YouTube Deep SummaryYouTube Deep Summary

Star Extract content that makes a tangible impact on your life

Video thumbnail

Why reCAPTCHA is Spyware

CHUPPL • 2024-12-05 • 17:57 minutes • YouTube

📚 Chapter Summaries (3)

🤖 AI-Generated Summary:

The Hidden Truth Behind "I'm Not a Robot" Checkboxes: How reCAPTCHA Became a Tool for Surveillance and Data Collection

Every day, millions of internet users encounter the familiar "I'm not a robot" checkbox, a simple test designed to distinguish humans from automated bots. But what if this innocuous-looking box is not primarily about stopping bots at all? What if it’s a gateway to pervasive surveillance, data harvesting, and corporate control? This blog post dives deep into the story of reCAPTCHA, revealing the unsettling realities behind the technology that millions trust and interact with daily.

What is reCAPTCHA Really Doing?

At first glance, reCAPTCHA appears to be a straightforward tool to block bots from accessing websites. However, research and investigations suggest otherwise. The traditional idea that bots can’t simply "click" the checkbox because their mouse movements are too linear or mechanical is only a small part of the story.

Humans move their mice in natural, imperfect, wiggly paths, whereas bots tend to move in straight lines. Early versions of reCAPTCHA tracked these movements to differentiate humans from bots. But hackers quickly found ways to bypass these tests with high success rates: 99.1% in 2012, 85% in 2017, and 97% shortly after reCAPTCHA v3 launched in 2018.

The tech giant Google, which owns reCAPTCHA, keeps the inner workings a closely guarded secret, describing it only as an "advanced risk analysis engine." This means it’s not just about detecting bots anymore; reCAPTCHA collects a vast amount of data on user behavior.

A Spy in Plain Sight

ReCAPTCHA doesn’t just appear as a checkbox anymore. The latest versions run invisibly in the background on millions of websites, silently tracking everything you do online — every mouse movement, keystroke, click, and even the pixels you see. This data creates a real-time fingerprint of your browsing habits.

Google can potentially see your interactions on any website using reCAPTCHA, giving them unprecedented visibility into user behavior across the internet. This raises serious privacy concerns, as this level of surveillance extends far beyond what most users expect or consent to.

The Data Economy and Corporate Greed

The collected data isn’t just sitting in a vault. It fuels a sprawling data broker ecosystem where companies buy and sell personal information. This includes everything from government records like birth certificates and voter registrations to your social media activity and browsing history.

These data brokers don’t only sell to advertisers but to anyone willing to pay — including potentially malicious actors. The consequences of such data commodification are profound, affecting privacy, autonomy, and security.

How to Protect Yourself

Thankfully, there are services like DeleteMe that help individuals remove their personal data from hundreds of data broker websites. DeleteMe continuously monitors and removes your information without you having to lift a finger. If you’re concerned about your privacy, consider using such tools to regain control over your digital footprint.

The Unpaid Labor Behind reCAPTCHA

In 2015, a class-action lawsuit accused Google of exploiting users for unpaid labor. Every time you solve a reCAPTCHA challenge, you’re not just proving you’re human—you’re helping to train Google's AI datasets without compensation or explicit consent. For instance, typing words like "morning" or distorted alternatives helps label data for Google’s machine learning, benefiting the world's most powerful surveillance corporation.

Though the lawsuit was eventually dropped, estimates suggest that users have collectively spent over 819 million hours on these tests, equating to roughly $6.1 billion worth of unpaid labor.

What is Google Doing With This Data?

Google claims it does not use reCAPTCHA data for targeted advertising, which ironically raises more concerns. If it’s not for ads, then what purpose does this data serve? Google’s vague terms like "improve general security purposes" leave the door wide open for broad and undefined uses, potentially including cooperation with government agencies.

Federal agencies like the FBI and NSA reportedly have access to data collected through reCAPTCHA, and Google can be compelled by secretive courts to share user information. This clandestine relationship between corporations and government entities blurs the line between consumer service and intelligence gathering.

The Digital Toll Booth: Why Robots Can't Just Click the Box

The reality is that reCAPTCHA functions less as a bot-blocker and more as a digital toll booth. It’s designed to identify and track you, the user, rather than just distinguishing humans from bots. If you try to mask your identity—by clearing cookies, browsing incognito, or using privacy-focused browsers—reCAPTCHA flags you as suspicious. Ironically, bots are often better at solving these tests than privacy-conscious humans.

