ReCAPTCHA: Difference between revisions
mNo edit summary |
TasmanianRex (talk | contribs) mNo edit summary |
||
Line 21: | Line 21: | ||
This digital fingerprinting is nearly inescapable even for privacy focused consumers since, as of November 2024, reCAPTCHA is employed in 84% of all websites.<ref>https://trends.builtwith.com/widgets/captcha</ref><blockquote>"The implication is that Google isn’t just looking to identify whether you’re a human with its No CAPTCHA, but potentially exactly ''which human'' you are." - Lara O'Reilly<ref name=":0" /></blockquote>A 2023 study collected data on newly admitted students to UC Irvine's School of Information & Computer Sciences over 13 months and concludes that reCAPTCHA does not provide real security for Google's client websites and has, over its 13 years of existence, cost users an estimated 819 million hours equating to nearly $6 billion USD in wages and 134 petabytes of bandwidth corresponding to 7.5 million pounds of CO<sub>2</sub>. The study further estimated Google's direct profits from reCAPTCHA to be "$888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."<ref name=":1">https://arxiv.org/pdf/2311.10911</ref><blockquote>"It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service." 
- Searles, Prapty, and Tsudik<ref name=":1" /></blockquote>Google has also been accused of allowing reCAPTCHA to accept users running [[Chromium]] web browsers more frequently than alternatives.{{Citation needed}} Users of a Hacker News forum concluded that reCAPTCHA likely attributes a lower reputation score to users with privacy-focused applications and extensions running, thus [[Firefox]] users were assigned CAPTCHAs to solve at a higher rate and difficulty.<ref>https://news.ycombinator.com/item?id=20147015</ref> | This digital fingerprinting is nearly inescapable even for privacy focused consumers since, as of November 2024, reCAPTCHA is employed in 84% of all websites.<ref>https://trends.builtwith.com/widgets/captcha</ref><blockquote>"The implication is that Google isn’t just looking to identify whether you’re a human with its No CAPTCHA, but potentially exactly ''which human'' you are." - Lara O'Reilly<ref name=":0" /></blockquote>A 2023 study collected data on newly admitted students to UC Irvine's School of Information & Computer Sciences over 13 months and concludes that reCAPTCHA does not provide real security for Google's client websites and has, over its 13 years of existence, cost users an estimated 819 million hours equating to nearly $6 billion USD in wages and 134 petabytes of bandwidth corresponding to 7.5 million pounds of CO<sub>2</sub>. The study further estimated Google's direct profits from reCAPTCHA to be "$888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."<ref name=":1">https://arxiv.org/pdf/2311.10911</ref><blockquote>"It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service." 
- Searles, Prapty, and Tsudik<ref name=":1" /></blockquote>Google has also been accused of allowing reCAPTCHA to accept users running [[Chromium]] web browsers more frequently than alternatives.{{Citation needed}} Users of a Hacker News forum concluded that reCAPTCHA likely attributes a lower reputation score to users with privacy-focused applications and extensions running, thus [[Firefox]] users were assigned CAPTCHAs to solve at a higher rate and difficulty.<ref>https://news.ycombinator.com/item?id=20147015</ref> | ||
reCAPTCHA v3, the "Invisible reCAPTCHA," launched in 2017 with the goal of never interrupting legitimate human users.<ref>https://www.popsci.com/google-invisible-recaptcha/</ref> This version works completely in the background using cookies to apply a reputation scored on a scale from 0.0 to 1.0, with the latter indicating high confidence a user is human.<ref>https://developers.google.com/recaptcha/docs/v3</ref><ref>https://antcpt.com/score_detector/</ref> A 2019 study on hacking version 3 revealed that reCAPTCHA assigned low scores to simulated users using [[TOR browser]] and that browsers with an active Google account connected received higher scores as compared to browsers without a Google account connected.<ref>https://arxiv.org/pdf/1903.01003</ref> Technology consultant Marcos Perona observed similar results and experienced low reputation scores when using a [[VPN]], too. Google recommends implementing reCAPTCHA v3 in the background of all client webpages, so that it collects user data prior to it needing to determine if the user is a bot.<ref name=":2">https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side</ref><blockquote>"Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there many be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner" - Katharine Schwab<ref name=":2" />[[File:Invisible-reCaptcha-in-Corner.png|thumb|375px|reCAPTCHA logo in corner of webpage indicating user's behaviors are being analyzed]]</blockquote> | reCAPTCHA v3, the "Invisible reCAPTCHA," launched in 2017 with the goal of never interrupting legitimate human users.<ref>https://www.popsci.com/google-invisible-recaptcha/</ref> This version works completely in the background using cookies to apply a reputation scored on a scale from 0.0 to 1.0, 
with the latter indicating high confidence a user is human.<ref>https://developers.google.com/recaptcha/docs/v3</ref><ref>https://antcpt.com/score_detector/</ref> A 2019 study on hacking version 3 revealed that reCAPTCHA assigned low scores to simulated users using [[TOR browser]] and that browsers with an active Google account connected received higher scores as compared to browsers without a Google account connected.<ref>https://arxiv.org/pdf/1903.01003</ref> Technology consultant Marcos Perona observed similar results and experienced low reputation scores when using a [[VPN]], too. Google recommends implementing reCAPTCHA v3 in the background of all client webpages, so that it collects user data prior to it needing to determine if the user is a bot.<ref name=":2">https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side</ref><blockquote>"Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there many be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner" - Katharine Schwab<ref name=":2" />[[File:Invisible-reCaptcha-in-Corner.png|thumb|375px|reCAPTCHA logo in corner of webpage indicating user's behaviors are being analyzed.]]</blockquote> | ||
reCAPTCHA's shortcomings as summarized by one of their direct competitors, DataDome:<ref>https://datadome.co/guides/captcha/recaptchav2-recaptchav3-efficient-bot-protection/</ref> | reCAPTCHA's shortcomings as summarized by one of their direct competitors, DataDome:<ref>https://datadome.co/guides/captcha/recaptchav2-recaptchav3-efficient-bot-protection/</ref> |
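Review bot: In the Line 21 paragraph on reCAPTCHA v3, the [[File:Invisible-reCaptcha-in-Corner.png|thumb|375px|...]] embed whose caption this revision punctuates sits before the closing </blockquote>, so the thumbnail and its caption are nested inside the quotation attributed to Katharine Schwab; move the File link outside the blockquote so the caption is not read as part of her words. The same quotation reads "there many be no visual indication" in both columns; check it against the cited Fast Company article and correct it to "may" if that is the source's wording. The Chromium claim in the preceding paragraph still carries {{Citation needed}}, and the Marcos Perona sentence has no reference of its own (the :2 ref follows the next sentence), so both should be sourced or reworded as unverified reports.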