Google's new reCaptcha version: a double-edged sword for users

Tram Ho

While Google’s new reCaptcha tool gives users a better web experience, it can also violate user privacy.

For years, whenever they wanted to log in to a website or submit a registration form, internet users have had to patiently click on images containing traffic lights, bicycles or retail storefronts to prove to the computer that they are not a bot.

That has been the reCaptcha tool's usual way of distinguishing people from computers for many years. But since last fall, Google has released a new version of this tool, with the aim of reducing the inconvenience of this verification step for users.

Better user experience in the web world

Now when you fill in a registration form on a website that uses the reCaptcha V3 tool, you will no longer see the “I’m not a robot” checkbox, nor will you have to find and click on pictures of cats. In short, you will no longer have to see anything unpleasant.

“It will be a better experience for users. Everyone doesn’t like Captcha,” said Cy Khormaee, head of reCaptcha at Google.

According to Khormaee, Google analyzes how users navigate through a website and assigns them a risk score based on how malicious their behavior appears. Although he did not share details about how Google determines this, Khormaee said that reCaptcha will make it harder for people who “trick” Captcha (Captcha farmers) or bots to fool Google's systems.

According to Built With, a technology statistics website, more than 650,000 websites use reCaptcha V3, out of more than 4.5 million websites using the reCaptcha tool (25% of the top 10,000 websites also use this tool). Google is also testing an enterprise version of reCaptcha V3, with the ability to analyze data on the level of malicious behavior among users more closely, to protect business websites from bots and toxic users.

If you have a Google account, you’re more likely to be a human being

According to two security researchers who have studied reCaptcha, one of the ways Google determines whether you are a malicious user is whether you already have a Google cookie installed in your browser. That same cookie is what allows you to log into your Google account without retyping your information each time you open a new window.

In an article published in April, Mohamed Akrout, Ph.D. in computer science at the University of Toronto, who studied reCaptcha V3, wrote about how to simulate reCaptcha V3 in a program. Browsers connected to a Google account receive a lower risk score than browsers that are not connected to a Google account.

In other words: “If you have a Google account, you’re more likely to be a human being.”

With reCaptcha V3, tests by both Akrout and technology consultant Marcos Perona show that reCaptcha scores are always lower when they use a browser that is logged into a Google account to access a test website. If they access that test site using a private browser like Tor or a VPN, their scores are always lower.

In order for the system to score risk correctly, website administrators must embed reCaptcha V3’s code on all pages of their website, not just on the registration form or login page. After that, reCaptcha learns over time how users typically behave on the website, helping the underlying machine learning algorithm produce more accurate risk scores.

Because reCaptcha v3 is present on every page of the website, if you are logged in to your Google account in your browser, Google will be able to collect data from every website you visit that has the reCaptcha v3 code embedded. That happens without any visual indication, except for a small reCaptcha logo tucked into the corner of the browser.

According to Perona, reCaptcha and its risk score system help administrators and website owners better control what is happening in the face of bot attacks or scams, but this comes with a trade-off.

Double-edged sword for users

He said: “It becomes more meaningful and user-friendly, but it also gives Google more data.” Google doesn’t say what it does with the data it has collected about user behavior through reCaptcha; instead it has only said that the data is used to improve reCaptcha and for security purposes in general.

This type of data-collecting cookie is found everywhere on the internet. Technology giants use it to determine where users go when they surf the web, helping them target advertising better. For example, Google’s reCaptcha cookies follow the same logic as Facebook’s Like button when it is embedded in other websites: it gives websites more social networking functionality, but it also allows Facebook to know that you are there.

Previously, Google said that the collected reCaptcha data would not be used to target advertising or analyze user interests. Even now, Google’s terms of service page makes no mention of reCaptcha.

But after this Fast Company report was published, Google said that reCaptcha’s APIs send hardware and software information, including device and application data, to Google for analysis, and that the service is only used to combat spam and other abusive behaviors. Google also emphasized that information sent through reCaptcha will not be used by Google to personalize ads.

Perona sees Google’s goal for reCaptcha as being like “an online landlord” that is strengthening Google’s ownership of the internet. reCaptcha is similar to Google’s AMP product (Accelerated Mobile Pages), a program that helps news sites load faster on phones but has caused much suspicion among publishers about whether Google will take their web traffic or not. The same thing happened with Google Chrome, when the Washington Post recently called the browser “spy software”.

Perona said: “It’s always a double-edged sword. You get something, but you also have to give Google a little more control over everything online.” In this case, what you get is better security and user experience, but in return privacy can be violated.

Reference: Fast Company

Source: Tri thức trẻ