60 comments

[ 3.0 ms ] story [ 125 ms ] thread
The judge's argument makes sense to me, and seems right.

But I'd argue that the CAPTCHA itself is a greater benefit to the end user than the cost (not just Gmail or Google Maps). If Google had to stop using OCR CAPTCHA tomorrow, they would have to use an alternative, and frankly most of the alternatives are worse. Further still without the ability to hinder bots services like Gmail couldn't exist.

Arguing that Gmail is a greater benefit than the CAPTCHA costs to complete is fine, but potentially leaves the gate open to sue later because someone finds a service which they claim doesn't benefit the end user (e.g. paying a bill). Arguing that the CAPTCHA method itself has more benefit than cost completely destroys any future lawsuits.

> Arguing that the CAPTCHA method itself has more benefit than cost completely destroys any future lawsuits.

The judge said that.

> > Moreover, users’ transcriptions increase the utility of other free Google services such as Google Maps or Google Books. Plaintiff has failed to allege how these numerous benefits outweigh the few seconds it takes to transcribe one word.

What a sad world. We have pretty reasonable judge with an reasonable verdict that seems obviously right but you can be sure there is automatically a bunch of lawyers looking for loopholes to crash it all and make money on it.

Sometimes I have the feeling like the whole judicial apparatus has gone from solving real life problems to creating absurd problems that allow you to sue somebody.

Like everything in life, there are two sides of the coin. When I was in law school, I worked with a small town in central Illinois that Big Chemical Co. had left polluted with heavy metals after a decades-long mining operation. Making headway in the lawsuit was extremely difficult because of all the legal barriers put in place to protect defendants. The legal system has become very unfriendly to plaintiffs over the last 20-30 years and it's affecting a lot of legitimate cases.
Why would the EPA not be taking that case? And extract a financial penalty for Superfund cleanup?
EPA and state departments of environmental protection have limited resources to take on these cases, prove them up, and follow-through over the years it takes to do cleanup. In our case, Illinois EPA actually entered into a consent decree with defendants regarding the site, and defendants argued that the consent decree preempted our common law clams. But IEPA pretty much ignored enforcement for 15+ years. So we were stuck in a situation where enforcement power had been shifted from the courts to the agency, but the agency wasn't interested in acting.[1]

What ultimately happened was that regime change happened at IEPA and they got serious about enforcing the consent decree. But that still doesn't compensate the townspeople. Good luck getting someone to buy your house in a former superfund site, even if the heavy metals on the school grounds have been cleaned up to a reasonable, cost-effective standard.

[1] This problem is recurring. Agency enforcement is a lot more efficient than lawsuits. But agencies only have the resources to go after the biggest fish for the most egregious violations. And they're far more susceptible to political pressure ("you can't sue XYZ, they have 10,000 jobs in our state!")

Thanks for taking the time to respond, I appreciate it.
I wish people would stop feeding the class action lawyers.

There are plenty of legit class actions and stuff like this diminishes them.

It really does serve to make lawyers look like extortionist thugs. Had the lawsuit gone forward, it would have been funny if Google had proposed compensating everyone -- lawyers and "victims" alike -- with free Gmail accounts.
Even better, it should have offered exactly what the plaintiffs claim was stolen from them. It would tell the plaintiffs what word is in an image of their choice.
What a bizarre lawsuit. Even if the CAPTCHA required 30 mins of work for a free gmail account and that work was used for significant gain for Google only, why would you be entitled to compensation?
Not that I agree with it, but the premise is this...

- reCaptcha presents 2 words for the end user to solve

- the purpose of the second word has nothing to do with security. The word itself is not known to Google.

- the "fraud" is that Google is deceiving you into helping them decipher the second word for their own financial gain

(paraphrasing from http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?articl...)

Edit: Please note that I am not in agreement with the premise above...just trying to summarize it.

Not mentioned is that it actually does have something to do with security, because once enough users have transcribed a word, in addition to it being returned to the digitization project, it can be used for future CAPTCHAs as a known word. According to Wikipedia, this was at least historically the case for reCAPTCHA.
What exactly constitutes fraud? The captcha interface (http://www.captcha.net/) has a clickable tagline "stop spam. read books." that takes you to an explanation of what it is and how it works.

