Google Security Privacy The Internet

Google's New ReCAPTCHA Has a Dark Side (fastcompany.com) 94

An anonymous reader quotes a report from Fast Company: We've all tried to log into a website or submit a form only to be stuck clicking boxes of traffic lights or storefronts or bridges in a desperate attempt to finally convince the computer that we're not actually a bot. For many years, this has been one of the predominant ways that reCaptcha -- the Google-run internet bot detector -- has determined whether a user is a bot or not. But last fall, Google launched a new version of the tool, with the goal of eliminating that annoying user experience entirely. Now, when you enter a form on a website that's using reCaptcha V3, you won't see the "I'm not a robot" checkbox, nor will you have to prove you know what a cat looks like. Instead, you won't see anything at all.

Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users' risk levels to protect their site algorithms from malicious users and bots. But this new, risk-score based system comes with a serious trade-off: users' privacy. According to two security researchers who've studied reCaptcha, one of the ways that Google determines whether you're a malicious user or not is whether you already have a Google cookie installed on your browser. It's the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account.
"Because reCaptcha v3 is likely to be on every page of a website, if you're signed into your Google account there's a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3 -- and there may be no visual indication on the site that it's happening, beyond a small reCaptcha logo hidden in the corner," the report adds.
  • Guess what! (Score:4, Insightful)

    by phantomfive ( 622387 ) on Thursday June 27, 2019 @05:47PM (#58837028) Journal
    Google can track you on almost every website! Are you surprised??

    Let's talk technical here. Even without the cookie, if you are making an HTTP request to the server, which you are with a captcha, then Google can track you with the HTTP request. The cookie doesn't make much difference.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Let's not pretend fonts, frameworks and Javashit libraries aren't pimped widely by Google for no reason at all, either.

      Google's tracking you, no matter how thick and curly your neckbeard is.

    • Re:Guess what! (Score:4, Interesting)

      by AHuxley ( 892839 ) on Thursday June 27, 2019 @07:08PM (#58837418) Journal
      The next step is the need to have an ad company cookie to use the internet. That's the new part.
      No ad company cookie, no working internet for that user on that site.
      The HTTPS request will start when the user can show they have the needed weeks/days/months of "ad company" cookie.

      The next step?
      Have to log into an ad company service to create the cookie.
      Only when a users has done the log in will the cookie be set.
      Then the www/https will work as it can see the set cookie.
      Log out? No more "request to the server" is approved.
      Don't have an account and never log in? That "request to the server" by a browser is never going to get accepted.
      An ad company cookie ID to keep the internet working.
      The set cookie is the user getting allowed to use the site. No cookie .... no use of the site.
      No ad company cookie, no use of more of the "school media" internet.
      Try a VPN and create a new ad company account and ad cookie every day?
      Guess how long a VPN will be accepted.
    • I think the extra tracking is really a secondary concern. The primary concern is that people who go out of their way to try and minimize their exposure to google (not purposely using their services, script blocking, firefox containers, auto cookie delete, etc) may not be able to participate in anything hidden behind a reCaptcha because google thinks that not using google services is suspicious.

      It sounds like this new version just considers you slightly less reputable if it can't link you to a google accoun

      • There's no indication you can't prove you are a human without the Google cookies. In fact, my experience is that you can.

        Either way, Fuck Google.

        Yeah, they're too big.

      • Depends on what's the next step:

        - if non-cookied users are just redirected to old-style Captchas (like us Tor users are nowadays): fine by me.
        - if the absence of cookies means being kick-banned from reCaptcha v3 websites: Google is going to get their ass kicked by the EU.

    • by ls671 ( 1122017 )

      Exactly, I guess the only thing new is that the user has less ways to tell. At least, with the current picture matching based captcha, you should be aware that you are sending something to google.

      Since I disable google with uMatrix, I guess I will still realize it, since I have to enable google temporarily for the current captcha implementation to work. I don't see how the new captcha could work without google enabled.

      The question is what will user disabling google see with the new captcha system? C

  • The lesson is to never remain 'signed in' to your Google account. Not anywhere that it isn't absolutely necessary. Pick a browser that you don't really like much (in my case Chrome works) and make it the only application on your system that you ever sign into Google with.

    This is a lesson that everybody will eventually figure out.

    • I got rid of my google account a long time ago. To make it worse, the tools I already use for privacy require me to always play the 'pick all the cars' game every time I login to places that use tools like this. I'll give up the web before I make another google account.

  • by Xenolith0 ( 808358 ) on Thursday June 27, 2019 @05:50PM (#58837050)

    Apparently I'm in the small minority that cares about privacy, as such, I use several browser plugins to block trackers. Which because I have a locked down browser means getting stuck in an endless-loop of "select all the buses" in ReCAPTCHA.

