SOVLED: What is Google reCaptcha Version 3, How Does it Work & What is Wrong With It?

Even if you don’t think you know what a Captcha is, I will guarantee you have used them before.  A Captcha is a program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites.  Let’s quickly go over the differences between Captcha’s and reCaptcha’s.

What does Captcha Stand For?

CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.  “Turing” relates to British computer visionary Allan Turing who proposed a simple test to figure out if a computer had reached Artificial Intelligence.  It was called the Imitation Game and all it does is have average people converse with a computer (usually through a keyboard and screen) and if the human could not tell if the computer was a human or not, AI had been achieved.  The term CAPTCHA was described in 2000 by researchers at Carnegie Mellon University and IBM.

What is the Difference Between a Captcha and a reCaptcha?

The difference between a Captcha and a reCaptcha is the usefulness of what is entered:

• Captcha’s are random information you type into a system to validate you are human, and then what you entered is discarded as useless
• reCaptcha’s are text or pictures (like small excerpts from the scan of page in a book or pictures of license plates) from a system that wants you to enter what you interpret the images to be which BOTH proves you are human AND helps train optical character or object recognition systems

Most people think Google invented reCAPTCHA’s but they did not, they just perfected it and now run all of them.  For the rest of this article we will be referring only to the Google implementation of reCAPTCHA’s

What Are the Differences Between reCaptcha v1 v2 and v3?

• reCaptcha version 1 is a simple word or picture with a field for you to answer a question in.
  • reCaptcha V1 have a binary output, meaning that they determine you are or are not a bot.  There is no grey area or scale.
  • It was shut down in 2018 so you should not see them anymore.
• reCaptcha version 2 is a checkbox that says something like, “I am not a robot” .
  • reCaptcha V2 is a heavily obfuscated system using JavaScript that confuses most bots so they cannot click on the checkbox as if they were human
  • reCaptcha version 2 came out in December of 2014 and is still in use with full support in 2020
• reCaptcha version 3 was released in late 2018 and is an update to version 2 that uses an “advanced risk analysis engine” which considers things like the amount of time it takes you to type to give you a grade between 0 and 1.  Zero is definitely a bot and one is definitely a human.  In 2020 most systems will consider activity to be coming from a bot if the score is less than .5.
  • reCaptcha version 3 is code that should be present on all (or many) pages and not just a login page so that more information is collected to determine if the something is human or bot behavior.
  • Google will not provide much detail on how its AI Risk Engine works because hackers would just use that information to get around it and because they are frequently updating and enhancing it

What is the Downside to reCaptcha version 3?

reCAPTCHA v3 is a very powerful way to block malware bots from successfully attacking your website.  But with great power comes great responsibility and that responsibility goes to Google.

In particular, You are giving Google more control over your systems.  Because version 3 reCaptcha is tracking how your site is being interacted with, Google is collecting a lot of information about both your site and the people that are on it.  While we have not found any details on this, it seems unlikely that Google would not combine reCAPTCHA v3 tracking information with users Google accounts to build a very very detailed profile of your on-line life.

If you want more comments on the Dark Side of reCaptcha v3, THIS FastCompany article might interest you.