Debugger

Google Promises reCAPTCHA Isn’t Exploiting Users. Should You Trust It?

An innovative security feature to separate humans from bots online comes with some major concerns

Credit: Alexey Bezrodny/iStock/Getty Images Plus

A surprising amount of work online goes into proving you’re not a robot. It’s the basis of those CAPTCHA questions often seen after logging into websites: blurry photos of crosswalks, traffic lights, and storefronts that users are tasked with identifying through a series of clicks.

They come in many forms, from blurry letters that must be identified and typed into a box to branded slogans like “Comfort Plus” on the Delta website — as if the sorry state of modern air travel wasn’t already dystopian enough. The most common, however, is Google’s reCAPTCHA, which launched its third version at the end of 2018. It’s designed to drastically reduce the number of challenges you must complete to log into a website, assigning an invisible score to users depending on how “human” their behavior is. CAPTCHA, after all, is designed to weed out bot accounts that flood systems for nefarious ends.

But Google’s innovation has a downside: The new version monitors your every move across a website to determine whether you are, in fact, a person.

A necessary advancement?

Before we get into the how of this new technology, it’s useful to understand where it’s coming from. The new reCAPTCHA disrupts a relatively ancient web technology that has been harnessed for plenty of things beyond security.

CAPTCHA — which stands for Completely Automated Public Turing test to tell Computers and Humans Apart — first appeared in the late ’90s, and it was designed by a team at the early search engine AltaVista. Before CAPTCHA, it was easy for people to program bots that would automatically sign up for services and post spam comments by the thousands. AltaVista’s technology was based on a printer manual’s advice for avoiding bad optical character recognition (OCR), and the iconic blurry text in a CAPTCHA was specifically designed to be difficult for a computer to read but legible for humans, thereby foiling bots.