Last year, Google introduced reCAPTCHA V3, the latest version of its verification technology that confirmed whether a website is being accessed by a bot or a human. However, the new version puts a person’s privacy at risk.
Surrendering privacy
reCAPTCHA v3 is very different from its previous versions. Earlier, people had to complete a simple challenge, like writing a distorted text into a box, in order to be verified as a real person. However, the updated version does not pose such challenges at all. Instead, it tracks the Internet activity of a person over a period of time and assigns a risk score based on their activity. Users with the least risk score will be able to access the website, while those who are “high risk” will either be blocked from the website or will have to go through additional verification.
While the idea of avoiding quizzes for verification seems appealing, you should realize that the tradeoff is essentially your privacy. “To me, it feels like Google’s entire strategy behind reCAPTCHA is to make it harder to protect your privacy… We’ve basically given up on the idea that there are tasks only humans can do, and to me v3 feels like Google openly saying, ‘You know how we can prove you’re not a robot? Because we literally know exactly who you are.’ I don’t even know if it should be called a CAPTCHA — it feels like it’s just identity verification. I don’t think this is an acceptable tradeoff,” a developer said in a post.
More than 5 million websites have already implemented reCAPTCHA V3 as a security measure. These include a good portion of the top 10,000 websites in the world. In the U.S., over 500,000 websites use this verification process. Google is also developing an enterprise version of reCAPTCHA V3 through which every associated business will be provided with a custom reCAPTCHA code that will give more detailed information about a user’s risk level. The increasing use of reCAPTCHA has been criticized by several industry experts.
“Having a lot of reCAPTCHA prompts feels like punishment for blocking tracking cookies. If you maintain a website that uses them, you’re penalizing people who are protecting their privacy,” Frederic Jacobs, a cryptographic and security engineering expert, said in a tweet (@FredericJacobs). His views got support from Edward Snowden who tweeted that unnecessary captcha use is equivalent to user abuse (@Snowden).
Cracking reCAPTCHA
Earlier this year, a team of researchers published a paper that presented a possible method for bypassing Google’s reCAPTCHA V3. They used Reinforcement Learning (RL) to train machines to mimic human browsing movements, thereby tricking the reCAPTCHA into thinking that they are not bots.
“The results presented in the paper are success rates across different 1000 runs. For the experiment to be successful, the agent would have to defeat the reCAPTCHA and obtain a score of 0.9. According to the results of the experiment, the discount factor achieved was 0.99, thereby, successfully defeating the reCAPTCHA,” according to Packt.
To simulate a human-like experience, the reCAPTCHA environment set up in the study did not involve the use of browser automation tools. Neither is it connected to a proxy or logged in with a Google account. The researchers now plan on using their Reinforcement Learning methodology on multiple pages to see whether the reCAPTCHA adaptive risk analysis engine will be able to detect that the website is being accessed by a bot by looking at the activities across the different pages.
