Google's New ReCAPTCHA Has a Dark Side

An anonymous reader quotes a report from Fast Company: We've all tried to log into a website or submit a form only to be stuck clicking boxes of traffic lights or storefronts or bridges in a desperate attempt to finally convince the computer that we're not actually a bot. For many years, this has been one of the predominant ways that reCaptcha -- the Google-run internet bot detector -- has determined whether a user is a bot or not. But last fall, Google launched a new version of the tool, with the goal of eliminating that annoying user experience entirely. Now, when you enter a form on a website that's using reCaptcha V3, you won't see the 'I'm not a robot' checkbox, nor will you have to prove you know what a cat looks like. Instead, you won't see anything at all.

Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users' risk levels to protect their site algorithms from malicious users and bots. But this new, risk-score based system comes with a serious trade-off: users' privacy. According to two security researchers who've studied reCaptcha, one of the ways that Google determines whether you're a malicious user or not is whether you already have a Google cookie installed on your browser. It's the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. 'Because reCaptcha v3 is likely to be on every page of a website, if you're signed into your Google account there's a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3 -- and there many be no visual indication on the site that it's happening, beyond a small reCaptcha logo hidden in the corner,' the report adds.

Read more of this story at Slashdot.