back to article Google reCAPTCHA service under the microscope: Questions raised over privacy promises, cookie use

Six years ago, Google revised its reCAPTCHA service, designed to filter out bots, scrapers, and other automated web browsing, and allow humans through to websites. The v2 update in 2014 added an iframe or HTML Inline Frame, which is a way of embedding one web page in another. Then there was the v3 update in 2018, which added …

  1. Dinanziame Silver badge
    Meh

    As I understand it, reCAPTCHA only issues an actual puzzle to users it has reasons to doubt. In most cases, I only have to click a checkbox marked I am not a robot; and in a few rare cases, like if I'm in incognito mode, I have to click the parts of the image containing a car or something. Which clearly means that Google is fingerprinting me in order to guess whether I'm a human or not, and is storing information over time to facilitate the fingerprinting. It's not possible to get out of that. And ultimately, data that they have is data that they can use for ads; and we're supposed to "trust" them that they don't. Privacy policies are very nice and all, but they've been caught not respecting their own policies, haven't they? Though I guess whatever data they could get through reCAPTCHA would be rather insignificant compared to the firehose the vast majority of users sends to them anyway...

    1. Chris G Silver badge

      Google may have been caught not respecting the policies they pubish but those are not necessarily the policies they operate under.

      They should be broken up to make way for someone else to slurp our data!

    2. KittenHuffer Silver badge

      In a way this is all encouraging for me. Pretty much everywhere I go that uses reCRAPCHA I get asked to identify the buses/hydrants/bikes/hills/bridges every single time. Having to do this every single time is annoying, but is balanced by the fact that it tells me that the Google monster is having trouble tracking me with my choice of VPN, browser and add-ons.

      1. Craig 2
        Big Brother

        Re: In a way this is all encouraging for me

        Definitely this, if you have your browser relatively locked down, recaptcha will ask every single time for image verification on sites you visit repeatedly. This should indicate that they can't fingerprint you so have to repeatedly verify you're not just a random bot.

        Of course, the conspiracy version is that they can still track people running noscript / ublock etc just fine. They're only pretending they can't to make you feel safe....

        1. KittenHuffer Silver badge

          Re: In a way this is all encouraging for me

          Unfortunately I believe they managed to grab a full set on info on me when I renewed my subscription to Tin Foil Beanie Monthly! I had to take mine off to get measurements while doing the renewal, and they must have read everything they needed while it was off!

        2. Blazde Bronze badge
          Facepalm

          Re: In a way this is all encouraging for me

          Sometimes I'm asked to answer 3 or 4 puzzles in a row. Am I really dumb, or do you think they could be pretending I got them wrong to make me feel dumb?

          1. heyrick Silver badge

            Re: In a way this is all encouraging for me

            You probably missed something like a traffic light in the air or a bicycle half hidden behind a bush. Yes, it's annoying. Especially when you get those pictures that are so bad that they're barely distinguishable from random noise.

            1. NightFox

              Re: In a way this is all encouraging for me

              I never know if a traffic light includes the pole it's mounted on or not.

              1. Trubbs

                Re: In a way this is all encouraging for me

                For me always just a check box until I started using Brave recently then multiple grainy pictures and repeated tests when trying to access PayPal (to close an account). At no time did I think I should open up the default shield behaviour. I did get a sense of repeated and varying attempts to identify me / set an identifier, I dunno maybe checking what my browser is doing in some way. Tbh couldn't be bothered to spend the time working it out. Close the account and avoid in future

              2. -maniax-

                Re: In a way this is all encouraging for me

                If I'm not sure whether there's enough of the traffic light\steps\boat\tractor etc for a box to be ticked I ask myself, "If I saw that square in isolation would I recognise the object?", if the answer is no then i don't tick it

          2. cd

            Re: In a way this is all encouraging for me

            When you ID photos you are working for them for free, helping train their AI. So of course if they find someone willing they'll keep plying you with more work.

            -Hesitate, take your time

            -Use the sound ID instead and don't put in all the words.

      2. bombastic bob Silver badge
        Pirate

        the Google monster is having trouble tracking me with my choice of VPN, browser and add-ons.

        It's been my observation that when I do the following:

        * use chromium

        * erase ALL history in an anal retentive way before I go someplace that uses CAPTCHA

        The CAPTCHA puzzles are SIMPLER, and more frequently I just get a checkbox.

