Google's reCAPTCHA favors – you guessed it – Google: Duh, only a bot would refuse to sign into the Chocolate Factory Google's reCAPTCHA v3 system, designed to separate people from bots during website interactions, is more likely to give you the benefit of the doubt as a human if you happen to be signed in to your Google Account – and is more likely to deem you dubious if you're trying to protect your privacy, recent research suggests. …
I do it one better, sometimes I click random boxes, several times, and then abandon the page.
In the old days, when I was single and broke, I would log into the original captcha site and do them for hours because they were fun and challenging. These days, I just fuck with them.
"I do it one better, sometimes I click random boxes, several times, and then abandon the page."
While it would be nice to think this screws up their system, I expect Google poses the same challenges multiple times over different requests until they can be statistically confident about the right answer.
The scary part is the realisation that they can't get computers to recognise traffic lights so they have to ask a human to train it.
What does that say about the hype coming from Google, Tesla and others how we'll all be driven around by computers in a few years? The obvious answer is its all kool aid. Any self driving car will be a simulacrum, only one bad recognition away from doing something completely nuts for the circumstance.
I wonder if future versions of reCAPTCHA will challenge users to ID pregnant women, wheelchair users, carjackers and crazy homeless people so they can tune the car's behaviour when a human steps out in front of a vehicle.
I'm going to buy some popcorn. Will be fascinating to see how the people in IT who like to call themselves engineers using crowd-sourcing and AI, fare against the people with engineering degrees who design cars and roads and traffic management systems with 80 years of experience and methodologies.
My money is on the latter because a significant amount of their training and their career success is about not killing anyone. And I think the former are going to relearn the hard way things that the latter already know. We will see....
Thank you for taking the time to do this. I think our best chance to thwart Google and Facebook is to pollute their data. Their automation and minimisation of staff combined with the size of their data set make this a fatal weakness they could not recover with their current business models.
However data pollution would need to occur on a significant scale to achieve this. Maybe we need browsers that don't just protect our privacy but automate the process of sending misleading tracking data to Google, Facebook and the ad brokers.
That would make a nice add-on for someone to write for Firefox (hint hint)
Just set it loose going to sites from your site history that use Google CRAPTCHAs and have it click random boxes for a minute and then abandon it. It would need to be clever with random delays and varying behavior so Google couldn't suss it out. Maybe even fake the browser identification to claim it is Chrome so Google can't simply ignore non-Chrome users.
> But if a site is using reCAPTCHA, then that site is unavailable to me.
I follow the same rule, however things are coming to a head recently, as now websites that I find critical have starting using it.
Case in point, two days ago I tried to transfer money out of my savings account to cover some unexpected expenses. However turns out earlier this month they "updated" their website, and now use recapcha to prove I am not a bot.
I had no choice but to try to use the damn thing, but I kept coming across the following message:
"Your computer or network may be sending automated queries. To protect our users, we can't process your request right now. For more details visit our help page"
So basically ReCaptcha thinks I am a bot. I am using PaleMoon, noscript (temporarily disabled for this login) and no Google account. I guess they had no record of me because of the lack of Google account, never touched their recaptcha before, and their JS has been blocked on my machines for as long as noscript has been around.
However, this meant that I was essentially blocked from accessing my own savings, not by the law, or the courts, or even the savings provider themselves, but by Google, a company that has nothing to do what-so-ever with this transaction.
Luckily it was Friday before closing time, and they had a telephone number, so I phoned them up and did the transfer. However what if it was out of hours? Or what (like more and more services, including Google itself), they are going online only with no telephone number? What then?
Google now has the power to control my access to third parties, had I not been able to transfer by phone I would be looking at a bunch of late payment fees and fines come Monday.
Apart from the fact I despise having to give my time and effort to train up Google AI Image detection, apparently Google now gets to play gatekeeper, and decide whether I can use third party websites or not.
And all this to stop bots. Honestly I am coming to the point where I think the cure is worse than the disease. So what if bots access a damn web page? Either they hit the page so hard they get blocked, or they behave and access like a human would, in which case who gives a toss whether a bot or human is at the end of the other line?
They may spew spam out, but you can just as easily hire some cheap labour to sit there and post spam comments anyway, so captchas don't help there.
