289 comments

[ 1902 ms ] story [ 1157 ms ] thread
I prefer the newer captchas personally.
turn on comments on your blog without recaptcha, i dare you.
There are other techniques that do a reasonable job at stemming the flood. The "hidden field" technique still reduces spam by quite a lot.
That technique hasn't worked for years. Try setting up a vanilla WordPress installation with the most popular forms plugins. The only anti-spam measure that works is reCaptcha v. 3.
From experience, Akismet works well, so reCaptcha is not the only anti-spam measure that works for WordPress.
I wrote about another technique at the end of my own captcha rant: https://inimino.org/~inimino/blog/kill_captcha

The proposed solution would replace captcha entirely, but to my knowledge nobody has tried it.

How about different revocable secret keys to your mailbox given only to those who you wish to contact you
If people have to request to be able to contact you, it is not a public inbox anymore. This is the way most walled gardens work, you have a separate step before you can interact, so it works, but it lacks some of the affordances of the public inbox model of email or blog posts, such as allowing anonymity.
better yet, get rid of the comments all together. having no comments saves you from having to moderate them and it's just not worth it. if you're writing anything tech related and worthwhile you can just proxy the discussion to HN ;)
Not really a great option. People only really see stuff on HN that's relatively fresh so anyone coming in after the initial wave of engagement dies down won't see any discussion.
Also you can't discuss on old content anyway. It's blocked.
Yeah, somewhere around 2 weeks after a post they completely seal the comments on HN.
For WordPress there are plugins like Akismet (a service), Antispam Bee (local), etc, that are pretty good at filtering spam without the need to display annoying captchas.
While sending comment bodies to these services :) what a privacy
that's just a tell that you value ease of moderation and selling your potential community members out to G more than inviting new members to your community. certainly telling of the person running the blog.

i've had success with bayesian filters and shadowbanning myself, but it does require some effort.

It's quite the rant, meanwhile I don't quite remember the last time I did something where I had to solve a captcha that wasn't the "click once" one.
if you aren't logged into a google account, you will always get escalated to puzzle challenges
Or if you are using tor, are blocking tracking, etc. I regularly have to solve 5 or 6 puzzle challenges in a row.

I would happily pay a monthly fee to get around these ridiculous captchas, even though it's absurd to have to do so.

Is that particularly surprising though? Coming from a TOR exit node where a bunch of spam also comes from and blocking tracking so it looks like you're appearing on the site from no where... Both of those are pretty suspicious and reasonable things to crater your humanness score.
Except solving reCAPTCHA shouldn't be necessary in order to read a website. I get (though still don't like) the justification for any modification actions, but GETs shouldn't ever trigger a reCAPTCHA check.

Of course, the Tor folks told the CloudFlare folks about this many years ago and CloudFlare still acts as a giant censorship machine and continues to block anonymous users from reading content on the internet. Not to worry though -- you can install their extension[+] to "protect your privacy" to bypass the reCAPTCHA that CloudFlare themselves erected in front of other people's websites! It's definitely not in any way comparable to an arsonist selling fire insurance as a side gig -- at least with fire insurance you actually got something out of the exchange!

[+] Which does have a paper that explains the security of the cryptosystem, but a single paper does not make a protocol secure by default. I'm not a cryptographer, but the Tor folks did raise some concerns in the issue where PrivacyPass was discussed, and there's no doubt that combining Tor with a system that is nowhere nearly as battle-tested should be a major point of concern.

It is also problematic when you wish to use external download managers (which I always do).
Let me present an alternative framing: A business doesn't have to allow you to access and use it's content in any way you would prefer to access and use it. Part of the bargain of the web is you get a lot of content for free at your fingertips because someone else is paying for the servers. Right now that's mostly ad money because it's simple to add and doesn't require companies to change their content much. Ad blocking, tracking blocking, and anonymizers are all circumventing the funding model that makes a lot of the web possible.

Do I wish there was an alternative to aggressive ads and tracking? Hell yes. Do I want to pay every website individually for what I view? Nope, and companies don't either because it would massively hurt their growth for people coming in new.

I don't know why you're talking about online advertising. People use Tor for a wide variety of reasons, many of which are completely unrelated to whatever business model the target website has. In addition, my comment was about CloudFlare (a MITM) putting reCAPTCHA on other people's websites -- I don't see how advertising is even slightly related to that topic.

