
Why Captchas have gotten so difficult - thmslee
https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence
======
outime
Google reCAPTCHA is the absolute worst. It makes me solve several puzzles very
often, usually when I use a mobile network and I’m not logged in with any
Google account. It’s so frustrating that most of the times I find a reCAPTCHA
I give up before trying and just go elsewhere e.g. when a site uses reCAPTCHA
for sign up or after the first failed login, I’ll most likely skip if I don’t
absolutely need to access such website.

Glad to see I’m not the only one who’s getting tired!

~~~
computerex
It's using you as human labor to label data. That's why you have to solve
multiple. It's annoying but greatly helps accelerate research and development
since data is king.

~~~
corey_moncure
If this is so, how does it know when I've mis-labeled?

~~~
captainbland
I think it works by labelling something like half the images, but doesn't tell
you which is which. At least that's how the older text recaptcha stuff worked
- you could easily identify the pre-labelled text by the kind of distortions
they used and just enter any old gibberish for the rest. So actually the
training stuff is extra work beyond just classifying you as human

------
dessant
I've made a browser extension that solves CAPTCHAs using the audio challenge.
Native user input simulation will come with the next release.

[https://github.com/dessant/buster](https://github.com/dessant/buster)

On my part it is a direct reaction to developers and their employers cutting
corners and adding these challenges to login forms and anything else you can
imagine. It's entirely reasonable to show a challenge after a couple of failed
login attempts, but they should never be part of the default login flow. These
decisions hurt users.

If you work on a product that shows a CAPTCHA while logging in, please discuss
this issue with your team and consider not challenging your users during their
first login attempt.

~~~
tyingq
I do use a CAPTCHA, but not on a login form. It's solely for a "contact us"
form. We do try to encourage just regular email with a mailto: href, but
unfortunately, customers expect a form.

And, if I don't use the captcha, we get flooded with spam. We are using
Google's "nocaptcha", which is usually unintrusive, but is a pain for anyone
not logged into some Google property.

~~~
dexterdog
Also a pain for anybody using tracking blocking. I get captchas all day on all
kinds of sites and I'm always logged into anywhere from 3-12 google accounts.

~~~
tyingq
We do put a clickable mailto: url on the page as well. Unfortunately,
unprotected forms get tons of automated spam. Emailing a verification doesn't
work well...customers just don't pay attention to instructions :)

~~~
ficklepickle
I just base64 encode my email address and decode it in an onload event
handler. Most bots don't seem to execute JS because I haven't received a spam
email yet.

Sucks for users with JS disabled though.

------
konschubert
And I SUCK at these to the point where I think I’m not getting the rules of
the game.

For example, for the one with traffic lights: Am I supposed to just mark the
light bulbs or also the poles and beams?

~~~
darkpuma
You're doing it right. Google is gaslighting you; lying and telling you you've
failed challenges when you actually solved them correctly. They do this to
punish users who opt out of the google 'ecosystem' by not having a google
account, not using chrome, using adblockers, etc.

The proof of this assertion comes when you manage to enable the noscript
version of reCAPTCHA (which is only available on sites that have opted to use
the lowest security setting). Once you start using noscript reCAPTCHA, you
discover that your correct answers are accepted the first time every time. The
challenges have the same format; click the cars, click the traffic lights,
etc. There are two differences: the tiles don't fade in slowly, and the
correct answers are always accepted.

Presumably when google implemented their dark patterns in reCAPTCHA, they
couldn't be bothered to implement them when javascript wasn't available. I
hesitate to draw attention to this since Google might correct their error, but
I'd like for people to become more aware of their anti-social business
practices.

(By the way, the noscript version will accept either sort of answer. Only the
bulbs, or the entire enclosure. Both answers are accepted.)

~~~
jjeaff
I actually don't think that they are trying to punish people for not being
logged in. If that were the case, they would make it clear that having a
Google account and leaving it logged in, and using chrome would make the
captchas appear less frequently or not at all.

In reality, I think they are telling people they were wrong in order to
extract just a little bit more free machine learning data from them. And
really, they don't actually tell you that you are wrong, they just keep
feeding you new questions. This is most likely because they don't know whether
your answer is correct or not. They are giving this specific question to a
bunch of people, then comparing the answers to get a correct response for
later.

So you might get a few training questions first, then end with a question that
they already know the correct answer to so they can decide if you are trying
or not.

It's quite brilliant and is going to really catapult Google ahead of the rest
of the world when it comes to self driving cars. The cars will be able to use
all the captcha data to not only train their ML models to recognize things
like signs and whatever, but the ML won't even be fully necessary since they
have the re-captcha volume to basically directly identify every roadside
visual on the planet one by one.

~~~
tomc1985
It's not brilliant, it further ruins an already desiccated web. Brilliance in
the name of pissing people off is not brilliance.

~~~
jjeaff
Villains can be brilliant too.

------
webmobdev
What many commenters here don't realise is that Google also uses reCaptcha to
make you do free work for them.

~~~
hombre_fatal
I think people realize that, but is it much worse than proof of work that is
helpful to nobody? It's easy to take a position against Google and Recaptcha.
It's easy to take a position against something that inconveniences you.

What people actually don't seem to realize ITT is that abuse is becoming so
easy and such a problem that we are becoming increasingly reliant on
centralized services like Cloudflare and Google.

You used to be able to just generate your own captcha on the server with
simple libraries, but Xrumer (mass website-spamming software) could crack
those 10 years ago.

I'd like to see more comments addressing the ever-lowering barrier of online
spam/abuse instead of opting for the low hanging fruit of condemning people
for trying to save their websites/platforms from it.

~~~
webmobdev
I liked the idea when they just showed images of words that an OCR couldn't
read accurately.

But now all this damn clicking of hydrants, crossing, traffic lights, store
fronts, vehicles etc. etc. is becoming really irritating.

And no, I disagree that we have no option but to rely on "centralised"
services like Cloudflare or Google.

~~~
hombre_fatal
> I liked the idea when they just showed images of words that an OCR couldn't
> read accurately.

Like I said, popular spamming software like Xrumer could crack those captchas
ten years ago.

> And no, I disagree that we have no option but to rely on "centralised"
> services like Cloudflare or Google.

Can you pitch alternatives, though? For example, an attacker can still spoof
IP addresses in 2019 and create volumetric attacks that you certainly cannot
endure without someone's help upstream (i.e. centralization). No need to
bother with spoofing though since you can rent a botnet for peanuts. Attackers
have decentralized attacks but there is increasingly only centralized defense.

~~~
fro0116
In my mind the answer is in building decentralized apps/services.

A DDoS on a static site cached on just about any CDN that runs logic
exclusively on the client is much harder to pull off successfully because it's
so much cheaper (practically free?) to mitigate, and doesn't affect any
existing users who would already have the necessary resources cached locally.

~~~
hombre_fatal
I thought that until my sites behind AWS' CloudFront were repeatedly DDoSed
and I saw my bill.

AWS did let me report these DDoSes and they would reimburse me, but it felt
wayyy too precarious and I ended up switching to Cloudflare (free).

And I think that should worry us all.

Also, only the most trivial sites can be 100% cached. And those are the sites
who need Recaptcha the least (or need a server to get a challenge from). Abuse
is not a simple issue to solve.

------
TorKlingberg
I find it strange how all the comments here are blaming Google. Isn't it
obvious that CAPTCHAs have gotten difficult because AI got better at solving
them? Soon bots will be better than humans at solving CAPTCHAs, and the system
will fail completely. I predict that then Google and Facebook will completely
block new user signup from Tor, VPNs or browsers without cookies. Everyone
else will require an existing Google, Facebook or similar account to create an
account.

~~~
Pharmakon
We hate them for the same reason we hate airport security theater; they do not
work and have a high burden on the people being subjected to them. Plus, as
it’s Google doing it, you can hardly escape the goddamned things. So yeah, we
blame Google for using us as data classifiers and adding hoops and hurdles to
the open net, while accomplishing precisely dick.

I for one hope that AI gets to the point that it can effortlessly beat them,
so we can stop dealing with them.

~~~
hombre_fatal
> We hate them for the same reason we hate airport security theater; they do
> not work

Well, they absolutely do work. They work so well that they've reduced bot
actions by almost 100% on our sites.

We wouldn't use Recaptcha if there wasn't abuse on the internet. But,
unfortunately, there is. There is a sobering amount of it.

I'm actually curious about all these posts suggesting that websites use
Recaptcha for no real reason or for some trivial reason. To me, it suggests a
massive misunderstanding that people have about the internet.

It's certainly something to worry about, but how about this angle: abuse is
getting so cheap and hard to prevent that we're electing the aid of
complicated systems engineered by large corporations like Google. That scares
me, but not from a Google=bad standpoint. It indicates that the internet has
fundamental problems that make abuse trivial, and that's a different
discussion worth having, but it's a much harder one than Google=bad. Probably
less cathartic, too.

~~~
syrrim
The false negative rate may be very low, this doesn't speak to the false
positive rate. Considering the goal was supposed to be "telling humans and
computers apart" both kinds of errors are important to consider. Google
predicates their captcha primarily on the logged-in user's activity around the
web, failing that they use the ip. A human being not logged in and using an
open proxy is likely to get shut out completely. It ceases to be a captcha, in
the traditional sense, at that point. This may be a good thing, depending on
your standpoint.

~~~
hombre_fatal
Sure, but that should be a chilling reminder of how bad abuse is on the
internet.

Obviously it comes with downsides, but it's a trade-off. Nobody uses Recaptcha
for fun.

As I reminded a sibling comment, even HN uses Recaptcha on its login/register
page. There's no telling how many fewer spambots we have to deal with every
day because of it, yet we're somehow here discussing whether Recaptcha serves
a purpose while profiting from it. :)

------
Macha
Honestly, I'm finding Google's captchas quite difficult of late because it's
Americanised. It asks me to identify crosswalks (oh.. pedestrian crossings, I
thought you meant the pavement), find traffic lights (I don't traditionally
expect them to be above the road or on motorways), or identify storefronts
which are not always clear, maybe because I lack the cultural context.

And I'm from a major Western European city, which is about the closest I can
get to American culture without being not, I wonder if they present the same
captchas if they think you're from rural China or Uganda.

------
robin_reala
Every time a CAPTCHA thread comes up I have to point this out. By using one
you’re externalising your business costs onto your users. You can make that
choice, but if you do you’re far more likely to negatively impact the section
of society that already has problems online: those who need to use assistive
technologies.

~~~
seandougall
I came here because that last point is getting lost in the discussion.

> While a bot will interact with a page without moving a mouse, or by moving a
> mouse very precisely, human actions have “entropy” that is hard to spoof,
> Ghosemajumder says.

It's bad enough that systems working from this (highly dubious, IMO) premise
will force us all to use the mouse even if we're used to the tab and arrow
keys; much worse is that there's no workaround for people who _can't_ use the
mouse and rely on switch control. It sounds like an accessibility nightmare.

~~~
jplayer01
So, I use Vimium to interact with my browser with solely my keyboard 90% of
the time. I wonder how much this in any way correlates with the absolutely
infuriating amount of captcha challenges I get one after the other.

------
nprateem
These really make my blood boil. I continually trip whatever it is that makes
Google think I'm a bot (probably a VPN + ublock). Sometimes it takes upwards
of 5 tries (each with 3 or 4 tests) to pass. After the first failure the audio
one stops working, and sometimes that's unintelligible. I honestly wonder how
anyone who's even slightly visually impaired is supposed to pass them.

I wouldn't be surprised if in the not too distant future they were hauled up
before the courts on discrimination grounds, and not before time. There's
something very wrong when a human consistently fails CAPTCHAs. For one thing
I've tried selecting all boxes containing parts of a traffic light/fire
hydrant, and only the ones that mostly contain parts of the object and have
failed both times.

~~~
jesseb
I run Linux, use my own VPN, and use Firefox with uMatrix. CAPTCHAs are one of
the most user-hostile things I experience on the web. I've had to give up on
registering for sites, or signing into sites I'm already registered with,
because after literally minutes I still hadn't gotten through. I actively try
to avoid sites that use CAPTCHA but unfortunately it's not always possible.

~~~
nyolfen
i have what sounds like the same setup as you but i don’t think i’ve ever done
more than 3 captchas sequentially, and almost always 1 or 2. /shrug

------
zaarn
For Google ReCaptcha, simply install the Buster addon, it solves the captcha
for you via speech-to-text.

For captchas in general, I think we should stop pretending that we can
prevent bot traffic from a dedicated attacker without annoying the users.

A simple captcha from the 2000's (the ones with lines over a word or number of
letters and numbers), should be good enough to hold off basic script kiddies.
Same for a basic TTS audio clip.

~~~
driverdan
Unfortunately Buster no longer works. Google detects it now and makes you
start over.

~~~
dessant
The next release will use native messaging to send native user input events to
the browser. It's already working well, I just need to finish the app
installation bits.

~~~
driverdan
Thanks!

------
sizzzzlerz
This is so eye-opening. I've been frustrated with these things for a while and
I always figured it was me. When asked to click on the traffic signs, I'm
never sure whether to click on just panes that have a part of a sign or
include cells that show the posts it is attached to. I finally got so
discouraged, I tried the audio clues and have found that to be easier. I've
found that, after listening closely, I only need to identify a single word and
that is usually relatively easy. All in all, however, I really do hate these
things.

------
peteretep
> The latest version, reCaptcha v3, announced late last year, uses “adaptive
> risk analysis” to score traffic according to how suspicious it seems;
> website owners can then choose to present sketchy users with a challenge,
> like a password request or two-factor authentication

eg: if you're not browsing the web signed into a Google account and allowing
all their tracking. Fuck that.

------
vpmpaul
I've actually started trying to see how wrong the newer Captchas from will let
me be on purpose. Either by not selecting all of them or picking wrong ones.
They let you through a lot of the time.

~~~
danShumway
Me too!

My working theory was that companies like Google were using the captchas mostly
to generate AI data, so only a few of the images on any given test were
actually already labeled. Any of the other images (particularly the really
grainy ones) would accept any answer because they were genuine classification
questions.

Reading this article, I wonder if it's not even that -- that companies like
Google are assuming, "you're not going to get everything right, so we'll give
you some leeway."

------
erokar
I've concluded I am not human.

------
lowkeyokay
Well google’s traffic CAPTCHA’s main purpose is to label a huge data set for
Waze. At least it must be a huge beneficial (to google) side effect. Am I
wrong?

~~~
hyperman1
So if it asks to click on traffic lights, and a large enough group of people
click on, say, red cars, can we make their self-driving cars stop if
they see red cars on the road?

      Come on HN, let's all do this for a few days, you know we can do it ;-)

------
CM30
The issue isn't just that humans struggle with them or that bots are getting
better or what not, it's because there's no way to make a captcha that works
across multiple websites like a standard 'library' and expect it to remain
uncracked. Anything that becomes common will be attacked and defeated, because
there becomes a financial incentive for spammers and no gooders to do so.

The solution is to make captchas that are bespoke to each site, since it means
the same bot or script can't be used on every one and spammers have to go out
of their way to crack each one. You can already see this right now; sites with
their own systems generally get no spam at all.

But given that most people aren't programmers, well it means they're stuck
with mainstream captcha systems which present a giant target to the internet's
never do wells.

Niche sites can avoid the issue with topic specific questions though.

~~~
Invictus0
This doesn't really hold water.

1\. It's not feasible for various websites to implement their own custom
CAPTCHA formats. Building custom CAPTCHAs is a lot of work.

2\. The custom CAPTCHA tasks wouldn't be that different from each other. As
the article discusses, image/text/audio recognition are some of the only
universal tasks that can work for CAPTCHA.

3\. Nothing is stopping a malicious actor from implementing a "check which
type of captcha" function and then selecting one of several CAPTCHA cracking
functions. Fragmentation of CAPTCHA format just delays the cat and mouse game.

4\. Some custom captchas, like the chess captcha, are actually not even that
difficult for computers to solve.
[https://nakedsecurity.sophos.com/2013/03/12/chess-captcha/](https://nakedsecurity.sophos.com/2013/03/12/chess-captcha/)

~~~
CM30
1\. As I said, this is a huge reason stuff like Recaptcha exists, and why
custom ones can't work here, even if they're probably better if done
correctly.

2\. You can also use stuff like timing how long it takes someone to fill in
the field, hiding form fields with CSS or JavaScript, randomising field input
names, checking the referrer, etc. All these come up in tutorials about
captchas.

3\. You could ask them niche specific questions instead of requiring them to
do general tasks. This is what I do with all topical internet forums and
sites; have a wide array of custom written questions on the topic in place of
stuff a bot can easily figure out. For instance, all questions on Wario Forums
are about Wario Land and WarioWare games, not things meant to be 'culturally
neutral'.
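
The form-level checks listed in point 2 above (fill timing, a CSS-hidden field, randomised input names, referrer check), sketched server-side as an added example that is not part of the original comment. The field names, thresholds, in-memory replay cache and the `forum.example` origin are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# All names and thresholds below are assumptions made for this example.
SECRET = secrets.token_bytes(32)      # per-deployment signing key
MIN_FILL_SECONDS = 3                  # humans rarely finish a form faster
MAX_FORM_AGE = 3600                   # stale forms must be reloaded
LOGICAL_FIELDS = ("name", "email", "message")
HONEYPOT = "website"                  # rendered, but hidden from people with CSS
_used_nonces = set()                  # in-memory replay cache (demo only)


def _mac(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def _field_names(nonce):
    """Per-form input names, recomputable from the nonce without session state."""
    return {f: "f_" + _mac(nonce + ":" + f)[:12]
            for f in LOGICAL_FIELDS + (HONEYPOT,)}


def issue_form(now=None):
    """Return the signed token and the randomised input names to render."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{now}.{nonce}"
    return {"token": f"{payload}.{_mac(payload)}", "names": _field_names(nonce)}


def check_submission(post, now=None, referer=None,
                     expected_origin="https://forum.example"):
    """Return (fields, reasons); an empty reasons list means no check fired."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, nonce, mac = post.get("token", "").split(".")
        issued = int(issued_s)
    except ValueError:
        return None, ["bad-token"]
    expected = _mac(f"{issued_s}.{nonce}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None, ["bad-token"]      # timestamp or nonce was altered

    reasons = []
    age = now - issued
    if age < MIN_FILL_SECONDS:
        reasons.append("too-fast")
    if age > MAX_FORM_AGE:
        reasons.append("expired")
    if nonce in _used_nonces:
        reasons.append("replayed")      # same rendered form submitted twice
    _used_nonces.add(nonce)

    names = _field_names(nonce)
    if post.get(names[HONEYPOT], ""):
        reasons.append("honeypot-filled")
    # Privacy tools often strip the Referer header, so a missing value is
    # treated as neutral; only a present-but-foreign one counts.
    if referer is not None and not referer.startswith(expected_origin + "/"):
        reasons.append("bad-referer")

    fields = {f: post.get(names[f], "") for f in LOGICAL_FIELDS}
    return fields, reasons
```

These checks only filter generic form-filling scripts; they carry no weight against a script written for one particular site.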

~~~
hombre_fatal
#3 (a rotation of specific questions) is definitely a measure some sites could
use, but as you point out, it's incredibly niche -- I've only even seen it on
forums. For example, what questions could Reddit ask you? Wario Forums is
pretty much the ideal on the niche spectrum, so it's not a very useful
baseline for comparison.

I rotated questions on the /register page for a large forum I run, but as my
forum became more popular and more of a spam magnet, my attackers simply built
a lookup table of my questions->answers. I regressed back to Recaptcha.

Another problem is that I was surprised how many legit users would be pruned
out by a simple question like the equivalent of "what color is Wario's hat?"
for, say, a forum that covers games in general. I did basic stat tracking on
the pass-rate per question to know which were bad ones, and it seemed pretty
random which ones users had trouble with. Or they'd accidentally be riddles
like (made-up example) "How many triangles in a triforce?" 3? 4? 5?

And people would finally register and complain on the forum that a seemingly
trivial question was too hard. Or they didn't know what "the website footer"
was.

At a point, especially if you're not so extreme on the niche/theme spectrum,
Recaptcha was the better trade-off.

I've said this in another comment, but I'd love to see an HN submission where
we discuss anti-spam/anti-abuse strategies instead of just doing the easy
thing of bashing Recaptcha.

~~~
CM30
You're right, it's only a solution for niche sites rather than ones aiming at
all users. Obviously, Reddit/Facebook/Google/YouTube/whatever are out of luck
here, their audience is basically 'everyone on the planet' and they don't have
any real way to test that.

And you've also got a point that a certain percentage of legitimate users
would be pruned out by a simple, topical question. There are probably a few
people who couldn't register on Wario Forums cause of this sort of thing, and
there were probably a few who couldn't join my previous sites cause of it.

So your questions would have to be very much tied to the audience. General
gaming site? Asking who this is with a picture of Mario, Link, Pikachu or
Sonic the Hedgehog would work pretty well. Niche site? A bit more obscure, to
go with the audience likely to be visiting there.

That said, I think a few things will need to be kept in mind:

1\. Firstly, a lot of niche sites already have fairly strict requirements to
get in, and have a more drawn out approval process than the norm. For example,
quite a few I know of have you required to post an intro in an 'approval'
forum in order to get access to the rest of the site or server. So I suspect
users on these sites may be more used to having to think/research the process
to join a forum than those on Facebook.

2\. To some degree, it also filters for people who are genuinely interested in
the topic to a more than average degree, which may overlap well with 'people
likely to stick around for the long run'. For example, the people likely to
remember King K Rool's guises in Donkey Kong Country 2 and 3 may be good users
at DK Vine, someone who could identify Rawk Hawk or Flavio would be more
likely to be a good Mario RPG forum member, etc.

It's a bit like the comments I've heard about Ling's Cars... the only people
who shop there really, really need a car.

Actually, maybe a bit like Hacker News too. The people most likely to
'tolerate' the old school design here are well, web developers, old school
hacker types, etc.

Either way, it definitely all depends on how niche the site is.

------
zzo38computer
If you need CAPTCHA I may suggest plain text CAPTCHA (preferably ASCII only)
with entirely server side computation, meaning anyone can read it and has
maximum compatibility. If necessary, make your own rather than using an
existing package, since that makes it less likely that automated spam will get
through if you use a different one for each thing.

However, you should never need CAPTCHA to login (except possibly anonymously;
Fossil requires a CAPTCHA to login anonymously), or to do stuff while logged
in. You should not require CAPTCHA to read public information either, or to
download (since you may wish to use external download management; for example,
I prefer to use curl to download files rather than using the web browser, and
it seems that I may not be the only one).

Of course manually entered spam will still get through even if you do use
CAPTCHA.

------
mcv
I fear any test where a machine has to decide whether you're human enough, is
always going to be easy to game for a machine. You can't replace humans with
machines and then not expect machines to replace humans.

When you look at it that way, the whole captcha approach, no matter how
clever, seems doomed to fail.

Why not simply allow bots? If it is because bots exhibit behaviour you don't
want (like spamming), why not filter them based on the behaviour you don't
want? Learn to recognise spam rather than fabricating some test. And when bots
are truly indistinguishable from people, is it really a problem that they're
not real people?

------
mmagin
What's actually wrong with reCAPTCHA is that google has convinced so many
sites all over the web to require it to use them, and all that free labor is
going to just improve Google's machine learning programs.

------
leni536
Google: Hey, you don't have any Google login/session cookies? Not even one
from a previous login (yeah, you can't fully log out)? That's wrong! Here,
click on the traffic lights for 5 minutes! Or have one of those super slow
fade-in fade-out captchas!

~~~
tootahe45
Been testing captchas inadvertently quite a bit in fresh installs across
multiple VMs, from what I can tell it has nothing to do with whether you have
cookies or privacy configurations, it comes down to whether you use Chromium
or use a shared IP. If you use Firefox even without privacy configs, expect to
spend 3x the time as Chrome, that's not even including the fact that those
fading images load 5x slower on Firefox. If you use a shared IP (in my case a
$6/mo vpn) + Firefox, it's not even worth trying imo as it can take 3+ mins to
complete captchas on most sites and it's much quicker to just open Brave to
complete it in 10 seconds, the amount of tries you have to do also has nothing
to do with getting all the pictures correct.

~~~
darkpuma
I've found it easier to get past their captchas with chrome from a shared IP
than from firefox on any normal residential IP.

------
jsmith99
I use Firefox android with Ublock origin and am logged into Google (boo). I
used to use a plugin to change my user agent to Chrome when on Google sites.
This was necessary as you get the old style search results page if you use
Firefox, but if you pretend to be Chrome you get the current page style which
works perfectly. With that plugin enabled I always had to solve multiple
recaptchas and my recaptcha v3 score was 0.1. Disabled it jumps to 0.9 and v2
gives me no puzzles. Guess I will have to live without shiny Google search
results then.

------
rahuldottech
tbh I'm sick of just how often I have to solve those click-on-image captchas.
It's a pain.

~~~
dplgk
You don't need to prepend your statement with tbh unless we are to presume
things you say without that prefix are dishonest.

~~~
Siemens
desu

------
diafygi
> Malenfant says that five to ten years from now, CAPTCHA challenges likely
> won’t be viable at all. Instead, much of the web will have a constant,
> secret Turing test running in the background.

I wonder how tracking-based captchas can be compatible with privacy
regulations like the GDPR. Do you have to positively opt-in to a website
seeing whether or not you're a robot?

We're basically moving towards a world where the venn diagram for the web and
privacy no longer intersect.

------
umvi
I'm not convinced OCR is as good as humans. I recently did a project making an
unauthorized copy of a rare ($2000) book from a university library. I scanned
in every page, but tesseract OCR really struggled with pages that started off
straight but curved off. I tried lots of preprocessing techniques with limited
success. My options were to type it in by hand or rescan that page so the
lines were straight.

~~~
computerex
What a weird way to compare OCR to humans. If a human can't see the writing
because the page surface is curving away, they'd adjust the page surface.
Likewise, getting decent scans is the most cost and effort effective way of
getting good performance in OCR.

I personally found tesseract to be incredibly good, and have even used it in
non-traditional OCR applications for doing things like reading signs.

~~~
umvi
I'm saying that _I_ can read skewed/bending pages easily, but I'm having a
super hard time getting tesseract to play nice with such images. I almost
always need to rescan.

Tesseract is incredibly good... as long as your lines of words are straight.

------
hanging
Related article from 2012, 230+ comments:

[https://news.ycombinator.com/item?id=4307136](https://news.ycombinator.com/item?id=4307136)

Reposted in 2014, 190+ comments:

[https://news.ycombinator.com/item?id=7945283](https://news.ycombinator.com/item?id=7945283)

------
onetimemanytime
Just use Chrome, and be logged in as a Google user. What a coincidence that
this serves Google's interests...

------
salgernon
I'd welcome a CashCaptcha that charged me $.05usd to click past a reCaptcha.
They happen enough to be annoying, but not often enough to present a financial
burden - but if I were a spammer trying to abuse automated access, the actual
cost might finally outweigh the return.

------
oil25
It seems they are difficult because they're intentionally designed to
de-anonymize users coming in over VPN/Tor, using the small variation in click
timing. If you see one of these and want to stay anonymous, close the tab and
walk away.

------
FakeComments
Is it not monopolistic behavior that Google favors their own customers in
their captchas?

I hope the EU fines Google for leveraging their security library prevalence to
coerce people to use Chrome and/or open Google accounts.

I also wonder if that’s GDPR compliant: unless you accept Google’s data
collection terms on GMail and/or Chrome products, they will use their position
as security authority to degrade your browsing experience on third party
sites.

------
EvanAnderson
Each time I'm faced with a Google reCAPTCHA I think about how I, and so
many people like me, are unwittingly helping to train our eventual robot
overlords.

------
kenzieL
Recently I have felt like half the time I'm browsing I am filling in god-awful
captchas, multiple times. They're so infuriating.

------
niqmk
I removed it, I'd lost almost 70% registered account because 3 loops of Google
Recaptcha

------
pmoriarty
I've long suspected that Google quickly realizes when the user is human, but
then serves up some more images for them to "solve" to get some extra training
data for its pattern recognition AIs.

------
hippich
That's why I created hashcash.io in 2014 =) Some ridiculous examples -
[https://twitter.com/hashcashio](https://twitter.com/hashcashio) =)

------
hedora
> Google wouldn’t say what factors go into that score, other than that Google
> observes what a bunch of “good traffic” on a site looks like

A few days ago, I signed up for some service on a new-ish laptop, and it made
me pass the storefront captcha three separate times.

This is yet another example of the social credit score being implemented in
the US; in this case punishing users for opting out of continuous tracking
(which will in turn be used for price discrimination or worse).

The good news is that this is almost certainly going to lead to a massive
backlash as it becomes more common.

~~~
Cacti
While I see your point, social credit is not tracking, it is tracking with
legal, economic, and political consequences. Given that the consequences to
you of opting out of this tracking are little more than a minor inconvenience
of your time, comparing it to the nightmare that is the social credit system
is laughable.

And, I would add, you're in part trivializing the horrendous impact of the
social credit system by making this comparison, because it gives others the
impression that this is merely a difference of degree, rather than of
substance. It allows people to make arguments like "Oh, the US credit score is
just like China's social credit score, so the social credit system can't be
that bad." Yeah, NO. You don't get denied freedom of movement between cities
or states because you owe a few dollars, you don't have your passport revoked
because you don't use Google cookies, you're not forced to sit in the back of
the bus because of something vaguely political you posted on twitter, you
don't get denied the ability to send your kids to certain schools because you
rolled a stop sign.

The social credit system is not a _tracking system_, it is a _legal system_
(made possible by surveillance), and while the US may one day be there, to
suggest they are anywhere even on the same planet yet is laughable. Your
average person in the US still, even after decades of abuse, has innumerably
more rights than your average Chinese citizen.

~~~
bennofs
> ... little more than a minor inconvenience of your time

This is not entirely correct. I have seen recaptchas that simply deny access
without giving any option to solve them when browsing with Tor. The message
says something like: automated systems detected unusual activity, try again
later

------
sys_64738
I find if I use VPN then google will display one on search. In particular,
when I try using Opera VPN then I always get one. I decline to do them so
search via bing instead.

Forcing users to prove they're not bots is totally the wrong approach. They
should be forcing bots to prove they're human so that real humans don't see
this nonsense. Easier said than done, but that's not my problem.

~~~
Cacti
I agree with you, but, to be clear, the issue isn't VPNs, it's that the VPNs
you are using are also used by spammers/bots/etc. or a large amount of other
people. If you set up your own VPN somewhere that is just used by you and your
family (for example), you will never run into this issue.

As a case in point, the same issue crops up with lots of users going through
the same corporate proxy.

And it's the same reason that you can run Netflix (for example) through a
personal VPN with no issue but will run into problems if you use a popular,
retail VPN service.

~~~
nprateem
What's the point of a VPN if you're easily identifiable? Surely you want to
blend into a crowd?

~~~
wl
I run a VPN from home for using at coffee shops and the like. While the
proliferation of HTTPS has made sketchy networks less of a problem, DNS is
still leaky.

~~~
Cacti
You can run the DNS through your VPN and have it use secure DNS outside of
your home ISP, and then cache the DNS results on a DNS server at home.

It's not perfect but leaks will end up being pretty minimal, even in
accidental situations.

~~~
wl
I route all traffic, including DNS, through my VPN when I'm not at home. I was
just commenting on the leakiness of DNS to preempt people saying "HTTPS means
you're safe!"

I used to run my own DNS server when I was on Comcast. Now that I have a real
ISP run by people I trust who have the same opinions on privacy that I do,
it's no longer worth the hassle.

