30 votes

Introducing reCAPTCHA v3: the new way to stop bots

35 comments

  1. [14]
    Diff

    There are three potential ways you can use the score. First, you can set a threshold that determines when a user is let through or when further verification needs to be done, for example, using two-factor authentication and phone verification.

    Am I reading this wrong or could this potentially make having a Google account mandatory to access certain sites?

    19 votes
    1. [3]
      Comment deleted by author
      1. [2]
        Algernon_Asimov

        Actually, I read that phrase "or when further verification needs to be done" as meaning that the webmaster would ask the user whose comment came up with an "action" to then perform further verification. "Hi there, User X. Your history of commenting on my website looks suspicious. In order for you to keep commenting, I'm going to require that you start using 2FA when you log in here."

        Paging @Diff.

        8 votes
        1. Soptik

          I think that it simply means that website can now decide if the visible captcha will run based on the user. For example user that bought something in eshop would need to behave way more suspiciously to trigger the visible captcha than unregistered user that is there for the first time. In the past it was affected just by user's previous history (that's why you meet more captchas when in anonymous mode, google didn't track you enough yet).

          There is no need to worry about required google account or things like that.

          Why is google doing it? Because it allows them to track users even more (not every website has google analytics) and it makes them look good ("Oh, they gave me free captcha and analytics, they are so nice!"). And of course, they use captcha on their own, so when they improve it, why shouldn't they release it to the whole world.

          9 votes
    2. [11]
      poboxy

      Yup. Otherwise you'll have recaptcha on every page you want to access. They want to own our lives on the Internet and it seems they are going to get away with it. Google is turning more and more evil by the hour.

      You can try it now, use Firefox with a clean profile, never log in to any Google account on it and see how already unlivable the net will look.

      5 votes
      1. edward

        Can you give some examples of non-Google sites that require a Google account?

        Besides the odd site that can't be bothered to make their own secure log in system, so they turn to "Log in with..." widgets I haven't seen any. I'm not sure I've even seen any of what I just described.

        What I take from

        when further verification needs to be done, for example, using two-factor authentication and phone verification

        is the site uses the recaptcha score to determine if it should throw up its own 2FA, not some proprietary Google/recaptcha 2FA. IMO (HOTP/TOTP) 2FA should be done at log in no matter what.

        11 votes
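
The threshold use of the score discussed in this thread (let the visitor through, or fall back to the site's own further verification), as an added example that is not part of any comment or of Google's code. It assumes the siteverify JSON response has already been fetched and parsed; the thresholds, the `decide` function and the sample responses are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed per-action thresholds (site policy, not values from Google).
# v3 scores run from 0.0 (likely automated) to 1.0 (likely human).
THRESHOLDS = {"login": 0.7, "comment": 0.5}
DEFAULT_THRESHOLD = 0.9            # unknown actions get the strictest treatment
MAX_TOKEN_AGE = timedelta(minutes=2)
CLOCK_SKEW = timedelta(seconds=30)


def decide(resp, expected_action, expected_host, now):
    """Return 'allow', 'step_up' or 'reject' for a parsed siteverify response."""
    # A token that failed verification carries no usable score.
    if resp.get("success") is not True:
        return "reject"
    # The token must have been issued on this site for this action; otherwise
    # a token obtained on another page or host could be replayed here.
    if resp.get("hostname") != expected_host or resp.get("action") != expected_action:
        return "reject"
    # Reject stale or future-dated tokens.
    try:
        issued = datetime.fromisoformat(str(resp["challenge_ts"]).replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return "reject"
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    age = now - issued
    if age > MAX_TOKEN_AGE or age < -CLOCK_SKEW:
        return "reject"
    # The score must be a real number in range before it is compared.
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "reject"
    if not 0.0 <= score <= 1.0:
        return "reject"
    threshold = THRESHOLDS.get(expected_action, DEFAULT_THRESHOLD)
    # Below the threshold the visitor is not blocked: the site falls back to
    # its own further verification (for example its own TOTP prompt).
    return "allow" if score >= threshold else "step_up"


# Constructed sample responses using the documented siteverify field names.
NOW = datetime(2018, 10, 29, 12, 0, 0, tzinfo=timezone.utc)
GOOD = {"success": True, "score": 0.9, "action": "login",
        "challenge_ts": "2018-10-29T11:59:30Z", "hostname": "shop.example"}
LOW = dict(GOOD, score=0.3)
WRONG_ACTION = dict(GOOD, action="comment")
STALE = dict(GOOD, challenge_ts="2018-10-29T11:50:00Z")
FAILED = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("low", LOW), ("wrong action", WRONG_ACTION),
                       ("stale", STALE), ("failed", FAILED)]:
        print(name, "->", decide(resp, "login", "shop.example", NOW))
```
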
      2. [9]
        Algernon_Asimov

        You can try it now, use Firefox with a clean profile, never log in to any Google account on it and see how already unlivable the net will look.

        I use Chrome, and I never log in to my Google account unless I have a specific need to, such as updating my calendar or reading my email, and I log out immediately afterwards. I therefore spend almost all my internet time browsing without being signed into a Google account. I have never encountered any difficulties as a result of not being signed into a Google account.

        4 votes
        1. [5]
          obsoletenerd

          You still have Google cookies letting them know you're the same user who logged in then logged out. Even without the cookies, they also fingerprint you based on browser, plugins, etc etc.

          I use a VPN 24/7 on all devices, rotate randomly to different end-points, and use a whitelist-only setup for cookies and JS, and I get captchas EVERYWHERE. They always instantly make me do the "Pick the stop signs" ones (eg "Helping Google train their image recognition AI for self-driving cars") and it's a constant hassle.

          Every site uses Cloudflare now, which also uses Captcha. Thankfully, I don't actually browse the web very much, so it doesn't really bother me too often, and I've adapted what sites I visit to be ones who don't use Recaptcha or other bullshittery, but they absolutely expect users to allow them to fingerprint and track you and/or have a Google account to browse the web these days.

          9 votes
          1. [4]
            Algernon_Asimov

            You still have Google cookies letting them know you're the same user who logged in then logged out. Even without the cookies, they also fingerprint you based on browser, plugins, etc etc.

            I know that. That's not what I was talking about. @poboxy was saying that the net would be "unlivable" if we don't log in to Google accounts, and I was explaining that that hasn't been my experience.

            2 votes
            1. [4]
              Comment deleted by author
              1. [3]
                Algernon_Asimov

                it sure is getting very annoying to have to fill the captchas every single day.

                Captchas on what? I'm lucky if I encounter a captcha or "I'm not a robot" tick box once a month. How are you encountering them every single day?

                And I still don't understand @poboxy's assertion that the internet would be "unlivable" without signing in to a Google account, when I use the internet every day and almost never sign in to a Google account.

                1. [2]
                  666

                  Captchas on what? I'm lucky if I encounter a captcha or "I'm not a robot" tick box once a month. How are you encountering them every single day?

                  I think all the answers you got missed the point of your question. Lots of websites use CloudFlare for their DDoS protection, when you browse behind a VPN or Tor (as is the case of @ducks) CloudFlare can't easily tell whether you are a nice user or yet another attacker under the same IP (since it's a shared IP) so they prevent you from visiting the website and ask you to solve a CAPTCHA. That CAPTCHA happens to be a Google reCAPTCHA. Since most of the people who browse behind a VPN or Tor have third party cookies blocked (and some may have configured their browsers to autodelete cookies) this means they get several CAPTCHAs per day, and at least one per website that is protected by CloudFlare. CloudFlare has recently started playing nicer with Tor users and has been displaying fewer CAPTCHAs per day. You can read more here and here.

                  5 votes
                  1. Algernon_Asimov

                    Thank you. That does answer my question. It's not that the internet itself becomes "unlivable" without a Google account, it's that certain browsing habits encounter difficulties. Thank you.

                    1 vote
        2. [2]
          Kiloku

          In a recent update, they made it so when you log into any Google site, it logs your account into Chrome. Make sure it isn't happening to you

          2 votes
        3. bhrgunatha

          I'm on firefox and I abandoned my google accounts when they forced youtube to be linked to G+. Not 100% but pretty close. I only use thunderbird for my google mail accounts.

          I'm not naive enough to think they can't connect the dots or track me, but I can't remember the last time I logged in to any google account in my browser.

  2. [2]
    Algernon_Asimov

    All I see here is that Google is providing a plug-in which will suck up all the data from your website's comments - oh, and by the way, tell you if any of those comments look suss. But... data! All that lovely lovely data that Google gets to scrape.

    Because you can't analyse comments for suspicious behaviour if you don't get to read all the comments first.

    They must be rubbing their hands with glee at having come up with yet another way to obtain internet users' data.

    17 votes
    1. pseudolobster

      What stood out to me is the part where they said something to the effect of: "Since this works in the background, you should add the recaptcha script to as many of your pages as possible".

      Knowing that this script is very probably collecting actions, keystrokes, who knows what else, and it gets embedded on a huge number of sites because of its usefulness, coupled with Google's recent "We totally don't track your phone when your location settings are turned off, except when we do" policy coming to light, this doesn't sound good to me.

      11 votes
  3. [3]
    Happy_Shredder

    I'm interested/concerned in how this will affect tor users. Right now many sites (often those behind CloudFlare) prompt users accessing the website over tor to pass a recaptcha v2. This is annoying, but arguably justified. Suppose CloudFlare moves to v3. Suppose that v3 then scores the user low. Would this tor user then have no option to access the website? This makes me uncomfortable.

    10 votes
    1. [2]
      s4b3r6

      Suppose that v3 then scores the user low. Would this tor user then have no option to access the website? This makes me uncomfortable.

      Is this going to make using Tor or other means of anonymisation even more painful than it needs to be?

      4 votes
      1. Shirley

        Yes, absolutely.

        Depending on the site, even through a commercial VPN, it often takes me multiple minutes to pass a reCAPTCHA gate. And this is whilst logged into my 5 year+ old Google account in my primary browser and all that jazz.

        There are sites I know not to even bother trying to log in to via Tor because it's simply impossible to do so.

        The problem got so much worse with v2 compared to v1. And bots are already bypassing v2. I dread to think how v3 will behave.

        2 votes
  4. [3]
    ali

    Curious if this is just for the UX, which will definitely benefit greatly or if the data can be used for something else. Recaptcha 1 being used for text recognition and 2 for image tagging

    8 votes
    1. alessa

      At a minimum they'll probably grab every bit of data they can regarding how every unique user interacts with the various actions tagged and use it for their own ends, but that might extend to literally everything a user does while browsing the site, a complete picture of what you're doing and typing at all times (with the exception perhaps of passwords or other super sensitive info). I'm not sure. But on principle I know that if something Google gives you can track data they're going to use it and this seems to be a much more pervasive way to track your behavior across multiple unrelated sites. There are already commonly employed methods of tracking every action you make with your mouse, keyboard, or touchscreen. Facebook does that afaik.

      It would seem that if they're letting you define Actions that you want to watch, this reCAPTCHA would want to track everything else done in relation to that action as well, to check for suspicious typing speeds and mouse movement, for automatically generated text ... so it seems really feasible for me that if you're browsing a website with reCAPTCHA v3, you're submitting the totality of your browsing behavior and data (excepting sensitive data like passwords, probably) to google so they can at minimum use it to improve their machine learning algorithms. But once they have it, who knows. Maybe they'll use it to train their new virtual assistant or create an AI overlord to produce the singularity.

      14 votes
    2. talklittle

      If it successfully improves the UX to the point where challenges aren't necessary, then it could be used to validate more passive things like ads. Wonder if the long term plan is to make it a requirement for AdSense?

      5 votes
  5. Octofox

    The best way to stop bots that's almost perfect is an invite only system. If loads of bots come in just look at who invited them.

    3 votes
  6. [3]
    alexandre9099

    I don't see this as a good thing. More data for a single company?!
    Every website with a recaptcha is literally a tracker for google, like those fb like buttons are.

    I know that generating own captchas is kinda "complicated" cpu wise, and "wasting" cpu cycles to generate images is not something most web admins want, though relying on external services is never a good option for clients privacy wise

    EDIT: also, since this recaptcha v3 only gives a "score" wouldn't the website have to do any kind of thing to prevent spam(captchas, blocking the user, etc)? If so it would be a little bit useless, no?

    3 votes
    1. Archimedes

      also, since this recaptcha v3 only gives a "score" wouldn't the website have to do any kind of thing to prevent spam(captchas, blocking the user, etc)? If so it would be a little bit useless, no?

      I think if the score is over a threshold, then you need to do extra steps, but it doesn't interrupt human users as much.

    2. nsz

      I have a suspicion recaptchas is those buttons as an opportunity to gather data that is sold for use in image recognition algorithms, particularly any of the self-driving car systems that require some sort of computer vision.

  7. [6]
    dainumer

    Does this mean no more clicking on the squares with cars/ buses/ stop signs? I kind of liked having a small contribution to the ML models that let Waymo build self-driving cars.

    2 votes
    1. [5]
      edca5
      (edited )

      No, now for passing the captcha you'll have to film yourself live doing 30 jumping jacks.
      Jokes aside, it is starting to get ridiculous: you can spend minutes trying to pass the captcha v2 if it decides it doesn't like you. It's a lot of fun clicking blurry pictures for more than 10 seconds. To be honest even 10 seconds are too much sometimes.

      2 votes
      1. [4]
        Deimos

        For me, a lot of the annoyance comes from the task it gives you being so ambiguous.

        "Click the photos with cars"... well, this one has a van in it, should I be clicking it? What about this one with half a car?

        "Choose the squares with traffic lights"... only the lit-up traffic light? All the squares that make up the whole thing? The back side of traffic lights?

        7 votes
        1. [2]
          talklittle

          Funnily enough I think that's why it makes sense to train those scenarios on human input, because humans can make judgment calls in those ambiguous situations. By tallying up enough data points, Google can assign a probability that a given pixel is a given object.

          1 vote
          1. Catt

            ...because humans can make judgment calls in those ambiguous situations.

            Interesting enough, I always fail these! I think I must always over think these, because I can never pass them.

            3 votes
        2. Shirley

          I just do whichever requires the least effort. It usually works out pretty well.

  8. [2]
    Archimedes

    Ironically, many of the comments on the blog post appear to be bot-generated.

    2 votes
    1. Wes

      That's just how Google+ comments work. It's people re-sharing it to their circles while also posting publicly. So every comment is basically just rehashing the title in different words.

  9. 666

    This is extremely worrisome. If anyone remembers when browser fingerprinting was a huge privacy issue they should be even more worried now that one of the biggest players in machine learning has the possibility to record every interaction with a website (including but not limited to mouse and keyboard), and teach a machine to individually identify each visitor. This means that if you have ever interacted with Google while logged in on computer A and then you interact with them through a third party using reCAPTCHA on computer B behind a VPN they may still be able to personally identify you. Not even the Tor Browser in its current default settings can protect you against this, the only solution is to completely block reCAPTCHA and be unable to use many of the websites that depend on it.

    2 votes