Technology @beehaw.org ooli2 @lemm.ee 3d ago

CAPTCHAs are 'a tracking cookie farm for profit that made us spend 819 billion hours clicking to generate nearly $1 trillion for Google

www.pcgamer.com A 2023 study concluded CAPTCHAs are 'a tracking cookie farm for profit masquerading as a security service' that made us spend 819 million hours clicking on traffic lights to generate nearly $1 trillion for Google

Is that good?

A 2023 study concluded CAPTCHAs are 'a tracking cookie farm for profit masquerading as a security service' that made us spend 819 million hours clicking on traffic lights to generate nearly $1 trillion for Google

News @lemmy.world mox @lemmy.sdf.org 3d ago

www.pcgamer.com /gaming-industry/a-2023-study-concluded-captchas-are-a-tracking-cookie-farm-for-profit-masquerading-as-a-security-service-that-made-us-spend-819-billion-hours-clicking-on-traffic-lights-to-generate-nearly-usd1-trillion-for-google/

43 comments

I'm a simple guy. If a website I visit uses any kind of captcha other than Cloudflare's Turnstile, then I close that website and don't use it ever again. I'm not interested in wasting five minutes picking which squares have busses in them because ReCaptcha has decided I have to do the captcha 200 times.
- What is infuriating, is that some government official website in my country used google captcha
  
  This happened to me recently. Worse, there's an error message saying I didn't solve the CAPTCHA...but I wasn't prompted for the CAPTCHA!
  
  I opened a bug report and the gov said "works for me"
  
  So, yeah, people breaking laws because they can'tsubmit legally required data to the gov due to reliance on faulty Google services is real.
- Is that cloudflare one the one that just verifies you're human automatically? Like it pops up with a check box you sometimes don't even have to manually click? How does that one even work? 🤔
  
  The code basically tracks mouse movements, or the lack thereof. If a bot is using a cursor, it might move in a straight line at constant speed to the "I'm not a robot" checkbox. Most bots though just check the HTML and jump directly to the checkbox. There are other checks it might do as well, e.g. the user-agent of the browser, whether the user came from a search engine, etc.
  
  That being said it's that not difficult to break, e.g. Puppeteer has a plugin specifically for getting around Captchas and Cloudflare's offerings.
  
  All this is to say: automatic captchas are better at allowing legitimate users than they are at blocking bots entirely.
  
  Yes, that's the one. It works by just using Javascript to check that the browser is OK.
It is incredibly obvious that CAPTCHAs are at the very least a way of exploiting distributed labor to train AI.
- They had been used to help with text recognition for book scanning for more than a decade. It has never been secret, it was explained on them time ago.
  
  This is the logical progression, regardless of your feelings with "AI"
- That was their selling point.
A reminder that recaptcha is no longer free, but since a few months ago now the website owner needs to pay $0.001 each time a verification is performed

https://cloud.google.com/recaptcha/docs/compare-tiers

Free tier is only 10k verifications per month and must link a valid credit card so they can charge you immediately when you reach higher level.

Hopefully this kills the product in the long term as bots solve recaptcha faster than humans, so it's just for slowing down humans than actual security. I personally use a browser extension that solves them with a click in a second.
- Do you pay for successful verification only, or even for failed ones?
  
  Probably only sucessful ones.
  Google captchas have had multiple rounds (with it faking you out claiming you failed) for probably a decade. Every round of the game updates some confidence score which if you get it high enough lets you pass.
  This conversely means there is no way to fail, you just get stuck in an infinite loop of challenges if your score doesn't get high enough.
  
  The only other alternative means of pricing it would see even valid users consume way more than one "verification" per actual completed captcha, since so many users have low enough scores to need multiple rounds of captcha even when completing them with perfect accuracy.
  I doubt they do this, but if they do it's a scandal waiting to happen, besides also being very weird for any kind of statistic google certainly offers for their captcha.
- Lol so now site admins pay more than the bot farm companies pay to solve each one
- Does that also work for the puzzle captchas? Do you have a link if so?
  
