For the first time in the history of CAPTCHAs, users no longer need to type illegible text into a verification field, tick an “I am not a robot” box or, worse, pick out which images in a mosaic show a cat.
As explained by Google engineers, the new version of reCAPTCHA does not demand anything from the user. It runs in the background and automatically classifies users as robots or humans, using a scoring system based on their activity patterns and building different risk profiles.
All this sounds very good, of course. Browsing becomes a much more fluid and transparent experience, and the websites that adopt the new reCAPTCHA “bother” their users less. So everyone wins. Or not?
Well, it’s not so clear. As a group of cybersecurity experts has already denounced, Google's new system has a much less friendly side: intrusion into users' privacy. To understand why, the first thing is to explain how the new system works.
Google's supercookie
Like most of the sites we visit on the Internet for the first time, Google usually asks us whether we are willing to accept its cookies. This matters both to them and to us. Among other things, the Google cookie lets its services “remember” that we have already authenticated with one of them, so that we do not have to enter our name and password every time we visit.
So far, so good. But of course the Google cookie does more than that, almost all of it “harmless” so far. And we say “so far” because what these researchers denounce is that, for reCAPTCHA to work without having to “interact” with the user, it takes careful note of all the user's browsing habits.
In this way, if it verifies that you are browsing as a human being would, it awards you a high score and therefore considers you trustworthy. If, on the other hand, it suspects that you are not browsing as a person would, the score will be much lower, and in that case the service will launch other authentication measures, such as two-factor authentication.
This means that, whether or not we use Google products, the websites that implement the new system will “force” their users to accept Google's cookie whether they want it or not. And this is not exactly good news for those who care about privacy.
As these researchers have verified, when a VPN service or the Tor network is used to access sites that have included this security measure, the system automatically responds that the visitor is high risk and either blocks access completely or launches other authentication measures.
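The score-to-action behaviour described above (a high score is trusted, a low score is sent to extra authentication or refused), as an added example that is not from this article or from Google: a server-side decision function over the JSON fields that reCAPTCHA's siteverify endpoint returns. The thresholds, the `decide` and `sample` names, the `shop.example` host and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values; the article gives no thresholds.
ALLOW_AT = 0.7                   # score at or above this: treat as human
BLOCK_BELOW = 0.3                # score below this: refuse the request
MAX_AGE = timedelta(minutes=2)   # reject tokens older than this


def decide(resp, expected_action, expected_host, now):
    """Map a parsed siteverify response to 'allow', 'step_up' or 'block'."""
    score = resp.get("score")
    # A failed verification or a missing score is never trusted.
    if resp.get("success") is not True or not isinstance(score, (int, float)):
        return "block"
    # The token must have been issued for this site and this action;
    # otherwise a token obtained elsewhere could be replayed here.
    if resp.get("hostname") != expected_host:
        return "block"
    if resp.get("action") != expected_action:
        return "block"
    # challenge_ts is an ISO 8601 timestamp; stale or malformed ones fail closed.
    try:
        ts = str(resp.get("challenge_ts", "")).replace("Z", "+00:00")
        stale = now - datetime.fromisoformat(ts) > MAX_AGE
    except (ValueError, TypeError):
        return "block"
    if stale:
        return "block"
    if score >= ALLOW_AT:
        return "allow"
    if score >= BLOCK_BELOW:
        return "step_up"   # e.g. require a second factor, as the article describes
    return "block"


# Constructed clock and responses, so the example runs offline.
NOW = datetime(2019, 1, 1, 12, 0, 30, tzinfo=timezone.utc)


def sample(score, **overrides):
    """Build a constructed siteverify-style response for the checks above."""
    resp = {"success": True, "score": score, "action": "login",
            "hostname": "shop.example", "challenge_ts": "2019-01-01T12:00:00Z"}
    resp.update(overrides)
    return resp
```

Checking `action` and `hostname` before looking at the score matters as much as the threshold itself: a high score only means something for the page and site it was issued for.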
At present, of the 4.5 million web pages that use the reCAPTCHA system, approximately 450,000 have implemented the latest version.