Google's reCAPTCHA is not only useless, it's also basically spyware

Daniel Sims

Why it matters: Captcha tests that require users to duplicate distorted text, solve puzzles, or click on grids of images to prove they aren't malicious bots have drawn scorn for years. Studies have long since shown that bots easily overcome them. Even the simple checkbox tests aren't much better. Recent investigations suggest that Google and other companies use them to track and collect user data.

YouTuber "Chuppl" reports that Google's reCAPTCHA v2 and v3 challenges don't deter bots and do little more than demand users' internet data in exchange for access to the internet. They track browser history, cookies, and more, selling them to advertisers or any other company willing to pay.

Users generally accept that Captcha tests keep armies of bots from flooding websites to deny service or facilitate fraud. However, multiple studies show that bots outperform humans in virtually every variety. Tests have shown that AI-based programs can solve the infamous traffic-light grid test with 100 percent accuracy.

Google's reCAPTCHA v3, which only requires users to click on a checkbox next to the words "I am not a robot," is much less annoying and more common nowadays. However, a 2023 study from the University of California, Irvine found that bots also pass it with flying colors.

The test likely draws curiosity from users due to its notable simplicity. Older Captchas present tasks that should be easy for humans but impossible for bots, but clicking a checkbox is trivial for both.

Most users who investigate reCAPTCHA v3 likely learn that it watches for human-like mouse movements as users navigate toward the checkbox. However, Chuppl quickly torpedoed that assumption by building a bot that passed the test in one attempt.

Researchers told Chuppl that the so-called security challenge records not just mouse movements but also user agent data and other identifying information. Furthermore, Chuppl's investigation suggested that Captchas block humans who anonymize their browser data more effectively than they block bots. The assertion makes sense to anyone who has tried to browse the web through a VPN.

Tracking data Google collects from Captchas carries an estimated value of nearly $898 billion. Furthermore, a lawsuit against the search giant for using reCAPTCHA v2 inputs to train AI revealed that the 819 million hours users spent clicking on the tests worked out to about $6.1 billion in unpaid wages.

The UC Irvine study concluded that Google should retire reCAPTCHA v2 and similar tools. An Austrian federal court has already banned the technology, finding that it violates users' privacy rights under the GDPR.

While the research appears pretty conclusive for Google's bot mitigation methods, the security and privacy implications of Guillermo Rauch's Doom Captcha remain unclear.

I would disagree that recaptcha does nothing. I have built many web sites in my career and if I don't put a google recaptcha on all my forms my customers will get spammed to hell. I just had a contact form last week that was missing the recaptcha and that person got over 300 emails in one day. I put the recaptcha on and the problem was gone. So I'm not sure how you can say it does nothing. I would call this a gigantic false statement.
 
It is probably used to train AI too.

But, without this implemented in the websites I make, bot spam in any contact form is insane.

I am pretty sure this is all we did all these past years...

I hope that AI will disrupt tech and get a run for their ambitions.

Nowadays, I use a VPN and I try to use Firefox as much as I can. It is becoming almost impossible to not be tracked. I am one of the few I know that doesn't have a linked google account on my phone. I use APKs and that's brutal. I never expected Google to be such a monopoly in so many fields.

It is impossible to use your phone as you would use a PC or laptop. The closest to what it could be would be the MS store to be the only way to get software.
 
Bots can easily pass the test? This is less about the test and more about the bots. Remember when IBM was using a custom BIOS for the AT computers? Remember how compatibles eventually defeated it as a deterrent to using non-IBM hardware? Hardware/software engineers looked at what the BIOS did and reverse engineered their own BIOSes. Flaky at first, they eventually were so "compatible" that IBM lost its PC market dominance to them.

Well that's the thing. If you know how a system works and have enough time/resources you can defeat it. Every... Time... It's why the internet, smart phones, PCs, passwords, etc. are never, ever, totally secure. Smart people design the systems and feel they're foolproof. Just as smart people say "hold my beer" and prove them wrong. Even if a security check like a CAPTCHA has hidden capabilities, someone, somewhere, will figure out how it works and defeat it.
 
The Captcha images are getting so bad recently that I have had to skip to the next one until I find a set that are clear enough to recognise.
 
I'm not surprised bots are more proficient at solving these than humans.
For humans it's an annoyance. For bots it's an easy bypass.
Time to abolish this stupid test and move to better alternatives.