reCAPTCHA

Distributed Proofreaderswas the first project to volunteer its time to decipher scanned text that could not be read byoptical character recognition(OCR) programs. It works withProject Gutenbergto digitizepublic domainmaterial and uses methods quite different from reCAPTCHA.

The reCAPTCHA program originated with Guatemalancomputer scientistLuis von Ahn,^[13]and was aided by aMacArthur Fellowship.An early CAPTCHA developer, he realized "he had unwittingly created a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles".^[14]

Scanned text is subjected to analysis by two different OCRs. Any word that is deciphered differently by the two OCR programs or that is not in an English dictionary is marked as "suspicious" and converted into a CAPTCHA. The suspicious word is displayed, out of context, sometimes along with a control word already known. If the human types the control word correctly, then the response to the questionable word is accepted as probably valid. If enough users were to correctly type the control word, but incorrectly type the second word which OCR had failed to recognize, then the digital version of documents could end up containing the incorrect word. The identification performed by each OCR program is given a value of 0.5 points, and each interpretation by a human is given a full point. Once a given identification hits 2.5 points, the word is considered valid. Those words that are consistently given a single identity by human judges are later recycled as control words.^[16]If the first three guesses match each other but do not match either of the OCRs, they are considered a correct answer, and the word becomes a control word.^[17]When six users reject a word before any correct spelling is chosen, the word is discarded as unreadable.^[17]

The original reCAPTCHA method was designed to show the questionable words separately, as out-of-context correction, rather than in use, such as within a phrase of five words from the original document.^[18]Also, the control word might mislead the context for the second word, such as a request of "/metal/ /fife/" being entered as "metalfile"due to the logical connection of filing with a metal tool being considered more common than the musical instrument"fife".^{[citation needed]}

In 2012, reCAPTCHA began using photographs taken fromGoogle Street Viewproject, in addition to scanned words.^[19]It will ask the user to identify images of crosswalks, street lights, and other objects. It has been hypothesized that the data is used byWaymo(a Google subsidiary) to train autonomous vehicles, though an unnamed representative has denied this, claiming the data was only being used to improve Google Maps as of mid-2021.^[20]

Google charges for the use of reCAPTCHA on websites that make over a million reCAPTCHA queries a month.^[21]

In 2013, reCAPTCHA began implementingbehavioral analysisof the browser's interactions to predict whether the user was a human or a bot. The following year, Google began to deploy a new reCAPTCHA API, featuring the "no CAPTCHA reCAPTCHA" —where users deemed to be of low risk only need to click a singlecheckboxto verify their identity. A CAPTCHA may still be presented if the system is uncertain of the user's risk; Google also introduced a new type of CAPTCHA challenge designed to be more accessible to mobile users, where the user must select images matching a specific prompt from a grid.^[2][22]

In 2017, Google introduced a new "invisible" reCAPTCHA, where verification occurs in the background, and no challenges are displayed at all if the user is deemed to be of low risk.^[23][24][25]According to former Google "click fraudczar "Shuman Ghosemajumder,this capability "creates a new sort of challenge that very advanced bots can still get around, but introduces a lot less friction to the legitimate human."^[25]

reCAPTCHA v1 was declaredend-of-lifeand shut down on March 31, 2018.^[26]

The reCAPTCHA tests are displayed from the central site of the reCAPTCHA project, which supplies the words to be deciphered. This is done through aJavaScriptAPIwith the server making a callback to reCAPTCHA after the request has been submitted. The reCAPTCHA project provides libraries for various programming languages and applications to make this process easier. reCAPTCHA is a free-of-charge service provided to websites for assistance with the decipherment,^[27]but the reCAPTCHA software is notopen-source.^[28]

Also, reCAPTCHA offers plugins for several web-application platforms includingASP.NET,Ruby,andPHP,to ease the implementation of the service.^[29]

The main purpose of aCAPTCHAsystem is to block spambots while allowing human users. On December 14, 2009, Jonathan Wilkins released a paper describing weaknesses in reCAPTCHA that allowed bots to achieve a solve rate of 18%.^[31][32][33]

