- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
Research Findings:
- reCAPTCHA v2 is not effective in preventing bots and fraud, despite its intended purpose
- reCAPTCHA v2 can be defeated by bots 70-100% of the time
- reCAPTCHA v3, the latest version, is also vulnerable to attacks and has been beaten 97% of the time
- reCAPTCHA interactions impose a significant cost on users, with an estimated 819 million hours of human time spent on reCAPTCHA over 13 years, which corresponds to at least $6.1 billion USD in wages
- Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set
- Google should bear the cost of detecting bots, rather than shifting it to users
“The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service,” the paper declares.
In a statement provided to The Register after this story was filed, a Google spokesperson said: “reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear. Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring. Even if a site were still on the previous generation of the product, reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling.”
No one makes a company use reCAPTCHA.
I bypassed 35000 google recaptcha v2 using bots. Don’t ever rely on this for security
Where can I learn this power?
I just spent 3$ worth of bitcoin on NoCaptchaAI. I used their web extension on a server which had a browser opened and controlled by a custom webextension I made so that a solved challenge would be returned to a swarm of clients upon request
Your extension is archived, I’d rather not use it.
It’s a custom extension solving my very specific problem on a specific internal website. It was never meant for you to use it, it’s just there to serve as inspiration to others
It is neither intended nor even stated to be intended for security.
Except, that’s most of its ad copy on Google’s own website?
reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on your website. Meanwhile, legitimate users will be able to login, make purchases, view pages, or create accounts and fake users will be blocked.
It’s literally billed as a security measure for a website.
I see your perspective, but I don’t consider that security in the context of software, which may also explain why they don’t use that word, though I readily admit that it is technically security of a sort. The term usually implies authentication, authorization, and isolation.
I mean, except they do. Just because their simple ad copy omits it, doesn’t mean that’s not what they’re implying. It’s literally listed as one of their security products and also uses the term to talk about demos
I’m sorry I wasn’t more agreeable. You’re absolutely correct. I take it back.
I honestly thought it was common knowledge that these things were essentially free labor for training AI.
The original reCAPTCHA from Carnegie Mellon University was helping to digitize books. It showed one known word and one unknown word, and if enough people answered the second word with the same answer, that’d be marked as the correct value.
It’s basically always been outsourcing labor while checking. I guess they don’t want to provide that service for free.
But now that it doesn’t work, all it does is attempt to source free labor by refusing to show what you want to see. Cloudflare’s verification doesn’t show the puzzle because it’s not trying to make money off you.
Also, the books one reminds me of 4chan’s attempt to hijack it. Wasn’t a fan of the way they did it, but the intent was interesting.
V3 of the Google one doesn’t always show a puzzle to you. In fact it’s designed to not be noticed by users at all. Whether that is successful or not is a different discussion.
It might well be if it’s being used, but the site itself still uses v2 a lot. I get the picture one a lot when searching things up.
That actually makes me feel all the more strongly that it’s just there to extract free labor— they have something else, but still use v2 for what seems like most purposes
the site
What site?
I assume it’s up to the website owner to implement V3 and not Google. V3 also has puzzles but only when it’s not sure. I rarely see capchas so I don’t really have anything to complain about.
I expect they mean the site google.com, because that’s been my experience. Whenever I get captcha’d there for using a VPN (which is getting more and more common), I always see the Maps image style captcha. Like 60% of the time it tells me I’m wrong anyway and I just give up.
Yeah my b, I get captcha’d for VPN use. It’s almost always the “train our self driving car” one, and it tells me I’m wrong all the time too. Very frustrating
Alright, I don’t use google.com
Why is that no news to me? How did so many people not know that? Should I have spread the word more, even if all people I told that where likr “yea, yea, of course, but, what can I do? 🤷🏻♀️”?
Is it only 7200 people solvning reCAPTCHA every hour for the past 13 years? Feels like it should be more?
I thought this was old news 20 years ago?
The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service,” the paper declares.
I thought this was known since it came out. It seemed even more obvious when the images leaned in heavily to traffic related pictures like stoplights.
Gonna have to disagree hard with this, based on extensive first-hand experience (web dev). I’ve added CAPTCHA to dozens (hundreds?) of web forms, and it all but eliminates spam.
It works against basic bots, but if you’ve got a dedicated adversary, it doesn’t do anything
(Granted, most people do not have dedicated adversaries, but when they come, you’re in trouble)
OK, sure, but that’s like saying it’s pointless to use a secure password online because the NSA could hack you if they wanted to.
My experience matches yours. I don’t enjoy putting recapcha v3 on my sites but it takes contact form spam from 70-80 messages per day to 0-2.
I’d switch to other services if they could be as effective. If anybody has real-world experience with another option working I’d love to hear it.