Are we saying that fraud is not going out of your way to carefully explain exactly what you're doing as you're doing it?

Saying that Captchas are in any way misleading or fraudulent calls into question "free" software paid for by ads, any app that has a ToS contract, pretty much every financial agreement on the planet, most repair shops, and just about anywhere else that you agree to something without 100% ELI5 in your face explanation before you pull the trigger.

Fraud generally requires that the victim rely on the "fradulent" statement to decide to move forward (e.g. solving the captcha). So even if you assume that the terms "free" and "security" were intentionally meant to deceive, you'd have to prove that the user would not have otherwise signed up for Gmail if those labels had been different.
The argument probably hinges on Google's use of the word free. If it actually went forward then we'd probably see the end of the use of the term "free" and start seeing "Ad supported" or "task supported" as labels instead.
So what is the future?

Will all site who used google captcha be affected by the result of this case?

The "result of this case" is its being tossed out of court, leaving it with zero effects.
> As Google suggests, it strains credulity that Plaintiff or class members would forego access to a free Gmail account and higher quality Google Books or Google Maps because their brief transcription of a single word might, indirectly or directly, facilitate Google’s profit earning

Call me a data point to the contrary. I don't use gmail or Google Books at all, and Google Maps rarely. I contribute to OpenStreetMap. It sticks in the craw that whenever I use any Google Captcha-enabled site (even if the site's not owned by Google) I'm helping to increase the quality divide between Google Maps and OSM.

It really sticks in your craw that you are improving the quality of data, just because that data belongs to Google? Seems petty.
Same as wanting to put your money in a credit union that invests your deposits in the community instead of a bank that spends it on executive bonuses.
Credit Unions tend to merge with each other instead of just growing organically, I think at least in part because the administrative employees can use the increase in size to justify larger compensation.
Depends on where you are. I live in an isolated college town with many regional banks and one well-liked credit union. I can't speak for people who live in big cities.
I'm a member of a relatively rural credit union that is merging with one of the other regional credit unions.
Why should I help Google make money, for free? I'll gladly discuss their employment options if they need my help.
""Plaintiff has not alleged any facts that plausibly suggest the few seconds it takes to type a second word is something for which a reasonable consumer would expect to receive compensation," US District Jacqueline Scott Corley wrote Wednesday in dismissing the suit.

I guess you are in the same category as the plaintiff?

You are helping Google make money for free whenever you are using one of their services. I fail to see the moral issue with that. If you don't want to help Google make money, don't use them.
In their defence, reCaptcha are fairly ubiquitous. Very difficult to avoid.
> Why should I help Google make money, for free?

Not for free, that's the point. You get access to Gmail.

ReCaptcha is not only used for GMail. I've never used GMail, in fact, yet I'm still filling out ten recaptchas a day.
I partly make my living through OSM. The better Google Maps gets, the less compelling OSM is, and therefore my earning power is reduced. Google has the right to compete, of course, it's just not in my interests to help them.
If OSM is only compelling if Google Maps is equally inaccurate aren't we all a little less better off? And if Google maps is more accurate, aren't we all a little better off even if you prefer OSM?
He just said that his livelihood partly depends on OSM.

That means that the answer to your questions is a resounding no. While on average we're better off, not everybody is, he in particular is worse off.

Can I call you someone that's invented a zero-sum scenario and is getting annoyed at their own misconception?

You contribute and therefore probably benefit OSM, you're using a google captcha enabled site so you're benefiting from something on that site, that site benefited from the captcha service because they didn't have to write one themselves so could spend their time improving the site you're benefiting from.

You're a link through which google captcha is benefiting OSM :)

It doesn't usually though. It only contributes when you're asked to enter house numbers. The usual CAPTCHAs I see from them are the ones coming from their book scanning project, which I see as a public good.

Are there any CAPTCHA providers out there who OSM could team up with to do the same?

Surely the spare word allows the dictionary of potential CAPTCHA words to add a new word for every CAPTCHA solved (sure they probably run them past many users for validation purposes). This effectively allows the CAPTCHA service's dictionary to scale/evolve continuously, preventing an anti-CAPTCHA service from 'learning' the whole dictionary.