For me, the ability to freely and lawfully transact without some random third party (be it Google, Facebook, or others) arbitrarily deciding whether I am "authorised" to do so is worth far more to me than the inconvenience of bots.
For all the crap the bots of pre AI-captcha days caused, they never stopped me interacting with who I wanted to on the net.
Complain to your savings provider and tell them you will find another savings provider if/when they don't cancel that Google ReCaptcha. And don't hesitate to make good on your word. And if you are living in the EU (or California) or hold EU-citizenship or that savings provider is based in the EU, you should also mention GDPR (or the Californian equivalent) and report to the appropriate authority.
I did contact them, first thing before asking for the manual transfer was to have a go at them about the recaptcha, but the thing is, the guy on the phone did not even understand the problem. He was just a normal support worker, not even techie. For him it always "just let him in", no problem.
Their argument was "security is most important for our clients", and "It is the industry standard", and "there must be something wrong with your system". Basically just trying to deflect and placate me without offering anything concrete.
Even if I do move my money to one of their competitors (which I may well do, because 24+ hours later, Google still isn't letting me in), there is no guarantee their competitors will not follow "industry standards" and use Google anyway.
I can moan at them all I want to, and even take my money out, but unless other people collectively do the same, I am basically pissing against the wind. And as most people are fully plugged into FB and/or Google, they won't even have this issue. It may well all work seamlessly for them, which in their eyes makes it something "wrong" with me or my systems.
And that is another issue, just like with DRM, and Spyware (FB, Android, etc...), and our rallies against constant global surveillance, and everything else techies get worked up on, normal people just don't get it.
They didn't get our objections to Microsoft in the 90s (until they got locked into an ecosystem that bled them dry of money, was insecure and unreliable). They didn't get DRM (until they started getting kicked out of their itunes/pandora/etc... collection ). And now, they don't get our objections to Google and FB (although they are waking up a bit to the "oh crap" moment, mostly due to Cambridge Analytica).
By the time the masses figure out what we have been screaming at them for the last 10 years, it is already too late to change things. Like now, when they are waking up to maybe FB/Google are not being quite so good, pure and innocent, their JS is already injected all over the web, controlling and logging as much as they can, while they pretty much got entire peoples lives in photos/videos/messages/locations/etc... all stored up.
I mean, Google wants to be in your car (it already is in some modern ones) with the goal to eventually be your car in complete.
AI is working on remotely identifying people based on their gait, or even the pattern of their heartbeat.
Facebook wants to be your one stop bank/transaction broker with Libra.
The way things are going, in future you may find yourself either plugged into FB/Google or unable to function in most of society.
normal people just don't get it
Well written rant thank you, and I've had the same for years. Fortunately we still have bank branches in the town nearby.
Some people are beginning to wonder whether they should be handing over all this personal information, but if it's not Google, it's Facebook and if it's not Facebook it's Microsoft, and if it's not Microsoft it's... well, there'll be another along in a minute.
I went to the "try it out" link in the article. I had to enable some Google script to get the thing to run, and then it seemed to oscillate between giving me scores of 0.3 and 0.7. Was it supposed to give me the "I'm not a robot" box to click, or the "identify the shopfronts" puzzle to complete?
M.
Come the day when data leakage occurs due to reCaptcha sharing your details in a non-GDPR compliant way, then let the recriminations begin.
Until then we've all got to sit tight and try to do the secure thing. --->>>
Icon meaning: Put on your coat and walk to your nearest retail outlet.
Difficult: Santander are shuttering many of their retail outlets lately. Why? Because they think we all want to go online...
Perhaps they should have called it GOTCHA.
The same happened to me last election cycle. I went to the city website to obtain a sample ballot and could not progress without passing google's reCAPTCHA. Actually, I didn't know what the problem was until I disabled my script blocker. So I sent them an email asking why essential services relied on Google. I must really be an outlier because the response was amazing. The election was only a couple days away, and they emailed me a couple hours later. It was an apology with my proper sample ballot attached as pdf. Kudos to them. I doubt that level of service could be achieved for the masses.
"Or what (like more and more services, including Google itself), they are going online only with no telephone number? What then"
I solution I have in mind for when this happens to me is using a machine dedicated to that one task and no other.