I would argue a "better" framing designed to emotionally manipulate would be "why are you trying to block people in oppressive regimes from being able to read about the outside world and organise themselves, putting them in danger of being murdered by their government"? But it would be dishonest to make the discussion about "why do you want to kill people", just as it is dishonest to make the discussion about website business models.

CloudFlare isn't just going around randomly putting their caching/filtering in front of websites they're choosing to have it there though. The sites are choosing it.

Advertising is related here because recaptcha's use of tracking, primarily used for advertising, as a factor in determining their score for users and also because blocking ads/tracking is part of the cause behind people's issues with recaptcha.

Many site operators try to spend the absolute least amount of money on servers, so it's common for simple "GET request spam" DDOS attacks to take down a website (especially on dynamic, DB-driven sites). CF in this situation is helping these site owners take the easy road and recaptcha DDOS attacks instead of scaling up servers or having to implement smart caching strategies.
I have to solve captchas all the time these days; typically, several in a row. It's aggravating as get-out.
I've had the picture ones once it twice this year and it only took a couple seconds. The pictures don't take much longer than the text did for me but I wonder if it gets worse on certain configurations (I've heard recaptcha is super bad if you use TOR).
(comment deleted)
Firefox user, rolling with uBlock and blocking all Google cookies.

Picture captcha every time.

Try setting privacy.resistFingerprinting for the extra challenge.
I've found that breaks things in subtle ways. I have a Plex server connected to my terrestrial antenna to watch TV and the TV guide was showing everything an hour out and I couldn't not for the life of me work out why. Turns out that "privacy.resistFingerprinting" makes your JS timezone UTC, whereas I'm BST.

I'm not sure why they bother, since I'd find it more suspicious if say someone is coming from a Russian IP address but has UTC set and not a Russian timezone...

You absolutely should open an issue about this on FF's issue tracker. Assuming you're not hiding your IP this indeed is actually privacy.helpFingerprinting and should be fixed.
I get the puzzles quite often, pretty much every time I deal with a captcha. Private mode browsing, logging in from my pc, firefox vs chrome... I'm not even particularly tracking sensitive. I don't even have extensions more extreme than ublock origin and a strict popup blocker on firefox.
To offer a counter-experience, I don't remember the last time I actually HAD the "click once" captcha. It's always "click the buses/traffic lights/store fronts" etc.
Your experience will differ based on how much Google tracking you block. If you're not letting them surveil your every move, they're less convinced you're human by default (or perhaps spite).
I have lots of blocking turned on.

I imagine it's partly because I don't block cookies (I whitelist sites that get to store them across sessions and everything else is then session only).

I have a hard time assigning malice to the recaptcha more blocking = lower score because while it's a fun conspiratorial position it's also true that the more you block the less you look like the average user who doesn't. Also the less info they can pull from to determine how likely it is you're an actual person so of course people without a trail are going to be more suspicious.
Wow this makes sense now. I switched to Firefox as my primary browser 7-8 weeks ago and enabled strict blocking; and as of the last ~week, I've been greeted with reCAPTCHAs on a ton of websites which previously just let me in.
Same here. I'm pretty aggressive in trying to block trackers (ublock, Firefox containers, privacy badger), so perhaps it's due to that.
Try using Tor for a day or two, you'll get reCAPTCHAs on almost every website and in many cases you need to fill multiple out with increasing levels of distorted images. The best one is CloudFlare which can not only ask you to solve a reCAPTCHA once -- but several times when trying to load a single page. And sometimes Google will even refuse to give you a challenge at all because your exit IP is "especially dangerous"!

If 10% of web developers used Tor on weekends, no website would use reCAPTCHA because they'd realise how painful it is to certain users. I run a Tor relay (non-exit) at home, and now I get more reCAPTCHA even though there's no possible reason to assume my home IP is "bad". I'm still going to run my Tor relay -- I just think it's interesting to note that users are being punished by a giant MITM-as-a-Service company for trying to help other people use the internet anonymously.

I love competition, but I hate Google.

So I wish them luck while hoping that they’ll go die in a fire.

Manifest v3, tracking everything, this... Only validates my decision to scrap all Google services 2 years ago.

