The latest version of the bot detector reCaptcha is invisible to users and has spread to more than 650,000 websites. It’s great for security—but not so great for your privacy.According to tech statistics website Built With, more than 650,000 websites are already using reCaptcha v3; overall, there are at least 4.5 million websites use reCaptcha, including 25% of the top 10,000 sites. Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users’ risk levels to protect their site algorithms from malicious users and bots.But this new, risk-score based system comes with a serious trade-off: users’ privacy.According to two security researchers who’ve studied reCaptcha, one of the ways that Google determines whether you’re a malicious user or not is whether you already have a Google cookie installed on your browser. It’s the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. “If you have a Google account it’s more likely you are human,” he says. Google did not respond to questions about the role that Google cookies play in reCaptcha.To make this risk-score system work accurately, website administrators are supposed to embed reCaptcha v3 code on allof the pages of their website, not just on forms or log-in pages.Then, reCaptcha learns over time how their website’s users typically act, helping the machine learning algorithm underlying it to generate more accurate risk scores. Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there many be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner.This kind of cookie-based data collection happens elsewhere on the internet. Giant companies use it as a way to assess where their users go as they surf the web, which can then be tied into providing better targeted advertising. For instance, Google’s reCaptcha cookie follows the same logic of the Facebook “like” button when it’s embedded in other websites—it gives that site some social media functionality, but it also lets Facebook know that you’re there.Previously, Google has said that the data captured from reCaptcha is not used for ad targeting or analyzing user interests and preferences. After this story was published, Google said that the information collected through reCaptcha will not be used for personalized advertising by Google.So to sum it up..The way that reCAPTCHAs work is that they track your online activities in a way. Google compiles the data collected from users that are selecting images in order to prove that they are human and puts it in a library that can be used to monitor how the internet is being used on a regular basis, and there is a lot of controversy surrounding the anonymity of this data as well as the fact that Google is basically profiting off of people proving that they are not bots whilst not giving them an option to opt out of what is essentially a data collection scheme.Google has stated that it is in no way trying to exploit users, but several users have reported that using Google Chrome in the incognito mode results in a much more complicated reCAPTCHA process compared to when they use the regular version which shows that Google is using some kind of tracking to figure out whether or not you are a bot.This information has been extracted from these two sites below and re-purposed for discussion on Google & Captcha Privacy:https://ift.tt/2k29ZsT curious, what other Captcha alternatives are there?----------------This was posted on r/privacy and I wanted to point out a pretty good contender that solves this (Blockchain based)Google is using your free labor. reCAPTCHA questions have been used to train Google’s AI services since i believe.. 2009? I mean the cost to label a single image ranges from $0.03 to $1.00 or more. By any conservative estimate, Google has extracted billions of dollars of free labor... I emphasize .. For FREE. Not to mention now with word about it being an indirect pixel as you've sourced.Would totally recommend hCaptcha instead since labour is placed into an anonymous open market for bidding for AI/ML companies who want their stuff labelled. So they basically bid for labour to complete these tasks and site owners who put it up can earn for visitor solves that are genuine.Not sure if there are other implementations out there, but it's a very interesting conversation.
Submitted July 16, 2019 at 05:59PM
No comments:
Post a Comment