As I understand it, reCAPTCHA only issues an actual puzzle to users it has reasons to doubt. In most cases, I only have to click a checkbox marked I am not a robot; and in a few rare cases, like if I'm in incognito mode, I have to click the parts of the image containing a car or something. Which clearly means that Google is fingerprinting me in order to guess whether I'm a human or not, and is storing information over time to facilitate the fingerprinting. It's not possible to get out of that. And ultimately, data that they have is data that they can use for ads; and we're supposed to "trust" them that they don't. Privacy policies are very nice and all, but they've been caught not respecting their own policies, haven't they? Though I guess whatever data they could get through reCAPTCHA would be rather insignificant compared to the firehose the vast majority of users sends to them anyway...
Google reCAPTCHA service under the microscope: Questions raised over privacy promises, cookie use
Six years ago, Google revised its reCAPTCHA service, designed to filter out bots, scrapers, and other automated web browsing, and allow humans through to websites. The v2 update in 2014 added an iframe or HTML Inline Frame, which is a way of embedding one web page in another. Then there was the v3 update in 2018, which added …
COMMENTS
-
-
Monday 2nd November 2020 09:01 GMT KittenHuffer
In a way this is all encouraging for me. Pretty much everywhere I go that uses reCRAPCHA I get asked to identify the buses/hydrants/bikes/hills/bridges every single time. Having to do this every single time is annoying, but is balanced by the fact that it tells me that the Google monster is having trouble tracking me with my choice of VPN, browser and add-ons.
-
Monday 2nd November 2020 10:26 GMT Craig 2
Re: In a way this is all encouraging for me
Definitely this, if you have your browser relatively locked down, recaptcha will ask every single time for image verification on sites you visit repeatedly. This should indicate that they can't fingerprint you so have to repeatedly verify you're not just a random bot.
Of course, the conspiracy version is that they can still track people running noscript / ublock etc just fine. They're only pretending they can't to make you feel safe....
-
Monday 2nd November 2020 10:56 GMT KittenHuffer
Re: In a way this is all encouraging for me
Unfortunately I believe they managed to grab a full set on info on me when I renewed my subscription to Tin Foil Beanie Monthly! I had to take mine off to get measurements while doing the renewal, and they must have read everything they needed while it was off!
-
-
-
-
Monday 2nd November 2020 15:30 GMT Trubbs
Re: In a way this is all encouraging for me
For me always just a check box until I started using Brave recently then multiple grainy pictures and repeated tests when trying to access PayPal (to close an account). At no time did I think I should open up the default shield behaviour. I did get a sense of repeated and varying attempts to identify me / set an identifier, I dunno maybe checking what my browser is doing in some way. Tbh couldn't be bothered to spend the time working it out. Close the account and avoid in future
-
-
-
-
-
-
Monday 2nd November 2020 11:24 GMT bombastic bob
the Google monster is having trouble tracking me with my choice of VPN, browser and add-ons.
It's been my observation that when I do the following:
* use chromium
* erase ALL history in an anal retentive way before I go someplace that uses CAPTCHA
The CAPTCHA puzzles are SIMPLER, and more frequently I just get a checkbox.
Thought I might mention that...
-
Monday 2nd November 2020 14:02 GMT RegGuy1
Clear cookies -- daily
Set your browser to clear your cookies. Chrome has a handy link you can bookmark:
chrome://settings/siteData?search=cookies
Close your browser at some point in the day. Open it again and click the link. Delete the youtube.com cookies that somehow never seem to get deleted. (Is that a bug in Chrome?[1])
Then you can get back to doing whatever. You'll probably have to log into things again, or just reload pages to get a cookie back, but you will have broken a link and made it just a little harder to be tracked.
[1] Of course it's not. I aways shut the browser down twice and check both times to see what the scum have tried to preserve.
-
Tuesday 3rd November 2020 21:07 GMT bombastic bob
Re: Clear cookies -- daily
WARNING: do not execute these commands until you understand what they do...
rm -rf ~/.cache/chromium/Default/*
rm -rf ~/.config/chromium/*
This also deletes preferences. you may still find it useful. If you want to KEEP your preferences, then you should do this first, then reopen chrome, set your preferences, and check the date/times on the files to see which ones you should keep
Just deleting the cache is not enough. SOME things, like those cookies you mention, reside "ELSEWHERE". You need to figure out which files/dirs CAN be removed, and remove them. I use a script with 30+ lines in it. Rather than post here, you can probably figure out which files need keeping, and delete the rest. No harm to chrome, it just returns to default if you delete a config file.
-
-
Monday 2nd November 2020 13:06 GMT Graham 32
I've given up with these. I never know if a traffic light is just the lights that are on, the lights on or off, the light unit, only the front of light units or the backs. Must the whole thing be in the square or just part of it. Whatever I try it asks me to do another. And then there's the time it insisted I hadn't selected all the taxis until I reluctantly lied and said a 90s mustard yellow Volvo 240 which isn't a taxi is a taxi.
If I must complete a captcha I do the audio ones. Much quicker.
-
Monday 2nd November 2020 14:26 GMT Cederic
I find them genuinely rage inducing. Unfortunately I can't afford to sue Google, let alone all the idiots using their anti-accessibility idiocy.
I have managed to convince a few companies to stop using them though, and/or provide alternate forms of interaction.
It's still fucking annoying when you want to provide feedback to a company, or contact them for other reasons, and you can't, because they decided that you're not sufficiently human.
-
Monday 2nd November 2020 14:52 GMT Andy Non
On one occasion I filled my shopping basket with specialist items from an engineering site and went to the checkout only to be presented with one of those Captchas to do, except it wouldn't actually show me any pictures to tick! I ended up abandoning my shopping cart and buying the items from their competitor.
-
-
-
-
Monday 2nd November 2020 11:24 GMT bombastic bob
In most cases, I only have to click a checkbox marked I am not a robot;
My experience has demonstrated that CAPTCHA does NOT like you to use non-chromium browsers.
* Nearly every time I use firefox, I have trouble with as many as half of the captchas
* Specifically, the captchas that involve a slow fade-out and slow-fade in of a picture you might need to click because of an object on it *ALWAYS* *FAIL* whenever I use Firefox. This has been going on (sometimes worse, sometimes just bad) for ABOUT A YEAR now.
* There does NOT seem to be any kind of reasonable feedback or customer service contact on this [I have tried, in one case an e-mail address]
* Using FreeBSD and/or Firefox should _NOT_ make you "suspect" nor cause you to get "nothing but the hard ones that require a screen magnifier to solve and involve more than 2 'next/verify' buttons"
* NOT having "the most bleeding edge browser" should _NOT_ make you "suspect" [and it should STILL WORK PROPERLY]
* rejecting 3rd party cookies or setting 'private browsing mode' should NOT make you "suspect"
I have seen government services for the state of California actually USE CAPTCHA which is EXTREMELY ANNOYING because of this sort of thing.
I have also been waiting for a chance to RANT about this where someone else might actually CONFIRM it independently. I do frequent a particular web site that uses captcha to control user posts to (try to) prevent abuse. So I'm basically FORCED to USE CHROMIUM for this.
(but I have great hacks in place to prevent everything I do from being tracked by "that one browser" that doesn't have noscript or cookie blocking or private browsing or any OTHER mitigating 'thing' and I use a script to DUMP ALL HISTORY which is comprehensive and seems to work just fine...)
-
Monday 2nd November 2020 13:16 GMT find users who cut cat tail
This explains why I tend to get those terrible CAPTCHAs. I can tick more or less everything on your list.
For some of them I actually have no idea what it wants from me – like ‘store fronts’ (is this one an office or a store… and this one looks like laundrette…) or ’vehicles‘ (sure, kick scooters, skateboards and wheelbarrows are all vehicles, but is this how the machine sees them?). Several times I just gave up after getting an apparently endless stream of cropped ambiguous poorly shot rubbish in poor light to identify.
