Google Invisible reCAPTCHA fights robots from the shadows

Pretty much everyone hates CAPTCHA forms, the often-annoying checkboxes or miniature surveys that many web sites force upon a user in order to access a particular page. A CAPTCHA's purpose is to serve as a verification tool to ensure that only conscious entities like living, breathing human beings can access certain internet resources, and prevent bots from spamming contact and e-mail forms. Various flavors of the tool have required unique inputs, from clicking a box that says "I am not a robot," to forcing users to type in words that OCR software couldn't figure out, or categorize different images. Google claims its Invisible reCAPTCHA technology can now keep out bots without requiring any intervention from actual users.

The company has provided little information about how its technique actually works, for fairly obvious reasons. According to Google's video, Invisible reCAPTCHA uses "a combination of machine learning and advanced risk analysis that adapt to new and emerging threats." Whatever exactly that means, it's expected that most users won't have to do anything, while any access that's deemed suspicious will be presented with traditional CAPTCHA challenges. Webmasters willing to try it out can click here to sign up.

If the system works as well as Google says it does, many online activities might become just a little more convenient. Buying event tickets, online banking, and signing up for online gerbil husbandry forums might require jumping through one less hoop in the future.

Comments closed
    • Wilko
    • 3 years ago

    [quote<]Buying event tickets, online banking, and signing up for online gerbil husbandry forums might require jumping through one less hoop in the future.[/quote<] Online gerbil husbandry forums? Is there a secret TR forum I don't know about?

    • HighonLaces
    • 3 years ago

    I’m sure Google had good intentions maybe with some parallel data harvesting on the side, but I’ve just looked up invisible recaptcha and it turns out it’s not invincible (or invisible for that matter)
    Guys at [url<]https://2captcha.com/2captcha-api#invisible[/url<] have already found how to bypass it)) I don't need it in my projects, but sure appreciated their effort describing what it is.

    • Shouefref
    • 3 years ago

    That won’t work without spying on you.
    For me this is a no-go.
    And being invisible, we won’t be able to notice whether a site uses it.
    It should be forbidden as a breach of privacy.

    • tipoo
    • 3 years ago

    Obligatory?

    [url<]https://xkcd.com/810/[/url<]

      • davidbowser
      • 3 years ago

      NAILED IT!

    • brucethemoose
    • 3 years ago

    [quote<] advanced risk analysis [/quote<] In other words Google uses that giant user tracking database of theirs? I bet it starts by trying to match you up: IP, browser footprint, detected hardware, whatever. If it recognizes your online footprint as a known human one, (which is that fancy risk analysis they're talking about), you don't get a captcha.

      • Waco
      • 3 years ago

      Very likely, but user machines get compromised all the time, so it can’t be just that.

      • tacitust
      • 3 years ago

      No it’s not that. It’s to do with identifying cues that can only come from human input as opposed to a bot — similar in the way they already do for the “I am not a bot” checkmark captcha. Combine that with their vast database of comment spam, and the ability to identify thousands of (almost) identical spam comments being sent out over a very short time, it should be very effective, just as their GMail spam filter is.

      As the other commenter said, knowing who the account/ip address belongs to is useless, since (a) they can be compromised by bots at any time, and (b) ip addresses are recycled all the time, especially if you’re using a VPN. This is not an example of Google using their user tracking database.

      My parents’ email account was getting snowed under with spam, so I redirected it through GMail and it filtered it all out, instantly, and I’ve not seen a false positive yet. When it comes to spam, Google are putting their big data resources to good use.

    • EndlessWaves
    • 3 years ago

    It’s got to be better than the image one. It must average five or ten screens long and a quarter of the time refuses to let me progress unless I mark an office entrance as a storefront or something else equally silly.

      • EzioAs
      • 3 years ago

      The worst was when it told you to tick the all picture grid containing a signboard. I could never get that type right, not even once.

        • albundy
        • 3 years ago

        you are not supposed to. you are supposed to select enough boxes to proceed.

          • EzioAs
          • 3 years ago

          Yes, but how do I know how much is enough? I tick every picture that have even little part of the signboard.

    • GrimDanfango
    • 3 years ago

    Being Google, I presume however it works will certainly involve quietly harvesting and storing as much information about you as possible.
    I mean, they may not even have had to actually *do* anything – they probably already have more than enough data to know not just that someone is definitely human, but specifically which human they are, and all of their shopping habits.

    • tacitust
    • 3 years ago

    The Anti-Spam plugin for WordPress has been doing something similar for months. It uses a little bit of JavaScript on pages with comment submission forms to detect whether the submission is coming from a spambot or a real-live person.

    It’s been working a treat for me ever since I installed it.

Pin It on Pinterest

Share This