Research Findings:

  • reCAPTCHA v2 is not effective in preventing bots and fraud, despite its intended purpose
  • reCAPTCHA v2 can be defeated by bots 70-100% of the time
  • reCAPTCHA v3, the latest version, is also vulnerable to attacks and has been beaten 97% of the time
  • reCAPTCHA interactions impose a significant cost on users, with an estimated 819 million hours of human time spent on reCAPTCHA over 13 years, which corresponds to at least $6.1 billion USD in wages
  • Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set
  • Google should bear the cost of detecting bots, rather than shifting it to users

"The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service," the paper declares.

In a statement provided to The Register after this story was filed, a Google spokesperson said: "reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear. Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring. Even if a site were still on the previous generation of the product, reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling."

[-] someguy3@lemmy.world 271 points 4 months ago* (last edited 4 months ago)

I kinda figured. It was annoying to do one, but then they wanted you to do two or three and that's absurd. Whenever it comes up now, I usually just close out.

[-] Bezier@suppo.fi 82 points 4 months ago

they wanted you to do two or three and that's absurd

Yea how about 20

[-] LucidNightmare@lemm.ee 53 points 4 months ago

VPN? Google will just go in a loop with these things, so I just stopped using Google completely.

[-] Bezier@suppo.fi 12 points 4 months ago* (last edited 4 months ago)

No. But it's also not like I get 20 constantly, it was just the worst I've seen. Usually it's 2 to 5, I think.

I assume they're just collecting data on how many users are willing to do.

[-] LucidNightmare@lemm.ee 20 points 4 months ago

One time I did five in a row, because I use VPNs for everything, and realized after the 5th time that it would have been easier to just use bing so I do that first now. Google has turned into my last last resort, which is quite funny, because that’s where Bing used to be. Lmao

[-] ICastFist@programming.dev 10 points 4 months ago

Whenever I'm on a private window the captchas just keep on coming. Trying to reset your Steam password via the program will also trigger an infinite loop of captchas, you HAVE to use a browser.

[-] Dudewitbow@lemmy.zip 10 points 4 months ago

If you have to do that many, you either have some privacy setting on or are on a flagged IP given by a VPN.

[-] Landsharkgun@midwest.social 31 points 4 months ago

Well yah of course I do. Why the hell is that 'abnormal'?

[-] Fisch@discuss.tchncs.de 25 points 4 months ago

Some captchas have also just gotten obvious AI training. "Click on the living being in this image", "Select every image of the same object as in this example image". And the images you have to select look obviously AI generated.

[-] cm0002@lemmy.world 15 points 4 months ago

Heh, I got one just the other day "Select the images containing structures built by people" lmao

[-] SkaveRat@discuss.tchncs.de 15 points 4 months ago

"click on all people not helping with the robot uprising"

[-] unexposedhazard@discuss.tchncs.de 21 points 4 months ago

I'm surprised that this is in the news right now. This has been acknowledged as fact for a decade or so.

[-] dinckelman@lemmy.world 12 points 4 months ago

At a certain point I did like 10 of them, and then ended up closing the page, cause it never let me in, all because I was on a VPN.

[-] Churbleyimyam@lemm.ee 117 points 4 months ago

Getting served a captcha often results in me closing the tab. I'm not doing stupid puzzles for you.

[-] NOT_RICK@lemmy.world 50 points 4 months ago

Do them wrong and then close out

[-] hddsx@lemmy.ca 46 points 4 months ago

I do it right and it says I’m wrong =\

[-] Gormadt@lemmy.blahaj.zone 38 points 4 months ago

I have bad news for you friend...

You might be a robot

[-] hddsx@lemmy.ca 18 points 4 months ago

What do you mean? I am a fleshy human and do fleshy human things like being made of flesh.

[-] interdimensionalmeme@lemmy.ml 80 points 4 months ago

When they slow fade in the picture, I add one more software engineer to my kill list.

[-] Mubelotix@jlai.lu 59 points 4 months ago

I bypassed 35000 Google reCAPTCHA v2 using bots. Don't ever rely on this for security.

[-] 4grams@awful.systems 58 points 4 months ago

I honestly thought it was common knowledge that these things were essentially free labor for training AI.

[-] dan@upvote.au 25 points 4 months ago

The original reCAPTCHA from Carnegie Mellon University was helping to digitize books. It showed one known word and one unknown word, and if enough people answered the second word with the same answer, that'd be marked as the correct value.
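
The two-word scheme described in the comment above, sketched as an added example (not part of the thread and not the original reCAPTCHA code). The agreement threshold of 3, the class and function names, and the sample submissions are assumptions constructed for illustration; the point it shows is that only the known word gates access, so the unknown word is accepted only once enough gated answers agree.

```python
from collections import Counter, defaultdict

AGREEMENT_THRESHOLD = 3  # assumed: matching answers needed before a word is accepted


def normalize(text):
    """Compare answers case-insensitively and ignore surrounding whitespace."""
    return text.strip().lower()


class TwoWordCaptcha:
    def __init__(self, threshold=AGREEMENT_THRESHOLD):
        self.threshold = threshold
        self.votes = defaultdict(Counter)  # unknown word id -> answer tallies
        self.resolved = {}                 # unknown word id -> accepted transcription

    def submit(self, known_truth, known_answer, unknown_id, unknown_answer):
        """Return True if the challenge is passed (control word typed correctly)."""
        if normalize(known_answer) != normalize(known_truth):
            return False  # failed control word: reject and discard the other answer
        guess = normalize(unknown_answer)
        if guess and unknown_id not in self.resolved:
            self.votes[unknown_id][guess] += 1
            if self.votes[unknown_id][guess] >= self.threshold:
                self.resolved[unknown_id] = guess
        return True


def run_demo():
    captcha = TwoWordCaptcha()
    # Constructed submissions: (known truth, typed known, unknown id, typed unknown)
    submissions = [
        ("harbour", "harbour", "scan-17", "Quixotic"),
        ("harbour", "harbor", "scan-17", "garbage"),    # fails control word, vote dropped
        ("meadow", "meadow", "scan-17", "quixotic"),
        ("meadow", "meadow", "scan-17", "quixotlc"),    # honest misread, only one vote
        ("lantern", "Lantern ", "scan-17", "quixotic"),
    ]
    passed = [captcha.submit(*s) for s in submissions]
    return passed, captcha.resolved, dict(captcha.votes["scan-17"])


if __name__ == "__main__":
    print(run_demo())
```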

[-] hiramfromthechi@lemmy.world 38 points 4 months ago

There's nothing that can express my disdain for Google's reCaptcha.

😒 We're training its AI models
😒 It's free labor for Google
😒 Sometimes it wants the corner of an object, sometimes it doesn't
😒 Wildly inconsistent
😒 Always blurry and hard to see
😒 Seemingly endless
😒 It's the robot asking us humans if we're the robots

[-] serenissi@lemmy.world 35 points 4 months ago

The objective of reCAPTCHA (or any captcha) isn't to detect bots. It is more about stopping automated requests and rate limiting. The captcha is 'defeated' if the time complexity to solve it, whether human or bot, is less than what is expected. Now humans are very slow, hence they can't beat them anyway.

[-] nickwitha_k 14 points 4 months ago

There are much better ways of rate limiting that don't steal labor from people.

[-] polonius-rex@kbin.run 33 points 4 months ago

Google should bear the cost of detecting bots, rather than shifting it to users

how?

[-] radivojevic@discuss.online 30 points 4 months ago

Yeah. Written by someone who doesn’t really understand the internet.

[-] siph@lemmy.world 13 points 4 months ago

Considering the article states that reCAPTCHA v2 and v3 can be broken/bypassed by bots 70-100% of the time, they are obviously not the solution.

[-] umbraroze@lemmy.world 31 points 4 months ago

reCAPTCHA is exploiting users for profit

Well duh.

reCAPTCHA started out as a clever way to improve the quality of OCRing books for Distributed Proofreaders / Project Gutenberg. You know, giving to the community, improving access to public-domain texts. Then Google acquired them. Text CAPTCHAs got phased out. No more of that stuff, just computer vision rubbish to improve Google's own AI models and services.

If they had continued to depend on tasks that directly help the community, Google would at least have had to constantly make sure the community's concerns are met. But if they only have to answer to themselves for the quality of the data and nobody else even gets to see it, well, of course it turned into yet another mildly neglected Google project.

[-] KingThrillgore@lemmy.ml 26 points 4 months ago

I will gladly solve a reCAPTCHA for you today if you pay me for it today.

[-] KingThrillgore@lemmy.ml 21 points 4 months ago* (last edited 4 months ago)

Remember the good old days when it was just malformed text you have to solve? I miss those days. AI was complete garbage and they had to use farms of eyeballs to solve them for bots, making it a costly operation. We've now totally gotten away from all of that.

WE ARE THE EYEBALLS AND I AIN'T GETTING PAID IN WOW GOLD TO DO IT EITHER

[-] 0laura@lemmy.world 11 points 4 months ago

That was also to train AI.

[-] Petter1@lemm.ee 18 points 4 months ago

Why is that no news to me? How did so many people not know that? Should I have spread the word more, even if all the people I told that were like “yea, yea, of course, but, what can I do? 🤷🏻‍♀️”?

[-] daniskarma@lemmy.dbzer0.com 17 points 4 months ago* (last edited 4 months ago)

I don't really get where this article is going. They are all over the place.

Let's start with a fuck Google. They are an evil company. But:

  • Other captchas are also not very effective against bots. Arguably most traditional systems would be worse than reCAPTCHA at fighting bots.

  • Recaptcha agent validation, while a privacy violation, is faster than solving any other captcha, and if you are hit with the puzzle it is not that much more time consuming than every other captcha.

  • That profit number is very questionable and they know it. Anyway, that's not much different and probably less profitable than most Google services.

Also, it is ridiculous how someone can say in the same article that the image puzzle can be solved by bots 100% of the time and that it is a scheme to get human labor to solve the puzzle. Am I the only one seeing the logical failure here?

And what's the purpose of all this? Just let bots roam free? Are they trying to sell another solution? What's the point?

I hate Google as much as the next guy. But I don't really share this article's spirit.

If I were to make a point. The point will be that people and companies should stop making registration-only sites and dynamic sites when static websites are enough for their purposes. And only go for registration or other bot-vulnerable kinds of sites if there is no way around it. But if you need to make a service that is vulnerable to bots, you need to protect it, and sadly there aren't great solutions out there. If your site is small and not targeted by anyone malicious specifically you can get by with simpler solutions. But bigger or targeted sites really can't get around needing Google or Cloudflare and assume that it will only mitigate the damage.

But if anyone knows a better and more ethical solution to prevent bot spam for a service that really needs to have registrations, please tell me.

[-] aaaaace@lemmy.blahaj.zone 16 points 4 months ago
[-] brbposting@sh.itjust.works 24 points 4 months ago

Finally heard a clear audio CAPTCHA for the first time in my life this past month. It was glorious. There was slight garbling before and after the characters were read, but that’s it.

Besides that singular experience, all audio CAPTCHAs have been utterly 100% impossible to interpret. Blaring white noise followed by a small squeak of “threeve” or “eleventeen”.

[-] fmstrat@lemmy.nowsci.com 13 points 4 months ago

No one makes a company use reCAPTCHA.

[-] snooggums@midwest.social 11 points 4 months ago

“The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service,” the paper declares.

I thought this was known since it came out. It seemed even more obvious when the images leaned in heavily to traffic related pictures like stoplights.

[-] cygnus@lemmy.ca 10 points 4 months ago

Gonna have to disagree hard with this, based on extensive first-hand experience (web dev). I've added CAPTCHA to dozens (hundreds?) of web forms, and it all but eliminates spam.

[-] FlyingSquid@lemmy.world 10 points 4 months ago

I had to deal with one yesterday that wouldn't let me in no matter what I did.

So it isn't even good at figuring out who isn't a robot.

[-] PanArab@lemm.ee 10 points 4 months ago

They were using us to label the data.

this post was submitted on 24 Jul 2024
1080 points (98.4% liked)