What is the dark side of 'reCAPTCHA v3' that automatically identifies bots and humans?


Jonny Lindner

Many people have probably checked "I am not a robot" on a website's authentication screen, or selected and clicked images of traffic lights or pedestrian crossings. With 'reCAPTCHA v3', the latest version of the bot exclusion tool, human users can prove that they are human without doing anything at all. However, the IT-focused business media outlet Fast Company has warned that reCAPTCHA v3 has a troublesome side.

Google's new reCaptcha has a dark side

Unlike the traditional 'reCAPTCHA', the new version of the bot exclusion tool provided by Google, 'reCAPTCHA v3', uses a risk analysis engine to evaluate user behavior on the site as a score and so distinguish whether the visitor is a bot. There is no need for troublesome operations such as reading distorted letters and typing them into an input field.

The mechanism of reCAPTCHA v3 is explained in detail in the following article.

New bot exclusion tool 'reCAPTCHA v3' appears; implemented on all pages, it evolves so that users no longer have to do anything - GIGAZINE

The system is very convenient and hassle-free, but technology consultant Marcos Perona points out that 'user privacy is at the expense of convenience.' The reason is that reCAPTCHA v3 uses cookies to rate users.

Perona tested the behavior of reCAPTCHA v3 and found that 'reCAPTCHA always evaluates that the risk of bots is low when accessing a Google account with a logged-in browser'. On the other hand, it is also known that a visitor accessing from a browser using Tor or a VPN will be judged to be at high risk of being a bot, no questions asked.
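How a site might act on the score described above, as an added example that is not from the original article or from Google. It assumes the field names of reCAPTCHA's server-side verification response (`success`, `score`, `action`, `hostname`, `error-codes`) and a score range of 0.0 to 1.0 where higher means more likely human; the thresholds, the host name `shop.example` and the sample responses are constructed.

```python
import json

# Assumed per-action score floors (hypothetical site policy, tune from your own traffic).
MIN_SCORE = {"login": 0.5, "checkout": 0.7}

def decide(verdict_json, expected_action, expected_hostname):
    """Map one verification response to 'allow', 'step_up' or 'deny'."""
    try:
        v = json.loads(verdict_json)
    except ValueError:
        return "deny"
    if not isinstance(v, dict) or v.get("success") is not True:
        return "deny"  # invalid, expired or already-used token
    # The token must have been issued for this host and this action.
    if v.get("hostname") != expected_hostname or v.get("action") != expected_action:
        return "deny"
    floor = MIN_SCORE.get(expected_action)
    score = v.get("score")
    if floor is None or isinstance(score, bool) or not isinstance(score, (int, float)):
        return "deny"
    if not 0.0 <= score <= 1.0:
        return "deny"
    # A low score is a signal, not proof: people on Tor or a VPN land here,
    # so they get an extra verification step instead of a hard block.
    return "allow" if score >= floor else "step_up"

# Constructed sample responses (not captured traffic).
SIGNED_IN = json.dumps({"success": True, "score": 0.9, "action": "login", "hostname": "shop.example"})
TOR_USER = json.dumps({"success": True, "score": 0.1, "action": "login", "hostname": "shop.example"})
WRONG_ACTION = json.dumps({"success": True, "score": 0.9, "action": "homepage", "hostname": "shop.example"})
USED_TOKEN = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})

def demo():
    """Run every constructed sample through the 'login' policy."""
    samples = {"signed_in": SIGNED_IN, "tor": TOR_USER, "wrong_action": WRONG_ACTION, "used": USED_TOKEN}
    return {name: decide(body, "login", "shop.example") for name, body in samples.items()}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Treating a low score as a trigger for step-up verification rather than a block keeps privacy-tool users from being locked out on the score alone.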

What is more troubling is that 'reCAPTCHA v3 is basically introduced to all the web pages of the site, not limited to the login screen etc.' There is a rational reason for this: observing the user's behavior exhaustively across the site improves the accuracy of the risk assessment used to identify bots. Seen from another point of view, however, it also means that when you visit a site that has introduced reCAPTCHA, all of your behavior there is exposed to Google.


Furthermore, since reCAPTCHA embedded in a web page supports social media functions in the same way as Facebook's 'Like' button, the impact of reCAPTCHA may extend beyond a specific site to SNS. Google is also aware of this point and has announced that 'data acquired by reCAPTCHA will not be used to target advertising and analyze user interests.'

Perona says that convenience on the Internet, and not only with reCAPTCHA, 'is always like a double-edged sword', and states that giving up some privacy as a trade-off for a safe and stress-free Internet is unavoidable.

in Web Service, Security, Posted by log1l_ks