-
-
Monday 2nd November 2020 12:53 GMT Mage
reCAPTCHA only issues
Nonsense.
Problems with it:
Ebay.co.uk is using it as well as login, but denies it. Not always.
Sometimes PayPal uses it, like when you click on a link in an email to confirm a new email.
It's US cultured. Loads of people outside the USA wouldn't know taxis are yellow rather than black or random. Or that a crosswalk is a Zebra crossing.
It's obviously a parasite using crowd funding to train so called self driving cars.
The images can be too small.
***
IT'S ABUSIVE, CULTURALLY BIASED and an INVASION OF PRIVACY. It's all about Google, not genuinely anti-spam.
It's also being misused by website operators. It is NOT part of 2FA. Nuke it from orbit!
-
Monday 2nd November 2020 14:43 GMT J27
Re: reCAPTCHA only issues
reCAPTCHA has never been about 2FA, it's not an authentication factor. It's about trying lock out bots from your web application. It definitely does work, I've tested its effectiveness personally many times. But the main reason you see it implemented so many places is that they downside is not felt by the people implementing it, it's only an issue for the end user and even then they almost never notice.
For reference my employer's products all tell you up front that 3rd party tracking cookies are in use, but I don't think hardly anyone actually reads and comprehends that privacy notice. I don't think end users read 1/10 of the text on any web site.
-
Monday 2nd November 2020 19:37 GMT Mage
Re: reCAPTCHA only issues
So why are eBay.co.uk and PayPal using it on EXISTING Users logging in?
You enter user name, password and then have the stupid multiple picture quizzes.
OBVIOUSLY it's useless as a 2FA. It's supposedly authenticating that it's a human logging in.
There is no valid reason to have 3rd party cookies. I block all of those all the time on laptop and Mobile. They are purely malicious trackers nothing to do with the site. A privacy notice doesn't make them legal in the EU. This can be true for many actual site cookies. A privacy notice with Click Next to Continue is not obtaining consent.
-
-
Monday 2nd November 2020 14:56 GMT Andy Non
Re: reCAPTCHA only issues
"Ebay.co.uk is using it as well as login"
I gave up on ebay, it won't even let me enter my postal address (or any address at all!) Whatever I type it just says "Enter a valid address". So I abandoned the sign-up process.
It must be objecting to Firefox blocking third party cookies or some other privacy setting, but I wasn't going to wade through all the settings to find if one of them was responsible.
-
Monday 2nd November 2020 13:30 GMT heyrick
"Which clearly means that Google is fingerprinting me in order to guess whether I'm a human or not"
Please do. The less I have to see those bloody things, the better.
Otherwise I have to remember what a crosswalk is, that when they say identify buses they mean the yellow ones, ditto the taxis, and that Americans put traffic lights in some really weird places (including on what looks like a rope strung across the road?).
At least be fair, Google, and ask your own country's citizens to select all the Belisha beacons!
-
Tuesday 3rd November 2020 11:40 GMT big_D
It depends, in Europe, data captured for reCAPTCHA couldn't be used for advertising purposes, unless it is explicitly listed in the T&Cs and the user has explicitly agreed (opt-in) to having it used for advertising purposes.
There are also things like data retention - it must be deleted as soon as its purpose has been fulfilled or within a reasonable period (probably a maximum of 6 weeks to 3 months, depending on what you can argue is reasonable).
-
-
Monday 2nd November 2020 10:27 GMT hoola
Re: Helping Google
Along with the assumption that the entire world speaks or translates to American English. What the hell is a cross walk?
I know it is obvious but they have so much "intelligence" with language settings and tracking then have the courtesy to make the stupid puzzle appropriate to the region the request is coming from.
-
Monday 2nd November 2020 13:13 GMT Brewster's Angle Grinder
Re: Helping Google
Never give the right answer first time; sometime it will succeed. (Although, if you're reading this Google, failures on the second round are my natural incompetence allied with your insistence that 1 pixel of a traffic light in one square means there is a traffic light in it.)
