Hacker News new | past | comments | ask | show | jobs | submit login

FYI: hCAPTCHA don’t pay us. We pay them.

ReCAPTCHA decided to start charging for their service (which they have every right to do, but it was a surprise). Just to use ReCAPTCHA on our Free customers would have cost us $10M+/year, which was untenable. We’d been concerned about the privacy issues around using a Google service for some time, and this was the kick in the butt we needed to move off of them.

hCAPTCHA has been incredibly responsive so far to improving their service, something even at our scale we had a tough time getting from the ReCAPTCHA team.

Ultimately, we’re working toward entirely eliminating visual/audio CAPTCHAs. But, until then, we are enjoying working with the hCAPTCHA team.

I recently switched my phone to route all internet traffic through Tor and the DDG browser on Android, but the hCaptcha challenges are even more exasperating than the ReCaptchas, and I've found my bounce rate close to 100%.

Is the abundance of hCaptcha challenges for those of us browisng CF-fronted properties in such a manner going to change any time soon?

Off topic here but since you seem knowledgeable can you point me in the direction of some good resources I can read to become informed on how to use tor? I worry I will have issues as you described. My kids school just moved online. The teacher was considering using google classroom then I voiced my concern which she thanked me and she ended up going with a Canadian company (I am Canadian) called myblueprint.ca and their privacy policy can be found here [1]. Reading their privacy policy it is quickly apparent they are a giant data collection machine and I want to throw up. I plan on sharing some of the key points but if I have to go forward want to try use like a tails live CD or what ever is recommended in 2020 to avoid their tracking. Thanks for any insight [1] https://myblueprint.ca/privacy

This seems paranoid. The kids are all surely already using Google for everything else. Tor and Tails would not only be an immense hassle for them which would make it much harder to get anything done, or use most school-relevant software, it also doesn't even help prevent any tracking in this case. If a service requires you signing up for an account with your real name, then that's all they need right there, because then they can just tie everything you do to your name.

Using Tor in this scenario really makes no sense, unless you plan to have them all use fake names, a fake school name, redacted/altered school material, etc.

And if you don't want to use Google, the privacy policy for that other service seems totally normal and fine. Respectfully, I think you may want to have your school consult with a technologist, rather than trying to give them software guidance based on your own understanding of the issues.

I’m curious, what about their privacy policy has you convinced that they’re a “giant data collection machine”? I just read it and it seems pretty reasonable to me.

They clearly outline all the purposes they need to use your data for, most of which are just to operate their site.

I would encourage you to think twice before implementing measures that are going to o add more friction to your kids’ schooling. (Live CD? Tor? Really?)

I worry a lot about my kid writing or saying something that would be innocent child's play when in person but might be construed as domestic terrorism if seen in the wrong data dump by the wrong enforcement agency.

How can you teach right and wrong in an environment like this?

Perhaps I misunderstand it as one person commented but the part that creeps me out was this one part (iii) the pages of the Site a user visits; and (iv) other sites a user visited before visiting our Site.

So they not only track what you do on their site but will be tracking the rest of my internet browsing history or am I misunderstanding this? There was more I didn't like to be honest but I am on my way to bed so will leave it at this point for tonight. This is my kids privacy I worry about they don't know how to and if I have to use a service for their school because of covid I don't want my kids and my internet browsing habits known. Other then a basic cookie for log in purposes there is no need to be doing a bunch of tracking on kids personal computers on there personal home networks. And since this is HN we have all see the many articles that basically say yes most of the time anonymous data can be tied to you. Yes I am sure it is so mundane to most but I really wish we had the privacy laws like gdpr because I really do not think our kids deserve to be snooped on. I appreciate your thoughts.

Thanks for the response. I hadn't previously heard of ReCAPTCHA charging users. Is it only large enterprise customers? The people I know who use it in applications haven't mentioned it, but they're nowhere near Cloudflare's scale.

> Ultimately, we’re working toward entirely eliminating visual/audio CAPTCHAs. But, until then, we are enjoying working with the hCAPTCHA team.

This sounds very interesting; are you able to comment on this further?

> If you wish to make more than 1k calls per second or 1m calls per month, you must use reCAPTCHA Enterprise or fill out this form and wait for an exception approval.

According to https://developers.google.com/recaptcha/docs/faq#are-there-a...

Wonder if there was a business case for making a captcha service that labels open data for the social good. IMHO even a pay-for-hosted open source model sounds feasible. I would have initially expected that the labels and not the security would provide the cash flow ( I know a company who puts labelling tasks in online games and actually pays the game host)

> We’d been concerned about the privacy issues around using a Google service for some time, and this was the kick in the butt we needed to move off of them.

Do you think this would have ever happened without a financial incentive?

As someone who’s been in a similar position, there aren’t really any alternatives that don’t piss people off. reCAPTCHA is a pain to get past for a small number of visitors, typically those using public proxies (e.g. Tor), but the majority just click a checkbox and are in.

Cloudflare already has a lengthy complaint thread on their forums with people insisting they switch back to reCAPTCHA for this very reason.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact