We've seen ReCAPTCHA pop all over ecommerce, all over benign websites with little to no need to challenge use almost completely because of the increase in privacy-aware users.

ReCAPTCHA essentially flies in the face of the recent blocking features rolling into Safari and Firefox and more privacy-aware users...growing by the day.

In many ways it's a genius structure from Google. 1. Convince people to use your privacy challenge. 2. Serve it when you don't see Google tracking cookies. 3. Offer a way around that with the least privacy-aware browser available (Chrome use is growing steadily month over month.

So good on Cloudflare.

If you blocked cookies or were otherwise problematic, it would sometimes lock you out of all ReCAPTCHA-gated resources not by giving you a message describing what was happening, why, and how to fix it, but rather by simply pretending that your every attempt to solve the captcha failed. Obviously this is extremely frustrating, by design, but it gets even more so with compounding factors like "the library is closed at this hour, so I can't get a fresh connection."

The worst I've seen has been when it happens to people who aren't well equipped to guess what's happening. When my friend's younger brother got hellbanned from his PlayStation account, he spent 30 minutes trying to identify traffic lights (or whatever) and then retreated crying to his room, because he wasn't able to deduce that Google was gaslighting him. He trusted Google. They had him convinced that he was such a failure he couldn't even identify traffic lights correctly, and he was -- quite reasonably -- inconsolable for a while.

Thanks a lot, Google.

After a while I usually need to ask friends in the US to help me, because it asks me a non-localized question.

My favourite question was: Select all fire hydrants.

I selected only the classic red one's you see in movies. Fail.

I selected the one's that were yellow too. Fail.

I sent a picture of the grid to a friend. He spotted that some of the pipes on a wall were fire hydrants, which I didn't know. Pass.

In my country we don't have hydrants. We have holes in the ground that are covered by a lid. After removing it you can attach the water hose there.

If I get a bunch of failures in a row, I'll first try the refresh button built into the captcha, and then re-solve a number of times. Then I'll try re-loading the page and re-solving, then I'll try in a different browser with cleared state and re-solving, then I'll try a different device and re-solving, and finally I'll try a different connection, device, and cleared browser state and re-solving.

I'll consider something a hellban if I get persistent failures across several different challenge types but switching to a clean connection+device+state results in immediate success with the captcha.

Look, I get it, they can't be too explicit with the errors or they tip their hand to the botters and effectively give them a "to-do" list. Still, the gaslighting is persistent enough that there's just no way it's marginally beneficial all the way through. At some point, everyone figures it out: bots, techies, and normies. My guess is that they figure it out in this order, from quickest to slowest: smart bots, techies, normies, dumb bots. I'm not calling normies dumb here, they just don't have much background knowledge about the inner workings of captchas, so it takes longer. By that point, they're so far past the typical number of captcha attempts that only the very dumbest of bots, those without heuristics to detect this sort of thing, are going to be fooled along with them. Surely having the captcha tip its hand at this point -- which only gives an advantage to the dumbest of bots, because the smart bots figured it out long ago -- is the right thing to do.

Re:CAPTCHA has no mercy on the normies, and I really think they could do a lot better.

OTOH, it is hard to figure out for sure what makes a difference. I use a proxy/VPN with a fixed IP address that only I use and Google eventually seems to have figured it out; I used to get the hard or impossible ones on Google Scholar at times but now never do. So possibly in my case they decided to stop giving them to me around when I changed strategies, but I suggest giving it a try at least.

I’m not sure what they’re measuring, but I doubt it has much to do with image recognition performance.

My new strategy is to just file support requests to any company using them, complaining that I did their test correctly but it still rejected me. My idea is quite simply to make reCaptcha unfeasibly expensive to use.

Why does the Deezer app installed on my desktop PC need a daily captcha?

That said, I use it myself on all of my companies' customer support forums to discourage people from sending me those pesky requests. In that sense, it's the new "please hold the line".

In any case, I'm glad that Google's motto is "don't be evil". That reassures me that using reCaptcha is morally acceptable ;)

I would have thought ReCAPTCHA would take into account human factors (e.g. speed of clicking) as higher priority to the accuracy of the selection.