I thought this was the entire point of re-captcha, so regardless of the 'time necessary to complete' element, their case doesn't seem very well thought out.

The issue about this is that it is already being targeted in Antitrust suits, too.

Why? because Google, through their almost-monopoly in some areas (including captchas) has gotten an unfair advantage in computer vision.

I personally would prefer if Google would be forced to publish any training data and parameters for neural networks that were trained with data created by the public.

anti captcha (against recaptcha) works via captcha farms, the biggest being deathbycaptcha.com. $10 gets you about 10k solved captchas.

They work quite well. I tend to get about a 1 out of 5 correct of the squiggly words, whereas the service is more like 4/5

I am not aware of any successful dictionary attack on recaptcha. And the only OCR techniques to bypass recaptcha was by xrumer[0] but that was a few years ago

[0]xrumer: once popular forum spamming software waned in popularity / effectiveness in recent years

deathbycaptcha.com is ...

> A hybrid system composed of the most advanced OCR system on the market, along with a 24/7 team of CAPTCHA solvers. An average response time of 11 seconds,...

My understanding is that this is mostly humans in third-world countries staring at a screen and working for peanuts (or maybe less than the value of a peanut). I don't see how any system for recognizing humans can succeed against real humans.

This bit from the judge's ruling underscores how ridiculous the lawsuit is:

> In addition, at oral argument, Plaintiff did not represent that if given leave to amend she could allege that had she known the second reCAPTCHA word was used to assist Google with its other services she would not have completed the reCAPTCHA. To the contrary, counsel represented that he had not asked Plaintiff and he did not know what she would say. (Dkt. No. 60 at 20:23-25.) Such question, of course, should have been asked and answered before this lawsuit was filed and pursued in two states. Regardless, it defies common sense that the answer would be yes.

[1] http://boothsweet.com/wp-content/uploads/2016/02/Google-Orde...

This. Fraud generally requires that the victim rely on the "fradulent" statement to decide to move forward (e.g. solving the captcha). So even if you assume that the terms "free" and "security" were intentionally meant to deceive, you'd have to prove that the user would not have otherwise signed up for Gmail if those labels had been different.

The fact that they didn't cover this important point is ridiculous.

Just playing devil's advocate, but look at the UI. The box I saw says "CAPTCHA" and "type these two words". So the argument for fraud would be that 50% of words Google solicited under the guise of CAPTCHA were actually used for the sole economic benefit of Google's other services. Maybe on a count for fraud the plaintiff's can't prove that they would not have created a Google account having known the 2nd word was not for CAPTCHA; however, the Plaintiffs could certainly prevail on a unjust enrichment claim.

As the company who invented the anti-trust defense "competition is only a click away", Google should equally be capable of acknowledging there in absolutely no burden on Google to create 2 boxes for new users, one identified as CAPTCHA, and the other as a crowd-sourced word to be used for Google's other services.

(comment deleted)
Is it just me, or does it seem like Google is being the target of a large number of obscure law suits lately (especially in Europe)?
Distorted text isn't even used in reCAPTCHA all that much anymore -- Google used a Deep Convolutional Neural Network and got over 90% accuracy in reading street numbers in Street View, and 99.8% accuracy in solving distorted text reCAPTCHA (http://arxiv.org/abs/1312.6082).

Most users will just check a "I'm not a robot" box now; and if you do get a test, it will likely be a computer vision / image labeling problem: https://googleonlinesecurity.blogspot.com/2014/12/are-you-ro...

Really annoying too - I seem to always get the test and I hate the computer vision tests so much more than the old text based ones, they seem to always take way longer for me and I always miss an image or two the first time.
I wonder what will happen once there are no more problems left that 99.9% of humans can solve in a short time, but computers can't.
Generally, the point of a CAPTCHA is to prevent automated use of a service. If we get to the point where CAPTCHA's no longer work in preventing automated access to services, we need to look for atypical use of services.

For example, if a computer passes a CAPTCHA in order to use gmail to automate the sending of spam emails, look for users that mass-spam; typical users won't do that. On the other hand, the computer may try to approximate the usage of a typical user to avoid detection. But if you cant distinguish automated use of your service from typical use of your service, then at that point maybe it doesn't matter so much.

