Facepalm: Thanks to machine learning and bot-based automation, CAPTCHAs now provide very little protection against complex spam operations. But they are still playing a major role in the opsec of many websites, and Google is still trying to improve the technology with some questionable privacy choices.

Google is working on a new kind of challenge to improve its reCAPTCHA system, using biometric identification to confirm that the user is indeed human. The new method is officially named "hand gesture verification" (HGV), and, according to early testing, is mostly useless. Even worse, HGV might pose a significant risk to a user's privacy, especially for anyone who doesn't trust Big Tech to manage their biometric data.

Google explains that HGV requires access to the device's webcam so that it can record "one or more" video clips of a user's hand. The user needs to wave to the camera, or perform other gestures, to let Google process the video and properly extract the most relevant biometric data points. The hand-wave gesture should allow the reCAPTCHA system to confirm that the user is not a bot.

Biometric identification should enhance reCAPTCHA safety, but HGV doesn't seem to work as intended. Some users have already tested the feature, confirming that the enhanced protection can be bypassed with just a few stock images and the "virtual camera" functionality provided by OBS Studio. A potential attacker would just need to "mimic" the hand gesture with a stock photo, while OBS' virtual camera can eliminate the need for a physical webcam on the system.

Machine learning and other advanced automation technologies can now defeat ID systems such as reCAPTCHA most of the time. The early failure of HGV highlights how biometric-based challenges are likely to follow the same path. The virtual camera bypass method should be pretty easy to automate through stock images and a bit of Python scripting.
Furthermore, HGV might prove to be a rather controversial choice for people who care about their privacy. Some users highlight how these types of features tend to normalize continuous background surveillance by Big Tech, providing unrestricted camera access just to visit a website.

Google said that the videos recorded by HGV are only processed to detect the hand gesture and are deleted soon after the verification process. Videos are "never" associated with a user's identity, while audio is not recorded.

As the recent case of the "deleted" and later recovered Nest video clearly shows, Google's cloud platform might retain some data in its backend system even when the user has no access to it. Whatever the EULA says, Mountain View will likely try to feed as much user data as possible into Gemini despite the potential privacy implications.