    It's gotten to the point where if a website I visit has ReCAPTCHA I don't even bother and go to another website.

    Cloudflare's DDOS Protect is another super annoying system that I have to actively avoid for the same reason.

    Luckily, the internet is vast, and if some merchant doesn't want to accept my money, there are dozens or hundreds of other store sites to visit. Same for news, and files.

    Plugins Used:
    uBlock Origin
    Secret Agent (https://www.dephormation.org.uk/SecretAgent/)
    uMatrix

    • by ki4iib ( 902605 )

      That's fine, and you do you — but I need a way to distinguish you from J. Random Asshole who's shown up to use my site's payment form to do some casual late-night credit card auth testing. reCAPTCHA is a way that lets me pick and choose who I trust. If you decide to show up to my site looking like three bots standing on each other's shoulders wearing a trenchcoat, that's your call, and I'm okay with my site asking a few probing questions before I let you run credit card transactions.

      There are, after a

      • Re: (Score:3, Insightful)

        by Rockoon ( 1252108 )

        reCAPTCHA is a way that lets me pick and choose who I trust

        No, its a way for Google to pick and choose who you trust.

        • No, reCAPTCHA v3 just hands you a score from 0-1 (0= definitely a bot, 1= definitely a human - 98% of my traffic comes in at 0.7 or better) and then you get a callback promise-y thenable thing to do whatever you want - 2fa, login, email confirmation, jumping jacks, whatever - or nothing. Up to the dev.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            No, reCAPTCHA v3 just hands you a score from 0-1 (0= Google can't tell who you are, 1= definitely ID-ed and monitored by Google

            FTFY.

    • by Anonymous Coward on Thursday June 27, 2019 @06:36PM (#58837264)

      I use several browser plugins to block trackers. Which because I have a locked down browser means getting stuck in an endless-loop of "select all the buses" in ReCAPTCHA.

      Google actually holds a patent [google.com] on the technique of presenting endless unsolvable CAPTCHAs to people they cannot identify.

      This company is fast becoming the gatekeeper of the internet. Not even just the web, but email and others too.

      They will more and more abuse the power that clueless idiots have given them.

      • by AmiMoJo ( 196126 )

        Wow, the bar for getting a patent on something completely obvious and which has been in use for years is extremely low, huh?

    • by jmccue ( 834797 )
      You and me both. I am hoping clued people start going back to USENET and Gopher.
  • by mrwireless ( 1056688 ) on Thursday June 27, 2019 @05:51PM (#58837058)

    At least in China they tell you that you get a score. In the west everyone and their aunt is using algorithms to rate us and rank us...but most of us have no clue.

    • At least in China they tell you that you get a score.

      They only tell you your score if you belong to the inner party. Plebs do not get to know their social score until their kids are kicked out of school, debt application is denied or they're not allowed to buy flight or train tickets.

    • In communist China, the website captchas you.

    • by AmiMoJo ( 196126 )

      It should be illegal to use such scoring for anything. No more showing different prices to different people based on profiling.

    • > At least in China they tell you that you get a score. In the west everyone and their aunt is using algorithms to rate us and rank us...but most of us have no clue.

      The thing with google is while it does do all of that, they are restricted to what they can use this data by their privacy policies, use policies etc.. Now, I know that these policies are generally bullshit, and people put that stuff on their website and outright lie, but those are small fish. If you are google, and your privacy policy is
  • ... if you're signed into your Google account ...

    Ya, that's why I only log into my Google / Gmail account when I need to, then log out of it. Granted, I'm probably still missing something and they're still tracking me to some degree, but every little bit helps.

    • Are you clearing the cookies out every time too? If not, then you're not helping yourself at all - you might as well stay signed in. ...and all of this is just one of the many ways Google tracks you. For most browsing, they get you a half dozen other ways too.

  • I personally couldn't care less if Google knows which pages I'm visiting on Google sites. I assume they know already. I just want to see the whole password and CAPTCHA mess replaced by some secure authentication standard we can live with. Let's implement an authentication system that runs off the user's choice of phone-in-vicinity or a plugged-in USB key.

  • No "www" for that browser?
  • I assumed this was the case all along -- recapcha is hosted at a Google URL, so sends google its cookies everywhere that uses it.

    I use Firefox containers to keep my Gmail usage separate from my general browsing (and I regularly clear cookies), which I think gives some protection against this tracking.

  • Be a nice Google sheep, else you will be locked out of your favorite websites!

  • It turns out that nearly everything Google does has a dark side.

    Who would have ever thought that an advertising company would have less-than-spotless morals?

  • Surprise! It's the same bad thing about all other Google stuff.
  • Wait, it has a light side? ReCAPTCHA is entirely a cost to society, with zero benefits (except to Google).
