Google's reCAPTCHA v3 System Prompts Privacy Criticism
The widely used Google reCaptcha V3 bot-detecting login system has come in for some criticism after two security researchers claimed that one of the ways that Google determines whether you’re a malicious user depends on whether you have a Google cookie installed on your browser, which could also mean that the privacy of your browsing habits may also be at risk in using the system.
What Is reCaptcha V3?
Google’s reCaptcha V3 is the latest version of Google’s bot-detecting login system, introduced last autumn, that can detect abusive traffic/malicious user-behaviour on your website without user friction i.e. without the need to tick an ‘I am not a robot’ box, or identify items in pictures. With this version of the reCaptcha system, background monitoring assigns a risk score to a user, which then enables the system to decide how to handle that user e.g. if a user with a high-risk score tries to log in, they may then be required to use two-factor authentication. From Google’s point of view, the idea is to give users a better experience and avoid the kinds of interactions that can inhibit users from intuitively and painlessly reaching their goals within a digital interface. With reCaptcha V3, Google may be happy with the trade-off between the possibility of some inconvenience for legitimate users versus greater protection for websites.
It has been reported that 650,000 websites already use reCaptcha v3, including 25% of the top 10,000 sites. This makes any concerns about the system a potentially serious issue.
What’s The Problem?
The concern suggested by the two researchers, Marcos Perona and Mohamed Akrout, who have studied reCaptcha V3 is that, being a Google product, not only does it appear likely to deem a user less of a risk if they have a Google cookie on their browser i.e. they have a Google account and are signed in, but that cookies like these can also pass on data which is unnecessary for login, about a person’s browsing habits, thereby posing a possible threat to privacy.
The research found, for example, that those who went to a website with reCaptcha v3 while logged into their Google account were given a low-risk score by the system, whilst those who visited using private browsers such as Tor or a VPN were scored as high risk. Also, the research found that to make the risk-score system work properly, web admins need to embed reCaptcha v3 code on all pages on the website. This will enable reCaptcha to learn about how website users act on the site over time, thereby assisting the machine learning algorithm to generate more accurate risk scores. Unfortunately, installing reCaptcha v3 every page of a website could mean that those signed into their Google account are unwittingly passing on data about every web page they go to that has embedded reCaptcha v3, thereby potentially having their privacy compromised to an extent.
What Does This Mean For Your Business?
It should be remembered that these are the conclusions of pieces of research which may or may not have valid points, but it certainly wouldn’t be the first time that Google has been accused of potentially causing concern in matters of user privacy. For example, a microphone was discovered in Google’s Nest Guard product that was not listed in tech spec (which was put down to an erroneous omission by Google), and in December last year, research by Internet Privacy Company DuckDuckGo reported evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.
Users and businesses appreciate the value of frictionless interactions and positive experiences with websites, as well as both appreciating the need to keep introducing new versions of products with improved security to stay one step ahead of attackers. Privacy, however, is also an important issue, both legally and personally, and the heightened concerns about it may mean that Google gets a little bad publicity where users feel that data may be unnecessarily gathered, or is collected in a way that doesn’t appear to be made entirely obvious.