I can’t get behind this google hate. I can think of many companies that aren’t providing any sort of public good.
What's the next best alternative to reCaptcha? this is something I will be in need of soon.
People on the other side of the world that solve captchas for $1 an hour. Sadly, I’m not kidding.
There's plenty to write about this, but this is just a rambling rant that struggles to stay coherent
What's the alternative to the recaptchas? Is the difference to just to use a different captcha service?
Proof of Work is one that can help, but the HN crowd does not like those.
The title mentions reCAPTCHA v3 but then the article goes on to rant about the challenges you have to solve. reCAPTCHA v3 is completely automatic, there are no challenges at all. Of course, it's not perfect either, because occasionally actual humans fail the challenge too.
> reCAPTCHA v3 is completely automatic, there are no challenge at all.

Yeah, if you're signed into Chrome and Google has enough information to know who you are (yes, I know the new one is score-based…this just means that anyone who isn't the above is going to get a poor score and be blocked.)

You can actually set the minimum score requirements to whatever you want. The default is 0.5, but there's nothing stopping you setting it to 0.0 and letting everyone through.
Can you set it to only allow people with score < 0.5?

No, I'm not joking.

The challenge is looking at your privacy and deciding it's not worth a few seconds clicking on store fronts
Isn't the author talking about recaptcha v2? My understanding of recaptcha v3 is, that it just gives you a score for how well google can track you and then leaves it up to the site operator to block users who aren't transparent enough.

What I really hate about recaptcha v2 are those artificial delays before loading the next image (which it can happen to several times on a single card). And then in the end you frequently fail, despite answering everything correctly.

> Isn't the author talking about recaptcha v2?

Yes.

> My understanding of recaptcha v3 is, that it just gives you a score for how well google can track you and then leaves it up to the site operator to block users who aren't transparent enough.

Yeah, that's the one where you're supposed to put it on every page of your website so that Google can collect more information on your users. If they can't, they'll return a low score that you'll use to mark users as "bots".

> What I really hate about recaptcha v2 are those artificial delays before loading the next image (which it can happen to several times on a single card). And then in the end you frequently fail, despite answering everything correctly.

I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.

> I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.

I do wonder why though. For a long time, I assumed it was a rate limiter, but then another HN commenter pointed out to me that time is more valuable to humans than bots. Bots can work on multiple captcha's in parallel.

My thoughts exactly. A bot doesn't care if it takes 2 seconds to fade the images out and in for another challenge round, but a human viewing it perceives it as a frustrating delay.

I've become accustomed to just closing any page that presents me with a v2 reCAPTCHA.

Unfortunately one of those pages was the Equifax settlement. And other similar “important” sites. I never seem to come across them when it’s a service I could easily quit or avoid.
Why would anyone protect an "unimportant" site with a captcha? The value of the information, to someone, in bulk, is exactly why some throttling is needed.
This might not be so sinister. It so happens that "important" operations, like a class action lawsuit settlement, are also the type of thing you'd particularly want to protect from bots.
Good CAPTCHAs are solved by farming them out to low-paid workers, not bots.
Why? Maybe Google hopes that if reCAPTCHA is sufficiently annoying and prevalent that users will disabled any and all tracking extensions they've enabled?
Or maybe they notice that they don't get the same problems on Chrome, so they move to that...
Probably neither explicitly as a human judgment, but both constructively - some A/B experiments noticed favorable numbers went up by doing the crappy thing, and so it has been decided.

I'm waiting for the day when it pops up "find the humans" and there's someone clearly wearing CV-camouflage. For anyone that doesn't get it: you let that human hide, because it could be you in twenty years.

A lot of bots use humans to solve captchas, so the human time is important.
The bot is delegating what it presents to the human, though. So just present the human with images that have already faded in (and if no image has finished fading in, switch to the images from the other captcha).

Edit: Unless, it occurs to me now, Google is monitoring how the user responds to the fade in. When in the fade process do they click the square, for instance.

Still seems like it wouldn't be all that helpful, though.

If you have strict privacy features enabled in firefox they block recaptcha and force you to do hard puzzles. It really sucks, but I'm not disabling the privacy features.
> I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.

Maybe this is to prevent adversarial learning? If the images reload immediately, then the bot can learn (via a neural network) whether its solution was good or not. If there's a delay, it's the same, but the learning is slowed down by the same factor.

No idea if this is true, it just popped out of my head.

As I said below, this is what I thought too, but another HN'er pointed out that a bot could load up a thousand captcha's in parallel and just switch between them while waiting for the fade in.
Sure, they can, but putting a small delay forces an arms race on how big a cluster you need to operate those parallel bots and how cheaply you can offer a cracking service.
Google's pretty well done with the reCaptcha or are counting on a lot of sites to keep using v.2 for a while.

There's more saleable data to be collected tracking people's interactions in a website, under the guise of predicting who's a bot.