Mouse: They could then try to analyze human delay randomness -- it's probably not uniform.

Cat: And then someone will come up with a replacement to randomDelay that mimics the above pattern.

Mouse: And then they will look for changes in the distribution itself from person to person

etc.

A few years ago the client stopped sending mouse data back to Jagex altogether. Luckily, I don't think there's many poor developers tasked with trying to recover any signal out of that anymore. :)

I write the site owner short note when they go bad explaining why they just lost a customer and go somewhere else. Life is too short to put up with shitty tech.

I'm always curious to hear what other approaches might be worth considering. CAPTCHAs tend to tick the boxes of performing well enough for website-controllers and being low-effort for them to deploy.

There's a lot of ground between "error messages precise enough to effectively give botters a to-do list" and "faking failures 100 times in a row." What was the marginal utility of the 99th fakeout? Are there really enough otherwise effective bots that get persistently tripped up by this particular fakeout to justify sending the poor kid crying to his room?

Almost certainly not. What really happened is that someone removed (or never added) user communication in order to maximize their score against botters and gave little thought to mitigating their false positives. Minimizing them, yes, mitigating them, no. "Humans are smart, they'll figure it out," they rationalized to themselves, and called it a day. They never bothered to calculate (or even guess) when the marginal utility of the fakeout dropped far enough to allow them to have mercy on the poor humans still caught in their web.

As for specific things one can do, like anything, more effort means better results. I'm not going to talk about this much, but we do look at a lot of different behavioral and other signals for fraud detection, as that's an important aspect of our business.

If others are fine with annoying their customers to offload risk, they can make that call. I don't have much sympathy about lost sales, though - it is literally choosing to waste customers' time and increase frustration for one's own benefit.

Now I just deliberately give bad answers and get to “pass” the challenges... not sure why

Yeah, most of the time it's "just" really, really obnoxious, not to mention coercive in a way that aligns with Google's interests.

Thanks, Google.

> How, in your opinion, should Google have handled the matter in a way that does not give spammers or other abusive users ways to get around the measure?

"Our anti-spam systems believe that you might be a robot. Your profile has been locked for (x) minutes. Sorry for the inconvenience. Go _here_ to learn tips & tricks for avoiding lockouts in the future." X gets exponentially ramped.

Note how vague the message is. It sacrifices the opportunity to tarpit a really dumb robot in exchange for not being awful to humans.

Based on ReCAPTCHA's design decisions, it's abundantly clear that eeking out every sliver of a percent of marginal efficacy is the priority over treating users humanely. That's why I have a problem with ReCAPTCHA.

Thank you for sharing! Have you considered the possibility that presenting any message at all - especially one with a clear block time - is sending a very clear message to bot controllers? I'm sure you've considered this, and I am just failing to understand. Wouldn't that remove any real gains from being vague with tips & tricks?

Wouldn't there also be the real chance that vague tips & tricks would leave an actual human being in tears, convinced that they're just too dumb to understand them properly?

I'll bite: maybe it's good at identifying obedient drones and letting them through :)

It trips up the normies in my life often enough that I suspect being technically inclined is actually a net advantage because it makes you quick to detect the problem and quick to apply workarounds. Those advantages are significant enough to outweigh even the cost of the semi-regular dance where I try to protect myself and Google jerks my chain.

> Have you considered

The fact that I phrased my proposal as a tradeoff should have strongly hinted that I did, in fact, consider.

> Wouldn't that remove any real gains from being vague with tips & tricks?

One bit of information -- locked vs not -- is hardly the same as disclosing the inner workings, or even the information inputs, of the classifier, and smart botters have access to that bit of information anyway because they've built a gaslight detector by leveraging their legions of diverse bots and endless supply of dirt cheap human labor.

Gaslighting humans is really bad. A minimal courtesy would only cost a sliver of efficacy, and ReCAPTCHA still rejects it. That decision earns it the bad will directed its way.

Do you use any sort of privacy protection while browsing? I do a few simple things like browse in private mode by default, and ReCAPTCHA just cannot deal with it. It instantly brands my connections as a bot. It is obnoxious. Using private mode shouldn't ban you from the web. There's no reason that most web sites need to save data on my computer to identify me later.

