ReCAPTCHA: Difference between revisions
Added archive URLs for 1 citation(s) using CRWCitationBot |
m wanted: cookies |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 15: | Line 15: | ||
A video published by YouTube channel CHUPPL sparked renewed controversy with a video released in December 2024. The video cites and details how reCAPTCHA [[wikipedia:Doxing|doxxes]] users and how resulting user data can end up in the hands of the US government for unknown purposes, claiming exploitation of an intentional loophole in Google's terms of service allowing them to transmit user device and application data under the guise of "general security purposes."<ref>{{Cite web |last=CHUPPL |date=5 Dec 2024 |title=Why reCAPTCHA is Spyware |url=https://www.youtube.com/watch?v=VTsBP21-XpI |via=YouTube |archive-url=https://preservetube.com/watch?v=VTsBP21-XpI |archive-date=22 Feb 2026}}</ref> User data allegedly began being collected in 2014, when Google deployed reCAPTCHA v2, specifically the “No CAPTCHA reCAPTCHA” i.e. "the checkbox CAPTCHA," which primarily uses [[wikipedia:HTTP_cookie|cookies]] to whitelist users who reCAPTCHA identifies as humans. This opens up additional security vulnerabilities as once a user is identified as a human, a bot can take over and be given unrestricted access to all sites using reCAPTCHA without having to fill a CAPTCHA itself.<ref>{{Cite web |last=homakov |date=4 Dec 2014 |title=The No CAPTCHA problem |url=https://homakov.blogspot.com/2014/12/the-no-captcha-problem.html |url-status=live |archive-url=https://web.archive.org/web/20141204133024/https://homakov.blogspot.com/2014/12/the-no-captcha-problem.html |archive-date=4 Dec 2014 |via=Blogger}}</ref> | A video published by YouTube channel CHUPPL sparked renewed controversy with a video released in December 2024. 
The video cites and details how reCAPTCHA [[wikipedia:Doxing|doxxes]] users and how resulting user data can end up in the hands of the US government for unknown purposes, claiming exploitation of an intentional loophole in Google's terms of service allowing them to transmit user device and application data under the guise of "general security purposes."<ref>{{Cite web |last=CHUPPL |date=5 Dec 2024 |title=Why reCAPTCHA is Spyware |url=https://www.youtube.com/watch?v=VTsBP21-XpI |via=YouTube |archive-url=https://preservetube.com/watch?v=VTsBP21-XpI |archive-date=22 Feb 2026}}</ref> User data allegedly began being collected in 2014, when Google deployed reCAPTCHA v2, specifically the “No CAPTCHA reCAPTCHA” i.e. "the checkbox CAPTCHA," which primarily uses [[wikipedia:HTTP_cookie|cookies]] to whitelist users who reCAPTCHA identifies as humans. This opens up additional security vulnerabilities as once a user is identified as a human, a bot can take over and be given unrestricted access to all sites using reCAPTCHA without having to fill a CAPTCHA itself.<ref>{{Cite web |last=homakov |date=4 Dec 2014 |title=The No CAPTCHA problem |url=https://homakov.blogspot.com/2014/12/the-no-captcha-problem.html |url-status=live |archive-url=https://web.archive.org/web/20141204133024/https://homakov.blogspot.com/2014/12/the-no-captcha-problem.html |archive-date=4 Dec 2014 |via=Blogger}}</ref> | ||
The type of cookies collected includes, but is not limited to:<ref name=":0">{{Cite web |last=O'Reilly |first=Lara |date=20 Feb 2015 |title=Google's new CAPTCHA security login raises 'legitimate privacy concerns' |url=https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |url-status=live |archive-url=https://web.archive.org/web/20150222100003/https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |archive-date=22 Feb 2015 |website=Business Insider}}</ref> | The type of [[Web_cookie|cookies]] collected includes, but is not limited to:<ref name=":0">{{Cite web |last=O'Reilly |first=Lara |date=20 Feb 2015 |title=Google's new CAPTCHA security login raises 'legitimate privacy concerns' |url=https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |url-status=live |archive-url=https://web.archive.org/web/20150222100003/https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2 |archive-date=22 Feb 2015 |website=Business Insider}}</ref> | ||
*Screen size and resolution, date, language, browser plug-ins, and all | *Screen size and resolution, date, language, browser plug-ins, and all [[JavaScript]] objects | ||
*IP address | *IP address | ||
*CSS information from the page you are on | *CSS information from the page you are on | ||
*A count of mouse and touch events | *A count of mouse and touch events | ||
This digital fingerprinting is nearly inescapable even for privacy focused consumers since, as of November 2024, reCAPTCHA is employed in 84% of all websites.<ref>{{Cite web |title=CAPTCHA Usage Distribution in the Top 1 Million Sites |url=https://trends.builtwith.com/widgets/captcha |website=BuiltWith |archive-url=http://web.archive.org/web/20251121124533/https://trends.builtwith.com/widgets/captcha |archive-date=21 Nov 2025}}</ref><blockquote>"The implication is that Google isn’t just looking to identify whether you’re a human with its No CAPTCHA, but potentially exactly ''which human'' you are." - Lara O'Reilly<ref name=":0" /></blockquote>A 2023 study collected data on newly admitted students to UC Irvine's School of Information & Computer Sciences over 13 months and concludes that reCAPTCHA does not provide real security for Google's client websites and has, over its 13 years of existence, cost users an estimated 819 million hours equating to nearly $6 billion USD in wages and 134 petabytes of bandwidth corresponding to 7.5 million pounds of CO<sub>2</sub>. The study further estimated Google's direct profits from reCAPTCHA to be "$888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."<ref name=":1">{{Cite journal |last=Searles |first=Andrew |last2=Prapty |first2=Renascence Tarafder |last3=Tsudik |first3=Gene |date=21 Nov 2023 |title=Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2 |url=https://arxiv.org/pdf/2311.10911 |journal=Preprint |archive-url=http://web.archive.org/web/20260216085549/https://arxiv.org/pdf/2311.10911 |archive-date=16 Feb 2026}}</ref><blockquote>"It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service." 
- Searles, Prapty, and Tsudik<ref name=":1" /></blockquote>Some commentators have alleged that reCAPTCHA’s risk scoring and challenge behavior can differ by browser, with Chrome/Chromium users sometimes reporting fewer challenges than users of other browsers.<ref>{{Cite web |title=Google's reCAPTCHA test has been tricked by artificial intelligence |website=The Register |date=2019-06-28 |url=https://www.theregister.com/2019/06/28/google_recaptcha_favoring_google/ |access-date=2026-02-20}}</ref> Users of a Hacker News forum concluded that reCAPTCHA likely attributes a lower reputation score to users with privacy-focused applications and extensions running, thus [[Firefox]] users were assigned CAPTCHAs to solve at a higher rate and difficulty.<ref>{{Cite web |last=kojoru |date=10 Jun 2019 |title=Google's Captcha in Firefox vs. in Chrome |url=https://news.ycombinator.com/item?id=20147015 |via=Y Combinator |archive-url=http://web.archive.org/web/20250708234946/https://news.ycombinator.com/item?id=20147015 |archive-date=8 Jul 2025}}</ref> | This digital fingerprinting is nearly inescapable even for privacy focused consumers since, as of November 2024, reCAPTCHA is employed in 84% of all websites.<ref>{{Cite web |title=CAPTCHA Usage Distribution in the Top 1 Million Sites |url=https://trends.builtwith.com/widgets/captcha |website=BuiltWith |archive-url=http://web.archive.org/web/20251121124533/https://trends.builtwith.com/widgets/captcha |archive-date=21 Nov 2025}}</ref><blockquote>"The implication is that Google isn’t just looking to identify whether you’re a human with its No CAPTCHA, but potentially exactly ''which human'' you are." 
- Lara O'Reilly<ref name=":0" /></blockquote>A 2023 study collected data on newly admitted students to UC Irvine's School of Information & Computer Sciences over 13 months and concludes that reCAPTCHA does not provide real security for Google's client websites and has, over its 13 years of existence, cost users an estimated 819 million hours equating to nearly $6 billion USD in wages and 134 petabytes of bandwidth corresponding to 7.5 million pounds of CO<sub>2</sub>. The study further estimated Google's direct profits from reCAPTCHA to be "$888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."<ref name=":1">{{Cite journal |last=Searles |first=Andrew |last2=Prapty |first2=Renascence Tarafder |last3=Tsudik |first3=Gene |date=21 Nov 2023 |title=Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2 |url=https://arxiv.org/pdf/2311.10911 |journal=Preprint |archive-url=http://web.archive.org/web/20260216085549/https://arxiv.org/pdf/2311.10911 |archive-date=16 Feb 2026}}</ref><blockquote>"It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service." 
- Searles, Prapty, and Tsudik<ref name=":1" /></blockquote>Some commentators have alleged that reCAPTCHA’s risk scoring and challenge behavior can differ by browser, with Chrome/Chromium users sometimes reporting fewer challenges than users of other browsers.<ref>{{Cite web |title=Google's reCAPTCHA test has been tricked by artificial intelligence |website=The Register |date=2019-06-28 |url=https://www.theregister.com/2019/06/28/google_recaptcha_favoring_google/ |access-date=2026-02-20 |archive-url=http://web.archive.org/web/20250825040226/https://www.theregister.com/2019/06/28/google_recaptcha_favoring_google/ |archive-date=25 Aug 2025}}</ref> Users of a Hacker News forum concluded that reCAPTCHA likely attributes a lower reputation score to users with privacy-focused applications and extensions running, thus [[Firefox]] users were assigned CAPTCHAs to solve at a higher rate and difficulty.<ref>{{Cite web |last=kojoru |date=10 Jun 2019 |title=Google's Captcha in Firefox vs. in Chrome |url=https://news.ycombinator.com/item?id=20147015 |via=Y Combinator |archive-url=http://web.archive.org/web/20250708234946/https://news.ycombinator.com/item?id=20147015 |archive-date=8 Jul 2025}}</ref> | ||
reCAPTCHA v3, the "Invisible reCAPTCHA," launched in 2017 with the goal of never interrupting legitimate human users.<ref>{{Cite web |last=Verger |first=Rob |date=11 Mar 2017 |title=Google just made the internet a tiny bit less annoying |url=https://www.popsci.com/google-invisible-recaptcha/ |url-status=live |archive-url=https://web.archive.org/web/20241123014232/https://www.popsci.com/google-invisible-recaptcha/ |archive-date=23 Nov 2024 |website=Populair Science}}</ref> This version works completely in the background using cookies to apply a reputation scored on a scale from 0.0 to 1.0, with the latter indicating high confidence a user is human.<ref>{{Cite web |title=reCAPTCHA v3 |url=https://developers.google.com/recaptcha/docs/v3 |website=Google for Developers |archive-url=http://web.archive.org/web/20260209114655/https://developers.google.com/recaptcha/docs/v3? |archive-date=9 Feb 2026}}</ref><ref>{{Cite web |title=reCAPTCHA v3 score detector |url=https://antcpt.com/score_detector/ |archive-url=http://web.archive.org/web/20260222200003/https://antcpt.com/score_detector/ |archive-date=22 Feb 2026}}</ref> A 2019 study on hacking version 3 revealed that reCAPTCHA assigned low scores to simulated users using [[TOR browser]] and that browsers with an active Google account connected received higher scores as compared to browsers without a Google account connected.<ref>{{Cite journal |last=Akrout |first=Ismail |last2=Feriani |first2=Amal |last3=Akrout |first3=Mohamed |date=18 Apr 2019 |title=Hacking Google reCAPTCHA v3 using Reinforcement Learning |url=https://arxiv.org/pdf/1903.01003 |journal=Preprint |archive-url=http://web.archive.org/web/20251112104945/https://arxiv.org/pdf/1903.01003 |archive-date=12 Nov 2025}}</ref> Technology consultant Marcos Perona observed similar results and experienced low reputation scores when using a [[VPN]], too. 
Google recommends implementing reCAPTCHA v3 in the background of all client webpages, so that it collects user data prior to it needing to determine if the user is a bot.<ref name=":2">{{Cite web |last=Schwab |first=Katharine |date=27 Jun 2019 |title=Google’s new reCAPTCHA has a dark side |url=https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |url-status=live |archive-url=https://web.archive.org/web/20190627144558/https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |archive-date=27 Jun 2019 |website=Fast Company}}</ref><blockquote>"Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there many be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner" - Katharine Schwab<ref name=":2" />[[File:Invisible-reCaptcha-in-Corner.png|thumb|375px|reCAPTCHA logo in corner of webpage indicating user's behaviors are being analyzed.]]</blockquote> | reCAPTCHA v3, the "Invisible reCAPTCHA," launched in 2017 with the goal of never interrupting legitimate human users.<ref>{{Cite web |last=Verger |first=Rob |date=11 Mar 2017 |title=Google just made the internet a tiny bit less annoying |url=https://www.popsci.com/google-invisible-recaptcha/ |url-status=live |archive-url=https://web.archive.org/web/20241123014232/https://www.popsci.com/google-invisible-recaptcha/ |archive-date=23 Nov 2024 |website=Populair Science}}</ref> This version works completely in the background using cookies to apply a reputation scored on a scale from 0.0 to 1.0, with the latter indicating high confidence a user is human.<ref>{{Cite web |title=reCAPTCHA v3 |url=https://developers.google.com/recaptcha/docs/v3 |website=Google for Developers |archive-url=http://web.archive.org/web/20260209114655/https://developers.google.com/recaptcha/docs/v3? 
|archive-date=9 Feb 2026}}</ref><ref>{{Cite web |title=reCAPTCHA v3 score detector |url=https://antcpt.com/score_detector/ |archive-url=http://web.archive.org/web/20260222200003/https://antcpt.com/score_detector/ |archive-date=22 Feb 2026}}</ref> A 2019 study on hacking version 3 revealed that reCAPTCHA assigned low scores to simulated users using [[TOR browser]] and that browsers with an active Google account connected received higher scores as compared to browsers without a Google account connected.<ref>{{Cite journal |last=Akrout |first=Ismail |last2=Feriani |first2=Amal |last3=Akrout |first3=Mohamed |date=18 Apr 2019 |title=Hacking Google reCAPTCHA v3 using Reinforcement Learning |url=https://arxiv.org/pdf/1903.01003 |journal=Preprint |archive-url=http://web.archive.org/web/20251112104945/https://arxiv.org/pdf/1903.01003 |archive-date=12 Nov 2025}}</ref> Technology consultant Marcos Perona observed similar results and experienced low reputation scores when using a [[VPN]], too. Google recommends implementing reCAPTCHA v3 in the background of all client webpages, so that it collects user data prior to it needing to determine if the user is a bot.<ref name=":2">{{Cite web |last=Schwab |first=Katharine |date=27 Jun 2019 |title=Google’s new reCAPTCHA has a dark side |url=https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |url-status=live |archive-url=https://web.archive.org/web/20190627144558/https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |archive-date=27 Jun 2019 |website=Fast Company}}</ref><blockquote>"Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there many be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner" - Katharine Schwab<ref name=":2" 
/>[[File:Invisible-reCaptcha-in-Corner.png|thumb|375px|reCAPTCHA logo in corner of webpage indicating user's behaviors are being analyzed.]]</blockquote> | ||
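Review bot: On the changed line "The type of [[Web_cookie|cookies]] collected includes", the new wikilink attaches the word "cookies" to a list that contains no cookies: screen size and resolution, IP address, CSS information and a count of mouse and touch events are the attributes the next paragraph itself calls "digital fingerprinting". Suggest rewording the lead-in to "The type of data collected includes" and placing the [[Web_cookie]] link on the earlier sentence about reCAPTCHA v2 using cookies, which currently points at [[wikipedia:HTTP_cookie|cookies]], so the term has a single link target on the page. In the citation change, the archive-url added to The Register reference uses http://web.archive.org, while the homakov and Business Insider references use https://web.archive.org. The title of that reference ("Google's reCAPTCHA test has been tricked by artificial intelligence") also does not match its URL slug, google_recaptcha_favoring_google, so it is worth checking the title against the archived copy while the citation is being edited.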