That's correct. ReCAPTCHA v2 is the one where if your opaque, invisible ML humanity score is below a threshold it makes you squint at weird little photo squares and try to figure out whether the part of a bumper at one edge is enough to count as a car. ReCAPTCHA v3 is the one where if your opaque, invisible ML humanity score is below a threshold the website just breaks in unpredictable ways until you either give up or (for highly technical users) notice that ReCAPTCHA is at fault and interact with enough Google services to raise your score before trying again.
> or (for highly technical users) notice that ReCAPTCHA is at fault and interact with enough Google services to raise your score before trying again

Or, for absolutely everyone: pretend you're blind and click on the audio captcha option. It takes seconds to solve and is trivial 90% of the time :)

Won't work if Google doesn't trust you enough. Which is, by the way, also a major problem.
I delete all cookies outside of a few whitelisted domains every time I close a tab, which is why reCaptcha is so annoying to me in the first place. Still, at least for me, the audio fallback is always there and much less annoying.
How does that help when Google has decided you’re a bot and you fail no matter how many challenges you solve?
Never happened to me. I've been getting "point out the hydrants" over 5 times in a row sometimes because of the amount of anti-tracking I have set up, but the audio option was always there letting me on the first try.
So, you’re saying that everyone should be happy because you’re ok?
No – I'm saying that I don't have an answer for you if I never encountered what you're describing.
No. It gave me like 17 attempts before it realized that I wasn't a bot.
ReCAPTCHA v3, the version I was referring to in what you quoted, doesn't have an audio CAPTCHA or any kind of fallback option at all, which is part of what makes it so much worse than v2. (The other part is the privacy implications of adding thorough behavioral tracking to every part of a website.)
Curious. Do you have any example of a site using it? I noticed that reCaptcha has become much, much worse recently and I assumed that this must be this v3, but I've never encountered one that would actually have no fallback and prevent me from using the site.
Adidas uses it on yeezy releases when you stand in queue on each page refresh.

Can't think of a "normal" website using it.

Tried it a few times, it just told me something to the tune of "this option is not available", with no button to return to the picture-solving option.
But if you fail on v3, don't you get v2? For example, I constantly get v2 when using a VPN. It's terrible.
Not directly. The dev decides on your punishment but sure most likely throwing in a v2
With some of these I'm left debating what is a traffic light. Is the pole itself a traffic light? I really don't know.

Also when it asks to select all the cars. Is a bus a car? Is a truck a car? I really don't know what it is expecting and I must pick wrong as I often fail.

Perhaps that's Google's intention. They are using your human intelligence to make educated guesses, rather than using AI. Your choices will be added to their dataset.
Yes, but my guess would be much more educated if they would tell me the question in sufficient detail.
It's very frustrating that there's no "your AI is an idiot, there isn't one" button. I saw an example of one that said "click the tiles containing the bus" where it was clear what the AI thought was a bus, but it definitely wasn't.
This reminds me of Janelle C. Shane's work on AI[1]. Computer vision's been learning based on the photos that people take, not the visions that people see, and this is giving AI a preference for photogenics instead of reality.

People generally don't take pictures of rolling green hillsides. But they very often take pictures of rolling green hillsides with sheep on them. So if you ask the robot to draw a picture of rolling green hillsides, it will include sheep. Or, if you ask it to draw a picture of the savanna, it will want to include giraffes.

Now you're being asked to find a bus in a photo without a bus because it's a street scene, and every street scene has a bus in it.

I haven't read her book, yet, but her Twitter[2] is often full of amusing anecdotes like this.

[1] https://aiweirdness.com/

[2] https://twitter.com/JanelleCShane

Thank you, I ordered her book on the strength of your comment!
> People generally don't take pictures of rolling green hillsides. But they very often take pictures of rolling green hillsides with sheep on them. So if you ask the robot to draw a picture of rolling green hillsides, it will include sheep. Or, if you ask it to draw a picture of the savanna, it will want to include giraffes.

Don't humans do this too, though? If I asked someone to draw a picture of rolling green hills, they may well add sheep as an additional detail.

Well, personally, I had the "bliss" image from the Windows wallpaper collection in my head while I was writing this. But I'm cognizant that most of the photos of hillsides I took in Ireland had sheep in them.
I wonder if that would still be true, though, if "bliss" wasn't a default Windows wallpaper. In other words, you're still referring to common pictures, you're just particularly biased to one in particular that you've seen a lot.

