ReCAPTCHA

From Consumer_Action_Taskforce
reCAPTCHA
Basic Information

  • Release Year: 2007
  • Product Type: CAPTCHA and behavioral analysis
  • In Production: Yes
  • Official Website: https://google.com/recaptcha

reCAPTCHA was acquired by Google in 2009 and has since been used to protect websites from botting, to crowdsource transcription work, and to train Google's other technical ventures, such as artificial intelligence, at scale.[1][2] Google faced criticism over this crowdsourcing and training for using unpaid labor from millions of daily users around the world. The criticism led to an ultimately unsuccessful class action lawsuit in Massachusetts in 2015, in which the court dismissed the amount of time spent by each user completing a CAPTCHA as "something for which [no] reasonable consumer would expect to receive compensation".[3][4]

A video released in December 2024 by the YouTube channel CHUPPL sparked renewed controversy. The video details how reCAPTCHA doxxes users and how the resulting user data can end up in the hands of the US government for unknown purposes, and claims that Google exploits an intentional loophole in its terms of service that allows it to transmit user device and application data under the guise of "general security purposes."[5] User data allegedly began being collected in 2014, when Google deployed reCAPTCHA v2, specifically the “No CAPTCHA reCAPTCHA” (the "checkbox CAPTCHA"), which primarily uses cookies to whitelist users whom reCAPTCHA identifies as human. This opens up additional security vulnerabilities: once a user is identified as human, a bot can take over and be given unrestricted access to all sites using reCAPTCHA without having to solve a CAPTCHA itself.[6]

The type of cookies collected includes, but is not limited to:[7]

  • Screen size and resolution, date, language, browser plug-ins, and all JavaScript objects
  • IP address
  • CSS information from the page you are on
  • A count of mouse and touch events

This digital fingerprinting is nearly inescapable even for privacy-focused consumers since, as of November 2024, reCAPTCHA is employed in 84% of all websites.[8]

"The implication is that Google isn’t just looking to identify whether you’re a human with its No CAPTCHA, but potentially exactly which human you are." - Lara O'Reilly[7]

A 2023 study collected data on newly admitted students to UC Irvine's School of Information & Computer Sciences over 13 months and concluded that reCAPTCHA does not provide real security for Google's client websites and has, over its 13 years of existence, cost users an estimated 819 million hours, equating to nearly $6 billion USD in wages, and 134 petabytes of bandwidth, corresponding to 7.5 million pounds of CO2. The study further estimated Google's direct profits from reCAPTCHA to be "$888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."[9]

"It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service." - Searles, Prapty, and Tsudik[9]

Google has also been accused of allowing reCAPTCHA to accept users running Chromium web browsers more frequently than alternatives.[citation needed] Users of a Hacker News forum concluded that reCAPTCHA likely attributes a lower reputation score to users running privacy-focused applications and extensions, so Firefox users were assigned CAPTCHAs to solve at a higher rate and difficulty.[10]

reCAPTCHA v3, the "Invisible reCAPTCHA," launched in 2017 with the goal of never interrupting legitimate human users.[11] This version works completely in the background, using cookies to apply a reputation score on a scale from 0.0 to 1.0, with the latter indicating high confidence that a user is human.[12][13] A 2019 study on hacking version 3 revealed that reCAPTCHA assigned low scores to simulated users using Tor Browser and that browsers with an active Google account connected received higher scores than browsers without a Google account connected.[14] Technology consultant Marcos Perona observed similar results and experienced low reputation scores when using a VPN, too. Google recommends implementing reCAPTCHA v3 in the background of all client webpages, so that it collects user data before it needs to determine whether the user is a bot.[15]
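A site operator receives the 0.0 to 1.0 score in the JSON returned by reCAPTCHA's siteverify endpoint. The following added example (not code from this wiki or from Google) shows one way to act on that response in Python; the `decide` function, the threshold, the freshness window, the hostname and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ALLOW_AT = 0.5                        # assumed threshold; tune per action
MAX_TOKEN_AGE = timedelta(minutes=2)  # assumed freshness window


def decide(verdict, expected_action, expected_host, now):
    """Map a parsed siteverify JSON response to (decision, reason)."""
    # Integrity failures mean the token is bad, whatever the score claims.
    if verdict.get("success") is not True:
        return "reject", "verification failed: %s" % verdict.get("error-codes", [])
    if verdict.get("hostname") != expected_host:
        return "reject", "token issued for a different hostname"
    if verdict.get("action") != expected_action:
        return "reject", "token issued for a different action"
    try:
        issued = datetime.fromisoformat(verdict["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError, AttributeError):
        return "reject", "missing or malformed challenge_ts"
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    if now - issued > MAX_TOKEN_AGE:
        return "reject", "stale token"
    # A low or absent score is a weak signal, not proof of a bot: ask for
    # another factor instead of blocking outright.
    score = verdict.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "step_up", "no usable score"
    if score < ALLOW_AT:
        return "step_up", "score %.1f below %.1f" % (score, ALLOW_AT)
    return "allow", "score %.1f" % score


# Constructed sample responses (not captured traffic).
NOW = datetime(2025, 2, 15, 12, 0, 30, tzinfo=timezone.utc)
BASE = {"success": True, "score": 0.9, "action": "login",
        "challenge_ts": "2025-02-15T12:00:00Z", "hostname": "shop.example"}
SAMPLES = {
    "good": BASE,
    "low_score": {**BASE, "score": 0.1},
    "no_score": {k: v for k, v in BASE.items() if k != "score"},
    "wrong_action": {**BASE, "action": "homepage"},
    "stale": {**BASE, "challenge_ts": "2025-02-15T11:50:00Z"},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def run_samples():
    return {name: decide(v, "login", "shop.example", NOW)[0] for name, v in SAMPLES.items()}
```

Routing low scores to a step-up check rather than a block keeps Tor, VPN and signed-out users, who the studies above found are scored lower, from being locked out on the score alone.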

"Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there may be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner" - Katharine Schwab[15]

reCAPTCHA logo in corner of webpage indicating user's behaviors are being analyzed.

reCAPTCHA's shortcomings as summarized by one of their direct competitors, DataDome:[16]

  • Degrade the user experience.
  • Can lead to high false positives and false negatives.
  • Fail to be privacy compliant with GDPR, the foundational global privacy standard.
  • Leverage [...] users’ data for their organization’s advertising purposes.
  • Are easily bypassed with CAPTCHA farms and advanced bots.
  • Provide no real feedback mechanisms (pass/fail is not enough information to refine your security).

References

  1. von Ahn, Luis; Cathcart, Will (16 Sep 2009). "Teaching computers to read: Google acquires reCAPTCHA". Google Blog. Archived from the original on 17 Sep 2009.
  2. "Google recaptcha intro on using reCaptcha to improve automation". google.com. Retrieved 2025-02-15.
  3. "Civil Action No. 15-10160-MGM". United States District Court for the District of Massachusetts. 22 Jan 2015.
  4. "Case No. 15-cv-03751-JSC". United States District Court for the Northern District of California. 3 Feb 2016.
  5. CHUPPL (5 Dec 2024). "Why reCAPTCHA is Spyware" – via YouTube.
  6. homakov (4 Dec 2014). "The No CAPTCHA problem". Archived from the original on 4 Dec 2014 – via Blogger.
  7. O'Reilly, Lara (20 Feb 2015). "Google's new CAPTCHA security login raises 'legitimate privacy concerns'". Business Insider. Archived from the original on 22 Feb 2015.
  8. "CAPTCHA Usage Distribution in the Top 1 Million Sites". BuiltWith.
  9. Searles, Andrew; Prapty, Renascence Tarafder; Tsudik, Gene (21 Nov 2023). "Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2". Preprint.
  10. kojoru (10 Jun 2019). "Google's Captcha in Firefox vs. in Chrome" – via Y Combinator.
  11. Verger, Rob (11 Mar 2017). "Google just made the internet a tiny bit less annoying". Popular Science. Archived from the original on 23 Nov 2024.
  12. "reCAPTCHA v3". Google for Developers.
  13. "reCAPTCHA v3 score detector".
  14. Akrout, Ismail; Feriani, Amal; Akrout, Mohamed (18 Apr 2019). "Hacking Google reCAPTCHA v3 using Reinforcement Learning". Preprint.
  15. Schwab, Katharine (27 Jun 2019). "Google's new reCAPTCHA has a dark side". Fast Company. Archived from the original on 27 Jun 2019.
  16. "ReCAPTCHA v2 vs. v3: Efficient bot protection?". Data Dome. 20 Aug 2022. Archived from the original on 11 Feb 2024.