ReCAPTCHA: Difference between revisions
Added archive URLs for 9 citation(s) using CRWCitationBot |
Added archive URLs for 1 citation(s) using CRWCitationBot |
||
| Line 24: | Line 24: | ||
This digital fingerprinting is nearly inescapable even for privacy focused consumers since, as of November 2024, reCAPTCHA is employed in 84% of all websites.<ref>{{Cite web |title=CAPTCHA Usage Distribution in the Top 1 Million Sites |url=https://trends.builtwith.com/widgets/captcha |website=BuiltWith |archive-url=http://web.archive.org/web/20251121124533/https://trends.builtwith.com/widgets/captcha |archive-date=21 Nov 2025}}</ref><blockquote>"The implication is that Google isn’t just looking to identify whether you’re a human with its No CAPTCHA, but potentially exactly ''which human'' you are." - Lara O'Reilly<ref name=":0" /></blockquote>A 2023 study collected data on newly admitted students to UC Irvine's School of Information & Computer Sciences over 13 months and concludes that reCAPTCHA does not provide real security for Google's client websites and has, over its 13 years of existence, cost users an estimated 819 million hours equating to nearly $6 billion USD in wages and 134 petabytes of bandwidth corresponding to 7.5 million pounds of CO<sub>2</sub>. The study further estimated Google's direct profits from reCAPTCHA to be "$888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."<ref name=":1">{{Cite journal |last=Searles |first=Andrew |last2=Prapty |first2=Renascence Tarafder |last3=Tsudik |first3=Gene |date=21 Nov 2023 |title=Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2 |url=https://arxiv.org/pdf/2311.10911 |journal=Preprint |archive-url=http://web.archive.org/web/20260216085549/https://arxiv.org/pdf/2311.10911 |archive-date=16 Feb 2026}}</ref><blockquote>"It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service." 
- Searles, Prapty, and Tsudik<ref name=":1" /></blockquote>Some commentators have alleged that reCAPTCHA’s risk scoring and challenge behavior can differ by browser, with Chrome/Chromium users sometimes reporting fewer challenges than users of other browsers.<ref>{{Cite web |title=Google's reCAPTCHA test has been tricked by artificial intelligence |website=The Register |date=2019-06-28 |url=https://www.theregister.com/2019/06/28/google_recaptcha_favoring_google/ |access-date=2026-02-20}}</ref> Users of a Hacker News forum concluded that reCAPTCHA likely attributes a lower reputation score to users with privacy-focused applications and extensions running, thus [[Firefox]] users were assigned CAPTCHAs to solve at a higher rate and difficulty.<ref>{{Cite web |last=kojoru |date=10 Jun 2019 |title=Google's Captcha in Firefox vs. in Chrome |url=https://news.ycombinator.com/item?id=20147015 |via=Y Combinator |archive-url=http://web.archive.org/web/20250708234946/https://news.ycombinator.com/item?id=20147015 |archive-date=8 Jul 2025}}</ref> | This digital fingerprinting is nearly inescapable even for privacy focused consumers since, as of November 2024, reCAPTCHA is employed in 84% of all websites.<ref>{{Cite web |title=CAPTCHA Usage Distribution in the Top 1 Million Sites |url=https://trends.builtwith.com/widgets/captcha |website=BuiltWith |archive-url=http://web.archive.org/web/20251121124533/https://trends.builtwith.com/widgets/captcha |archive-date=21 Nov 2025}}</ref><blockquote>"The implication is that Google isn’t just looking to identify whether you’re a human with its No CAPTCHA, but potentially exactly ''which human'' you are." 
- Lara O'Reilly<ref name=":0" /></blockquote>A 2023 study collected data on newly admitted students to UC Irvine's School of Information & Computer Sciences over 13 months and concludes that reCAPTCHA does not provide real security for Google's client websites and has, over its 13 years of existence, cost users an estimated 819 million hours equating to nearly $6 billion USD in wages and 134 petabytes of bandwidth corresponding to 7.5 million pounds of CO<sub>2</sub>. The study further estimated Google's direct profits from reCAPTCHA to be "$888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."<ref name=":1">{{Cite journal |last=Searles |first=Andrew |last2=Prapty |first2=Renascence Tarafder |last3=Tsudik |first3=Gene |date=21 Nov 2023 |title=Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2 |url=https://arxiv.org/pdf/2311.10911 |journal=Preprint |archive-url=http://web.archive.org/web/20260216085549/https://arxiv.org/pdf/2311.10911 |archive-date=16 Feb 2026}}</ref><blockquote>"It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service." 
- Searles, Prapty, and Tsudik<ref name=":1" /></blockquote>Some commentators have alleged that reCAPTCHA’s risk scoring and challenge behavior can differ by browser, with Chrome/Chromium users sometimes reporting fewer challenges than users of other browsers.<ref>{{Cite web |title=Google's reCAPTCHA test has been tricked by artificial intelligence |website=The Register |date=2019-06-28 |url=https://www.theregister.com/2019/06/28/google_recaptcha_favoring_google/ |access-date=2026-02-20}}</ref> Users of a Hacker News forum concluded that reCAPTCHA likely attributes a lower reputation score to users with privacy-focused applications and extensions running, thus [[Firefox]] users were assigned CAPTCHAs to solve at a higher rate and difficulty.<ref>{{Cite web |last=kojoru |date=10 Jun 2019 |title=Google's Captcha in Firefox vs. in Chrome |url=https://news.ycombinator.com/item?id=20147015 |via=Y Combinator |archive-url=http://web.archive.org/web/20250708234946/https://news.ycombinator.com/item?id=20147015 |archive-date=8 Jul 2025}}</ref> | ||
reCAPTCHA v3, the "Invisible reCAPTCHA," launched in 2017 with the goal of never interrupting legitimate human users.<ref>{{Cite web |last=Verger |first=Rob |date=11 Mar 2017 |title=Google just made the internet a tiny bit less annoying |url=https://www.popsci.com/google-invisible-recaptcha/ |url-status=live |archive-url=https://web.archive.org/web/20241123014232/https://www.popsci.com/google-invisible-recaptcha/ |archive-date=23 Nov 2024 |website=Populair Science}}</ref> This version works completely in the background using cookies to apply a reputation scored on a scale from 0.0 to 1.0, with the latter indicating high confidence a user is human.<ref>{{Cite web |title=reCAPTCHA v3 |url=https://developers.google.com/recaptcha/docs/v3 |website=Google for Developers |archive-url=http://web.archive.org/web/20260209114655/https://developers.google.com/recaptcha/docs/v3? |archive-date=9 Feb 2026}}</ref><ref>{{Cite web |title=reCAPTCHA v3 score detector |url=https://antcpt.com/score_detector/}}</ref> A 2019 study on hacking version 3 revealed that reCAPTCHA assigned low scores to simulated users using [[TOR browser]] and that browsers with an active Google account connected received higher scores as compared to browsers without a Google account connected.<ref>{{Cite journal |last=Akrout |first=Ismail |last2=Feriani |first2=Amal |last3=Akrout |first3=Mohamed |date=18 Apr 2019 |title=Hacking Google reCAPTCHA v3 using Reinforcement Learning |url=https://arxiv.org/pdf/1903.01003 |journal=Preprint |archive-url=http://web.archive.org/web/20251112104945/https://arxiv.org/pdf/1903.01003 |archive-date=12 Nov 2025}}</ref> Technology consultant Marcos Perona observed similar results and experienced low reputation scores when using a [[VPN]], too. 
Google recommends implementing reCAPTCHA v3 in the background of all client webpages, so that it collects user data prior to it needing to determine if the user is a bot.<ref name=":2">{{Cite web |last=Schwab |first=Katharine |date=27 Jun 2019 |title=Google’s new reCAPTCHA has a dark side |url=https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |url-status=live |archive-url=https://web.archive.org/web/20190627144558/https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |archive-date=27 Jun 2019 |website=Fast Company}}</ref><blockquote>"Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there many be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner" - Katharine Schwab<ref name=":2" />[[File:Invisible-reCaptcha-in-Corner.png|thumb|375px|reCAPTCHA logo in corner of webpage indicating user's behaviors are being analyzed.]]</blockquote> | reCAPTCHA v3, the "Invisible reCAPTCHA," launched in 2017 with the goal of never interrupting legitimate human users.<ref>{{Cite web |last=Verger |first=Rob |date=11 Mar 2017 |title=Google just made the internet a tiny bit less annoying |url=https://www.popsci.com/google-invisible-recaptcha/ |url-status=live |archive-url=https://web.archive.org/web/20241123014232/https://www.popsci.com/google-invisible-recaptcha/ |archive-date=23 Nov 2024 |website=Populair Science}}</ref> This version works completely in the background using cookies to apply a reputation scored on a scale from 0.0 to 1.0, with the latter indicating high confidence a user is human.<ref>{{Cite web |title=reCAPTCHA v3 |url=https://developers.google.com/recaptcha/docs/v3 |website=Google for Developers |archive-url=http://web.archive.org/web/20260209114655/https://developers.google.com/recaptcha/docs/v3? 
|archive-date=9 Feb 2026}}</ref><ref>{{Cite web |title=reCAPTCHA v3 score detector |url=https://antcpt.com/score_detector/ |archive-url=http://web.archive.org/web/20260222200003/https://antcpt.com/score_detector/ |archive-date=22 Feb 2026}}</ref> A 2019 study on hacking version 3 revealed that reCAPTCHA assigned low scores to simulated users using [[TOR browser]] and that browsers with an active Google account connected received higher scores as compared to browsers without a Google account connected.<ref>{{Cite journal |last=Akrout |first=Ismail |last2=Feriani |first2=Amal |last3=Akrout |first3=Mohamed |date=18 Apr 2019 |title=Hacking Google reCAPTCHA v3 using Reinforcement Learning |url=https://arxiv.org/pdf/1903.01003 |journal=Preprint |archive-url=http://web.archive.org/web/20251112104945/https://arxiv.org/pdf/1903.01003 |archive-date=12 Nov 2025}}</ref> Technology consultant Marcos Perona observed similar results and experienced low reputation scores when using a [[VPN]], too. Google recommends implementing reCAPTCHA v3 in the background of all client webpages, so that it collects user data prior to it needing to determine if the user is a bot.<ref name=":2">{{Cite web |last=Schwab |first=Katharine |date=27 Jun 2019 |title=Google’s new reCAPTCHA has a dark side |url=https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |url-status=live |archive-url=https://web.archive.org/web/20190627144558/https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side |archive-date=27 Jun 2019 |website=Fast Company}}</ref><blockquote>"Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there many be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner" - Katharine Schwab<ref name=":2" 
/>[[File:Invisible-reCaptcha-in-Corner.png|thumb|375px|reCAPTCHA logo in corner of webpage indicating user's behaviors are being analyzed.]]</blockquote> | ||
reCAPTCHA's shortcomings as summarized by one of their direct competitors, DataDome:<ref>{{Cite web |date=20 Aug 2022 |title=ReCAPTCHA v2 vs. v3: Efficient bot protection? |url=https://datadome.co/guides/captcha/recaptchav2-recaptchav3-efficient-bot-protection/ |url-status=live |archive-url=https://web.archive.org/web/20240211073038/https://datadome.co/guides/captcha/recaptchav2-recaptchav3-efficient-bot-protection/ |archive-date=11 Feb 2024 |website=Data Dome}}</ref> | reCAPTCHA's shortcomings as summarized by one of their direct competitors, DataDome:<ref>{{Cite web |date=20 Aug 2022 |title=ReCAPTCHA v2 vs. v3: Efficient bot protection? |url=https://datadome.co/guides/captcha/recaptchav2-recaptchav3-efficient-bot-protection/ |url-status=live |archive-url=https://web.archive.org/web/20240211073038/https://datadome.co/guides/captcha/recaptchav2-recaptchav3-efficient-bot-protection/ |archive-date=11 Feb 2024 |website=Data Dome}}</ref> | ||
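Review bot: the archive-url added to the "reCAPTCHA v3 score detector" citation uses plain HTTP (http://web.archive.org/web/20260222200003/https://antcpt.com/score_detector/). Change the scheme to https://web.archive.org/..., matching the archive links already present in this paragraph for popsci.com and fastcompany.com, so the archived copy is not fetched over an unencrypted connection. Two related points in the same region: The Register citation still carries only an access-date and no archive-url, so this pass did not cover it, and the existing archive-url for the Google for Developers citation ends in a stray "?" (.../docs/v3?) that could be trimmed in a follow-up edit.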