The reCaptcha boxes that ask you to tick "I'm not a robot", or to pick out the crosswalks, fire hydrants and traffic lights in a grid of photos, will soon stop pestering you every time you log in or fill out a form on a website. Google has updated reCaptcha to version 3 and is now waiting for web developers to deploy it widely, but this is where the question of user privacy comes up again.
reCaptcha V3 works by observing browsing behaviour to decide whether a visitor is a person or a machine:
Cyan Khormaee, who leads Google's reCaptcha team, said: "reCaptcha V3 will bring a better experience to users. Everyone has failed a Captcha at some point." With this third version of the reCaptcha authentication technology, Google analyses how users navigate a website and, from those actions, derives a scale it calls the risk score. Khormaee does not disclose what information or signals Google uses to judge behaviour, on the assumption that attackers would otherwise be able to mimic ordinary users easily. He is nonetheless confident that the new reCaptcha system will discourage those who use bots to get past Google's Captcha.
He said: "Bot farmers need to understand how a real person behaves on a website so they can imitate it and really deceive us. The hardest part here is 'pretending to be human' (for a bot)." A website's administrator can read the risk score and decide what to do next. For example, if a high-risk user is trying to log in, the site can set a rule requiring that user to provide additional authentication through a two-factor form. Khormaee said this is a little inconvenient if you are an ordinary user, but if the person on the other side is an attacker, it lets the site protect your account from being taken over.
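As an added example (not code from the article, from Google, or from any site mentioned here), the following Python shows how a site's server could turn a reCaptcha V3 verification result into the kind of decision Khormaee describes: let the request through, demand a second factor, or block it. It assumes the JSON shape Google's siteverify endpoint returns for a v3 token (`success`, `score`, `action`, `hostname`, `error-codes`); the thresholds, the `Decision` and `Policy` names, and the sample responses are constructed for illustration. One caveat worth knowing: in that response the score runs from 0.0 (very likely a bot) to 1.0 (very likely human), so the article's "high-risk user" corresponds to a low score here.

```python
"""Server-side handling of a reCaptcha v3 verification result.

Added example, not code from the article, Google or any site it mentions.
It assumes the JSON shape of Google's siteverify response for a v3 token
(`success`, `score`, `action`, `hostname`, `error-codes`). The thresholds,
the Decision/Policy names and the sample responses are constructed.
"""
import json
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_second_factor"   # the article's two-factor form
    BLOCK = "block"


@dataclass(frozen=True)
class Policy:
    expected_action: str        # action name the page used when requesting the token
    expected_hostname: str      # the site's own host
    allow_at_or_above: float = 0.7    # constructed threshold
    step_up_at_or_above: float = 0.3  # constructed threshold


def decide(verify_json: str, policy: Policy) -> Decision:
    """Map a siteverify response body to ALLOW / STEP_UP / BLOCK.

    Google's v3 score runs from 0.0 (very likely a bot) to 1.0 (very likely
    human), so a "high-risk user" in the article is a *low* score here.
    Anything that is not a successful, well-formed response for the expected
    action and hostname is treated as the riskiest case, because the client
    can submit any token it likes; only these server-side checks count.
    """
    try:
        data = json.loads(verify_json)
    except (json.JSONDecodeError, TypeError):
        return Decision.BLOCK
    if not isinstance(data, dict) or data.get("success") is not True:
        return Decision.BLOCK
    # A token minted for another action (e.g. a comment form) must not unlock login.
    if data.get("action") != policy.expected_action:
        return Decision.BLOCK
    # A token minted on another host was not issued for this site.
    if data.get("hostname") != policy.expected_hostname:
        return Decision.BLOCK
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return Decision.BLOCK
    if not 0.0 <= score <= 1.0:
        return Decision.BLOCK
    if score >= policy.allow_at_or_above:
        return Decision.ALLOW
    if score >= policy.step_up_at_or_above:
        return Decision.STEP_UP
    return Decision.BLOCK


# Constructed sample responses; in production the body comes from POSTing the
# token and site secret to https://www.google.com/recaptcha/api/siteverify.
SAMPLES = {
    "signed_in_human": '{"success": true, "score": 0.9, "action": "login", "hostname": "example.com"}',
    "private_browser": '{"success": true, "score": 0.3, "action": "login", "hostname": "example.com"}',
    "likely_bot":      '{"success": true, "score": 0.1, "action": "login", "hostname": "example.com"}',
    "wrong_action":    '{"success": true, "score": 0.9, "action": "comment", "hostname": "example.com"}',
    "other_host":      '{"success": true, "score": 0.9, "action": "login", "hostname": "evil.example"}',
    "reused_token":    '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "garbage":         'not json',
}

LOGIN_POLICY = Policy(expected_action="login", expected_hostname="example.com")


def run_samples(policy: Policy = LOGIN_POLICY) -> dict:
    """Evaluate every constructed sample under the given policy."""
    return {name: decide(body, policy) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:16} -> {outcome.value}")
```

The action and hostname checks matter as much as the score: the score only says how human the behaviour looked, while those two fields tie the token to this form on this site, so a token obtained elsewhere cannot be replayed against the login endpoint.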
According to statistics from BuiltWith, more than 650,000 websites use reCaptcha V3, out of 4.5 million pages that use some version of reCaptcha. 25% of the top 10,000 websites use this authentication technology. Google is also testing an enterprise version of reCaptcha V3 with customisable features so businesses can protect their sites against malicious code and bots.
However, this risk-based authentication system comes with one big drawback: user privacy.
According to two security researchers who specialise in reCaptcha, one of the ways Google decides whether a user is behaving suspiciously relies on the Google cookies stored in the browser. These are the same cookies that let you open a new tab without logging in to your Google account again (log in to Gmail, then open Google Search or YouTube and you are already signed in).
Mohamed Akrout, a PhD student in computer science at the University of Toronto, says Google may also use these cookies to decide whether a visitor is human in reCaptcha V3. In a report published in April, Akrout tested how reCaptcha V3 behaves in a browser signed in to a Google account, and found that the risk score for a signed-in browser is consistently lower than for one that is not signed in. He said: "If you have a Google account, your chances are higher." Google has not responded to questions about the role its cookies play in reCaptcha.
Security consultant Marcos Perona confirmed this, saying that the reCaptcha risk score is consistently lower when browsing a test site from a browser signed in to a Google account. Conversely, opening the same test site in a privacy-focused browser such as Tor Browser, or over a VPN, always yields a high score.
For the risk-scoring system to work properly, the site administrator must embed the reCaptcha V3 code on every page of the site, not just on the form or login page. Over time, reCaptcha then learns how users normally behave on that site, which lets its machine-learning models produce a more accurate risk score. Because reCaptcha V3 is therefore likely to be present on every page of a website, if you are signed in to your Google account, Google may also receive data about every reCaptcha V3 site you visit. Meanwhile, no dialog boxes or image challenges appear at all, only a small reCaptcha badge tucked into a corner of the site.
Khormaee did not say how Google uses the data collected for reCaptcha; the only public statement is Google's terms of service, linked from the reCaptcha badge present on most websites, and those terms make no specific reference to reCaptcha. After the information was published, Google contacted the Fast Company site and said that the reCaptcha API collects software and hardware information, including device and application data, and sends it to Google for analysis, and that this is used only to fight spam and other forms of abuse.
Better security and experience, or a tool to harvest user data?
Google continues to encourage sites to deploy reCaptcha across the whole site so that it can share risk-score information with administrators for security purposes. According to Perona, this is a good goal because it gives site owners control and a clearer picture of what is happening before a scammer or bot attacks. Site administrators also get a more accurate risk score instead of relying on reCaptcha data from a single page such as the login page. But while it offers users convenience, in return Google collects more data. Google does not say what it will do with the behavioural data obtained through reCaptcha: is it used only to improve reCaptcha and for security purposes in general?
Perona says reCaptcha V3 is a tool that helps Google consolidate its dominance of the Internet. reCaptcha resembles many other Google products, such as Accelerated Mobile Pages (AMP), a programme that makes websites load faster on mobile devices but also lets Google capture traffic from those sites. The same goes for the Chrome browser, which the Washington Post called a surveillance tool and advised users to abandon.
Perona said: "It's always a double-edged sword. You get something, and you have to give Google control of everything on the Internet." It can improve security and user experience, but at the cost of privacy.
Google still has not addressed the accusations of privacy violations and maintains that reCaptcha V3 is a matter of corporate responsibility: it sees the technology as a way to ensure a safe online experience without getting in users' way. Khormaee added: "Google is deeply integrated into the Internet and we want to do everything possible to protect it."