Google's New ReCAPTCHA Has a Dark Side (fastcompany.com) 94
An anonymous reader quotes a report from Fast Company: We've all tried to log into a website or submit a form only to be stuck clicking boxes of traffic lights or storefronts or bridges in a desperate attempt to finally convince the computer that we're not actually a bot. For many years, this has been one of the predominant ways that reCaptcha -- the Google-run internet bot detector -- has determined whether a user is a bot or not. But last fall, Google launched a new version of the tool, with the goal of eliminating that annoying user experience entirely. Now, when you enter a form on a website that's using reCaptcha V3, you won't see the "I'm not a robot" checkbox, nor will you have to prove you know what a cat looks like. Instead, you won't see anything at all.
Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users' risk levels to protect their site algorithms from malicious users and bots. But this new, risk-score based system comes with a serious trade-off: users' privacy. According to two security researchers who've studied reCaptcha, one of the ways that Google determines whether you're a malicious user or not is whether you already have a Google cookie installed on your browser. It's the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. "Because reCaptcha v3 is likely to be on every page of a website, if you're signed into your Google account there's a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3 -- and there may be no visual indication on the site that it's happening, beyond a small reCaptcha logo hidden in the corner," the report adds.
Guess what! (Score:4, Insightful)
Let's talk technical here. Even without the cookie, if you are making an HTTP request to the server, which you are with a captcha, then Google can track you with the HTTP request. The cookie doesn't make much difference.
Re: (Score:3, Informative)
Let's not pretend fonts, frameworks and Javashit libraries aren't pimped widely by Google for no reason at all, either.
Google's tracking you, no matter how thick and curly your neckbeard is.
Re:Guess what! (Score:4, Interesting)
No ad company cookie, no working internet for that user on that site.
The HTTPS request will start when the user can show they have the needed weeks/days/months of "ad company" cookie.
The next step?
Have to log into an ad company service to create the cookie.
Only when a users has done the log in will the cookie be set.
Then the www/https will work as it can see the set cookie.
Log out? No more "request to the server" is approved.
Don't have an account and never log in? That "request to the server" by a browser is never going to get accepted.
An ad company cookie ID to keep the internet working.
The set cookie is the user getting allowed to use the site. No cookie
No ad company cookie, no use of more of the "school media" internet.
Try a VPN and create a new ad company account and ad cookie every day?
Guess how long a VPN will be accepted.
Re: (Score:2)
I think the extra tracking is really a secondary concern. The primary concern is that people who go out of their way to try and minimize their exposure to google (not purposely using their services, script blocking, firefox containers, auto cookie delete, etc) may not be able to participate in anything hidden behind a reCaptcha because google thinks that not using google services is suspicious.
It sounds like this new version just considers you slightly less reputable if it can't link you to a google accoun
Re: (Score:2)
Either way, Fuck Google.
Yeah, they're too big.
Captcha vs reject. (Score:2)
Depends on what's the next step:
- if non-cookied users are just redirected to old-style Captchas (like us Tor users are nowadays): fine by me.
- if the absence of cookies means being kick-banned from reCaptcha v3 websites: Google is going to get their ass kicked by the EU.
Re: (Score:2)
Exactly, I guess the only thing new is that the user has less ways to tell. At least, with the current picture matching based captcha, you should be aware that you are sending something to google.
Since I disable google with uMatrix, I guess I will still realize it although since I have to enable google temporarily for the current captcha implementation to work. I don't see how the new captcha could work without google enabled.
The question is what will user disabling google see with the new captcha system? C
Never Sign In To Google (Score:1)
The lesson is to never remain 'signed in' to your Google account. Not anywhere that it isn't absolutely necessary. Pick a browser that you don't really like much (in my case Chrome works) and make it the only application on your system that you ever sign into Google with.
This is a lesson that everybody will eventually figure out.
Re: (Score:1)
As long as I'm not doing anything illegal, which I don't
Everybody is doing SOMETHING illegal. [wsj.com] If not, expect to find yourself under extra super-duper scrutiny soon, because you are very abnormal and worthy of further study to determine just how you are evading the scanners...
Re: (Score:1)
If all you see is ads you’re not interested in, mission accomplished. You won’t be tempted to waste money on crap. No more impulse to click on a link that takes you down a rabbit hole.
You won't see anything at all (Score:2)
If you do not sign into Google then the reCaptcha will start to fail. Make people identify cats etc. Eventually most people will learn to sign into Google. And those that don't will have to verify huge numbers of cats.
That said, the Google sign in is not really needed. Google just puts a cookie on your browser anyway. Probably already has some.
Re: (Score:1)
You're quite right, except for one detail: it's not cats they'll make you ID, it's things that help their self-driving automation.
Ever wonder why they make you identify crosswalks, stoplights, bicycles, buses, etc?
Yeah. You're doing free work for Google's self-driving car division.
Re: (Score:1)
I'm not so sure about this argument. They IDed the fire trucks, crosswalks and the rest in the first place to show them on the recaptchas.
I can think of a few other reasons: This is using a subset of petabytes in pictures captured by the Google cameras, belonging to Google. Buses, bridges etc. have no particular cultural signification and can be recognized by almost any internet user. There are no people in the pictures (as far as I remember).
It's a subtle ad or reminder for google maps, streetview and a s
Re: (Score:2)
I do not accept 3rd party cookies. I clear cookies on a regular basis and I use firefox and I have configured it to have the strictest privacy out of the box plus, multi-account containers, privacy possum, decentraleyes, uBlock origin, https everywhere, and my home network has another 2 or 3 layers of protection. I never use google.com or any google service.
The easiest way to track me is that I can't actually be given a cookie by google.
Re: (Score:2)
I got rid of my google account a long time ago. To make it worse, the tools I already use for privacy require me to always play the 'pick all the cars' game every time I login to places that use tools like this. I'll give up the web before I make another google account.
ReCAPTCHA breaks the web (Score:3)
Apparently I'm in the small minority that cares about privacy; as such, I use several browser plugins to block trackers. Which, because I have a locked down browser, means getting stuck in an endless loop of "select all the buses" in ReCAPTCHA.
It's gotten to the point where if a website I visit has ReCAPTCHA I don't even bother and go to another website.
Cloudflare's DDOS Protect is another super annoying system that I have to actively avoid for the same reason.
Luckily, the internet is vast, and if some merchant doesn't want to accept my money, there are dozens or hundreds of other store sites to visit. Same for news, and files.
Plugins Used:
uBlock Origin
Secret Agent (https://www.dephormation.org.uk/SecretAgent/)
uMatrix
Re: (Score:1)
That's fine, and you do you — but I need a way to distinguish you from J. Random Asshole who's shown up to use my site's payment form to do some casual late-night credit card auth testing. reCAPTCHA is a way that lets me pick and choose who I trust. If you decide to show up to my site looking like three bots standing on each other's shoulders wearing a trenchcoat, that's your call, and I'm okay with my site asking a few probing questions before I let you run credit card transactions.
There are, after a
Re: (Score:3, Insightful)
reCAPTCHA is a way that lets me pick and choose who I trust
No, its a way for Google to pick and choose who you trust.
Re: ReCAPTCHA breaks the web (Score:1)
No, reCAPTCHA v3 just hands you a score from 0-1 (0 = definitely a bot, 1 = definitely a human - 98% of my traffic comes in at 0.7 or better) and then you get a callback promise-y thenable thing to do whatever you want - 2FA, login, email confirmation, jumping jacks, whatever - or nothing. Up to the dev.
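The comment above describes the v3 contract from the site operator's side: the browser gets a token, the server exchanges it with Google for a score, and what happens next is the developer's policy. Below is an added example of that server-side step, written for this thread and not taken from Google's code or from the commenter. The field names (success, score, action, challenge_ts, hostname, error-codes) are the documented siteverify response fields; the hostname "shop.example", the action name "checkout", the 0.3 / 0.7 thresholds and the sample responses are constructed for the example. The replay concern raised later in the thread applies to the token as well: Google documents that a v3 token is valid for two minutes and can be verified only once, and the freshness check below rejects anything older on the server's own clock as defence in depth.

```javascript
// Added example (not from the original thread or from Google): consuming a
// reCAPTCHA v3 score on the server and turning it into a policy decision.
//
// Real flow: the page calls grecaptcha.execute(siteKey, { action }) and gets a
// token; the server POSTs that token with the secret to the siteverify
// endpoint and receives JSON like the constructed samples further down.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const MAX_TOKEN_AGE_MS = 2 * 60 * 1000; // Google: a v3 token expires after two minutes

// Exchange a client token for a siteverify response. fetchImpl is injectable
// so the function can be exercised without network access.
async function verifyToken(secret, token, remoteIp, fetchImpl = globalThis.fetch) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, { method: 'POST', body });
  return res.json();
}

// Turn a siteverify response into allow / step-up / reject.
// expectedAction and expectedHostname are set by the site, not the client:
// a token minted for a cheap action or for another host must not unlock the
// payment form. Thresholds (0.7 allow, 0.3 reject) are this example's assumption.
function decideAction(verify, { expectedAction, expectedHostname, now = Date.now(),
                                allowAbove = 0.7, rejectBelow = 0.3 }) {
  if (!verify || verify.success !== true) {
    const codes = verify && Array.isArray(verify['error-codes']) ? verify['error-codes'].join(',') : 'no response';
    return { outcome: 'reject', reason: 'verification failed: ' + codes };
  }
  if (verify.action !== expectedAction) {
    return { outcome: 'reject', reason: 'action mismatch' };
  }
  if (verify.hostname !== expectedHostname) {
    return { outcome: 'reject', reason: 'hostname mismatch' };
  }
  const issued = Date.parse(verify.challenge_ts);
  // Reject tokens older than Google's own lifetime, and tokens "from the future"
  // (more than a minute of clock skew), so a captured token cannot be replayed.
  if (Number.isNaN(issued) || now - issued > MAX_TOKEN_AGE_MS || issued > now + 60 * 1000) {
    return { outcome: 'reject', reason: 'stale token' };
  }
  const score = Number(verify.score);
  if (!(score >= 0 && score <= 1)) {
    return { outcome: 'reject', reason: 'score out of range' };
  }
  if (score >= allowAbove) return { outcome: 'allow', reason: 'score ' + score };
  if (score < rejectBelow) return { outcome: 'reject', reason: 'score ' + score };
  return { outcome: 'step-up', reason: 'score ' + score }; // e.g. send to 2FA or a visible challenge
}

// Constructed siteverify responses (not real Google output) against a fixed clock.
const NOW = Date.parse('2019-06-27T12:00:00Z');
const SAMPLES = {
  human:       { success: true, score: 0.9, action: 'checkout', challenge_ts: '2019-06-27T11:59:30Z', hostname: 'shop.example' },
  unsure:      { success: true, score: 0.5, action: 'checkout', challenge_ts: '2019-06-27T11:59:30Z', hostname: 'shop.example' },
  bot:         { success: true, score: 0.1, action: 'checkout', challenge_ts: '2019-06-27T11:59:30Z', hostname: 'shop.example' },
  replayed:    { success: true, score: 0.9, action: 'checkout', challenge_ts: '2019-06-27T11:30:00Z', hostname: 'shop.example' },
  wrongAction: { success: true, score: 0.9, action: 'homepage', challenge_ts: '2019-06-27T11:59:30Z', hostname: 'shop.example' },
  otherSite:   { success: true, score: 0.9, action: 'checkout', challenge_ts: '2019-06-27T11:59:30Z', hostname: 'evil.example' },
  invalid:     { success: false, 'error-codes': ['invalid-input-response'] },
};

// Run every sample through the checkout policy; returns { sampleName: outcome }.
function evaluateSamples() {
  const policy = { expectedAction: 'checkout', expectedHostname: 'shop.example', now: NOW };
  const out = {};
  for (const [name, resp] of Object.entries(SAMPLES)) {
    out[name] = decideAction(resp, policy).outcome;
  }
  return out;
}

console.log(evaluateSamples());
```

The point a practitioner should take from the example is that the score alone is not the check: without comparing action and hostname and without a freshness bound, a high-scoring token obtained anywhere on the site (or from a browser that Google trusts because it is signed in, as the article describes) can be presented to the endpoint that matters.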
Re: (Score:2, Insightful)
No, reCAPTCHA v3 just hands you a score from 0-1 (0= Google can't tell who you are, 1= definitely ID-ed and monitored by Google
FTFY.
Re:ReCAPTCHA breaks the web (Score:5, Informative)
I use several browser plugins to block trackers. Which, because I have a locked down browser, means getting stuck in an endless loop of "select all the buses" in ReCAPTCHA.
Google actually holds a patent [google.com] on the technique of presenting endless unsolvable CAPTCHAs to people they cannot identify.
This company is fast becoming the gatekeeper of the internet. Not even just the web, but email and others too.
They will more and more abuse the power that clueless idiots have given them.
Re: (Score:2)
Wow, the bar for getting a patent on something completely obvious and which has been in use for years is extremely low, huh?
Scoring everywhere! (Score:5, Insightful)
At least in China they tell you that you get a score. In the west everyone and their aunt is using algorithms to rate us and rank us...but most of us have no clue.
Re: (Score:3)
At least in China they tell you that you get a score.
They only tell you your score if you belong to the inner party. Plebs do not get to know their social score until their kids are kicked out of school, a debt application is denied or they're not allowed to buy flight or train tickets.
Re: (Score:2)
In communist China, the website captchas you.
Re: (Score:2)
It should be illegal to use such scoring for anything. No more showing different prices to different people based on profiling.
Re: (Score:2)
The thing with google is while it does do all of that, they are restricted to what they can use this data by their privacy policies, use policies etc.. Now, I know that these policies are generally bullshit, and people put that stuff on their website and outright lie, but those are small fish. If you are google, and your privacy policy is
Re: (Score:2)
Seems like the obvious solution is to start stealing google cookies and testing if this captcha is vulnerable to a 'replay' attack. Then they can 'track' the hundreds of thousands of harvested cookies my browser uses.
Re: (Score:2)
Not got the ad company cookie thats been on for days/weeks/months?
The "internet" stops on that site AC.
What can a users browser do when it detects a request for the needed "ad company" cookie?
This cookie tastes stale. (Score:2)
Ya, that's why I only log into my Google / Gmail account when I need to, then log out of it. Granted, I'm probably still missing something and they're still tracking me to some degree, but every little bit helps.
Re: (Score:2)
Are you clearing the cookies out every time too? If not, then you're not helping yourself at all - you might as well stay signed in. And all of this is just one of the many ways Google tracks you. For most browsing, they get you a half dozen other ways too.
Isn't this supposed to be the Year of WebAuthn? (Score:2)
I personally couldn't care less if Google knows which pages I'm visiting on Google sites. I assume they know already. I just want to see the whole password and CAPTCHA mess replaced by some secure authentication standard we can live with. Let's implement an authentication system that runs off the user's choice of phone-in-vicinity or a plugged-in USB key.
No big brand cookie (Score:2)
Is that a new risk? (Score:2)
I assumed this was the case all along -- recapcha is hosted at a Google URL, so sends google its cookies everywhere that uses it.
I use Firefox containers to keep my Gmail usage separate from my general browsing (and I regularly clear cookies), which I think gives some protection against this tracking.
Google Credit Score (Score:2)
Be a nice Google sheep, else you will be locked out of your favorite websites!
Don't be what? (Score:2)
It turns out that nearly everything Google does has a dark side.
Who would have ever thought that an advertising company would have less-than-spotless morals?
Something something, Dark Side (Score:2)
Dark Side (Score:1)
Wait, it has a light side? ReCAPTCHA is entirely a cost to society, with zero benefits (except to Google).