-
Monday 2nd November 2020 14:49 GMT J27
Re: Helping Google
It's not Google who decides which squares are considered the correct answer. The answers come from an amalgamation of all the previous reCAPTCHA answers from other users the system has deemed "human". That's right, half the time when it asks you those questions it doesn't even know the answer.
-
Monday 2nd November 2020 15:11 GMT Jellied Eel
Re: Helping Google
Never give the right answer first time; sometime it will succeed.
Everyone should give the wrong answer, several times. I miss the old days (ok, not really) when captchas were bits of books that machine translation was struggling with. At least our work had the potential to increase the digitised store of human knowledge.
Now, we are contributing to the decline in driving standards, hence why captchas like asking about traffic lights. We're helping train the next generation of bad drivers. But we may be able to subvert this and delay the rise of the machines.
So given the volume of image fragments, I doubt the images are screened (initially) by humans, and they need to be challenging enough that less sophisticated image recognition systems fail. Which potentially means there's some doubt in the AI's mind as to what it's looking at, which could be exploited. So fail to identify traffic lights. Or identify parking spaces next to fire hydrants. Or identify fire hydrants as traffic lights. If enough people do this, the system may be subverted, and we find self-driving cars stopped at red fire hydrants with their 'drivers' looking confused.
-
Tuesday 3rd November 2020 17:47 GMT heyrick
Re: Helping Google
"At least our work had the potential to increase the digitised store of human knowledge."
Yeah, about that. I have somewhere (from about a decade ago) a screenshot of where it gave me two words and wanted them entered. One was Hebrew (I think, could have been Arameic for all I know), the other was Hangul (Korean). And I do that on my British QWERTY keyboard how, exactly?
-
-
-
-
Monday 2nd November 2020 15:03 GMT John Brown (no body)
Re: Helping Google
Does it? I don't recall seeing anything other US street scenes. If they do, then it seems odd that they know which country I', in but never seem to show any UK street scenes. Maybe it's only a tiny fraction of a percentage that is non-US and I've not been lucky enough to get a localised one.
-
Tuesday 3rd November 2020 17:52 GMT heyrick
Re: Helping Google
I'll +1 to John.
Buses are yellow.
So are taxis.
Always.
Zebra crossings? Could be anywhere but they are always called crosswalks, even when your browser is set to prefer en-GB.
And as for traffic lights, my god, it's a game of hide and seek! (and they're often yellow too).
Never ever, not ONCE seen a bolisha beacon nor a roundabout.
I will grant you, sometimes the shopfronts don't always look like they're in English...or shops... but that's probably just the Googlemobile wandering through Chinatown, little Italy...
-
-
-
Monday 2nd November 2020 17:03 GMT DS999
Which is why I usually take a minute
to pollute their results with a lot of incorrect information, only getting it "right" after I get tired of spamming them. If more people did this the information would become completely useless to them and they'd stop trying to use us as forced labor to help their AI efforts.
-
-
Monday 2nd November 2020 10:23 GMT Mr Anonymous
Google are lying
I can prove Google are lying, when I need to log in to a site using recaptcha, but also when I use two different accounts to do so.
One is a personal account, I have a dedicated email address for it used only there, not used for anything but this one site. As a general standard, I delete cookies from all sites I visit after I leave (I have about 6 sites that I allow primary domain cookies, but block all third party) . I have blocked all Google domain and advertising sites for years and if a site uses resources from a Google domain like fonts or scripts and it doesn't work with the blocks in place, I go else where. I do not use any Google services, except my Android phone does have an account that's not used anywhere else and that doesn't work too well as it likes to continually nag me, as though there is a virus running, "App permission management is running" and I have blocked as much as I can there too.
The second account is a work colleague's address. Although he occasionally does add blocking, he does little else and remains logged in to many sites/services.
When I use the target site, I have to allow Google.com and gstatic.com (used to be recaptcha.net and gstatic,com, I wonder why that changed?). I login, order some parts I need, log out, delete cookies and re-block the two domains and the main site I just used. I do this whether I use my account or my colleagues, there is NO data on my machine to show if I have visited before and that I passed the recaptcha.
