Hacker News new | past | comments | ask | show | jobs | submit login

> Isn't the author talking about recaptcha v2?


> My understanding of recaptcha v3 is, that it just gives you a score for how well google can track you and then leaves it up to the site operator to block users who aren't transparent enough.

Yeah, that's the one where you're supposed to put it on every page of your website so that Google can collect more information on your users. If they can't, they'll return a low score that you'll use to mark users as "bots".

> What I really hate about recaptcha v2 are those artificial delays before loading the next image (which it can happen to several times on a single card). And then in the end you frequently fail, despite answering everything correctly.

I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.

If you have strict privacy features enabled in firefox they block recaptcha and force you to do hard puzzles. It really sucks, but I'm not disabling the privacy features.

> I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.

I do wonder why though. For a long time, I assumed it was a rate limiter, but then another HN commenter pointed out to me that time is more valuable to humans than bots. Bots can work on multiple captcha's in parallel.

My thoughts exactly. A bot doesn't care if it takes 2 seconds to fade the images out and in for another challenge round, but a human viewing it perceives it as a frustrating delay.

I've become accustomed to just closing any page that presents me with a v2 reCAPTCHA.

Unfortunately one of those pages was the Equifax settlement. And other similar “important” sites. I never seem to come across them when it’s a service I could easily quit or avoid.

This might not be so sinister. It so happens that "important" operations, like a class action lawsuit settlement, are also the type of thing you'd particularly want to protect from bots.

Why would anyone protect an "unimportant" site with a captcha? The value of the information, to someone, in bulk, is exactly why some throttling is needed.

Good CAPTCHAs are solved by farming them out to low-paid workers, not bots.

Why? Maybe Google hopes that if reCAPTCHA is sufficiently annoying and prevalent that users will disabled any and all tracking extensions they've enabled?

Or maybe they notice that they don't get the same problems on Chrome, so they move to that...

Probably neither explicitly as a human judgment, but both constructively - some A/B experiments noticed favorable numbers went up by doing the crappy thing, and so it has been decided.

I'm waiting for the day when it pops up "find the humans" and there's someone clearly wearing CV-camouflage. For anyone that doesn't get it: you let that human hide, because it could be you in twenty years.

A lot of bots use humans to solve captchas, so the human time is important.

The bot is delegating what it presents to the human, though. So just present the human with images that have already faded in (and if no image has finished fading in, switch to the images from the other captcha).

Edit: Unless, it occurs to me now, Google is monitoring how the user responds to the fade in. When in the fade process do they click the square, for instance.

Still seems like it wouldn't be all that helpful, though.

> I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.

Maybe this is to prevent adversarial learning? If the images reload immediately, then the bot can learn (via a neural network) whether its solution was good or not. If there's a delay, it's the same, but the learning is slowed down by the same factor.

No idea if this is true, it just popped out of my head.

As I said below, this is what I thought too, but another HN'er pointed out that a bot could load up a thousand captcha's in parallel and just switch between them while waiting for the fade in.

Sure, they can, but putting a small delay forces an arms race on how big a cluster you need to operate those parallel bots and how cheaply you can offer a cracking service.

Google's pretty well done with the reCaptcha or are counting on a lot of sites to keep using v.2 for a while.

There's more saleable data to be collected tracking people's interactions in a website, under the guise of predicting who's a bot.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact