- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
Research Findings:
- reCAPTCHA v2 is not effective in preventing bots and fraud, despite its intended purpose
- reCAPTCHA v2 can be defeated by bots 70-100% of the time
- reCAPTCHA v3, the latest version, is also vulnerable to attacks and has been beaten 97% of the time
- reCAPTCHA interactions impose a significant cost on users, with an estimated 819 million hours of human time spent on reCAPTCHA over 13 years, which corresponds to at least $6.1 billion USD in wages
- Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set
- Google should bear the cost of detecting bots, rather than shifting it to users
“The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service,” the paper declares.
In a statement provided to The Register after this story was filed, a Google spokesperson said: “reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear. Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring. Even if a site were still on the previous generation of the product, reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling.”
You must log in or register to comment.
I always thought they are just getting the training data for AI using these.
I thought this was old news 20 years ago?
Is it only 7200 people solvning reCAPTCHA every hour for the past 13 years? Feels like it should be more?
The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service,” the paper declares.
I thought this was known since it came out. It seemed even more obvious when the images leaned in heavily to traffic related pictures like stoplights.
reCAPTCHA is exploiting users for profit
Well duh.
reCAPTCHA started out as a clever way to improve the quality of OCRing books for Distributed Proofreaders / Project Gutenberg. You know, giving to the community, improving access to public-domain texts. Then Google acquired them. Text CAPTCHAs got phased out. No more of that stuff, just computer vision rubbish to improve Google’s own AI models and services.
If they had continued to depend on tasks that directly help community, Google would at least have had to constantly make sure the community’s concerns are met. But if they only have to answer to themselves for the quality of the data and nobody else even gets to see it, well, of course it turned into yet another mildly neglected Google project.
Then Google acquired them. Text CAPTCHAs got phased out
Google kept the text version for five years after the acquisition though. They used it to digitize books on Google Books, to allow full-text search of their book archive.
Gonna have to disagree hard with this, based on extensive first-hand experience (web dev). I’ve added CAPTCHA to dozens (hundreds?) of web forms, and it all but eliminates spam.
It works against basic bots, but if you’ve got a dedicated adversary, it doesn’t do anything
(Granted, most people do not have dedicated adversaries, but when they come, you’re in trouble)
OK, sure, but that’s like saying it’s pointless to use a secure password online because the NSA could hack you if they wanted to.
Right, so similar to locks? Usually can be easily bypassed if you know how, but it at least filters out the people who aren’t determined enough to put in the effort.
Basically, yeah. The vast majority of spambots are simple and lazy.
Honestly at first read, the paper feels like a bunch of whining text to prove a point the author believes in without any alternate proposal.
My experience matches yours. I don’t enjoy putting recapcha v3 on my sites but it takes contact form spam from 70-80 messages per day to 0-2.
I’d switch to other services if they could be as effective. If anybody has real-world experience with another option working I’d love to hear it.
reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling
That’s funny, because when I’m faced with this, I keep adding/removing one of the image randomly and it keeps accepting them as ok.
I like this strategy.
I mean, duh? With proof of work captchas existing, there’s no reason to have those image selection captchas… Ever…
How those work is by having the server generate a puzzle. Server side this is cheap to generate, while client side solving is “hard”. The server can even choose the difficulty of the puzzle, and even set it dynamically. This means that when your website is under light load the captcha can be really easy/fast to solve. If your website is under attack however the captcha can be set to take seconds to solve.
No one makes a company use reCAPTCHA.
Why is that no news to me? How did so many people not know that? Should I have spread the word more, even if all people I told that where likr “yea, yea, of course, but, what can I do? 🤷🏻♀️”?
There’s nothing that can express my disdain for Google’s reCaptcha.
😒 We’re training its AI models 😒 It’s free labor for Google 😒 Sometimes it wants the corner of an object, sometimes it doesn’t 😒 Wildly inconsistent 😒 Always blurry and hard to see 😒 Seemingly endless 😒 It’s the robot asking us humans if we’re the robots
deleted by creator
deleted by creator
Sites you visit use Google, their recaptcha, their analytics, their ads.
I don’t really get where this article is going. They are all over the place.
Let’s start with a fuck google. They are a evil company. But:
-
Other captchas are also not very effective against bots. Arguably most traditional systems would be worst that recaptcha at fighting bots.
-
Recaptcha agent validation while a privacy violation is faster than solving any other captcha and if you are hittes with puzzle is not that much more time consuming that every other captcha.
-
That profit number is very questionable and they know it. Anyway, that’s no much different and probably less profitable that most google services.
Also is ridiculous how someone can say in the same article that the image puzzle can be solved by bots 100% of the time and that is a scheme to get human labor to solve the puzzle. I’m the only one seeing the logical failure here?
And what’s the purpose of all this? Just let bots roam free? Are they trying to sell other solution? What’s the point?
I hate google as much as the next guy. But I don’t really share this article spirit.
If I were to make a point. They point will be that people and companies should stop making registration only sites and dynamic sites when static websites are enough for their purposes. And only go for registration or other bot-vulnerable kind of sites of there is no way around it. But if you need to make a service that is vulnerable to bots, you need to protect it, and sadly there’s not great solutions out there. If your site is small and not targeted by anyone malicious specifically you can get with simpler solutions. But bigger or targeted sites really can’t get around needing google or cloudfare and assume that it will only mitigate the damage.
But if anyone knows a better and more ethical solution to prevent bot spam for a service that really need to have registrations, please tell me.
Also worth noting that Google has always been extremely open about the fact that they use recaptcha for that purpose. It’s never been a secret.
Their service to the website owners is the meaningful reduction in effectiveness of bots in places bots are harmful. The website’s service to you is the content that that’s being used to protect (and the stuff that has recaptcha on it is stuff like games where there’s a competitive advantage, things like search engines where there’s a meaningful cost to heavy bot use, and login pages where there’s a real security cost to mass bot use. I use a VPN, which increases the rate of captchas a lot, and I think it’s a pretty reasonable way to do thing, personally.
Also is ridiculous how someone can say in the same article that the image puzzle can be solved by bots 100% of the time and that is a scheme to get human labor to solve the puzzle. Am I the only one seeing the logical failure here?
Most solvers aren’t bots. Logical, right?
-
Remember the good old days when it was just malformed text you have to solve? I miss those days. AI was complete garbage and they had to use farms of eyeballs to solve them for bots, making it a costly operation. We’ve now totally gotten away from all of that.
that was also to train ai.
No it wasn’t… It was human-assisted OCR to help digitize books. Initially for Project Gutenberg, but then for Google Books once Google acquired it in 2009.
OCR is a form of AI.
I thought the whole point of reCaptcha was to provide a reliable set of data to train bots. Entering a fuzzy scanned word, identifying bikes and traffic lights, etc.
The fact that they’ve now got that, and the bots are trained is hardly a surprise.
Without captchas the problem of spambots would still be a million times worse.
Yup. I like Cloudflare’s checkbox, it works well and probably catches more bots than reCaptcha while being simple for humans.
How does that checkbox work? Does it just look at your cookies?
No, it tracks things like mouse movements to see if it looks human or like a bot. Humans don’t move the mouse in a straight line, there’s some jitter and whatnot, whereas bots will look quite a bit different.
That’s super easy to fake for a bot…
It’s a ton more than mouse movement. Lots of browser fingerprinting for example and tracking.
Yup. It does do a lot more than the checkbox, but the checkbox itself mostly does mouse movement and click tests.