I have not found them to ban me from the web. I'm sorry that has happened to you.

That said, I also expect to be treated with more suspicion when I behave more like a bot. So I'm neither surprised nor bothered when Firefox Private gets me an uptick in ReCAPTCHAs. I understand that this is a highly unusual expectation.

I for one am getting quite tired of trillion dollar corporations getting things for free out of me. Hard pass.

Is this still true? I keep seeing the same type of images for years and there might be 7 or 8 different categories but that's it. To me reCaptcha looks like a service well in its maintenance phase. If it was actually in use for training purposes you might expect images to match a wider range of tasks.

Hell, for a little while Google had a game (can't remember the name of it) which was labeling images with another person to get points and people loved it.

Though we're still just talking about a few HNers here who complain about doing "free work for Google", not the broad population.

There's a vast army of computers doing their best to pretend to be human. The whole point of any kind of CAPTCHA is to try to catch them out - and every measure gets worse over time. So companies like Google look at everything they can see that helps them distinguish typical humans from robots.

This has a nasty side-effect. A lot of measures intended to preserve privacy have the incidental effect of making the privacy-sensitive user look more like a computer and less like a human. Not saving cookies and not executing JS are classic bot moves. This plays directly into the sensitivity that has been engineered over time in order to catch more computers posing as humans.

I don't know any easy resolution to this tension. Maybe you do? I really hope so. The internet is overrun with abusive behavior and the amount of work that goes into keeping it at bay is staggering.

It is understandable and I expect HCAPTCHA to do the same thing. The goal of a CAPTCHA is to identify you as a human. I don't know how ReCAPTCHA works, but I expect it to be like spam filters: they have a sample of bots, a sample of humans and assign weights to every aspect, in the end, the algorithm spits out a probability of you being human, and it will challenge you until it reaches a set value.

The thing is: if you hide everything for privacy reasons, you are making yourself indistinguishable from anything else using HTTP, including bots. That's the point, but it also means the only way to prove you are human is through a challenge.

Think of it like a private club. If you a regular and the bouncer is likely to recognize you and let you in without asking anything. But if you don't want to show your face, you will need to show your membership card every single time. That's the price of anonymity.

Just to be clear: Cloudflare is only changing the _provider_ of CAPTCHA's. They are not changing the _criteria_ for showing CAPTCHA's.

So users who have robust cookie blocking in place will continue to be penalized.

Even in the article they say... "Google provided reCAPTCHA for free in exchange for data from the service being used to train its visual identification systems." ... I thought this was one of those win/win things... Google gets something, websites get something... what's changed? Is Google not getting much out of reCAPTCHA now?

> Again, this is entirely rational for Google. If the value of the image classification training did not exceed those costs, it makes perfect sense for Google to ask for payment for the service they provide.

This might be exacerbated in the case of Cloudfare. Imagine a system where 99% of the visitors being challenged are human. The data gathered from such visitors is quiet, quality data. That fits the usecase of validating an anonymous poster on some random blog. Now consider the Cloudflare usecase. Visitors will only be challenged when Cloudflare already expects you're a bot. Most of the challenges are served to bots. The data is much lower quality, but their cost per challenge has remained the same.

It could just be that as this type of usecase became dominant, the balance of value tipped.

The only case where we see up to 3% solved is on rules targeting networks which contain mostly free (as in beer) VPN providers (the new pest of the internet). Those networks sent a lot of malicious and automated traffic with the mixed in 3% of real users.

To put this into numbers of the past 24h: ~ 76 Million requests served ~ 1 Million of those were captchas ~ 0.5 Million were outright blocked Captchas solved: 1233

I don't think this aspect did matter much because it was always the sites decision to use reCAPTCHA and that didn't change.

I also don't think Google gets much profit out of the image tagging part anymore, they already have a huge database of tagged images.

On the other hand, I've been effectively banned from several sites because I don't accept third-party requests to Google from non-Google sites as a result of this change.

The original reCAPTCHA corrected errors in scanned books published decades/centuries ago. At some point, they're all fixed.