I haven't done the experiment, but I'd posit that if you walked up to a group of 8-year-old children, gave them crayons, and asked them to draw pictures of "rolling hills", a significant portion would add sheep, cows, flowers, or some other details—even though a majority of rolling hills in the world don't have any of these features.

I wonder if you ran into something I deliberately mislabeled as a bus.

Your goal shouldn't be to answer the question earnestly, but to confirm the machine's biases. Going with the flow is expedient, as well as giving Google less support.

In this case, it was obvious what it wanted someone to do.

It gets more frustrating when it's less clear. Is "click the hills" with a picture of a mountain a mistake, or a trick? Should I click all the tiles that contain a bus, even if it's only one pixel, or should I only click the ones that mostly contain a bus? etc.

The most frustrating is “select all pictures with bridges” when not one picture contains more than one bridge.
are you joking?
No, it's pretty regular. It will even tell you to "try again" if you correctly don't select anything.
They probably assume that the vast majority of the population are not massive pedants and will do what they expect.
That is, they assume the vast majority of the population is indistinguishable from their AI. I believe that view also informs their customer service procedures.
They probably don't assume anything, and it's just a corner case in their automated system.
Right, but it's why fixing it is not a priority.
I think it's pretty clear what it's asking for and you are misinterpreting the request.
I actually thought I experienced that this morning. But then I looked closely, and there were actually photos containing sections of what I was left to assume were actually bridges. So I think you're technically wrong, but the spirit of your comment is correct!
The worst part is the self doubt afterwards when you get presented with ANOTHER reCAPTCHA, leaving you questioning whether you got something wrong.
I always see complaints about recaptcha like this, but I've never experienced this struggle, certainly not to such a degree as to be outright frustrating. It's always seemed pretty obvious to me what the right answers are. My personal take to your examples are that that a traffic light's pole is not a traffic light, but any part of the box that contains the lamps/leds is (even if facing away from the camera), and that neither large trucks nor buses are cars, but would include vans, pickups, and SUVs.

Hopefully these rules of thumb will help someone reading this find these captchas less frustrating.

For those of you asking for alternatives, I've tried a few of the things posted in https://kevv.net/you-probably-dont-need-recaptcha/ to some success, but obviously it depends on your use case.
thanks for your overview !

Does anyone knows a recapthca2-like service/software, that would help solve such tasks (OCR, object recognition..) on a custom provided dataset ?

It could provide an alternative to recaptcha, and a "Mechanical Turk"/crowdsourcing for universities, institutions or companies to help solve some of their repetitive tasks.

Not true. Google has made a new capture system that only requires you to click a checkbox.
…which will only work if Google can track you.
Try using Tor with one of those captchas -- you will get a whole load of puzzles and picture matching goodness (usually having to solve multiple in a row). It can easily take me several minutes to pass a reCAPTCHA challenge when using Tor. And even then, sometimes Google will even refuse to give you a challenge at all!
That article aside, what are everyone's experiences with reCAPTCHA? We are using it to secure one of our contact forms and get a lot of spam through it. Upon research (googling) I found that reCAPTCHA is "broken", e.g. https://threatpost.com/uncaptcha-googles-recaptchas/140593/
I can’t reliably pass them without altering browser settings (and even then, answering correctly doesn’t seem to matter one way or another shrug).

I switch services whenever it is possible and I see a reCAPTCHA prompt.

(I am a human.)

My experience is pretty much the same as the article.

And because I value my time you risk simply not having me contact you if you use any kind of captcha.

We use it to stop bots from opening thousands of trial accounts. We don't have bots anymore, but instead we have humans who open hundreds of trial accounts hourly. I guess it's an improvement.
Whats the service fir? I know game miners and some other niche services that attract these kind of actors. Do you know what they want from your site?
An email provider. Interestingly enough they don't even send anything. They just... sit there. And who knows why. Not really doing anything harmful afaik, but obviously fradulent so our support still kills them in bulk just in case they were a proper threat waiting for the activation.
Huh, interesting, thanks for sharing. Maybe they're just using it as an address to open up accounts for other stuff?
Perhaps – but I'm pretty sure there's some that don't even receive emails either. It's as if someone was just creating a "standing army" of accounts in preparation to unleash something. Spooky :)
Companies should just use bogofilter and not submission blocking on contact forms if they're annoyed about receiving spam all the time. That and then just go through the detected spam once in a while (once per week perhaps).