  No it exclusively works with recaptcha https://github.com/dessant/buster
Since Cloudflare published Turnstile I've hated Captchas even more, because Turnstile does it so much better. Captchas are such a hassle. One website I occasionally visit does not keep me logged in and then presents one of the worst captcha puzzle systems. Shitty captchas are a huge barrier.

Turnstile is, in almost all cases, one checkbox to click (I've never been challenged beyond that). All captcha puzzles should be replaced with Turnstile or similar simple (for the user to solve) tech.
- How's that work anyway. Fingerprinting?
  
  The announcement blog post linked on the bottom of the linked Turnstile page has some info on that
  
  For Turnstile, the actual act of checking a box isn’t important, it’s the background data we’re analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser. The current deployment of Turnstile checks billions of visitors every day, and we are able to identify browser abnormalities that bots exhibit while attempting to pass those tests.
- Cloudflare turnstile is also the only captcha system that works ok with most browsers and adblockers.
  
  Especially Google recaptcha freaks out if you use Firefox or an adblocker or anything and asks you the hardest possible questions.
  
  That’s a feature, not a bug.
  
  Better than not asking you any questions and just going in an infinite loop!
- Turnstile is worse. Its just an infinite loop. Literally clicking for hours
Okay, this "$1 trillion" metric is a bit of a reach, and seems to be based on an arbitrary value assigned to an estimated amount of data Google has collected, and not actually $1,000,000,000,000 in revenue. It does not appear that Google has actually made a trillion dollars from CAPTCHA data.
This sounds like a conspiracy theory but I’d like to know more.
- The study that they reference: https://arxiv.org/abs/2311.10911 [PDF]
  
  They don't seem to actually identify the cookies as tracking (as opposed to just identifying that the account can bypass further challenges), just assuming that any third party cookie has a monetary tracking value.
  
  It also appears to be unreviewed and unpublished a few years later. Just being in paper format and up on arXiv doesn't mean that the contents are reliable science.
  
  we do so via a large-scale (over 3, 600 distinct users) 13-month real-world user study and post-study survey
  
  results indicate that the website context directly influences (with statistically significant differences) solving time between pass- word recovery and account creation.
  
  We explore the cost and security of reCAPTCHAv2 and conclude that it has an immense cost and no security. Overall, we believe that this study’s results prompt a natural conclusion: reCAPTCHAv2 and similar reCAPTCHA technology should be deprecated.
- It’s true. They make us work to identify data, we are checking for them not confirming, then they also track us.
Past tense?
It's a lot easier to determine the intent of this hed with the quote being closed somewhere. Just after "service" would have been my guess, but it's a disservice to remove that and leave people dangling.

My larger issue is that when I'm faced with traffic lights -- or, god forbid, motorcycles -- this is performative nonsense wherein I'm supposed to guess percentage coverage on a given square without having been provided parameters.

At this point, CAPTCHAs feel designed to make sure you can never get through the first time, thus needing to continue training image models several times before I can just fucking do what I originally came to the site for.
- I already hate them for access gating based on unnecessary labour, and deliberately making access more cumbersome for people not using chrome and using VPNs
  
  But what really peeves me off, even though it's much less important, is that they don't localise them.
  
  Where are the crosswalks? What the hell is a crosswalk. How many trolleys in this picture? None, that's a picture of a tram!
  
  "I see no trucks, only lorries." Being on a VPN has been getting worse and worse with CAPTCHAs, almost like I'm being punished for telling my ISP they have no right to sell the details of my internet use since I'm paying them.
- At this point, CAPTCHAs feel designed [...] training image models
  
  It was never a secret:
  
  The reCAPTCHA program originated with Guatemalan computer scientist Luis von Ahn, and was aided by a MacArthur Fellowship. An early CAPTCHA developer, he realized "he had unwittingly created a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles"
  
  https://en.m.wikipedia.org/wiki/ReCAPTCHA#Origin
  
  I was fine with it when it was wavy text to digitise old works. This shit is just asinine and a time sink.
Does this apply to hCaptcha?

43 comments