Google reCAPTCHA Service Isn’t Secure – It Might Be Exploiting Users
- A group of researchers from UC Irvine wrote a paper that suggests Google's reCAPTCHA Service is not an effective security solution.
- It also says these tests come at a huge cost - both in terms of human labor and environmental impact. It might also be used to mine user data.
- Google has responded to these allegations and said that it doesn't sell user data to third parties and that reCAPTCHA3, which is mostly used by websites, is more secure than reCAPTCHA2.
Google's reCAPTCHA service might be secretly harvesting user information at the cost of human labor worth billions.
We have all used the reCAPTCHA service. It presents us with a small puzzle to solve and uses our response to differentiate between humans and robots. The purpose of these tests is to prevent fraud and cyber crimes.
However, researchers from UC Irvine have a different story to tell. Andrew Searles, Renascence Tarafder Prapty, and Gene Tsudik co-authored a paper titled "Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2."
The research was conducted over a period of 13 months starting in 2022. A total of 9,141 reCAPTCHAv2 sessions were tracked and analyzed, in addition to a survey completed by 108 individuals. The survey respondents rated the checkbox puzzle 78.51 out of 100 on the System Usability Scale, while the image selection test only managed to score 58.90. In simple terms, users find these tests inconvenient.
What Does the Paper Conclude?
The paper argues that these tests should be discontinued because they waste time and resources and are vulnerable to bots (which entirely defeats their purpose).
- During the 13 years of its use, users have spent more than 819 million hours taking these tests which equals at least $6.1 billion in wages.
- That's not the only cost of the test. The traffic resulting from reCAPTCHA takes up 134 petabytes of bandwidth, which equals 7.5 million kWh of energy, which in turn corresponds to 7.5 million pounds of CO2.
While the world was bearing these costs, Google kept making profits: approximately $888 billion from the cookies created by the reCAPTCHA sessions, and an additional $8.75 to $32.3 billion per sale of their total labeled data set.
Maybe we could find a way to turn a blind eye to all this if only the tests served their purpose. But that doesn't seem to be the case.
It's not as secure as it's made to seem.
- The paper refers to an experiment from 2016 during which a group of researchers were able to defeat reCAPTCHA v2 image challenges 70% of the time.
- The reCAPTCHA checkbox challenge was even more vulnerable: it could be defeated 100% of the time.
- reCAPTCHA v3, which is the latest version, is no better. In 2019, another group of researchers designed a reinforcement learning attack that can break reCAPTCHAv3's behavior-based challenges 97% of the time.
The worst part is that these systems were beaten before Google introduced them publicly, yet Google still uses them. Take the image selection problems, for example: they were beaten by computers in 2009, yet Google adopted them in 2014.
So ultimately, it seems like all the effort and resources that are poured into these tests are of no use.
What boggles the researchers is this: if there's proof that these tests are not effective, why does Google continue to use them? There's only one possible answer, according to the paper: obtaining image labeling data, which is produced when users identify CAPTCHA images and which Google happens to sell as a cloud service.
Google released a statement responding to these allegations and said it only tracks user data to improve the overall quality of the user experience, not to sell it. Furthermore, most websites have switched to reCAPTCHA3, which is more secure than reCAPTCHA2.
The post Google reCAPTCHA Service Isn't Secure - It Might Be Exploiting Users appeared first on The Tech Report.