Similarly, more recent images have all been of traffic images. And they probably have way more than enough now -- at least of the type that can be done by reCAPTCHA.

So unless Google comes up with a new mass-categorization problem easy enough for literally everyone to do and simple and small enough to fit in a reCAPTCHA... then they charge.

Overall I would like to see these checks removed and Cloudflare is using them quite excessively.

Has this been true lately? Every time I see it, it gives me the same images from a set of 3. 90% of the time it's classifying street lights, and it's the same street lights every time. About 7% of the time, it's pictures with cars in them, and again, it's the same pictures most times (but in a different order, I think). The remaining times it's fire hydrants or store fronts, often in a language I can't read, so I don't know if it's a store or not. (And again - mostly the same images each time.)

But I've now attained zen-like clarity on the issue: the complaints are coming only, and always were coming mostly, from people whose idea of appropriate change over time is to still complain about Google Reader almost a decade after it happened.

Anyway, hopefully hCaptcha works with Tor.

I'm wondering about other use cases, using it to prove you've paid for something, or donated perhaps. Or passed a daily quiz/challenge. I feel like there's some fun ways of using this.

The pattern seems to be 2/3 'right' guesses. on sites like eBay, the captcha is broke on firefox. I complete it, and it says "you need to resubmit this form again", and reloads the entire page.

That's the cost of privacy; broken pages and refused access because Google says "NO!".

And businesses are okay with Google denying them money. I wonder if they did a cost/ben analysis if they find it worthwhile.

Thanks to Google, I've actually saved quite a bit of money, they lost out hundreds recently when their automated systems decided to refuse my transaction. Their loss and my gain.

I frequently run into the same issue of having correct answers rejected, and have read posts from many others who experience the same. At some point I started intentionally picking random squares for the first couple image sets. Interestingly, it doesn't seem to end up taking any more submissions overall than when I try to pick the right answers from the start.

Plus, polluting Google's free work data set ever so slightly gives me a small amount of pleasure.

(Disclaimer, I work at msft. Nowhere near this though).

Make sure they know. I write to sites and tell them they just lost a customer because Google doesn't give a shit. I've gotten replies from smaller outfits that had no idea what was going on.

Browsing an "I'm under attack"-mode website behind Cloudflare has been super annoying for me since last week. To the point that I usually close the page when I see a HCAPTCHA. Their visual challenge is harder to navigate than reCAPTCHA, and because this is their business model I suspect they have incentive to make it easier.

- Ad blocking extension not installed or rules too lax - Script blocking not enabled - no VPN used - stores tracking Cookies

If all of those do not apply to you, I would feel discriminated against by Google, even more so, than usual.

1. I do have an ad blocker installed, but it's not very aggressive.

2. All scripts are enabled. I already have trouble with some sites due to my fairly lax ad blocker.

3. I do not use a VPN (since it just transfers who is able to see my traffic from one party to another). Additionally, virtually every service provider penalizes VPN IPs to the point where it's probably not worth the hassle.

4. Not sure what you mean by "stores tracking Cookies".

---

> If all of those do not apply to you, I would feel discriminated against by Google

I do not agree with that (mostly because of point 3). The reality is that VPN traffic is significantly more "spammy"/bot-filled than non-VPN traffic. It's a perfectly rational and justifiable way to protect sites (albeit ReCAPTCHA is of dubious effectiveness).

Doing all of the stated things these days has become a minimum for protecting your privacy online. The current situation is a quite bad for privacy conscious people. Even if we only trust first party scripts and do not allow them being loaded from a subdomain, which actually has all the third party scripts again, we still face issues, for example fingerprinting.

I can only laud websites, which can be used completely without third party scripts or perhaps even without scripts at all, making sure it all works with REST, offering alternatives, when scripts are blocked.

It's good to see some "competition" in this area, even, if I do not trust cloudflare either. More competition means less Google monopoly. Hopefully in the long run it will lead to better solutions for casual users.

Not to wax cynical, this seems like it might not encourage better behavior in every possible scenario.

reCaptcha is wildly sophisticated under the hood[1]. I use it on all three major browsers and find the number of challenges varies from 0 to 4: sometimes it says I'm verified without doing anything, other times I need to go through 4 screens.

