It appears it pays people to use the captchas by providing data labeling. This is similar to Google's business case for running ReCAPTCHA, just labeling others' data instead.
ReCAPTCHA decided to start charging for their service (which they have every right to do, but it was a surprise). Just to use ReCAPTCHA on our Free customers would have cost us $10M+/year, which was untenable. We’d been concerned about the privacy issues around using a Google service for some time, and this was the kick in the butt we needed to move off of them.
hCAPTCHA has been incredibly responsive so far to improving their service, something even at our scale we had a tough time getting from the ReCAPTCHA team.
Ultimately, we’re working toward entirely eliminating visual/audio CAPTCHAs. But, until then, we are enjoying working with the hCAPTCHA team.
Thanks for the response. I hadn't previously heard of ReCAPTCHA charging users. Is it only large enterprise customers? The people I know who use it in applications haven't mentioned it, but they're nowhere near Cloudflare's scale.
> Ultimately, we’re working toward entirely eliminating visual/audio CAPTCHAs. But, until then, we are enjoying working with the hCAPTCHA team.
This sounds very interesting; are you able to comment on this further?
> If you wish to make more than 1k calls per second or 1m calls per month, you must use reCAPTCHA Enterprise or fill out this form and wait for an exception approval.
I recently switched my phone to route all internet traffic through Tor and the DDG browser on Android, but the hCaptcha challenges are even more exasperating than the ReCaptchas, and I've found my bounce rate close to 100%.
Is the abundance of hCaptcha challenges for those of us browisng CF-fronted properties in such a manner going to change any time soon?
Off topic here but since you seem knowledgeable can you point me in the direction of some good resources I can read to become informed on how to use tor? I worry I will have issues as you described. My kids school just moved online. The teacher was considering using google classroom then I voiced my concern which she thanked me and she ended up going with a Canadian company (I am Canadian) called myblueprint.ca and their privacy policy can be found here [1]. Reading their privacy policy it is quickly apparent they are a giant data collection machine and I want to throw up. I plan on sharing some of the key points but if I have to go forward want to try use like a tails live CD or what ever is recommended in 2020 to avoid their tracking. Thanks for any insight
[1] https://myblueprint.ca/privacy
I’m curious, what about their privacy policy has you convinced that they’re a “giant data collection machine”? I just read it and it seems pretty reasonable to me.
They clearly outline all the purposes they need to use your data for, most of which are just to operate their site.
I would encourage you to think twice before implementing measures that are going to o add more friction to your kids’ schooling. (Live CD? Tor? Really?)
I worry a lot about my kid writing or saying something that would be innocent child's play when in person but might be construed as domestic terrorism if seen in the wrong data dump by the wrong enforcement agency.
How can you teach right and wrong in an environment like this?
Perhaps I misunderstand it as one person commented but the part that creeps me out was this one part (iii) the pages of the Site a user visits; and (iv) other sites a user visited before visiting our Site.
So they not only track what you do on their site but will be tracking the rest of my internet browsing history or am I misunderstanding this? There was more I didn't like to be honest but I am on my way to bed so will leave it at this point for tonight. This is my kids privacy I worry about they don't know how to and if I have to use a service for their school because of covid I don't want my kids and my internet browsing habits known. Other then a basic cookie for log in purposes there is no need to be doing a bunch of tracking on kids personal computers on there personal home networks. And since this is HN we have all see the many articles that basically say yes most of the time anonymous data can be tied to you. Yes I am sure it is so mundane to most but I really wish we had the privacy laws like gdpr because I really do not think our kids deserve to be snooped on. I appreciate your thoughts.
This seems paranoid. The kids are all surely already using Google for everything else. Tor and Tails would not only be an immense hassle for them which would make it much harder to get anything done, or use most school-relevant software, it also doesn't even help prevent any tracking in this case. If a service requires you signing up for an account with your real name, then that's all they need right there, because then they can just tie everything you do to your name.
Using Tor in this scenario really makes no sense, unless you plan to have them all use fake names, a fake school name, redacted/altered school material, etc.
And if you don't want to use Google, the privacy policy for that other service seems totally normal and fine. Respectfully, I think you may want to have your school consult with a technologist, rather than trying to give them software guidance based on your own understanding of the issues.
Wonder if there was a business case for making a captcha service that labels open data for the social good. IMHO even a pay-for-hosted open source model sounds feasible. I would have initially expected that the labels and not the security would provide the cash flow ( I know a company who puts labelling tasks in online games and actually pays the game host)
> We’d been concerned about the privacy issues around using a Google service for some time, and this was the kick in the butt we needed to move off of them.
Do you think this would have ever happened without a financial incentive?
As someone who’s been in a similar position, there aren’t really any alternatives that don’t piss people off. reCAPTCHA is a pain to get past for a small number of visitors, typically those using public proxies (e.g. Tor), but the majority just click a checkbox and are in.
Cloudflare already has a lengthy complaint thread on their forums with people insisting they switch back to reCAPTCHA for this very reason.
But after years of suffering last year I made an effort to get over it. Nowadays more often than not I just close the tab and go someplace else. F 'em.
Some people have workarounds for recaptcha or at least understand how it behaves to not bother solving impossibly hard puzzles, but not for hcaptcha. I got hit by hcaptcha today on a digitalocean website I think which is served via cloudflare and struggled to solve it. After clicking "I'm not a robot" it started asking me to find dogs in pictures a couple of times, pretty awful experience. I don't know what to say, it's been many years and cloudfare is still pretty incompetent in that area ruining the web for a lot of people.
