There is recaptcha v2 and v3. V3 uses V2 if V3 isn’t sufficient to identify you.
What I mean with identify is fingerprinting. recaptcha collects info on how we solve the recaptcha. People have very unique way of solving captchas. You would have hard time seeing this with your own eyes but if there are 100 people who did 100 recaptchas each, then the algorithm will be able to know which recpatchas were solved by which person. This is also in combination with standard browser and device fingerprinting.
So is it possible to avoid being identified? If I’ve done recaptcha thousand times before, can I do it next time in a way that Google won’t be able to link me to the same identity as all the previous thousand times?
I think the solution has to be done automatically in some way. Because if you try to solve the recaptcha manually with your own hand, then chances are high you will be identified. But solving it automatically is precisely what recaptcha is meant to defeat (bots).
I’ve had many many many times experience with recaptcha where I have had to sit there and try solve it manually the way Google intends us to solve it, for more than 1 hour I’ll sit their frustrated and keep tring to solve it but it says I am failing even though I’m really not. This usually happens when I manually click in a non-human way. I might for example move the cursor by pushing the mouse with a pen. This causes mouse movements and timing and click locations to be different. But this only works for a number of times, i guess after thousands of times Google will know that is me messing around.
V3 is scary because it’s first-party fingerprinting and you won’t know it’s there until it throws a v2 recaptcha at you. It tracks your interaction and habits on the website to see if it’s human-like and probably also to uniquely identify you. If it can’t identify you then it will make you solve a v2 recpatcha instead.
Google is also very anti-competitive against browsers that are configured for privacy. That’s probably another reason I often have to spend hours trying to solve them.
I am afraid that the only way to not get identified by v3 recaptcha is to turn off JS. But if you do that then you can’t use the website which is protected by v3 recaptcha. Unfortunately most of the internet is using either mitm cloudflare or recaptcha, so turning off JS means good bye internet.
Protection against 3rd party tracking does not help against these privacy threats because they are first party threats.
Comments URL: https://news.ycombinator.com/item?id=42596976
Points: 1
# Comments: 0
Leave a Reply
You must be logged in to post a comment.