Another alternative to CAPTCHA is the obvious three-factor authentication. Send a random code to your mobile number, if its really you, you can verify yourself by entering that number on the web-page.

Another way is to send the same using email which is a bit more convenient than sending it to cell-phone.

In other words, we need to keep inventing more sophisticated ways of telling the difference between humans and computers (and the great progress in the field of AI is certainly going to push us to do that more frequently)

Looking for atypical use of services is something that we should be already doing, but there are limits to those. The said users you are talking about keep churning new email addresses and hide behind dynamic IP ranges of countries like Mongolia or Kyrgyzstan over which we have no control. We can't tell the difference between good/bad IPs for traffic coming from there, otherwise there is no need for Google to keep re-inventing the CAPTCHA every few years.

Sure, but the point of a CAPTCHA is to pre-emptively detect the user as a human or computer. Waiting until the account sends a boat-load of spam, and then saying 'must've been a computer, let's disable the account' does nothing - the culprit has accomplished their task, and moved on. We want to be able to prevent the spam from being sent in the first place, somehow, and determining if it's a real human opening the account is (was?) a very good check.
Ot but arstechnica is now using the shitty mobsweet ad network making reading the article impossible on mobile - and they complain when the users fight back!
Quite a frivolous case, nice to see the legal system working for once.

One interesting thing I've learned from the court rule though: apparently software delivered online and through downloads does not qualify as a good or service under the California's Consumer Legal Remedies Act, unlike boxed software delivered on physical media (pp.14-16)

At least captcha worked and helped digitalize books.

After google bought them and moved to useless training for their image classification, which helps nobody, i was simply banned from contributing to all sites that demand captcha. Because it simply refuses to work with my phone.

What concerns me is the attitude that users can be used and manipulated without their permission or knowledge; they have no choice or right to be informed, in this or in tracking or in many other situations. They are just objects of commerce to the developers, not human beings. This leads to bad practices like widespread confidentiality violations, free-to-play user manipulations [1], and the sorts of manipulation of customers practiced in places like Wall Street.

My feeling these days is that either you're on the inside or you're a sucker.

(On the level of fairness and justice - I don't know enough to comment on legality - I don't think this particular incident rises to the level of damages. However, Google could just display, In return for our free service, please help our computers read this word! Even Google's computers can't do everything - read more about it <here>. - Why not disclose it if you are doing nothing wrong? If you don't disclose it, you're manipulating people.)

[1] http://toucharcade.com/2015/09/16/we-own-you-confessions-of-...

I have to agree here. What's wrong with disclosure? It seems to me that the judge ruled on the implementation and missed the concept- and may have set an unwitting precedent.

Suppose Microsoft used a small bit of your unused processing power for some of their own work in order to increase their profits. It's likely few would ever know of this. Is that ok? Somehow I would feel...violated. Like somebody else just took rights to something I thought was under my control.

Note: I don't use gmail, and I view ads on google. The reCaptcha I've seen has been on third-party sites. So their doing this seems to be outside of the 'contract' I have with them. I'm not doing this to pay for a service of theirs that I use- at least not directly.

From the reCAPTCHA site itself:

> reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems.

That seems like disclosure to me?

Thanks for pointin that out. Having filled in many CAPTCHAs, I was unaware of that disclosure. Assuming I'm representative, I don't think it's meaningful to disclose something where very few will see it - for example, burying it in a EULA doesn't help either.
I have always found Google's way of getting data at the same time as some other activity pretty clever. Offering a free 4-1-1 (directory) service for phones so that you can collect millions of minutes of voice recognition code with various accents? Seemed pretty brilliant to me. Using a security technique to fix hard to fix otherwise OCR errors? also pretty clever.

When you think like that, all sorts of interesting things come out. For example, something I don't think anyone has done but could be pretty amazing, put a camera in a store which tracks gazes, set up a set of mannequins with different looks and compare male and female gaze time. Sure it used to be you could change the window display and count sales, this is so much more informative than that.

So are you using their interactions for your own benefit? Sure. Is this a new phenomena? No. I totally think the judge called it on this one.