Honestly at first read, the paper feels like a bunch of whining text to prove a point the author believes in without any alternate proposal.
Right, so similar to locks? Usually can be easily bypassed if you know how, but it at least filters out the people who aren’t determined enough to put in the effort.
Basically, yeah. The vast majority of spambots are simple and lazy.
I thought the whole point of reCaptcha was to provide a reliable set of data to train bots. Entering a fuzzy scanned word, identifying bikes and traffic lights, etc.
The fact that they’ve now got that, and the bots are trained is hardly a surprise.
Without captchas the problem of spambots would still be a million times worse.
Yup. I like Cloudflare’s checkbox, it works well and probably catches more bots than reCaptcha while being simple for humans.
How does that checkbox work? Does it just look at your cookies?
No, it tracks things like mouse movements to see if it looks human or like a bot. Humans don’t move the mouse in a straight line, there’s some jitter and whatnot, whereas bots will look quite a bit different.
That’s super easy to fake for a bot…
It’s a ton more than mouse movement. Lots of browser fingerprinting for example and tracking.
Yup. It does do a lot more than the checkbox, but the checkbox itself mostly does mouse movement and click tests.
It is undoubtedly a new piece of research, but the cause is always the same: corporations exploit people because they are taken out of government and democratic control effectively everywhere.
Some corporations employ more people and have bigger budgets than some countries and they often influence people’s lives more than the government. Yet they’re effectively electoral monarchies where electors and monarchs are just a bunch of rich assholes who respond to nobody.
Only when we change that system then those headlines will stop.
There’s nothing that can express my disdain for Google’s reCaptcha.
😒 We’re training its AI models 😒 It’s free labor for Google 😒 Sometimes it wants the corner of an object, sometimes it doesn’t 😒 Wildly inconsistent 😒 Always blurry and hard to see 😒 Seemingly endless 😒 It’s the robot asking us humans if we’re the robots
Remember the good old days when it was just malformed text you have to solve? I miss those days. AI was complete garbage and they had to use farms of eyeballs to solve them for bots, making it a costly operation. We’ve now totally gotten away from all of that.
that was also to train ai.
No it wasn’t… It was human-assisted OCR to help digitize books. Initially for Project Gutenberg, but then for Google Books once Google acquired it in 2009.
OCR is a form of AI.
I thought it was detecting bots based on how you are moving your mouse, etc to solve it, but if they can be solved by AI do they want their AI trained by other AI?
I don’t really get where this article is going. They are all over the place.
Let’s start with a fuck google. They are a evil company. But:
-
Other captchas are also not very effective against bots. Arguably most traditional systems would be worst that recaptcha at fighting bots.
-
Recaptcha agent validation while a privacy violation is faster than solving any other captcha and if you are hittes with puzzle is not that much more time consuming that every other captcha.
-
That profit number is very questionable and they know it. Anyway, that’s no much different and probably less profitable that most google services.
Also is ridiculous how someone can say in the same article that the image puzzle can be solved by bots 100% of the time and that is a scheme to get human labor to solve the puzzle. I’m the only one seeing the logical failure here?
And what’s the purpose of all this? Just let bots roam free? Are they trying to sell other solution? What’s the point?
I hate google as much as the next guy. But I don’t really share this article spirit.
If I were to make a point. They point will be that people and companies should stop making registration only sites and dynamic sites when static websites are enough for their purposes. And only go for registration or other bot-vulnerable kind of sites of there is no way around it. But if you need to make a service that is vulnerable to bots, you need to protect it, and sadly there’s not great solutions out there. If your site is small and not targeted by anyone malicious specifically you can get with simpler solutions. But bigger or targeted sites really can’t get around needing google or cloudfare and assume that it will only mitigate the damage.
But if anyone knows a better and more ethical solution to prevent bot spam for a service that really need to have registrations, please tell me.
Also is ridiculous how someone can say in the same article that the image puzzle can be solved by bots 100% of the time and that is a scheme to get human labor to solve the puzzle. Am I the only one seeing the logical failure here?
Most solvers aren’t bots. Logical, right?
Also worth noting that Google has always been extremely open about the fact that they use recaptcha for that purpose. It’s never been a secret.
Their service to the website owners is the meaningful reduction in effectiveness of bots in places bots are harmful. The website’s service to you is the content that that’s being used to protect (and the stuff that has recaptcha on it is stuff like games where there’s a competitive advantage, things like search engines where there’s a meaningful cost to heavy bot use, and login pages where there’s a real security cost to mass bot use. I use a VPN, which increases the rate of captchas a lot, and I think it’s a pretty reasonable way to do thing, personally.
-
We already knew that, but it’s nice re to have data.