Basically the same they'd do with e-mail.

Several times I was prevented from complaining about something to a company that didn't have a public e-mail address, but only a contact form with captcha, just because that day, google decided they'll fail all my recaptcha attempts, and tell me "sorry we think your computer is sending automated queries" and wouldn't even allow me to try any futher.

It really doesn't help if I'm in a negative midnset about the company already. I've completely stopped using shipping companies that put tracking info behind recpatcha, for the same reason, although that's a different thing from contact forms and a bit harder to manage. But contact forms should not be blocked with recaptcha.

Outright blocking communication is a poor taste. Accept all communication and use automated mechanisms to filter through it on your side.

BTW, this is even worse for users that block re-captcha via adblocker or something, because you often lose the entire text you were about to send. So the next attempt you're even angrier.

The current new captcha is invisible. It's no less evil since Google recommends to put it on all your pages...
Well, it's only invisible if all pages / tabs you visit share the same cookie / session store. With browsers implementing more and more of privacy-focusing features this becomes less and less frequent.

If I use Safari private mode (each tab has its own cookie store) or Firefox with containers and cookie auto delete extension every tab I open, every page I visit gets a brand new Google session. Obviously, Google treats my like a bot.

It's such a shame that this poor article is getting attention, given that reCAPTCHA v3 is actually a terrible privacy violation.

Sadly, I don't think the author knows the difference between v2 and v3. The article is definitely not talking about v3.

Yes, I thought the article would be about privacy concerns. Instead it was a rant about v2, not mentioning v3 at all (except for mistaking v2 for v3). Ultimately there was little substance here.
A lot of articles posted on hacker news are by people who don't really understand what they're talking about, but use a lot of emotionally charged language. A lot of times this is fine, because it's articulating something that bothers a lot of people and wastes their time. But in this case it's absurd. I don't think he understand just how much crap bots were/are putting out there, especially before we had good services like cloudflare and the whole web hosting cloud to filter it. It's not Google's fault every small/medium sized company decided to put important customer services on a web portal which could be easily abused, they just capitalized on it. Sys admins can't stop random executives from making crap decisions like having an inherently insecure system, but at least they can pitch on reCaptcha to fix it a tiny bit. But they wrote an article where they used a lot of CAPS LOCK, so they must be an authority.
> A lot of articles posted on hacker news are by people who don't really understand what they're talking about, but use a lot of emotionally charged language.

This seems to be the best strategy for getting to the top of the front page these days. Even better if the target of the emotionally charged language is Facebook, Google, or Amazon.

The article really should have focused on this, it's the only valid concern. There's no proof or references behind the later claims like "THE AVERAGE TIME IS OVER 30 SECONDS!" and " It doesn't matter if you're logged into your Google account and allowing all manner of cookies.", not even anecdotal or personal videos of trying to solve a recaptcha like this post[0] had from two months ago.

> I don't think the author knows the difference between v2 and v3

The author doesn't seem to have ever visited google.com/recaptcha to know what Google refers to as different versions of its service. The author instead is talking about "versions of bot detection", ie. The "detect human mouse movement" was v2, "scan your Google history to see how human-like your activities are" is v3, and the author envisions "v4" as doing the silly things from the latter half of the article.

0: https://news.ycombinator.com/item?id=20158386

Google moved puzzles from interviews onto random Internet users ;-) There must be some sophisticated internal metrics registering increase of puzzle takers somewhere, with a hidden goal of increasing general intelligence levels, adversarial-style. It's the only scientific explanation! :D
the tone of this article is awful. it also has the history of recaptcha wrong.

I can't imagine it actually taking 30 seconds to solve a reCAPTCHA. That needs a citation.

In Firefox, log out of your google account, block cookies and enable the anti-fingerprinting features. Or just browse with Tor Browser.

You will start getting challenged more often, you'll find you're asked to solve several multi-select challenges in a row even if you get them right, the multi-select challenges will replace tiles after you select them, and the tiles will start fading in and out very slowly.

See https://www.youtube.com/watch?v=en5KSZSpDFY for an example video.

These are (AFAIK) intentional features deployed Google - you just don't see them if they can already track you via something like your Google account.

Ok I did as you suggested and then went to https://www.google.com/recaptcha/api2/demo

Took me all of 5 seconds to solve

The most insidious thing about this two-tiered surveillance society is that its effects are invisible to people in the "good" class, and they insist on remaining ignorant of what happens if you're not in that class.