I'm already doing this with YouTube -- I have a tablet that is used for YouTube and nothing else, and I never use YouTube on any machine except that one. It wouldn't be that big of a deal to do the same for critical websites. I could see having a device that is used exclusively for interacting with my bank, for instance. It wouldn't even need much grunt, so it could be a very cheap device.
This implies that reCAPTCHA is any of these. Sure you read the article? Plus if you read what Codinghorror wrote about captchas you have to despair.
The tradeoff between allowing only human users in and denying human users access by making the method more difficult is substantial, for the users and the websites. Still, the simple bots get filtered out by a challenge like e.g. Shamus Young (twenty sided.com, I think) had implemented for his comments. It was as static text challenge. Not sure what he uses these days, though. Anything more complex increases the likelihood of turning away legimate users, and only slightly impairs the robots. It is, unfortunately, a losing game.
The bank, which holds my accounts, has a small gadget, which you plug into your computer using USB and which can read your bank card. You verify it is you by entering your PIN and pressing OK to confirm the number and total amount of the transactions. It fits all your requirements and preferable options.
A previous version (and this version when not plugged in) required entering a couple of codes into the gadget and the browser, making that slightly less user friendly, but still very workable.
Enjoy it as long as it lasts... I'm pretty sure using this gadget costs them money, whereas reCAPTCHA is free. Ergo, it's only a matter of time until this gets "optimized". I've seen two banks pulling them so far.
Never forget: "Our customers security is important to us, but not enough for us to lose money over it".
I have hell with it. Don't know if it's me or it, but on the rare occasions I bother with a web site that uses it, it always takes me 3 or more tries before it decides I'm a real meatbag. When I see one of those show up on a web site, I usually just forget it and move on, and I know I'm not the only one. (Hey, web site developers, any of you listening?)
> it always takes me 3 or more tries
Same here: One round of "click on stuff till there is no more", then another, then a third for the fun, and sometimes a couple more, just in case. I think it's the SOP.
After all humans have all day, and bots are known to be impatient and have short attention spans, don't they.
I struggle too with the hidden letters ones and often give up. I recently bought (or tried to buy) some items from an online engineering parts site. Must have spent half an hour sorting out all the parts I wanted and filling my basket. However, before I could finalise payment I had to solve a captcha - except there wasn't one there to solve. Refreshed a few times after clicking the "I'm not a robot" etc but the captcha stubbornly refused to appear. So I abandoned my order and bought the items from one of their competitors.
I contacted them by phone to tell them about the problem and try order over the phone instead, but they said they only accept orders via their website. Apparently they'd introduced the captcha because someone (or a bot) had supposedly conned them by placing a large order abroad but payment subsequently was cancelled leaving the vendor out of pocket. How precisely introducing a captcha was supposed to eliminate such cons I don't know. It didn't help that it wasn't even implemented properly; it certainly didn't work for me, so they lost my order.
Flawed logic there. Fraudsters are willing to go to great lengths to steal thousands of dollars. Genuine customers are not willing to go far our of their way to spend a little money legitimately.
Their finance department instead need to get and stay up to speed with the latest scams.
That's because once it's determined you're human, it throws a few others at you so you help their machine learning.
And the order is randomized too, so it may be the first one that is used for training if subsequent ones determine you are human..
You are doing unpaid work for them!
Three...? You have it lucky. Yes, sometimes it lets me in with three, but more often than not it's more like three dozens - tiles after tiles after tiles after tiles... just an unending stream of "do another one!". Not acknowledging I'm human. Not deciding that I'm not. Just an endless refusal to make any decision whatsoever (while gleefully forcing me to do useful work for them for the privilege), the absolute purest evil any gatekeeper can do - not even wrongfully keeping you out but outright refusing to acknowledge your existence, the epitome of how powerless you are compared to Its Gatekeeping Omnipotence. Strictly figuratively speaking, Google's CAPTCHA devs are definitely lucky for having an ocean between their throats and my hands...
Because in Safari in normal browsing mode and signed in to a Google account, that little test tool returned 0.7. From a little known privacy focussed browser with ad blocking and privacy protections on full blast and not a Google account having ever dated to sully it’s cache I get 0.9.
I use Pale Moon on Windows for most browsing, I tried after running CCleaner, got 0.9. Installed Brave for the first time on my PC, also got 0.9. Updated my Vivaldi, got 0.7 At least in the case of the last two, I've never visited any Google sites, logged in or otherwise, but they still gave me vaguely human sounding scores.
