Google addressed the claims in this paper last year, and one of the authors challenged the company's responses.
See:
<a href="https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/" rel="nofollow">https://www.theregister.com/2024/07/24/googles_recaptchav2_l...</a>
The problem with this paper is that, while technically true, there are many website owners who have found that CAPTCHAs have effectively reduced the spam on their site to zero. The fact that a CAPTCHA _can_ be bypassed doesn't mean that it _will_, and most spam bots are not using cutting-edge tech because that's expensive.<p>To say "it's worthless from a security perspective" is a pretty harsh and largely inaccurate representation. It's been tremendously useful to those who have used it. If it wasn't valuable, it wouldn't be so widely used.<p>Definitely agree with the whole "tons of free $$$ for Google", but that's kind of their business model, so yeah, Google is being Google. In other breaking news, water is still wet.
The "cookie farm for profit" point is worth elaborating on. From the original paper <a href="https://arxiv.org/pdf/2311.10911" rel="nofollow">https://arxiv.org/pdf/2311.10911</a> :<p>> More concretely, the current average value life-time of a cookie is €2.52 or $2.7 [58]. Given that there have been at least 329 billion reCAPTCHAv2 sessions, which created tracking cookies, that would put the estimated value of those cookies at $888 billion dollars.<p>The cited paper is <a href="https://www.sciencedirect.com/science/article/pii/S0167811623000708" rel="nofollow">https://www.sciencedirect.com/science/article/pii/S016781162...</a> - but it doesn't deal with CAPTCHAs, just with the general economics of third-party cookies.<p>In practice, many of these cookies will have already been placed by other Google services on the site in question, with how ubiquitous Google's ad and analytics products are. And it's unclear whether Google uses the _GRECAPTCHA cookies for purposes other than the CAPTCHA itself (in the places where this isn't regulated).<p>But reCAPTCHA does gives Google an ability to have scripts running that fundamentally can't be ad-blocked without breaking site functionality, and it's an effective foot in the door if Google ever wanted to use it more broadly. It's absolutely something to be aware of.
I get that people are here to hate on Google, but I am just here to say that reCAPTCHA albeit acquired, is an absolutely brilliant idea. The kind that solves two (three? if you count tracking) problems so elegantly
Naive question: how can clicking on the motorbike or traffic light image help to train an ML algorithm if they already know what image has a motorbike in it, or otherwise the captcha would not make sense.
Maybe they put 3 image which are already with a score of >0.90 and one which is just 0.40?
What proof of humanity is sufficient? Today it is a phone call, or a verification sent to a real address (limit one registration per household), or a video call. How will we verify humanity in 20 years when audio and video emulation is foolproof?<p>We'll have to have in-person attestation or make all services paid, perhaps.
Wouldn't some sort of proof of work be a good solution to the captcha problem?<p>Specially since all of the sudden, a bot service running hundreds of thousands of requests will suddenly and inadvertedly have to compute cryptographic hashes at the cost of the user running the bots?
To prevent the cookie wall with no 'reject all': <a href="https://archive.is/oHc1e" rel="nofollow">https://archive.is/oHc1e</a>
819 million hours of unpaid labor. And just think, a large chunk of that was performed by children. CAPTCHAs are slave labor in small doses. It's also a way of avoiding paying taxes on that labor. But hey, what's a few billion dollars in unpaid taxes and unpaid wages and child labor violations between friends?