Google still has plenty of other tracking points on you. And of course reCAPTCHA looks reasonable to a prospective developer - it wouldn't be adopted otherwise!

If someone tells you it routinely takes 30 seconds to solve, you should really just accept their experience rather than discarding it with "works fine for me!". If you still need to see it with your own eyes, go setup a TOR browser and become one of the undesirables, rather than just imagining. You just might end up adopting the marginalized view.

Try using Tor and a real website that is using reCAPTCHA (I don't think they have their actual scoring system enabled on the demo). GP posted a link to a video of someone solving a single reCAPTCHA prompt for 2.5 minutes. I also regularly have to solve several CAPTCHAs in a row, often with increasing levels of image distortion.

Before being so brazenly dismissive of other people's experiences, take the few measly minutes it would take to actually try it out. Even doing a simple Google search with Tor Browser usually gives you a reCAPTCHA to solve.

> being so brazenly dismissive of other people's experiences, take the few measly minutes it would take to actually try it out

?? I did try it exactly as was requested of me. I didn't know where to find a recaptcha so I went to the demo page.

It's possible the video is the result of a bug and not normal behaviour. I wouldn't know as I don't often browse with tor.

I've experienced that in the past, without using tor, but using Firefox. I go to great lengths to block anything Google. Google Fonts, Google CDNs (and I now use Decentraleyes so CDNs are mostly not even reached). I have to explicitly unblock reCAPTCHA scripts for it to even work - or use a clean and disposable browser profile. I've occasionally seen the behavior on the video when I really need to access the page (though usually I just complain to the webmaster).

I once had to request a new password for my online bank account. I ended up asking the bank manager to reset my password, pretending that reCAPTCHA is preventing me from resetting the password myself. My bank is not paying me for solving captchas for Google's benefit (this is so screwed up…).

The biggest offender is CloudFlare for me.

> I didn't know where to find a recaptcha so I went to the demo page.

Well, now you do (though I was a bit of an asshat in my parent comment, sorry about that):

> Even doing a simple Google search with Tor Browser usually gives you a reCAPTCHA to solve.

You can get the Tor Browser from [1].

[1]: https://www.torproject.org/

I have noticed recently that when using Firefox the need to repeatedly spot traffic lights or fire hydrants 5 or 6 times in a row seems to have gone away. It now seems that I only need to do it once now so perhaps someone at Google fixed the glitch?
It sounds like you intentionally are making it very hard to distinguish if you are a bot or a human?
No, I'm intending to make it hard for sketchy third-party ad companies to track me. Some ad networks can't even avoid serving malware, it's not realistic to expect them to competently safeguard my data.

It just so happens that Google's method for telling if I'm a bot or a human isn't just to show me mangled text, but also to use ad-network-style tracking.

In Google's defence this is probably an attempt to deal with captcha-solving-by-humans-as-a-service or something like that. I can't imagine Google employs many privacy enthusiasts who would spot a problem like this by dogfooding.

Forget your password a few times on a site that uses it (logMeIn and its products). You'll get an endless stream of challenges. I usually just give up and try again later
> I can't imagine it actually taking 30 seconds to solve a reCAPTCHA.

It happens to me quite frequently... but I block a lot of tracking. Sometime I give up if I was browsing just for fun... but my bank sometime use reCAPTCHA.

They have been putting some users through multiple challenges with a forced delay/throttling - so you need to actually answer 4 or 5 challenges with a minimum time per challenge of perhaps 5-8 seconds etc.

These users appear to be Firefox users who sandbox Google cookies. That said, it seems to have improved a lot recently (only one challenge)

In the past, I often spent more than 30 seconds on each recaptcha. It really is a problem. That improved by allowing google cookies but now every webpage with recaptcha I visit is being tracked by Google. :(
reCAPTCHA is turning into a punishement for those who don't want to consent to full tracking by Google.

Apple is working on their SSO project (Sign in with Apple); I hope they will also consider the use-case of being able to tell a site that you're a human without sending any information.

Recaptcha is a free mechanical turk for Google. Right now they re training waymo's cars, but soon they 'll need to train other networks. Prepare for "Click on all images showing intraductal papillary biliary neoplasm". C'mon, don t be lazy
(comment deleted)
This conspiracy theory has been debunked many times.
The conspiracy theory of "google is doing what they promised to do"? Half the point of recaptcha was classifying images.
What conspiracy theory? That's what Google say it is for:

> Hundreds of millions of CAPTCHAs are solved by people every day. reCAPTCHA makes positive use of this human effort by channeling the time spent solving CAPTCHAs into annotating images and building machine learning datasets. This in turn helps improve maps and solve hard AI problems.

https://www.google.com/recaptcha/intro/v3.html (under "Creation of Value - Help everyone, everywhere - One CAPTCHA at a time.")