Tried the v.3 score test, which showed a bunch of code stating at the end:
Received response from our backend:
{
"success": false,
"hostname": "recaptcha-demo.appspot.com",
"challenge_ts": "2019-06-29T01:14:18Z",
"apk_package_name": null,
"score": 0.1,
"action": "examples/v3scores",
"error-codes": [
"score-threshold-not-met"
]
}
Means I'm most certainly a robot, doesn't it? Fortunately my parents are deceased, i wouldn't know how to break it to them... :'-(
Edited to add, just using Firefox, nothing fancy.
Instead, a Google spokesperson provided this statement: "We do not disclose our security methods because we want to prevent bad-actors from using that information to evade detection and attack sites across the internet."
Suppose one thinks Google is the Internet Bad-Actor ?
I got SO fed up with it I starting putting it on my channel. Record holder is humblebundle wasting nearly 10 Minutes of my life... The sole reason I don't by anything from humblebundle any more except for the occasional free stuff.
If you use a "google tracking friendly" browser and disable all privacy and anti-tracking settings google treats you better.
Are companies even aware Captcha is a denial of service for their customers? Perhaps you could forward the videos to HB.
If you use a "google tracking friendly" browser and disable all privacy and anti-tracking settings google treats you better.
Go on, say Chrome.
Ah, so I am not alone there.
I had long ago signed up for the Humble Bundle promos to one of my throwaway email accounts, and I wanted to see if I could set it to only inform me about products with a Linux version. I soon found that I couldn't get into the damned website... the ReCaptcha thing kept messing with me until it finally said (after many painful minutes of being told that I was wrong on each puzzle) that it could not verify me, and told me to try again later. Of course, the audio recaptcha is never available, as it just gives me the nonsense "your computer may be sending automated queries" (I guarantee you it isn't, Google). So much for accessibility.
I messed around until I finally got in to Humble Bundle, and I was so angry by then that I just unsubscribed and sent them a sharply-worded message explaining my issue. As in some of the examples in the comments above, the person who eventually read the message (if that ever happened) probably just thought that since they never have any trouble, and most of their customers never have any trouble, it must be on my end. They probably use Chrome without any privacy addons and just let it track their happy arse all over the web, which is what Google ReCaptcha wants the peons to do. Good little peon!
I guess there is an element of truth in the "it must be something with your system" explanation. If my system would just let Google track me and harvest my personal data, I'd be allowed to be human too. Humans get tracked by Google, don't you know that?
The Register asked Mozilla to comment on whether anyone has complained that reCAPTCHA has hindered Firefox users excessively for their technology choices, as some have claimed, but we've not heard back.
Waterfox users are certainty being hindered by reCAPTCHA, just check the latest release entries in their Waterfox blog.
I've also had my suspicions about reCAPTCHA punishing Firefox for Android users, not helped by me getting 0.3 just now.
If you're not using A) Chrome, or B) native Android browser, you basically can't even log into many sites. They specifically blocked the others on the Android platform. This has nothing to do with JS support, etc. They don't get to do their special snowflake methods or just don't want to bother using a less proprietary code. It's getting to where if you're not using Chrome and allowing their heavy JS mess(i.e. Pixiv!), many sites will not work even in a non-interactive fallback. It's Microsoft's old EEE method.
I thought it was explicitly made plain that Google were using your activity on Google properties to inform their CAPTCHAs back when they moved reCAPTCHA from its own domain to be hosted instead on google.com, where they can potentially access the cookies from any other google.com property.
As another reason not to use it, this means that using Google's CAPTCHA means that you lock out everyone in China from using your service, where google.com is blocked by the Great Firewall, and using VPNs can get you arrested (or worse, your humanity^Wsocial score reduced).
Could someone please tell my why Google should have access to my mouse movements and how that is possible or legal ?
Oh right, it's not illegal, so anything goes.
I hate companies who just decide that whatever is possible is fair game.
It's MY computer, dammit. What will it take for you to understand that, pitchforks and torches at sundown ?
Websites might benefit from these humans-only barriers but the main beneficiary is and always has been Google.
The first iterations of reCAPTCHA used humans to correct OCR errors in scanned books. Now they're using humans to fix / train systems to recognize real world objects like signs, store fronts, buses, bicycles etc.
