up on government, university websites etc...

------
djsumdog
I can't seem to find what rules for uBlock Origin and others will block
reCAPTCHA v3.

I'm noticing that little blue bock in the bottom right corner of more sites
now and I think I just want to block it entirely. If a site won't let me login
because of it, guess I'll just stop using it. If it's something like my Bank
.. well guess I gotta get a new bank.

Nothing really excuses this level of potential tracking.

------
MR4D
Not sure how this is any worse than the Facebook "like" button that's on every
website on the planet.

Sure, we hate that, but it's there, and plus, Google probably already has a
cookie on your computer anyway.

Given all that, this seems like a very minor privacy loss to whine about
compared to all the other crap that Google/FB/etc does.

Please help me if I'm missing something unique about this particular issue.

------
InTheArena
Same box, same physical location. Chrome I get a score .2 higher than firefox,
despite the fact that I never use chrome for anything...

------
beart
If it takes me longer than 5 seconds to access the content I'm looking for, I
close the tab. Am I alone in this?

~~~
hombre_fatal
I doubt you're consistent with it. You'd probably wait 10+ seconds to post an
HN comment for example.

Easy to say you'd bounce on a website you didn't care about. That's a bit of a
tautology.

~~~
beart
reCAPTCHA is often used at sign-up time. Unless I'm paying a parking ticket or
something, if I can't get through your sign up process in a few seconds, then
you've already lost my interest.

There are so many SAAS products now, and it doesn't take much to lose out on
potential users. It doesn't really impact my life much because, as you said, I
probably don't have much investment in it in the first place.

------
neop1x
How else do you want to detect humans in a widely-used centralized service
like reCaptcha? This is the result of laziness of website developers. There
could be thousands of custom captcha implementations but instead, most devs
just put recaptcha there and they're done.

------
kabacha
Could an anti-competitive suit be raised towards google regarding their
reCaptcha? They are aiming to have (if not already) a crawler blocking tool that
obviously doesn't block their own crawler.

Doesn't that sound a bit dystopian?

~~~
qtplatypus
You can block Google's crawler with robots.txt

~~~
kabacha
That's not very relevant to my proposed problem. Here's an imaginary
scenario: recaptcha blocks all crawlers except google's ones, how are
competitors supposed to compete if they can't crawl anything despite
robots.txt or whatever?

~~~
qtplatypus
The purpose of recaptcha is to block malicious bots from accessing parts of a
site that automated bots are not supposed to go to.

Why would someone be using recaptcha to block bots from the general part of
their web site? Your imaginary scenario would require web masters to become
hostile to crawlers.

~~~
kabacha
> web masters to become hostile to crawlers

You must have been living under a rock for the past decade, haven't you? Web
masters are definitely hostile towards webcrawlers. There's an entire
platitude of "web-crawler" protection services - cloudflare for example is
probably the biggest one.

------
lg101
`It works best with context about how humans and bots interact with your
website, so for best performance include reCAPTCHA in _many places_ ` O.o

------
jvagner
My confidence in Google reCAPTCHA is diminished by their admin site.. can't
edit/change "reCAPTCHA type:v3" settings.

------
vasili111
Is it possible to inject code that will provide that kind of reCAPTCHA fake but
looking as legit data and bypass its check that way?

------
basicplus2
Time for a separate computer just for when I am forced to interact with
websites using Google's recaptcha for paying bills etc

------
bbmario
What are the open source alternatives to this?

------
kwhitefoot
Luckily I don't need any of the sites that use this obnoxious tool.

Just vote with your feet and tell the site to drop it or lose you.

~~~
hombre_fatal
Yet you're on a website that uses ReCaptcha.

Just tried to register via Tor and got this:
[https://i.imgur.com/svjfLqo.png](https://i.imgur.com/svjfLqo.png)

Kind of toothless to say "I'll NEVER use ReCaptcha (except for websites I want
to use)!" In fact, I'd go a step further and assert that, while you complain
about ReCaptcha, you're actively benefiting from HN using ReCaptcha since you
see less spam day-to-day because of it. ;)

~~~
kwhitefoot
I don't remember using recaptcha on HN.

------
braindead_in
What about Google Analytics? They already have all my browsing history.
reCAPTCHA data is not even as detailed as GA.

~~~
zuzun
Difference is you can block Google Analytics and the websites continue to
work.

~~~
braindead_in
You can roll your own captcha as well. Nobody forces you to use reCAPTCHA v3.

------
ksajadi
I now leave any website that has google recaptcha unless it’s really necessary
for the same reason

------
edgartaor
I just want to shout out a previous article published here on HN that sparked
quite an interesting conversation.

[https://news.ycombinator.com/item?id=20158386](https://news.ycombinator.com/item?id=20158386)

Long story short, don't use a captcha if you don't need it. And most of the
time your website doesn't need it.

------
numlock86
Is it just me or is the site broken? I see it for a quarter second, then the
page turns blank.

------
turrini
Wait until they make google-webassembly-blobs mandatory, it will get even
worse.

------
totaldude87
add this to the list of how Google's open source engines work! ex how they
treat captcha in other browsers ( easier captcha/validations for chrome users
and beating the crap out of Firefox users)

------
macinjosh
Everything Google does has a dark side. They are a parasitic corporation.

------
cyrksoft
“Google’s ... has a dark side” is valid for almost everything they do.

------
OrgNet
not sure how Google can keep making their product worse and keep getting more
customers...

------
uniformlyrandom
Every 3rd party service has a dark (or grey) side. This is a trade-off for
offloading some functionality onto 3rd party.

------
modzu
you will identify yourself to google, or you will be denied the web.

------
mikojan
There is a light side?

------
zipslip
And the bright side?

------
ga-vu
Congratulations to the reporter who found reCAPTCHA after 10 years

------
pteredactyl
Is this a surprise to anyone in this community?

------
alexnewman
It also doesn't block bots

------
gcbw2
Remember every time you complained about China's citizen score system?

Now remember that every interaction with the government must happen online
(from requesting a US visa to going to the DMV), and all those forms are
behind a Google(R) Captcha(TM) censorship system, which ranks users based on
how well Google(R) can monetize the current user browser session. Let that
sink in.

------
rolltiide
This is probably good for proxy users, since it probably isn't just tracing a
polluted IP anymore

But I'm not sure, since the browser sessions for some proxy users like TOR exit
nodes are so short

------
klyrs
> one of the ways that Google determines whether you’re a malicious user or
> not is whether you already have a Google cookie installed on your browser.

... can we please get a serious antitrust investigation now?

------
g00d_hack3r
So you are so afraid of being tracked? you don't wanna give any ounce of your
data? but you still want to have full access to the web, and for free?!! The
world doesn't work this way. Either pay for what you get, or be prepared to
accept ads/tracking. It is that simple.

~~~
crtasm
I pay money to plenty of businesses and most of them still embed loads of
advertising/analysis/tracking scripts. Seems less simple than you make out.

