Slashdot Mirror


Google's reCAPTCHA Turns 'Invisible,' Will Separate Bots From People Without Challenges (arstechnica.com)

Google is making CAPTCHAs invisible using "a combination of machine learning and advanced risk analysis that adapts to new and emerging threats." Ars Technica reports: The old reCAPTCHA system was pretty easy -- just a simple "I'm not a robot" checkbox would get people through your sign-up page. The new version is even simpler, and it doesn't use a challenge or checkbox. It works invisibly in the background, somehow, to identify bots from humans. Google doesn't go into much detail on how it works, only saying that the system uses "a combination of machine learning and advanced risk analysis that adapts to new and emerging threats." More detailed information on how the system works would probably also help bot-makers crack it, so don't expect details to pop up any time soon. When sites switch over to the invisible CAPTCHA system, most users won't see CAPTCHAs at all, not even the "I'm not a robot" checkbox. If you are flagged as "suspicious" by the system, then it will display the usual challenges.


  1. Up until it tags the handicapped as bots by Anonymous Coward · · Score: 3, Interesting

    I believe there are accessibility laws in most parts of the world ....

  2. Don't know how I feel about this by Anonymous Coward · · Score: 2, Interesting

    For one thing, I never get the checkbox from my residential IP connection. But once I switch to my VPN on my own assigned /24 I get reCAPTCHAs all day. This isn't new, I've been browsing from the same /24 for the last 5 years. Yet for some reason, Google thinks when I'm coming from there I'm a threat. I know I'm a minority that's going to be drowned out because who cares about the few users caught in the net. It's just an annoying feature that kills any competition for my business. Any remote sites using a squid cache connection get the reCaptcha flag. They switch to a different provider or move the cache server to GCE then everything magically works.

    What's a BOFH to do.

  3. Lots of work to do by arth1 · · Score: 5, Informative

    For some reason, I get flagged for captchas all the time, but no matter how vigilant I am at choosing storefronts, mountains, street signs and house numbers, I have to go through at least a dozen pages of them before it believes me.
    I wonder whether being behind load balanced proxy servers might have anything to do with it.
    Anyone else having similar problems?

    1. Re:Lots of work to do by MatthiasF · · Score: 5, Insightful

      Yep. I constantly need to do them because I have my browser locked down to stop tracking.

      I have a feeling most of Google's new "invisible" method has more to do with the fact they are tracking you as a unique user and following your path to the page. If it looks legit, they don't challenge.

      But if you're one of the many of us who actively fight being tracked, we're going to be relegated to second-hand internet user thanks to Google's monopoly.

    2. Re:Lots of work to do by hcs_$reboot · · Score: 2

      Yes, and this is because you do, on Google's behalf, some picture recognition as well, in order either to confirm some other person's recognition "work", or to be the initiator. The percentage distribution between "recognition work" and "actual recaptcha" is not clear, but the more you have to recognize, the more you work for Google at no charge.

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    3. Re:Lots of work to do by 93 Escort Wagon · · Score: 4, Interesting

      Yep. I constantly need to do them because I have my browser locked down to stop tracking.

      I have to do them all the time, and I'm not even that aggressive regarding blocking tracking. I mostly just clear things out after the fact, every few days - I'm not even running noscript (but I am running an ad blocker, and don't use Google for much).
      I'll be curious to see how many of us this disenfranchises...

      --
      #DeleteChrome

    4. Re:Lots of work to do by MatthiasF · · Score: 5, Insightful

      That's a really nice attempt at an apologist's view of Google's monopoly, except credit card companies can only track WHERE you spend money, not the specifics of what you actually bought. Whereas Google literally knows what sites you are browsing, what pages on that site you are browsing, even what parts of the page you read through its AdSense product and then takes all of that to determine what parts of the Internet it wants to show you through its Search product. Then there's the email product, and the social media, etc. etc.

      No other entity has ever been able to get that much information in that detail on a "customer" (quotes intentional, since let's face it you're the product to Google, not the customer).

      The fact that Google is pushing an internet standard that would require accepting the use of their invasive business practices to maintain a normal experience on the Internet is pretty abusive of their monopoly in my opinion.

    5. Re:Lots of work to do by AmiMoJo · · Score: 3, Informative

      The invisible ones seem to be using things like mouse movements and other measurements of human interaction, which can be difficult to fake. They must have some way to prevent replay attacks. Not sure how they will handle people disabling Javascript, probably fall back to the old HTML5 method.

      I find what triggers the endless captcha loops is:

      - Privacy settings in your browser, especially Privacy Badger and uBlock
      - Blocking Flash/WebGL/Canvas fingerprinting
      - Disabling Javascript
      - Using a VPN
      - Especially using TOR

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  4. reCAPTCHA is simply another tracker by Anonymous Coward · · Score: 2, Interesting

    reCAPTCHA is triggered if you take basic precautions when browsing the web, e.g. blocking unnecessary scripts, cookies, trackers, beacons, and of course ads.
    If you do, reCAPTCHA will force you to complete a broken AI-training job, collect your behavioral data, and monetize your labor.
    Its purpose: to force you to become a PRODUCT of Google, the all-grabbing data company.

    And now it's even worse.

    Do not endorse reCAPTCHA. Don't put it on your website.

  5. There goes anonymous browsing by cfalcon · · Score: 4, Insightful

    The current "identify some bullshit" captchas can be done without javascript. This seems unlikely to have that failsafe. It will be a wad of purposefully hard to reverse engineer javascript, probably with some timing crap to make it hard to do anything with, and that will be that. It will of course ultimately end up generating telemetry.

    I sound pessimistic, but this has been the direction we've been heading for some time.

    1. Re:There goes anonymous browsing by jbn-o · · Score: 2

      Perhaps this is the latest PR initiative to try to get the public to defend "invisible" spying. Google makes considerable money and maintains relationships with powerful organizations on the basis of spying. Spying is very much a part of Google's business. Google could probably use a way to get more people to (even indirectly) defend Javascript-based spying by turning the public into ignorant supporters who say things like 'We *need* this invisible reCAPTCHA' when we could actually choose to do without it.

      Without knowing what the code does (and keeping up with all the changes, changes which can happen at any time) we can't confirm this code only does the job Google claims it does.

  6. Re:Google knows who you are already by Black Parrot · · Score: 3, Funny

    Speak for yourself. Insofar as Google knows, I am a dog.

    No, on the internet nobody knows that.

    --
    Sheesh, evil *and* a jerk. -- Jade

  7. Re:Given that Google not infrequently flags me... by ayesnymous · · Score: 2

    Google always thinks power users (people who use quotes around phrases, or who use the site:domain.com filter, or who are fast typers able to submit more than 1 search every 5 seconds) are suspicious.

  8. Re: "suspicious" by the system by Spazmania · · Score: 2, Insightful

    yeah... display the usual challenges and then reject correct answers two or three times in a row before accepting a correct one. And by the way Linux = suspicious. It's a POS.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.

  9. Re:reCAPTCHA sucks by molarmass192 · · Score: 2

    I'm pretty sure you meant Hertzfeld, not Herzog in that SJ citation.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato

  10. The inverse Turing Test by goombah99 · · Score: 5, Insightful

    So now we have an AI trying to decide who is the human, the inverse of the Turing test. What it comes down to then is it easier to create an AI that can pass the Turing test or the inverse Turing test. If it's easier for a bot to fool a bot then this AI strategy will meet its match in another AI. On the other hand if it's easier to do the inverse Turing test then this new strategy will work. I'm not really sure if it's obvious which test is harder.

    --
    Some drink at the fountain of knowledge. Others just gargle.