On August 1, 2010, Chad Houck gave a presentation to theDEF CON18 Hacking Conference detailing a method to reverse the distortion added to images which allowed a computer program to determine a valid response 10% of the time.^[34][35]The reCAPTCHA system was modified on July 21, 2010, before Houck was to speak on his method. Houck modified his method to what he described as an "easier" CAPTCHA to determine a valid response 31.8% of the time. Houck also mentioned security defenses in the system, including a high-security lockout if an invalid response is given 32 times in a row.^[36]

On May 26, 2012, Adam, C-P, and Jeffball of DC949 gave a presentation at the LayerOne hacker conference detailing how they were able to achieve an automated solution with an accuracy rate of 99.1%.^[37]Their tactic was to use techniques from machine learning, a subfield of artificial intelligence, to analyze the audio version of reCAPTCHA which is available for the visually impaired. Google released a new version of reCAPTCHA just hours before their talk, making major changes to both the audio and visual versions of their service. In this release, the audio version was increased in length from 8 seconds to 30 seconds and is much more difficult to understand, both for humans as well as bots. In response to this update and the following one, the members of DC949 released two more versions of Stiltwalker which beat reCAPTCHA with an accuracy of 60.95% and 59.4% respectively. After each successive break, Google updated reCAPTCHA within a few days. According to DC949, they often reverted to features that had been previously hacked.

On June 27, 2012, Claudia Cruz, Fernando Uceda, and Leobardo Reyes published a paper showing a system running on reCAPTCHA images with an accuracy of 82%.^[38]The authors have not said if their system can solve recent reCAPTCHA images, although they claim their work to beintelligent OCRand robust to some, if not all changes in the image database.

In an August 2012 presentation given at BsidesLV 2012, DC949 called the latest version "unfathomably impossible for humans" —they were not able to solve them manually either.^[37]The web accessibility organization WebAIM reported in May 2012, "Over 90% of respondents [screen reader users] find CAPTCHA to be very or somewhat difficult".^[39]

The original iteration of reCAPTCHA was criticized as being a source ofunpaid workto assist in transcribing efforts.^[40]

Google profits from reCAPTCHA users as free workers to improve its AI research.^[41]

The current iteration of the system has been criticized for its reliance ontracking cookiesand promotion ofvendor lock-inwith Google services; administrators are encouraged to include reCAPTCHA tracking code on all pages of their website to analyze the behavior and "risk" of users, which determines the level of friction presented when a reCAPTCHA prompt is used.^[42]Google stated in itsprivacy policythat user data collected in this manner is not used for personalized advertising. It was also discovered that the system favors those who have an activeGoogle accountlogin, and displays a higher risk towards those using anonymizing proxies and VPN services.^[23]

Concerns were raised regarding privacy when Google announced reCAPTCHA v3.0, as it allows Google to track users on non-Google websites.^[23]

In April 2020,Cloudflareswitched from reCAPTCHA to hCaptcha, citing privacy concerns over Google's potential use of the data they recollect through reCAPTCHA fortargeted advertising^[43]and to cut down on operating costs since a considerable portion of Cloudflare's customers are non-paying customers. In response, Google toldPC Magazinethat the data from reCAPTCHA is never used for personalized advertising purposes.^[21]

Google's help center states that reCAPTCHA is notsupportedfor thedeafblindcommunity,^[44]effectively locking such users out of all pages that use the service. However, reCAPTCHA does currently have the longest list of accessibility considerations of any CAPTCHA service.^[45]

In one of the variants of CAPTCHA challenges, images are not incrementally highlighted, but fade out when clicked, and replaced with a new image fading in, resemblingwhack-a-mole.

Criticism has been aimed at the long duration taken for the images to fade out and in.^[46]

reCAPTCHA also created the Mailhide project, which protectsemail addresseson web pages from beingharvestedbyspammers.^[47]By default, the email address was converted into a format that did not allow acrawlerto see the full email address; for example, "[email protected]" would have been converted to "[email protected]". The visitor would then click on the "..." and solve the CAPTCHA to obtain the full email address. One could also edit the pop-up code so that none of the addresses were visible. Mailhide was discontinued in 2018 because it relied on reCAPTCHA v1.^[48]

^[1]

• Dzieza, Josh (February 1, 2019)."Why CAPTCHAs have gotten so difficult".The Verge.
• Schwab, Katharine (June 27, 2019)."Google's new reCAPTCHA has a dark side".Fast Company.

• Official website