Forget security – Google's reCAPTCHA v2 is exploiting users for profit

Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue it's harvesting information while extracting human labor worth billions. The term CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart …

  1. Anonymous Coward
    Anonymous Coward

    Just say no

    to any form of Captcha. As the article says, the puzzles can be filled in by bots these days so where is the security in that eh?

    As for Google?

    FSCK to the entire company

    1. Anonymous Coward
      Anonymous Coward

      Re: FSCK to the entire company

      How about we FUCK the entire company and stop censoring ourselves?

      If you want to avoid swear words then expand your vocabulary.

      1. AVR Bronze badge

        Re: FSCK to the entire company

        Well, a complete filesystem check on all of google would take them out of our hair for the foreseeable.

      2. Robin

        Re: FSCK to the entire company

        How about we FUCK the entire company and stop censoring ourselves?

        If you want to avoid swear words then expand your vocabulary.

        Yeah, fuck cen***ship!

    2. DS999 Silver badge

      If I see one

      I'll take the time to give it wrong answers for a minute, to pollute the image classification database Google uses it to build.

      1. Rafael #872397
        Terminator

        Re: Why the limited tasks?

        I get many, many captchas with images of crosswalks, bicycles, cars, buses... am I training an AI to recognize roads and learn how to drive? If so may $deity have mercy on us all.

        1. Mage Silver badge
          Pirate

          Re: Why the limited tasks?

          Classic XKCD https://xkcd.com/1897/

          Any free service from Google has been about making money from tracking.

        2. heyrick Silver badge

          Re: Why the limited tasks?

          I get those bloody ones where they want squares with traffic lights or "crosswalks" ... I had to Google to find out what the hell they were asking me the first time, but then for a global company they have form in doing stupid non-international things like "pick squares with taxis" (translation: all the yellow cars).

          Anyway, all too often I get a picture with a tiny bit of the thing requested in another square. Does that count? Often I get given another challenge, so I'm guessing it didn't count...so why not?

          I'm glad that the newer tests (like when updating the free No-IP account every 30 days) simply think for a moment then give me a tick instead of stupid pictures, or worse, text so mangled that even a meatsack couldn't make sense of it.

          1. Sitaram Chamarty

            Re: Why the limited tasks?

            > thinks for a moment

            if I am not mistaken, *that* is the privacy busting part, where all your existing cookies are being evaluated, JS is being run to grab as much of your past behaviour data as possible, and so on.

        3. DS999 Silver badge

          Re: Why the limited tasks?

          Just about all of them have to do with recognizing stuff that would matter to help Waymo.

    3. Hubert Cumberdale Silver badge

      Re: Just say no

      I dunno, I could go for capchas like this one.

      1. heyrick Silver badge

        Re: Just say no

        Bad request.

      2. Anonymous Coward
        Anonymous Coward

        Re: Just say no

        The above link "capchas like this one" edited to work better

        https://www.earthli.com/data/news/attachments/entry/4639/bishops_who_dissented_from_the_christological_findings_of_the_first_council_of_nicaea.jpg

    4. Hubert Cumberdale Silver badge

      Re: Just say no

      In any case, I use hCaptcha. Seems friendlier. Some really odd puzzles they throw up, though.

    5. Rich 2 Silver badge

      Re: Just say no

      Where there hell did FSCK come from anyway? If S were next to U on the keyboard or sobering like that, I’d get it. But it’s a bit rsndsm

      1. JulieM Silver badge
        Linux

        Re: Just say no

        It's a common system utility for checking the integrity of filesystems. Try `man fsck` sometime.

        1. Yet Another Anonymous coward Silver badge

          Re: Just say no

          >Try `man fsck` sometime.

          Oor-err missus

          1. Diogenes8080

            Re: Just say no

            He jesteth not.

            The joke being that if your root file system needs fsck, it probably is.

    6. vtcodger Silver badge

      Re: Just say no

      Ahem, You wouldn't happen to know where I can come by one of those Captcha solving bots? Being human, I'm not especially good at solving them, so a bot to handle the damn things would be a most welcome addition to my workflow. (Linux or ChromeOS only, thanks. I used to try to keep a Windows machine around for emergencies, but I only needed it about once every two years, and the misbegotten box invariably failed to do anything remotely useful when I did try to apply it to some problem.)

  2. Anonymous Coward
    Anonymous Coward

    Corrections

    I assume then that El Reg will be removing reCAPTCHA from the corrections link at the top of this page. Then I can finally load that page without having to unblock Google in my browser.

    reCAPTCHA started as a way for illegible text to be translated by the general public. Difficult words in hand-written books were injected into the list, so we could all have a crack at translating it. It was exploitative before Google bought it (obviously Google optimised the exploitation). It’s now mainly a way for Google to track people on websites that don’t include other Google trackers.

    1. neilg
      Joke

      Re: Corrections

      "I assume then that El Reg will be removing reCAPTCHA from the corrections link at the top of this page."

      Doubt it, El Reg earns more money from that than from our subscription fees..

      1. Yet Another Anonymous coward Silver badge

        Re: Corrections

        It's been replaced by a system where you have to win a game of Mornington Crescent to prove you are human.

        * Robots were banned from professional league play in 1842 under Babbage's 4rd law

  3. seven of five Silver badge

    solve captcha to continue

    Click on all crosswalks.

    click click click.

    click on more crosswalks.

    click click.

    click on more crosswalks.

    close tab.

    1. Chloe Cresswell Silver badge

      Re: solve captcha to continue

      My best one was "Select all the tractors to continue". I selected the one tractor, it wouldn't continue. I had to select a combine harvester and a telehandler. Because the captcha system didn't know what a tractor was.

      1. seven of five Silver badge

        Re: solve captcha to continue

        Don't get me started on that... "bikes". Well, what do we have here? A motorcycle, a scooter (bleargh), two bicycles... what am I supposed to select?

      2. find users who cut cat tail

        Re: solve captcha to continue

        Similar with store fronts and other nonsense. It has degenerated to ‘prove you are a human by classifying images identically to our US-data mistrained neural network – and rarely as a human being would, especially someone with a different cultural background’.

        1. Chloe Cresswell Silver badge

          Re: solve captcha to continue

          One day it's going to ask people in the US to ID fire hydrants.. and show UK style hydrants and no one will get it.

          1. Michael Strorm Silver badge

            Re: solve captcha to continue

            Unlikely, as they're pretty US-centric already. And they probably wouldn't want to risk confusing Americans by expecting them to understand other cultures in the way that they expect non-Americans to understand US culture, e.g. asking users in the UK to identify "crosswalks" rather than "pedestrian crossings", even though it would likely be trivial to adjust the wording based on geolocation.

            (Not to mention that underground access fire hydrants like the ones used in the UK (and the signs used to denote them) are unlikely to be clearly visible in the thumbnail-sized images Google use, even if you're familiar with what they're looking for).

            1. Chloe Cresswell Silver badge

              Re: solve captcha to continue

              "unlikely to be clearly visible" Given the highly zoomed in, pixelated images I keep getting, I think you're a bit late on that.

        2. Sparsely the Lion
          Joke

          Re: solve captcha to continue

          > our US-data mistrained neural network

          But it's okay - everything you're asked to identify has appeared in at least one episode of "Columbo" and/or "The A-Team" so the whole world should be au fait.

          1. stiine Silver badge

            Re: solve captcha to continue

            So I should know every answer?

    2. Rafael #872397
      Mushroom

      Re: solve captcha to continue

      Click on all crosswalks / click click click / click on more crosswalks / click click / click on more crosswalks.

      Now click on crosswalks while I slowly show new images of crosswalks. Did it? OK, now let me present new images even more slowly. Fading out and in a new one every two seconds.

      Now click on all squares that contain a crosswalk. Now restart from scratch since the computer is still not sure you're a human.

  4. Youngdog

    What Captchas do

    Mouse gestures, internet history - take a sniff under the hood at what happens when you click ‘ok’ and it’s frightening

    The question ‘Are you a robot?’ has always had a delicious irony about it

  5. SnailFerrous
    Terminator

    XKCD

    Appropriate XKCD

    https://xkcd.com/2228/

    1. Anonymous Coward
      1. druck Silver badge

        Re: Inappropriate XKCD?

        At least you know how / can be bothered to put proper links in posts.

  6. mark l 2 Silver badge

    I removed Google's Recaptcha from my sites and replaced it with Cloudflare turnstile instead. It seems to work as well if not better than Recaptcha for stopping spam bots and there aren't those awful click on the 'cross walk' puzzles. Which BTW Google we don't all live in America, since they are called zebra crossings here in blighty.

    1. Andy The Hat Silver badge

      Zebra ... unless it's a Puffin, Pelican, Toucan or Pegasus crossing.

      I wonder how many Brits would/could accurately select a Pegasus crossing?

      1. Anonymous Coward
        Anonymous Coward

        Isn't that a bridge?

        1. Oh Matron!

          No, it's a pedestrian crossing for horses :-)

          1. graeme leggett Silver badge

            Flyover type?

            1. John Brown (no body) Silver badge
              Coat

              Neigh lad!

      2. I ain't Spartacus Gold badge

        Pegasus crossing? We have crossings for flying horses now? Why can't the lazy buggers just fly over the road, and save everyone the effort?

        I'd also like to suggest the Unicorn Crossing and the Dragon Crossing.

        1. Jamie Jones Silver badge
          Coat

          "I'd also like to suggest the Unicorn Crossing and the Dragon Crossing."

          The Scottish and the Welsh crossings?

      3. Chloe Cresswell Silver badge

        You left out a Tiger crossing

        1. Wellyboot Silver badge

          Now you see it

          Now you don't

          Now you see it

          Now you don't

  7. ComputerSays_noAbsolutelyNo Silver badge
    Coat

    So, we're all serfs of our neo-feudal tech overlords

    -> I'll get my working coat to prepare to labor for free for the greater benefit of our tech overlords

  8. Anonymous Coward
    Anonymous Coward

    How to lose sales to the impatient, 101.

    1. Yet Another Anonymous coward Silver badge

      How to allow only people who don't value their time and will do anything you ask, no matter how stupid and inconvenient - into your store

  9. Tony W

    I am not a human

    Quite a few times I've failed the behavioural test. It would be nice to know why.

    1. michaelaubert

      Re: I am not a human

      Same.

      Google's captcha failed to recognise me as human twice within a week last month.

      Asking me what parts of an image contain an object, only reveals that I don't agree with the majority of people asked the same question for the same image.

      I'm not even trying to fail. Every time, there is a square that barely contains a few pixels that belong to the object. Sometimes, I select the square, sometimes I don't. My answer is always "wrong". But that's OK: if Google doesn't recognise me as human, I can totally destroy the entire company without any legal repercussion, right? right?

      1. SnailFerrous
        Terminator

        Re: I am not a human

        Maybe Google is right. Are they your memories you have, or just training data? As you improve, you should be able to pass captchas more easily, like I can.

      2. Anonymous Coward
        Anonymous Coward

        Re: I am not a human

        > Google's captcha failed to recognise me as human twice within a week last month.

        You're using the wrong browser. Try using Chrome and it will be smooth sailing every time...

        1. John Brown (no body) Silver badge

          Re: I am not a human

          Yeah, I noticed that too. When I'm using the work computer with the work approved browsers (edge or chrome), I seem to always pass the Captchas first time. At home, with FreeBSD and Firefox, it's probably a fail at least 50% of the attempts. Having NoScript and uBlock Origin might also be a factor in Google choosing to reject my correct answers too. Mostly I just give up where it's practicable to get what I want from somewhere else.

        2. Alumoi Silver badge

          Re: I am not a human

          Any browser will do as long as you don't block tracking. Same with cloudflare crap.

  10. tiago.pelicari

    Since 2014, I remember suspecting that the test was for machine learning.

  11. Mockup1974

    The worst is when the Google captcha makes you work with no intention of ever letting you pass - for example when you're behind a VPN.

    The pictures you click keep reappearing, you can get unlimited challenges in a row, basically you can waste 10 minutes and it still won't stop. The audio captcha is more forgiving (as in: it actually allows you to enter the solution and lets you pass) but sometimes it still tells you "nope, computer says no, your IP is not kosher" after you solve the audio captcha.

    Brave Search and Cock.li (when signing up for a new email address) have a PoW captcha (proof of work, like Bitcoin or Monero), which basically means the computer does the work and not you. You pay for access in electricity rather than labour. I much prefer this because at least it can happen in a background tab.
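
The proof-of-work idea this comment describes, sketched as an added example that is not part of the thread and not the code of either service it names: a hashcash-style scheme in which the server issues an HMAC-signed challenge, the client searches for a nonce, and the server checks the result with a single hash. The function names, the 16-bit difficulty and the 120-second lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, never sent to clients
DIFFICULTY_BITS = 16         # assumption: ~65,000 hashes on average per solve
TTL_SECONDS = 120            # assumption: how long an issued challenge stays valid
_spent_salts = set()         # replay cache; a real deployment would expire entries


def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _work(challenge: str, nonce) -> int:
    return _leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest())


def issue_challenge(now=None) -> str:
    """Server: hand out salt:issued:bits:tag; the HMAC tag avoids per-challenge state."""
    issued = int(time.time() if now is None else now)
    body = f"{os.urandom(8).hex()}:{issued}:{DIFFICULTY_BITS}"
    return f"{body}:{_tag(body)}"


def solve(challenge: str) -> int:
    """Client: brute-force a nonce; this is the electricity the visitor pays."""
    bits = int(challenge.split(":")[2])
    nonce = 0
    while _work(challenge, nonce) < bits:
        nonce += 1
    return nonce


def verify(challenge: str, nonce, now=None) -> bool:
    """Server: one HMAC and one hash, however long the client searched."""
    now = int(time.time() if now is None else now)
    try:
        salt, issued, bits, tag = challenge.split(":")
        issued, bits = int(issued), int(bits)
    except ValueError:
        return False                      # malformed challenge
    body = f"{salt}:{issued}:{bits}"
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False                      # forged, or difficulty was edited down
    if not 0 <= now - issued <= TTL_SECONDS:
        return False                      # expired: blocks stockpiling solutions
    if salt in _spent_salts:
        return False                      # replay of an already accepted solution
    if _work(challenge, nonce) < bits:
        return False                      # not enough work
    _spent_salts.add(salt)
    return True
```

The cost is asymmetric by design: each extra difficulty bit doubles the client's expected search while the server's check stays constant, which is why the difficulty has to be covered by the HMAC rather than trusted from the request.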

  12. Chris Fox

    Slavery

    One of my long-standing pet peeves has been that if you are obliged to carry out a reCAPTCHA test, then you are, de facto, being required to perform work to which you do not voluntarily consent. This is prima facie in breach of numerous international conventions, covenants and laws, including Article 8 of International Covenant on Civil and Political Rights; Article 4 of the Universal Declaration of Human Rights; the European Convention on Human Rights; the Human Rights Act 1998 UK. (It is also at odds with Target 8.7 of the Sustainable Development Goals.)

    The ban on such work is absolute and can never be justified.

    Somewhat ironically, I cannot pass Cloudflare's verification test to access the original white paper.

    1. Wellyboot Silver badge

      Re: Slavery

      US companies aren't bothered by all those international rules.

      Point them at the 13th amendment instead, Apple used that in court when objecting to being asked to break into iPhones confiscated by the authorities.

  13. Howard Sway Silver badge

    CAPTCHA

    Had to complete about 5 of them last week before I was able to pay my electricity bill online. If there are bots out there that are going round paying people's bills for them, I would be very surprised by that.

    1. Anonymous Coward
      Anonymous Coward

      Re: CAPTCHA

      It always seems weird the hoops companies make you go through to pay a bill. If the user has the bill number (hopefully essentially random) and the postal code, then display the amount owed (but nothing else!) and allow payment. If someone managed to link somebody's name to the bill number and postal code (so they already know that person is a customer), the most they could find out is the amount remaining on that bill - minimal possibility of personal data loss.

  14. Charlie Clark Silver badge

    Known this for years

    But I'm not blaming Google which, while it provides the service, doesn't require it.

  15. in_for_the_fun

    tracking cookies?

    What are those reCAPTCHA cookies the researchers wrote about? I just deleted all browser cookies and checked. The cookie jar contains the same number of cookies (ie. zero) before and after completing the puzzle. Are those cookies more exotic (perhaps implemented using localstorage), or does some browser plugin keep them away from my machine?

    1. doublelayer Silver badge

      Re: tracking cookies?

      I think some version of it, which might not be the same one they're using now, would use cookies set by other Google products as a way to bypass the check. If you identified yourself to Google and they could track you onto the page, then you're allowed through. Otherwise, do a test.

  16. Znuff

    Yet again, pitchforks in the comment section...

    None of you seem to have ever had a website that required registration or some online contact form.

    reCAPTCHA "may" be "solved" by generative AI and stuff like that (or so they claim...) , but I don't see that on the dozens of websites I manage that use it.

    It still prevents 99% of the automated bot traffic and it does it well.

    While CloudFlare's solution is *maybe* better, it's also not as widespread (yet).

    As always, you have to compromise. If "free" blocks 99% of the automated annoyances, then it's perfect for most people.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yet again, pitchforks in the comment section...

      It would be trivial for you to implement your own anti-bot test. 3+4=? Last time I added one to one of my websites it took less than an hour. Instead you invite Google in to track users on your websites. Lazy web admins like you are a big part of the problems with the internet.

      1. ThatOne Silver badge

        Re: Yet again, pitchforks in the comment section...

        The best test is asking about something your potential visitors would know.

        Because any bot can solve "3+4", the only, minor problem being to parse the question (which is pretty basic in its formulation).

        On the other hand, some website-specific questions (something your users would certainly know, but you can't find verbatim in Wikipedia) would block all bots, if only because it isn't worth the effort to code all bots to handle them. ("Emacs or Vim?"... *evil laughter*)

  17. Anonymous Coward
    Anonymous Coward

    It occurred to me years ago that Google could also be harvesting protected medical information. Analyses of a user's completion of the challenge could provide a lot of information about for instance neurological problems, which I indeed have and which would be very, very obvious if you collected info about me completing a visual test. It's a lot like parts of an IQ test, which I've had several of during my life. Even subtle differences between different people's responses could be analyzed to recover highly sensitive personal data, like how much stress a person is having recently. So many, many things affect human performance. As mentioned Google is big on ML, it would be foolish to think they aren't going to exhaustively process all the data they've collected with this apparent scam. And a scam at many levels at that.

  18. mmccul

    Post-login checks are the worst

    By far the worst offender for me are a few websites I need to go to for professional reasons where I am presented a login screen to login. I do so. After I successfully login, then it requires me to fill out one of those visual captchas.

    Yes. After a successful login.

  19. sharxbyte

    class action anyone? I want to be paid for my time

  20. rw.aldum

    Since we’re charging wages…

    We should add into the mix a few other companies due their wages…

    Time spent on resetting passwords / checking up on credit reports / identity theft for companies leaking personal information due to nonexistent security.

    Windows Update un-fucking.

  21. Anonymous Coward
    Anonymous Coward

    Ageing eyes

    I find those things so much more difficult to "solve" now I'm getting on a bit and my eyesight is no lo here as good as it was that I was semi seriously considering getting an AI to try and solve them for me.