With my pretty aggressively tuned privacy settings in Firefox I'm getting captchaed CONSTANTLY, and everybody is apparently using cloudflare. Here's hoping hCaptcha is less aggressive..
That’s almost certainly unrelated to your Firefox settings. The rate at which you get captcha’d is mostly based on the level of suspicious activity from your IP address and nearby IP addresses—though if you mess with headers too much, that can also do it. I’m decked out for privacy in Firefox, and I never get captcha’d. You may have a malicious extension or other malware on your network that’s doing something nefarious.
That's entirely false. It is primarily related to how easy it is for google to determine whether you're a real human. If they have to keep reidentifying you as human (due to for example fingerprint resisting or tracker blocking).. surprise you get captcha'ed
If no content blocker like µBlock is used, Google will probably find out about the website visit through Google Analytics. But the important difference is that Analytics is not essential for visiting a website while the CAPTCHA from the CloudFlare page in front of the website is.
But the change is especially good for Tor users as they are often blocked from using Google reCAPTCHA (due to "suspicious" activity from the network) at all.
Finally I hope more companies follow the lead of CloudFlare and change some parts of their services to not solely use Google so that the web becomes more diverse again.
hCaptcha is annoying! Even when I'm not logged into Google, I rarely get a captcha when I click "I'm not a robot". With the new captcha, I get promoted 100% of the time.
I'm glad Google is out of the picture (although their DNS, Google analytics/ tag manager, chrome, maps, etc) would know my history anyways. But hCaptcha needs to be less greedy when it wants free labeling labour.
Yep, I noticed the new captcha a few days ago on a game wiki site just to view it but I think the site owner has the most strict option however where every visitor gets a captcha.
But anyways, felt the captcha lasted longer then it should. Was kinda starting to wonder if it’s ever end where very close to just exiting that tab.
I wish there was a more open way to stop spammers and abuse. For my project I want to do, you’d need to be logged in for most things anyways so probably just need it for signup, password reset and contact form - but plan is to only do that based on some private risk algo maybe, so not every user gets it.
27 comments
[ 4.2 ms ] story [ 45.5 ms ] threadIt appears it pays people to use the captchas by providing data labeling. This is similar to Google's business case for running ReCAPTCHA, just labeling others' data instead.
ReCAPTCHA decided to start charging for their service (which they have every right to do, but it was a surprise). Just to use ReCAPTCHA on our Free customers would have cost us $10M+/year, which was untenable. We’d been concerned about the privacy issues around using a Google service for some time, and this was the kick in the butt we needed to move off of them.
hCAPTCHA has been incredibly responsive so far to improving their service, something even at our scale we had a tough time getting from the ReCAPTCHA team.
Ultimately, we’re working toward entirely eliminating visual/audio CAPTCHAs. But, until then, we are enjoying working with the hCAPTCHA team.
> Ultimately, we’re working toward entirely eliminating visual/audio CAPTCHAs. But, until then, we are enjoying working with the hCAPTCHA team.
This sounds very interesting; are you able to comment on this further?
According to https://developers.google.com/recaptcha/docs/faq#are-there-a...
Is the abundance of hCaptcha challenges for those of us browisng CF-fronted properties in such a manner going to change any time soon?
They clearly outline all the purposes they need to use your data for, most of which are just to operate their site.
I would encourage you to think twice before implementing measures that are going to o add more friction to your kids’ schooling. (Live CD? Tor? Really?)
How can you teach right and wrong in an environment like this?
So they not only track what you do on their site but will be tracking the rest of my internet browsing history or am I misunderstanding this? There was more I didn't like to be honest but I am on my way to bed so will leave it at this point for tonight. This is my kids privacy I worry about they don't know how to and if I have to use a service for their school because of covid I don't want my kids and my internet browsing habits known. Other then a basic cookie for log in purposes there is no need to be doing a bunch of tracking on kids personal computers on there personal home networks. And since this is HN we have all see the many articles that basically say yes most of the time anonymous data can be tied to you. Yes I am sure it is so mundane to most but I really wish we had the privacy laws like gdpr because I really do not think our kids deserve to be snooped on. I appreciate your thoughts.
Using Tor in this scenario really makes no sense, unless you plan to have them all use fake names, a fake school name, redacted/altered school material, etc.
And if you don't want to use Google, the privacy policy for that other service seems totally normal and fine. Respectfully, I think you may want to have your school consult with a technologist, rather than trying to give them software guidance based on your own understanding of the issues.
Do you think this would have ever happened without a financial incentive?
Cloudflare already has a lengthy complaint thread on their forums with people insisting they switch back to reCAPTCHA for this very reason.
But after years of suffering last year I made an effort to get over it. Nowadays more often than not I just close the tab and go someplace else. F 'em.
But the change is especially good for Tor users as they are often blocked from using Google reCAPTCHA (due to "suspicious" activity from the network) at all.
Finally I hope more companies follow the lead of CloudFlare and change some parts of their services to not solely use Google so that the web becomes more diverse again.
I'm glad Google is out of the picture (although their DNS, Google analytics/ tag manager, chrome, maps, etc) would know my history anyways. But hCaptcha needs to be less greedy when it wants free labeling labour.
But anyways, felt the captcha lasted longer then it should. Was kinda starting to wonder if it’s ever end where very close to just exiting that tab.
I wish there was a more open way to stop spammers and abuse. For my project I want to do, you’d need to be logged in for most things anyways so probably just need it for signup, password reset and contact form - but plan is to only do that based on some private risk algo maybe, so not every user gets it.