Just wondering but does this explain why the images always seem to be driving related like traffic lights, crosswalks, bridges, etc.
My payment provider (Braintree) required me to implement reCAPTCHA v3, despite the fact that I had already implemented server-side fraud checks (MaxMind). I didn't have a choice if I wanted to continue taking credit card payments.
Do they specifically require reCAPTCHA v3, or just any sort of bot-prevention CAPTCHA?
The specifically told me to use reCAPTCHA v3. I don't know if they would have accepted another one. I didn't want to take the time to research them. Honestly, from a UX perspective I also preferred the "no user interaction" part of reCAPTCHA.
I’m curious, what’s the best option for protecting web forms if not using reCAPTCHA? Specifically for things like account sign ups?
It depends what value there is in an account, but for a service I run, I just let the bots sign up accounts.

Accounts don't really cost me anything, and they get automatically deactivated if they didn't get any activity in the first 30 days anyway. Activity on my service costs money, so if someone wants to make a bot that pays me money, I have no problem with that.

The only time I'd consider implementing something like reCAPTCHA is if I was giving something away for free (e.g. a free trial) such that a signup actually had a cost for me.

I was more concerned about triggering activation emails to people
If you collect email addresses, then yeah that's a concern. Then again, if you send a single activation email and never send another email unless the link is clicked, there's no value to the bot in signing up accounts, so it's unlikely to be a major problem.
I'm glad someone is talking about this and we can have a healthy discussion about it. Things like PrivacyPass[0] are a step forward, but for those who don't know about such a tool, they will continue to be 'tortured' and get repetitive strain injury from constantly having to solve recaptcha v2, at least, well if they browse under Tor heavily and will have to pass recaptcha's test multiple times, and even after proving they were not a bot countless times.

[0] https://privacypass.github.io/

You will find the Google ecosystem is more joined up than you realise. If you use the DNS it will make the search engine results more personal, if you block everything to do with google at the firewall level, you will find recaptures don't actually work, you can spend an hour before it comes up with a web page where you have reached the end of all the recaptures you could possibly do. If you use Firefox, and write addons, you will find the addons don't work, their website api's, analytics, absolutely everything to do with Google is joined up so the internet is one giant Google Panaopticon. Don't believe me, try it for yourself, lock everything down at the firewall and see for yourself.
> If you use the DNS it will make the search engine results more personal

Google claim not to use DNS in this way:

> Is any of the information collected stored with my Google account?

> No.

> Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?

> No.

https://developers.google.com/speed/public-dns/faq

The problem with PrivacyPass is that it is a (not nearly as peer-reviewed as Tor) privacy-related cryptosystem that lets you bypass the reCAPTCHA that CloudFlare put in your way in the first place.

Using it with Tor is almost certainly not a good idea because it changes your own behavior from other Tor users thus compromising your anonymity (and the Tor folks are not in favour of PrivacyPass, because they think the solution is that CloudFlare shouldn't be putting the reCAPTCHA in the way in the first place). And that's assuming that the cryptography is actually solid and there is no way to distinguish between different PrivacyPass users. Tor has decades worth of research put into it -- what level of scrutiny does PrivacyPass have? How many people actually use it and how many have tried to break it?

I've said this before but:

> When 80% of traffic from an IP is malicious and the other 20% is regular traffic, but both sources look like the same traffic (impersonating browser headers, sometimes running headless chromium), what else can you do? Cookies and stateful cookie-like objects, such as privacy pass.

I agree that reCAPTCHA (all versions) are terrible. (At least, sometimes it is possible to avoid the problems by selecting the audio CAPTCHA, which tends to work better as far as I can tell.)

Instead, use the protocol-independent CAPTCHA. It is a SASL mechanism, which sends a challenge with plain ASCII text (and may include line breaks), and then accepts a single response of plain ASCII text, and then the server decides whether or not the response is acceptable. The similar thing can also be done with a simple HTML form, but using SASL would then allow working with any protocols and work with command-line interface just as well as HTML interface, too.

(comment deleted)
>Select all pictures of storefronts.

Hmm, if only I could read Bengali, I could tell if this were a storefront or not.