        Thought I might mention that...

        1. RegGuy1 Silver badge

          Clear cookies -- daily

          Set your browser to clear your cookies. Chrome has a handy link you can bookmark:

          chrome://settings/siteData?search=cookies

          Close your browser at some point in the day. Open it again and click the link. Delete the youtube.com cookies that somehow never seem to get deleted. (Is that a bug in Chrome?[1])

          Then you can get back to doing whatever. You'll probably have to log into things again, or just reload pages to get a cookie back, but you will have broken a link and made it just a little harder to be tracked.

          [1] Of course it's not. I aways shut the browser down twice and check both times to see what the scum have tried to preserve.

          1. DMcDonnell

            Re: Clear cookies -- daily

            Self destructing cookies. When I close the tab the cookie is deleted, and of course when I close the browser select cookies are deleted then as well.

          2. bombastic bob Silver badge
            Pirate

            Re: Clear cookies -- daily

            WARNING: do not execute these commands until you understand what they do...

            rm -rf ~/.cache/chromium/Default/*

            rm -rf ~/.config/chromium/*

            This also deletes preferences. you may still find it useful. If you want to KEEP your preferences, then you should do this first, then reopen chrome, set your preferences, and check the date/times on the files to see which ones you should keep

            Just deleting the cache is not enough. SOME things, like those cookies you mention, reside "ELSEWHERE". You need to figure out which files/dirs CAN be removed, and remove them. I use a script with 30+ lines in it. Rather than post here, you can probably figure out which files need keeping, and delete the rest. No harm to chrome, it just returns to default if you delete a config file.

      3. Graham 32

        I've given up with these. I never know if a traffic light is just the lights that are on, the lights on or off, the light unit, only the front of light units or the backs. Must the whole thing be in the square or just part of it. Whatever I try it asks me to do another. And then there's the time it insisted I hadn't selected all the taxis until I reluctantly lied and said a 90s mustard yellow Volvo 240 which isn't a taxi is a taxi.

        If I must complete a captcha I do the audio ones. Much quicker.

        1. Cederic Silver badge

          I find them genuinely rage inducing. Unfortunately I can't afford to sue Google, let alone all the idiots using their anti-accessibility idiocy.

          I have managed to convince a few companies to stop using them though, and/or provide alternate forms of interaction.

          It's still fucking annoying when you want to provide feedback to a company, or contact them for other reasons, and you can't, because they decided that you're not sufficiently human.

          1. Andy Non Silver badge
            Mushroom

            On one occasion I filled my shopping basket with specialist items from an engineering site and went to the checkout only to be presented with one of those Captchas to do, except it wouldn't actually show me any pictures to tick! I ended up abandoning my shopping cart and buying the items from their competitor.

    3. bombastic bob Silver badge
      Pirate

      In most cases, I only have to click a checkbox marked I am not a robot;

      My experience has demonstrated that CAPTCHA does NOT like you to use non-chromium browsers.

      * Nearly every time I use firefox, I have trouble with as many as half of the captchas

      * Specifically, the captchas that involve a slow fade-out and slow-fade in of a picture you might need to click because of an object on it *ALWAYS* *FAIL* whenever I use Firefox. This has been going on (sometimes worse, sometimes just bad) for ABOUT A YEAR now.

      * There does NOT seem to be any kind of reasonable feedback or customer service contact on this [I have tried, in one case an e-mail address]

      * Using FreeBSD and/or Firefox should _NOT_ make you "suspect" nor cause you to get "nothing but the hard ones that require a screen magnifier to solve and involve more than 2 'next/verify' buttons"

      * NOT having "the most bleeding edge browser" should _NOT_ make you "suspect" [and it should STILL WORK PROPERLY]

      * rejecting 3rd party cookies or setting 'private browsing mode' should NOT make you "suspect"

      I have seen government services for the state of California actually USE CAPTCHA which is EXTREMELY ANNOYING because of this sort of thing.

      I have also been waiting for a chance to RANT about this where someone else might actually CONFIRM it independently. I do frequent a particular web site that uses captcha to control user posts to (try to) prevent abuse. So I'm basically FORCED to USE CHROMIUM for this.

      (but I have great hacks in place to prevent everything I do from being tracked by "that one browser" that doesn't have noscript or cookie blocking or private browsing or any OTHER mitigating 'thing' and I use a script to DUMP ALL HISTORY which is comprehensive and seems to work just fine...)

      1. find users who cut cat tail

        This explains why I tend to get those terrible CAPTCHAs. I can tick more or less everything on your list.

        For some of them I actually have no idea what it wants from me – like ‘store fronts’ (is this one an office or a store… and this one looks like laundrette…) or ’vehicles‘ (sure, kick scooters, skateboards and wheelbarrows are all vehicles, but is this how the machine sees them?). Several times I just gave up after getting an apparently endless stream of cropped ambiguous poorly shot rubbish in poor light to identify.

    4. Mage Silver badge

      reCAPTCHA only issues

      Nonsense.

      Problems with it:

      Ebay.co.uk is using it as well as login, but denies it. Not always.

      Sometimes PayPal uses it, like when you click on a link in an email to confirm a new email.

      It's US cultured. Loads of people outside the USA wouldn't know taxis are yellow rather than black or random. Or that a crosswalk is a Zebra crossing.

      It's obviously a parasite using crowd funding to train so called self driving cars.

      The images can be too small.

      ***

      IT'S ABUSIVE, CULTURALLY BIASED and an INVASION OF PRIVACY. It's all about Google, not genuinely anti-spam.

      The real reason for reCAPTCHA

      It's also being misused by website operators. It is NOT part of 2FA. Nuke it from orbit!

      1. find users who cut cat tail

        Re: reCAPTCHA only issues

        It's obviously a parasite using crowd funding to train so called self driving carsGoogle killer robots.

      2. J27 Silver badge

        Re: reCAPTCHA only issues

        reCAPTCHA has never been about 2FA, it's not an authentication factor. It's about trying lock out bots from your web application. It definitely does work, I've tested its effectiveness personally many times. But the main reason you see it implemented so many places is that they downside is not felt by the people implementing it, it's only an issue for the end user and even then they almost never notice.

        For reference my employer's products all tell you up front that 3rd party tracking cookies are in use, but I don't think hardly anyone actually reads and comprehends that privacy notice. I don't think end users read 1/10 of the text on any web site.

        1. Mage Silver badge

          Re: reCAPTCHA only issues

          So why are eBay.co.uk and PayPal using it on EXISTING Users logging in?

          You enter user name, password and then have the stupid multiple picture quizzes.

          OBVIOUSLY it's useless as a 2FA. It's supposedly authenticating that it's a human logging in.

          There is no valid reason to have 3rd party cookies. I block all of those all the time on laptop and Mobile. They are purely malicious trackers nothing to do with the site. A privacy notice doesn't make them legal in the EU. This can be true for many actual site cookies. A privacy notice with Click Next to Continue is not obtaining consent.

          1. It's just me
            Terminator

            Re: reCAPTCHA only issues

            Probably to block automated credential stuffing attacks, which are rampant. Not that I approve of Google's snooping, but some form of CAPTCHA is necessary for just about any internet facing service now.

      3. Andy Non Silver badge

        Re: reCAPTCHA only issues

        "Ebay.co.uk is using it as well as login"

        I gave up on ebay, it won't even let me enter my postal address (or any address at all!) Whatever I type it just says "Enter a valid address". So I abandoned the sign-up process.

        It must be objecting to Firefox blocking third party cookies or some other privacy setting, but I wasn't going to wade through all the settings to find if one of them was responsible.

        1. Mage Silver badge

          Re: ebay cookies

          No problems with ANY site, including ebay or paypal or Amazon with totally blocked 3rd party cookies.

          Sometimes I have to disable script blocking (uMatrix) for Paypal to work, even if everything is apparently allowed.

    5. heyrick Silver badge

      "Which clearly means that Google is fingerprinting me in order to guess whether I'm a human or not"

      Please do. The less I have to see those bloody things, the better.

      Otherwise I have to remember what a crosswalk is, that when they say identify buses they mean the yellow ones, ditto the taxis, and that Americans put traffic lights in some really weird places (including on what looks like a rope strung across the road?).

      At least be fair, Google, and ask your own country's citizens to select all the Belisha beacons!

    6. big_D Silver badge

      It depends, in Europe, data captured for reCAPTCHA couldn't be used for advertising purposes, unless it is explicitly listed in the T&Cs and the user has explicitly agreed (opt-in) to having it used for advertising purposes.

      There are also things like data retention - it must be deleted as soon as its purpose has been fulfilled or within a reasonable period (probably a maximum of 6 weeks to 3 months, depending on what you can argue is reasonable).

      1. heyrick Silver badge

        It depends, in Europe

        There's the theory, and there's the practice...

  2. Anonymous Coward
    Anonymous Coward

    CAPTCHA is a PITA

    and the only reason that google.com isn't blocked at my firewall.

    Refuzniks of the world unite - avoid Google, Facebook, Amazon etc.

    1. N2 Silver badge
      Mushroom

      Re: CAPTCHA is a PITA

      Yes, I shit 'em, hate their stupid puzzles

  3. Anonymous Coward
    Anonymous Coward

    hCaptcha

    In my quest to reduce my (and that of my users) exposure to Google I have started migrating to hCaptcha. I can recommend it, it works.

    Still looking for a European alternative so no data gets send to the other side of the planet at all but this is a start.

  4. SlippyBuckfast

    Helping Google

    Privacy aside, the reason I hate them is I'm effectively helping google build it's AI by finding fire hydrants, traffic lights, etc. They have effectively built the world's largest free human labour image recognition machine - and that's what gets my goat most.

    1. hoola Silver badge

      Re: Helping Google

      Along with the assumption that the entire world speaks or translates to American English. What the hell is a cross walk?

      I know it is obvious but they have so much "intelligence" with language settings and tracking then have the courtesy to make the stupid puzzle appropriate to the region the request is coming from.

      1. Anonymous Coward
        Anonymous Coward

        Re: Helping Google

        > What the hell is a cross walk?

        It's what you do when you missed the last bus home.

        1. Teiwaz Silver badge

          Re: Helping Google

          > What the hell is a cross walk?

          I assume it's one of those New York cultural gags, where someone goes 'I'm Walking here!' in an annoyed voice.

      2. Sgt_Oddball Silver badge

        Re: Helping Google

        Or ask you to confirm buses and all you see is long yellow single decker things... Nothing at all like the cream and purple hued double decker beasts I see trundling around my neck of the world.

    2. Brewster's Angle Grinder Silver badge

      Re: Helping Google

      Never give the right answer first time; sometime it will succeed. (Although, if you're reading this Google, failures on the second round are my natural incompetence allied with your insistence that 1 pixel of a traffic light in one square means there is a traffic light in it.)

      1. J27 Silver badge

        Re: Helping Google

        It's not Google who decides which squares are considered the correct answer. The answers come from an amalgamation of all the previous reCAPTCHA answers from other users the system has deemed "human". That's right, half the time when it asks you those questions it doesn't even know the answer.

      2. Jellied Eel Silver badge
        Terminator

        Re: Helping Google

        Never give the right answer first time; sometime it will succeed.

        Everyone should give the wrong answer, several times. I miss the old days (ok, not really) when captchas were bits of books that machine translation was struggling with. At least our work had the potential to increase the digitised store of human knowledge.

        Now, we are contributing to the decline in driving standards, hence why captchas like asking about traffic lights. We're helping train the next generation of bad drivers. But we may be able to subvert this and delay the rise of the machines.

        So given the volume of image fragments, I doubt the images are screened (initially) by humans, and they need to be challenging enough that less sophisticated image recognition systems fail. Which potentially means there's some doubt in the AI's mind as to what it's looking at, which could be exploited. So fail to identify traffic lights. Or identify parking spaces next to fire hydrants. Or identify fire hydrants as traffic lights. If enough people do this, the system may be subverted, and we find self-driving cars stopped at red fire hydrants with their 'drivers' looking confused.

        1. heyrick Silver badge

          Re: Helping Google

          "At least our work had the potential to increase the digitised store of human knowledge."

          Yeah, about that. I have somewhere (from about a decade ago) a screenshot of where it gave me two words and wanted them entered. One was Hebrew (I think, could have been Arameic for all I know), the other was Hangul (Korean). And I do that on my British QWERTY keyboard how, exactly?

    3. J27 Silver badge

      Re: Helping Google

      You guys seem to have missed this, but reCAPTCHA uses photos from all over the world, so being familiar with American crosswalks/busses/taxies isn't always helpful.

      1. John Brown (no body) Silver badge

        Re: Helping Google

        Does it? I don't recall seeing anything other US street scenes. If they do, then it seems odd that they know which country I', in but never seem to show any UK street scenes. Maybe it's only a tiny fraction of a percentage that is non-US and I've not been lucky enough to get a localised one.

        1. heyrick Silver badge

          Re: Helping Google

          I'll +1 to John.

          Buses are yellow.

          So are taxis.

          Always.

          Zebra crossings? Could be anywhere but they are always called crosswalks, even when your browser is set to prefer en-GB.

          And as for traffic lights, my god, it's a game of hide and seek! (and they're often yellow too).

          Never ever, not ONCE seen a bolisha beacon nor a roundabout.

          I will grant you, sometimes the shopfronts don't always look like they're in English...or shops... but that's probably just the Googlemobile wandering through Chinatown, little Italy...

    4. DS999
      Stop

      Which is why I usually take a minute

      to pollute their results with a lot of incorrect information, only getting it "right" after I get tired of spamming them. If more people did this the information would become completely useless to them and they'd stop trying to use us as forced labor to help their AI efforts.

    5. Anonymous Coward
      Anonymous Coward

      Re: Helping Google

      I've always wondered: does that free labour break any laws? Would love to see a minimum wage law complaint succeed against them on that one...

  5. Mr Anonymous

    Google are lying

    I can prove Google are lying, when I need to log in to a site using recaptcha, but also when I use two different accounts to do so.

    One is a personal account, I have a dedicated email address for it used only there, not used for anything but this one site. As a general standard, I delete cookies from all sites I visit after I leave (I have about 6 sites that I allow primary domain cookies, but block all third party) . I have blocked all Google domain and advertising sites for years and if a site uses resources from a Google domain like fonts or scripts and it doesn't work with the blocks in place, I go else where. I do not use any Google services, except my Android phone does have an account that's not used anywhere else and that doesn't work too well as it likes to continually nag me, as though there is a virus running, "App permission management is running" and I have blocked as much as I can there too.

    The second account is a work colleague's address. Although he occasionally does add blocking, he does little else and remains logged in to many sites/services.

    When I use the target site, I have to allow Google.com and gstatic.com (used to be recaptcha.net and gstatic,com, I wonder why that changed?). I login, order some parts I need, log out, delete cookies and re-block the two domains and the main site I just used. I do this whether I use my account or my colleagues, there is NO data on my machine to show if I have visited before and that I passed the recaptcha.

    When I login as me, I need to select the images to prove I'm not a bot, when I use my colleague's account, all I need to do is check the box. This is from the same Linux PC, both accounts, I don't use my colleagues machine to login.

    How do they know it's a human when I use my colleague's email, but not when I use my mainly Google protected email, I have to be tested? Where are they getting the data from to decide my colleague with lots of Google data is human, but my low profile account needs a bot test?

    The simplest explanation is that as on other occasions, Google are lying, they are using their trove of personal data and making the experience of non Googled people worse. I'd give this as evidence in a legal hearing.

    1. J27 Silver badge

      Re: Google are lying

      Google are literally tracking your activities across every site that links anything from Google. Including mouse movements and keypresses. This is how the automatic reCAPTCHA works (it's spelled out in the dev documentation for reCAPTCHA). Illegal? Not right now. 1984? Getting close in my opinion.

  6. Anonymous Coward
    Anonymous Coward

    reCRAPTCHA

    If I run into reCAPTCHA then I'll try once and when I fail then I leave the web site, I recently unsubscribed from The Guardian when they started using it - I could swear that I was answering the problems correctly but it just kept asking a new question all the time.

    1. Oldgroaner

      Re: reCRAPTCHA

      Had the same problem with the Guardian sent them a hissy email and had a soft-soap answer, a great way to reward subscribers.

  7. poohbear

    I don't mind ticking a box but no one is paying me to count the blue cars.

    So I leave.

  8. sitta_europea Bronze badge

    So companies lie to make money. Big surprise. Nothing to see here, move along please.

    1. Craig 2

      At first I thought you'd misspelt `like` but then I realized your original sentence also made perfect sense :(

  9. Simian Surprise

    v1

    Anyone here remember when reCAPTCHA was an independent service and the answers used for book digitizing?

    Pepperidge Farm remembers.

  10. Fruit and Nutcase Silver badge

    gstatic.com

    Recently, I had to allow gstatic.com in noscript and uBlock Origin when I want to load google.com, and it did appear to be related to accepting their T&Cs, so, I presumed it involved more snooping/cookies.

  11. 2+2=5 Silver badge
    Joke

    I'm pretty sure they're not using Captcha for tracking...

    I've had to use Captcha lots of times and I've never yet been served-up an ad trying to sell me a traffic light or a cross-walk, so clearly it's not being used for tracking. ;-)

    1. NetBlackOps Bronze badge

      Re: I'm pretty sure they're not using Captcha for tracking...

      Unfortunately, I have only one up-vote to give thee!

  12. Mage Silver badge
    Flame

    Utter Bollocks

    ""In my opinion, organizations in Europe that use reCAPTCHA for spam protection now need to move reCAPTCHA behind their consent walls," he said.

    No, they need to stop using it. It's abusive even if not used somehow for adverts. Also giving consent or not accessing the resource is toxic. Very many cookie consent forms are actually illegal.

  13. Mike 137 Silver badge

    Quite apart from privacy...

    "reCAPTCHA makes it possible for the internet giant to challenge netizens to prove they are real people"

    The reality is more like "reCAPTCHA makes it possible for the internet giant to challenge netizens to prove they are real Americans".

    Most of the images are parochially USA-biased and culture bound, which indicates the level of care with which they are chosen for a supposedly "universal" service.

  14. Pascal Monett Silver badge

    "I'm classifying Google's Recaptcha service as an *Advertising Network* "

    He's only noticed now ?

    Anything Google does is for advertising.

    Always has been, always will.

  15. Claverhouse Silver badge
    Thumb Down

    Fuck Google

    The abominable reCAPTCHA always shows up when I'm using a VPN and going to Google Search. Several times in a row.

    It is a great time-waster, and if one leaves the page whilst waiting it reverts to Are You A Human and serves up another dumb selection of blocky American Buses, Bicycles, and Fire Hydrants [ whatever they may be ]. I reckon Google just wants to discourage VPNs to maintain it's perfect spying record.

  16. Missing Semicolon Silver badge
    Unhappy

    The wrong people are paying.

    reCAPTCHA has the same problem that Google Analytics has. Both are free for the web-site operator to use, and they provide useful services (bot prevention and usage stats). But we, the users, pay with our PII. And we didn't agree to help pay for the website like that.

    Even the UK Government does it!.

  17. Anonymous Coward
    Anonymous Coward

    I'm pretty sure that I'm not the only one who considers reCAPTCHA to be a 'denial of service' tool - I actively avoid any sites which employ it.

    If the Great Satan of Mountain View wants me to help train their neural networks then all they need to do is ask - my rates are pretty reasonable.

  18. Compression Artifact

    reCAPTCHA in government website

    There's a place in the Colorado Secretary of State's website where users who have just entered private information into a form have to solve a Google reCAPTCHA to submit it. Private information for the government and Google are two things that do not go well together.

  19. LenG

    I hate the stinking things

    They always seem to ask me for several iterations, possibly because I use an obscure browser. There is one particular site which invariably runs through several challenges, tells me I am not a robot then locks up until the session times out and I have to start again, which doesn't help because the same thing happens every time.

  20. Infi 1

    I hate reCaptcha. If a site uses it, there's about an 80% chance I'll see one of its stupid popups and then, depending on how it's set up, I may have to 'solve' 4 or 5 different reCaptcha's before it will let me log in.

    Pisses me off. It's not like I'm hiding behind a dodgy VPN. I have a static IP, with reverse DNS that matches the domain I own. I don't do anything particularly dodgy using on my connection, yet Google's rePester constantly targets me.

    If I was paranoid, I'd say they had it in for me!!!

    Who said that?!??!?!?!

  21. Anonymous Coward
    Anonymous Coward

    two out of three ain't bad

    reCaptcha is just more pointless techno-shit. If in doubt which is a traffic light remember there are usually three correct " humanising answers" so,if you must,include the pole.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021