I assume somewhere in Google-land, they are trying to make every single signpost & crossing and produce AI that recognizes other traffic to perfect the simulacrum that is their self-driving effort.
A spokesdrone for the evil empire wrote:
"The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google."
Right. So you won't be using the data collected during ReCaptcha harassment to deliver ads, but you will use ReCaptcha-based denial of service as punishment for the person not allowing collection of data used for personalized advertising by Google at all other times. Got it.
Site operators that use Google value their own convenience over the privacy and time of people.
It's also a scummy cheap dodgy way of getting crowd funded Machine Learning.
Google has been doing this for years already. Logging is in fact a recommended way to get less CAPTCHAs, if you don't care about privacy, since years ago.
I lost count of the many times all I needed to prove that I human was just to click in the capcha box and I get an automatic pass because I was logged in my Google account.
This seems to be a reverse Turing Test. Rather than having a human evaluate how human a machine is, the machine evaluates how machine-like a human is.
Well, Google rated me as 0.7; Chrome, logged into Google. I suppose that I can now brag to those who accuse me of being too much "like a computer", that a computer finds me 70% human. Progress!
I listened to a Planet Money podcast about repatcha 3, where they interviewed someone from google about it
(paraphrased)
"Given that recaptcha will use data on if the user is behaving normally for a user of a given site, do you really need to know whether the user has a google account to verify that they are human"
"[Extremely long pause]"
I use Linux/Firefox/AdBlocklPlus/NoScript and am unable to pass a reCaptcha test no matter how many times I click on the correct boxes or twiddle settings (short of removing protection completely). This results in me simply refusing to patronize sites that have a reCaptcha test.
On a separate note: Similar to user JonFen (above) in order to mitigate the risk of malicious apps (any app that snoops on data originating in another app), I also use the strategy of keeping apps segregated on multiple devices and no overlapping logins.
Financial and other sensitive activity is relegated to a privacy-oriented Linux desktop (NEVER a mobile OS).
A bare Android Pie phone with the minimum number of necessary contacts and no add'l apps installed for voice calls.
An iPad with a soft-phone app, also used as audiobook player with side-loaded media.
An HP-Touchpad (webOS) as a bluetooth music player (just because I love webOS and the ability to use a device that isn't trying to mine all my data.) [Once upon a time you could keep a calendar, to-do list, contacts, and notes WITHOUT GIVING ALL THAT DATA TO GOOGLE, et al. Imagine that!]
Google's reCAPTCHA v3 system, designed to separate people from bots during website interactions, is more likely to give you the benefit of the doubt as a human if you happen to be signed in to your Google Account – and is more likely to deem you dubious if you're trying to protect your privacy, recent research suggests.
Like the title, I fail to see how this will even work. More than a decade ago, I saw someone using an automated computer to test our internal web pages. The "robotic functions" simulated the mouse and keyboard. It used actual real web browsers (such as FireFox, Internet Explorer, and has been updated to use the latest version of Chrome and Edge) that would login and test for functionality. This means that someone really wants to defeat a bot, then have to permanently prevent users from getting into their system, and that defeats the true purpose.
We coded the bots to have human like randomized delays in them to show authenticity. So, I would say that stopping a bot is impossible. If you really want to try, then you have already lost by more than 12 years.
The bot was coded at the time to be completely capable of reading doctors handwriting, so the humans already have lost.
"Unfortunately, because Google is so tight-lipped about reCAPTCHA's privacy implications, we're left to guess which data sources it uses to determine your humanity (or 'risk score' in reCAPTCHA v3)" Yeah, reverse-engineering that should be a priority. I mean it's not OK that people are just taking their "trust me" attitude. The fact that web of trust concept is entirely being ignored tells you they want a centralized solution with one API to rule them all - they're basically 1990's Microsoft all over again!
"Google maintains that reCAPTCHA is only used to fight spam and abuse." Until it's not. Or until they define abuse in a way that includes "tracking evasion". Or start using it as their own personal Carnivore to out TOR/I2P users, leakers, etc.
It's time for an addon (or filters for uBlock Origin) that just puts ReCaptcha in the timeout corner until you actually need to login. If they start blocking people for that, going to be some huge lawsuits for the levels of coercion involved, even if 'insulating' themselves by getting a third party to help them do it. Realize: There's government websites that require it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
