Tell HN: In NSW, if Google doesn't track you, you can't pay Public School fees
I have recently enabled the "resistFingerprinting" option in Firefox[1], in order to prevent tracking based on browser fingerprinting. However I have found out that once I've done that, Google's reCAPTCHA becomes almost impossible to solve.
Normally I wouldn't care too much about Google, the problem is that in Australia, reCAPTCHA is used by Westpac bank, for processing payments on behalf of the Department of Education of New South Wales. In other words, you can't pay your child's public school fees online, unless you agree to Google tracking you.
How to test:
create a form with reCAPTCHA or just use a pre-existing one like [2], then try and solve the reCAPTCHA while resistFingerprinting is set to false (default setting)[1]. Now change it to true, and try to solve the reCAPTCHA once again.
[1] https://support.mozilla.org/en-US/kb/firefox-protection-agai...
86 comments
[ 3.3 ms ] story [ 140 ms ] threadWhere are you running into this problem. I spend an embarrassing amount of time online and I'd probably estimate that I average around 1 minute a month "clicking pictures"
Sure, you might break them if you pay a team of computer vision scientists for a few months but that isn't profitable for spammers, so even though they are technically breakable, in practice they're still good enough to thwart spam & bruteforce.
I really like the idea of Tor and would like to use it as my daily driver. When I try, nearly every website I visit (thanks cloudflare) forces me to spend several minutes trying to solving recaptchas. Despite my best efforts at solving them correctly it usually takes several attempts.
I've written scripts that use the APIs of human-powered captcha solving services but even those can often take a couple minutes so I'm stuck sitting around waiting for a result.
I really wish recaptcha would die. I understand that they're intended to stop scrapers and bots (or at least it's marketed as such). I'd gladly pay a few satoshis to websites to bypass these things.
It's not black and white. Turn off blocking when logging in and turn it off when you have the access cookie. Yes, it might be a tracking event, but you are not forced into having your privacy blockers turned off all the time for Google.
I get the original post's argument of not willing to be tracked by Google, but what hurts you so much in training Google's AI?
FTFY
I would also be surprised if the work wouldn't be beneficial to other AI related work that can be used to build detailed profiles among other things.
> what's the issue with semi-passively contributing to a potential technological advancemet.
You're wastly overestimating your contribution to the technological advancement though this channel.
I went through a phase of trying to use tor just for the principle of it. So I was hit with a lot of recaptchas. And I really couldn't see how they were testing AI directly.
Usually, its the 'pick pictures of road signs' and 'pick pictures of cars' and so on. Almost all images seem to be taken from streetview cars, or possibly waymo cars.
So, the human doing the recatcha has to parse an image to extract the implicit depth information to pick out cars etc.
Whereas google know the exact location of the image so know where the roads are etc, and probably have lidar scan so they know the depth information etc too.
Picking a road sign out of a picture is kinda hard for a 2D image. Picking it out from a 4D scene created from all the different sensors their cars have, on the other hand, is a piece of cake.
google can use their 4D datasets to select a gazillion real still images that contain what they _know_ are road-signs or not road-signs or whatever.
And then they can feed these to their image classification stuff.
How does humans clicking on tiles help train their image classification AI?
Have any academic groups looked at offering a replacement?
Someone should write a fiction on it.
"Squiggly letters" captchas are still fine. There's a lot of FUD around AI & ML breaking them but I have yet to find an off-the-shelf tool that can break them; and so do the spammers. Sure, you might break them if you pay a team of computer vision scientists for a few months but that isn't profitable for spammers, so even though they are technically breakable, in practice they're still good enough to thwart spam & bruteforce.
Most Google products provide me services in exchange for tracking me, offering a reasonable compromise. With reCAPTCHA, they exploit me as an unpaid worker helping classify and train their ML algorithms, cost me time and wreck privacy leaving Google and the captcha hosting website as the only beneficiaries. Google in this case is more like a corrupt gatekeeper preventing you from entering the town. The town can employ more friendly options, but they don't care as long as the undesirables are kept at bay.
For those who have experience with using reCAPTCHA, is it so easy to setup and deploy that more and more sites are switching to them? Are there no decent non-exploitative alternatives which are tough on bots but solvable in reasonable time for humans without being a test of patience?
It really doesn't matter at all, especially now that even Edge is switching to chromium.
which I don't know what to do about that. I use an iphone and I see no benefit to getting FF on my phone, which I guess I would say is due to monopolistic behavior by Apple.
I could be the odd one out here - but whilst on desktop choice is fairly normal, web browser on a phone feels like a core OS tool. Realistically this is probably due to how shitty IE was, along with the enforced browser choice dialogs on Windows?
On android, Firefox Mobbile has uBlock Origin, whereas Browser, Chrome and any other one do not.
Anyone not using an ad blocker is out of their mind, especially on mobile; The simplest way to do that is Firefox Mobile + uBlock Origin.
(I use uMatrix on the desktop, but only surf casually on mobile, so I find uBO sufficient).
What would once be a certain no, I now question whether google is actively weaponizing reCAPTCHA in the new browser wars. After all, Chrome has such a large market share in the right places that I'd be surprised if the model didn't take into account user agent to determine non-automated users.
The worst pattern I'm seeing now is when login forms decide to add it after just one incorrect password attempt. I completely understand registration forms -- but login forms?
Limiting the number of errors before sending a link to reset your password (for example, I agree there might be different ways to deal with that) is no rocket science, and being dependent on third party for such a trivial thing is, in my opinion, a bad idea.
Rate limiting alone isn't a solution. But it can be part of a solution that doesn't require reCAPTCHA.
> If you lock people out after a certain number of failed login attempts, you allow an adversary to DOS your users by constantly trying to log in as them.
That isn't how the pattern works. On next successful login you basically inform the user that they need to confirm it's them with an email token. It works well. ReCAPTCHA doesn't.
I can only hope that firms will eventually figure out that reCAPTCHA is a bad user experience.
But I agree.
Unfortunately, it has side-effects like disabling site-specific zoom levels[1], since it can be used as a fingerprinting mechanism.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1369357
Sure, it's just 1 cent worth of work in the grand scheme of things - but the distance from zero to anything is much larger than the distance between 1 cent and 1 dollar.
That's something that courts dislike much more than any tracking.
I'm also curious about how this works internationally. Surely not everyone know what a 'crosswalk' looks like.
Recaptcha will often make you retry multiple times despite obviously correct answers. It really feels like Google is punishing users for trying to opt-out of their data collection.
However I fear a future in witch Windows scenario of the '90s replicate tomorrow with websites and that's far worse since actual IT grow rate and general situation...