this post was submitted on 24 Jul 2024
1075 points (98.4% liked)

Technology

57895 readers
4958 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
1075
Forget security – Google's reCAPTCHA v2 is exploiting users for profit | Web puzzles don't protect against bots, but humans have spent 819 million unpaid hours solving them (www.theregister.com)
submitted 1 month ago by [email protected] to c/[email protected]
173 comments fedilink hide all child comments
 

Research Findings:

  • reCAPTCHA v2 is not effective in preventing bots and fraud, despite its intended purpose
  • reCAPTCHA v2 can be defeated by bots 70-100% of the time
  • reCAPTCHA v3, the latest version, is also vulnerable to attacks and has been beaten 97% of the time
  • reCAPTCHA interactions impose a significant cost on users, with an estimated 819 million hours of human time spent on reCAPTCHA over 13 years, which corresponds to at least $6.1 billion USD in wages
  • Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set
  • Google should bear the cost of detecting bots, rather than shifting it to users

"The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service," the paper declares.

In a statement provided to The Register after this story was filed, a Google spokesperson said: "reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear. Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring. Even if a site were still on the previous generation of the product, reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling."

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 1 month ago

I like them, it's a nice mini puzzle break built into my daily grind

[–] [email protected] 10 points 1 month ago (1 children)

I thought the whole point of reCaptcha was to provide a reliable set of data to train bots. Entering a fuzzy scanned word, identifying bikes and traffic lights, etc.

The fact that they've now got that, and the bots are trained is hardly a surprise.

Without captchas the problem of spambots would still be a million times worse.

[–] [email protected] 6 points 1 month ago (1 children)

Yup. I like Cloudflare's checkbox, it works well and probably catches more bots than reCaptcha while being simple for humans.

[–] [email protected] 1 points 1 month ago (1 children)

How does that checkbox work? Does it just look at your cookies?

[–] [email protected] 2 points 1 month ago (1 children)

No, it tracks things like mouse movements to see if it looks human or like a bot. Humans don't move the mouse in a straight line, there's some jitter and whatnot, whereas bots will look quite a bit different.

[–] [email protected] 2 points 1 month ago (1 children)

That's super easy to fake for a bot..

It's a ton more than mouse movement. Lots of browser fingerprinting for example and tracking.

[–] [email protected] 2 points 1 month ago

Yup. It does do a lot more than the checkbox, but the checkbox itself mostly does mouse movement and click tests.

[–] [email protected] 4 points 1 month ago

I thought it was detecting bots based on how you are moving your mouse, etc to solve it, but if they can be solved by AI do they want their AI trained by other AI?

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (2 children)

Alright, I don't use google.com

Edit: this was in reply to someone. I guess my app fucked up the reply.

[–] [email protected] 7 points 1 month ago (2 children)

Sites you visit use Google, their recaptcha, their analytics, their ads.

[–] [email protected] 1 points 1 month ago

How often do you get capchas?

It doesn't happen often at all for me.

[–] [email protected] 1 points 1 month ago

Yup, and Epic Games' is the absolutely worst. I can't pass it on my phone regardless of what I do, and I can pass it occasionally on my desktop. I only claim their games, so if it stops working on the two computers it apparently likes, I'll probably stop visiting their site.

It seems to have something to do with Firefox and/or my ad blocker.

[–] [email protected] 7 points 1 month ago

But you might still be using their captcha

[–] [email protected] 9 points 1 month ago

We already knew that, but it's nice re to have data.

[–] [email protected] 10 points 1 month ago (1 children)

They were using us to label the data.

[–] [email protected] 6 points 1 month ago

That's why you always make sure that labeling is "garbage in" and label whatever

load more comments
view more: next ›