From space exploration to analyzing data and vacuuming the house, robots can do all kinds of complex tasks. So how is it that checking a box on a webpage is what stumps them? Well… technically, it doesn’t. In a quest to make it harder for bots to slip through, what was once a security check has now evolved into a tool for Google to snoop on you and your browser history at any time.
What is CAPTCHA exactly? CAPTCHA (loosely) stands for “completely automated public Turing test to tell computers and humans apart.” The software was initially designed as a challenge-response authentication protocol — a procedure where one party presents a puzzle that requires a solution from a second party for access — to stop spammers and hackers from using bots to interact with webpages.
If you remember, before the now-infamous I’m Not a Robot box, CAPTCHAs used to look something like this. But as robots got smarter, CAPTCHA got harder, and eventually became inaccessible to most of us humans. By 2014, CAPTCHAs looked like this, and Google had developed AI that could pass 99.8% of the tests… while humans were only passing 33%.
That’s why Google invented The Box. CAPTCHA’s more sophisticated successor, reCAPTCHA, introduced a simple clickable test to make authentication more seamless. Why can’t a robot do that? Well, it can. But the click isn’t the test; the way you click is. The trajectory of your cursor is a good indicator of whether or not you’re human — a cursor controlled by a bot moves in a suspiciously straight line at a consistent speed, while human cursor movements are… well, human.
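The two signals described above, path straightness and speed consistency, as an added example that is not part of the original article and is not Google's code. The function names, thresholds and both sample traces are constructed assumptions.

```javascript
// Illustrative heuristic only: scores a pointer trace on the two signals the
// article names. Thresholds are assumptions, not reCAPTCHA's real values.
// Each sample is {x, y, t}: position in pixels, timestamp in milliseconds.
function traceFeatures(samples) {
  let pathLength = 0;
  const speeds = [];
  for (let i = 1; i < samples.length; i++) {
    const dist = Math.hypot(samples[i].x - samples[i - 1].x,
                            samples[i].y - samples[i - 1].y);
    const dt = samples[i].t - samples[i - 1].t;
    pathLength += dist;
    if (dt > 0) speeds.push(dist / dt); // skip duplicate timestamps
  }
  if (speeds.length < 2 || pathLength === 0) return null; // nothing to judge
  const first = samples[0], last = samples[samples.length - 1];
  const displacement = Math.hypot(last.x - first.x, last.y - first.y);
  const mean = speeds.reduce((a, b) => a + b, 0) / speeds.length;
  const variance =
    speeds.reduce((a, s) => a + (s - mean) ** 2, 0) / speeds.length;
  return {
    // 1.0 is a perfectly straight path; wandering paths score lower.
    straightness: displacement / pathLength,
    // Coefficient of variation of speed: near 0 means constant speed.
    speedCv: mean > 0 ? Math.sqrt(variance) / mean : 0,
  };
}

function classifyTrace(samples, minStraight = 0.98, maxCv = 0.1) {
  const f = traceFeatures(samples);
  if (f === null) return 'insufficient'; // e.g. a tap with no movement
  return f.straightness >= minStraight && f.speedCv <= maxCv
    ? 'bot-like' : 'human-like';
}

// Constructed trace: ten evenly spaced points on one line, 10 ms apart.
const BOT_TRACE = Array.from({ length: 10 },
  (_, i) => ({ x: i * 10, y: i * 5, t: i * 10 }));

// Constructed trace: a curved approach that slows down near the target.
const HUMAN_TRACE = [
  { x: 0, y: 0, t: 0 }, { x: 4, y: 9, t: 16 }, { x: 15, y: 22, t: 31 },
  { x: 33, y: 30, t: 52 }, { x: 58, y: 31, t: 70 }, { x: 80, y: 38, t: 95 },
  { x: 88, y: 43, t: 140 }, { x: 90, y: 45, t: 200 },
];

console.log(classifyTrace(BOT_TRACE), classifyTrace(HUMAN_TRACE));
```

Both traces start and end at the same points; only the shape and timing of the movement between them differ.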
Think you have bot-level control over your mouse? If you have to click on picture CAPTCHAs, that may actually be the case. If you’ve had to identify fire hydrants or crosswalks or traffic lights, it means that the site may still be unsure whether your cursor movements are automated or not. But let’s not forget to look at the big picture…
Google can track your movements. Using reCAPTCHA means that the company has the facilities to potentially funnel information from users, even from sites that aren’t technically affiliated with the tech giant. And that’s not all. Modern reCAPTCHAs don’t require user interaction at all — they just examine your browsing history. Internet activity is the clearest indicator of who’s human and who’s a bot. For example, it’s unlikely that bots will Google their own names, EGP to USD rates, or the most shocking Met Gala look this year.
Your browsing history is a goldmine for anyone in the advertising business (and Google is). This raises serious privacy concerns, since 77.4% of Google’s revenue comes from its ad business. Google insists that it doesn’t use information gathered from reCAPTCHA’s peeks into our internet history for personalized ads — it says as much in the reCAPTCHA terms of service. It’s up to you whether or not you choose to believe a company that just recently removed “Don’t Be Evil” from its code of conduct.
Or one that saved browser records from users using Incognito mode. Incognito mode on Google Chrome claims to keep your browsing private by not saving activity data onto your device or linking it to your Google account. Chrome also states that once you close all of your Incognito windows, the browser discards any site data and cookies gathered during your search. A lawsuit filed against Google in 2020 accused the company of saving “bns of data records” from Incognito users.
“Hold on, I didn’t give Google permission to track my cursor or my internet history.” Yes, you did. If you check Google’s privacy statement and informational video (watch, runtime: 0:57), whenever you use a Google service, you allow the company to collect information that includes the searches you make, the ads you interact with, and visits to any website that also uses Google services. That includes 30 mn websites that use Google Analytics, 14.5 mn sites run by any of the 5 mn companies that are subscribed to Google Workspace, Google Docs, and any other collaborative tools, and any of the 58.8 mn pages that use Google Ads for advertising purposes. Did we mention that that includes information about your location?
As a result, Google assumes permission to track you. All. The. Time. It doesn’t even need you to interact with reCAPTCHA anymore; it just uses your tracking info. If you think that not using Chrome will help, you are sorely mistaken. Users have reported that while using browsers that aren’t affiliated with Google, like Firefox, they’ve noticed having to complete more reCAPTCHA challenges. This raises the question of whether Google is simply trusting its own browser to be better at bot detection, or trying to usher users over to Chrome. There’s no way to opt out of reCAPTCHA on a site you need to use, so we’re either forced to accept being tracked, or drop off the grid entirely. We’re not sure which choice is more radical.