When I login as me, I need to select the images to prove I'm not a bot, when I use my colleague's account, all I need to do is check the box. This is from the same Linux PC, both accounts, I don't use my colleagues machine to login.
How do they know it's a human when I use my colleague's email, but not when I use my mainly Google protected email, I have to be tested? Where are they getting the data from to decide my colleague with lots of Google data is human, but my low profile account needs a bot test?
The simplest explanation is that as on other occasions, Google are lying, they are using their trove of personal data and making the experience of non Googled people worse. I'd give this as evidence in a legal hearing.
-
Monday 2nd November 2020 14:52 GMT J27
Re: Google are lying
Google are literally tracking your activities across every site that links anything from Google. Including mouse movements and keypresses. This is how the automatic reCAPTCHA works (it's spelled out in the dev documentation for reCAPTCHA). Illegal? Not right now. 1984? Getting close in my opinion.
-
-
Monday 2nd November 2020 13:06 GMT Mage
Utter Bollocks
""In my opinion, organizations in Europe that use reCAPTCHA for spam protection now need to move reCAPTCHA behind their consent walls," he said.
No, they need to stop using it. It's abusive even if not used somehow for adverts. Also giving consent or not accessing the resource is toxic. Very many cookie consent forms are actually illegal.
-
Monday 2nd November 2020 13:15 GMT Mike 137
Quite apart from privacy...
"reCAPTCHA makes it possible for the internet giant to challenge netizens to prove they are real people"
The reality is more like "reCAPTCHA makes it possible for the internet giant to challenge netizens to prove they are real Americans".
Most of the images are parochially USA-biased and culture bound, which indicates the level of care with which they are chosen for a supposedly "universal" service.
-
Monday 2nd November 2020 15:06 GMT Claverhouse
Fuck Google
The abominable reCAPTCHA always shows up when I'm using a VPN and going to Google Search. Several times in a row.
It is a great time-waster, and if one leaves the page whilst waiting it reverts to Are You A Human and serves up another dumb selection of blocky American Buses, Bicycles, and Fire Hydrants [ whatever they may be ]. I reckon Google just wants to discourage VPNs to maintain it's perfect spying record.
-
Monday 2nd November 2020 15:29 GMT Missing Semicolon
The wrong people are paying.
reCAPTCHA has the same problem that Google Analytics has. Both are free for the web-site operator to use, and they provide useful services (bot prevention and usage stats). But we, the users, pay with our PII. And we didn't agree to help pay for the website like that.
Even the UK Government does it!.
-
Monday 2nd November 2020 15:39 GMT Anonymous Coward
I'm pretty sure that I'm not the only one who considers reCAPTCHA to be a 'denial of service' tool - I actively avoid any sites which employ it.
If the Great Satan of Mountain View wants me to help train their neural networks then all they need to do is ask - my rates are pretty reasonable.
-
Monday 2nd November 2020 17:29 GMT Compression Artifact
reCAPTCHA in government website
There's a place in the Colorado Secretary of State's website where users who have just entered private information into a form have to solve a Google reCAPTCHA to submit it. Private information for the government and Google are two things that do not go well together.
-
Monday 2nd November 2020 19:12 GMT LenG
I hate the stinking things
They always seem to ask me for several iterations, possibly because I use an obscure browser. There is one particular site which invariably runs through several challenges, tells me I am not a robot then locks up until the session times out and I have to start again, which doesn't help because the same thing happens every time.
-
Tuesday 3rd November 2020 19:06 GMT Infi 1
I hate reCaptcha. If a site uses it, there's about an 80% chance I'll see one of its stupid popups and then, depending on how it's set up, I may have to 'solve' 4 or 5 different reCaptcha's before it will let me log in.
Pisses me off. It's not like I'm hiding behind a dodgy VPN. I have a static IP, with reverse DNS that matches the domain I own. I don't do anything particularly dodgy using on my connection, yet Google's rePester constantly targets me.
If I was paranoid, I'd say they had it in for me!!!
Who said that?!??!?!?!