I would love to see someone put some numbers behind this claim, because I think it is false.

[1] https://www.blackhat.com/docs/asia-16/materials/asia-16-Siva...

EDIT: Are you downvoting because you don't like reCaptcha, or because you can't (or won't) set up an experiment to demonstrate this claim and prefer to just jump on the bandwagon?

That is my repeatable experience as the end user.

I get why Firefox won’t sue Google. I wish end users would.

So it came down to cost.

> Over the years, the privacy and blocking concerns were enough to cause us to think about switching from reCAPTCHA. But, like most technology companies, it was difficult to prioritize removing something that was largely working instead of brand new features and functionality for our customers.

I like that they're upfront about this. In most companies / teams of this size, these issues are always swept under the carpet until something ugly forces you to clean up at a later point in time. It's just unavoidable.

Nice.

And now I'm wondering if this may not be a spectacularly useful tool to raise standards of education world-wide. Imagine, say, the French government buying them and asking every person on the internet twice a day to match some vocabulary to images: Identify "le baguette"! Lingua Franca, le sequel.

Or a maps puzzle: "Please identify Equatorial Guinea, Papua New Guinea, and Guinea-Bissau".

Also, I don't want to solve any script captchas anymore because of a traumatic experience with script Recaptcha. I had a portable Chromium with login cookies for a few websites. I didn't use that Chromium for other websites than these few. Suddenly, one service almost always demanded a new login after just 1 day. On each login I had to solve a script Recaptcha. I didn't find a way to get non-script Recaptcha. According to the service evil spambots had attacked it. Once, Recaptcha let me solve captchas for minutes, just to eventually tell me I was a bot. I had an IP of a large internet provider. I deleted cookies, got a VPN IP, tried it again, worked on the captchas in the exact same way as before and managed to log in to my account. A website operator wrote in a forum thread that Recaptcha was the only solution to the bot problem. One user suggested "email login as an optional alternative". This was not implemented, because apparently Recaptcha was really specifically the only solution. I then switched to another service, which cost me a few hours of work. This traumatic experience has made me completely unwilling to solve any script captcha.

[1]: https://www.hcaptcha.com/#plans

Cloudfront might get a discount for running some of the infrastructure on their own servers, on the other hand that might also be an integration hassle that actually costs them money.

This seems unwise, because many captcha farms charge less than this. A quick Google search shows one service offering $0.50/1000 challenges. If it's 2x cheaper for an attacker to solve a captcha than it is for a provider to display it, it sounds like the attackers win.

Spammers don't want to hurt the company they attack if they can help it, they need them!

I don't understand why ReCAPTCHA cost so much though. A human solving them is cheaper than a computer/human hybrid creating them?

Regardless of the actual price multiple, it costing anywhere near the price to serve as the price to solve just seems to defeat the point. Really, it costing any money per captcha served just punishes sites that happen to face a higher volume of bots, even if they're a small site. It's just going to push the company to switch to a different captcha service, which may be even cheaper for attackers to solve.

I think they meant “bot or human”, not “malicious or good”. Bot != malicious. And these challenges will do no good to non malicious bots.

"We evaluated a number of CAPTCHA vendors as well as building a system ourselves."

and

"We worked with hCAPTCHA in two ways. First, we are in the process of leveraging our Workers platform to bear much of the technical load of the CAPTCHAs and, in doing so, reduce their costs. And, second, we proposed that rather than them paying us we pay them. This ensured they had the resources to scale their service to meet our needs. While that has imposed some additional costs, those costs were a fraction of what reCAPTCHA would have. And, in exchange, we have a much more flexible CAPTCHA platform and a much more responsive team."

So Cloudflare are basically cloud hosting hCAPTCHA's services. I wonder why Cloudflare didn't just buy them, as it seems like it would be a win-win with getting an excellent CAPTCHA service, and not have to build it themselves?

CF probably has zero interest in that part of the product: It doesn't fit with their existing products nor customers, and it's just too small relative to their other business to devote much attention to it.

At the same time, the business opportunity is probably too large for hCAPTCHA's founders to just forget about it, or for CF to compensate them on the hot-new-technology assumption when they're only looking for peace-of-mind-utility tech.

Maybe if you are big and essential for some users, you can afford that. But if not, be aware that users will turn their back on you if you add obstacles between them and your service.

Edit: meant to say “be aware that some users will turn their back to you”

You have to balance that against how many users you'd lose if the site was down/vandalized/compromised by an attacker if the captcha protection wasn't there to keep it out.

It's often worthwhile moving the captcha away from the initial login or signup form and only putting it on the second or third attempt to login, or on features that put significant load on the server.

Though if your service is a lucrative target for {uname,pass} combolist spam, you'll see that each attempt comes from its own IP address and only makes that one request. It's pretty sobering.

What is the non-lazy solution to having a basic website contact form that _doesn't_ receive hundreds of spam submission per day?

Captchas prevent bots from submitting spam, but they don't prevent humans from submitting spam. In 99% of cases, your problem is the spam, not who is submitting it. The non-lazy solution is to look at the content itself and directly determine whether it's spam, instead of relying on a related heuristic (e.g. who submitted it) to make an informed guess.

For example, let's look at an actual service for identifying spam payloads: Akismet. It still lets a lot of spam through, especially in non-English languages.

Obviously, it's an extremely hard problem that is hard to do 100% correctly. But it's a viable non-lazy solution (that still needs a lot more work than the current state-of-the-art implementations) compared to the lazy solution of just putting captchas on the page.

The ideal solution would get rid of spam without inconveniencing users who aren't submitting spam, I'd think, which means captchas aren't it.

I'm thinking it would probably reduce the number of users who successfully contacted you legitimately, but CAPTCHAs also do that. Do spammers actually have the email accounts they claim to and respond to confirmation emails?

The solution gets around potential vendor lock-in and privacy issues with a service like Google's, but it still fundamentally shifts the problem from the service to the user (the original commentor's gripe).

So there is no non-lazy solution.

I get your point about shifting the problem, but that's kind of the only option for the vast majority of website operators (particularly small ones).

I have zero love for CAPTCHA myself, I have put time and effort in to other, server-side solutions but none perform even remotely as well.

I had a customer where we had to migrate away from Cloudflare for this reason - this was about 5 years ago and the issue has been there to this day. Glad to hear they've finally done something about it. Even if it took Google starting to charge money for ReCAPCHA to trigger it.

> We also had issues in some regions, such as China, where Google's services are intermittently blocked. China alone accounts for 25 percent of all Internet users. Given that some subset of those could not access Cloudflare's customers if they triggered a CAPTCHA was always concerning to us.

They are explicitly saying that China's blackmailing of Google is working so well it even affects decisions on using Google products outside of China.

I'm not a Google fan and think this move is a great improvement for the web and user privacy, but that this was explicitly motivated by China's blackmailing tactics is terrifying.

And we can from this post even make another case that also doesn't paint a nice picture: Cloudflare does not care enough about 25% of internet users to move away from reCAPTCHA - until it affects their bottom line in a visible and immediate way.

I'm not going to link to them, but you can find them yourself by googling "buy recaptcha solver". The prices for the top two results are $0.50 and $1.39 per 1000 solves (respectively, $0.0005 and $0.00139 per solve).

At that price point, it's feasible for the truly determined to just use those solvers to bypass ReCAPTCHA (or similar services).

This is also why Git’s history is easy to edit when it’s only on your machine. But once you push to GitHub and others clone your repo, it becomes a lot harder to edit history. Yes, Git isn’t a blockchain, but it does use the idea of hashing the previous “block” (commit) and storing it in the current “block.”

Wait. Is this news? I don’t see other article about this. What is the pricing?

And given spammers a lot of the time are messing with Google, it's also in Google's interest to do this for free!

What are they thinking? Is this one department make $100 internally while killing $1000 in another internal department?

I’ve been seeing hcaptcha in more and more places recently. It’s a bit rough around the edges still, but it works well and feels far less hostile than recaptcha.

It's intriguing they said Google will charge for reCaptcha, any information on that? I can't imagine all the small business owners will have to start paying, but perhaps if they did they'd just remove it altogether (a net win!).