If Google can’t identify you, it forces you to laboriously solve challenges, thereby generating more data to train their systems. The more you resist, the more you inadvertently contribute to their data collection efforts.

The Bigger Picture: Antitrust and the Future of the Internet

Google’s overwhelming dominance in online advertising and data collection has caught the attention of the U.S. Department of Justice and several state attorneys general, leading to the largest antitrust trial in 25 years. One proposed solution is to force Google out of the ad business, but this could have unpredictable effects, potentially making privacy worse if data falls into more unscrupulous hands.

The story of reCAPTCHA is a window into the future of the internet — a future where access is gated by massive corporations using sophisticated surveillance tools under the guise of security and convenience.

Conclusion

Next time you see the “I’m not a robot” checkbox, remember: it’s not just a test. It’s a complex, often opaque system designed to surveil, profile, and monetize your data. The internet is not as open as it seems, and reCAPTCHA exemplifies how corporate interests can shape user experiences in ways that compromise privacy and autonomy.

If you value your digital privacy, stay informed, use tools like DeleteMe to protect your data, and push for greater transparency and accountability from tech giants.

This post was inspired by an in-depth investigation into reCAPTCHA’s technology and implications, highlighting the urgent need for awareness and action in the digital age.

📝 Transcript Chapters (3 chapters):

📝 Transcript (412 entries):

## The rabbit hole [00:00] how does this checkbox know that I'm not a robot I didn't click any motorcycles traffic lights I didn't even type in distorted words and yet it knew this Infamous Tech is called recapture and when it comes to reach few tools rival its presence across the web it's on 12 and2 million websites quietly sitting on pages that you visit every day and it's actually not very good at stopping [Music] BTS which of course led me to the question if it's not stopping Bots what is it doing this simple question sent us down a rabbit hole that was deeper and more complicated than we ever imagined the Box test isn't really about the Box a single check box it turns out recapture isn't what we think it is and the public narrative around recapt is an impossibly small sliver of the truth and by accepting that sliver as the full truth we've all been misled TR your mouse movements for months we followed the data We examined gloss over research and uncovered evidence that most people don't know exists this isn't the story of an inconsequential box it's the story of a seemingly innocent tool and how it became a Gateway for corporate greed and mass surveillance we found buried lawsuits Whispers of the NSA and goes of Edward Snowden this is the story of the future of the internet and who's trying to control it why can't a robot work out how to tick a box marked I'm not a robot in the largest antitrust trial in the United States in 25 [Music] years let's start here what you've been told is wrong journalists told you such a small sliver of the truth that I would consider it to be deceptive why can't a robot just click I'm not a robot the Box test isn't really about the box it actually tracks your mouse movements right before you check the box see if you run code to make an object move to a certain point like a cursor the simplest version will make it move in a straight line robots move like this but humans naturally aren't that accurate we don't move in a perfect L straight line but humans move kind of like this humans tend to move their mice in Wiggly imperfect ways and that is what this version of capture was looking for okay Mouse macro software find image look for the checkbox move Mouse to checkbox and make it click play [Music] I mean it's so easy it's so easy to test this okay you're probably thinking why does any of this matter and I agree with you I did agree with you I actually halted this investigation for a few weeks because I thought it was quite boring until I went to renew my [Music] passport passport status. state.gov I got a capture not a checkbox not fire hydrants but the old one and I clicked it and it took me here recapture seems to have become a spyware it might be also that its primary purpose is doxing of us residents and spying on everyone [Music] else I don't know what led me to do it it felt like my mouse was moving itself an entire page dedicated to documenting the horrors of recapture alleging National Security implications for the US and foreign governments its ability to Doc's users mentioning secret fisa orders the same type of orders that Edward Snowden risked his life to warn us about it is one of the most secretive places in America a federal court of 11 judges with the power to allow government to conduct electronic surveillance on you who put this together Anonymous if you're a web native journalist looking to get in touch we doubt you're going to have a hard time figuring out who we are anyway this felt like a key left in plain sight Whispering there's a door nearby and it's meant to be open this is what we're good at this is what we do it felt like someone on the other side already knew that as if they'd been waiting for someone to come along and notice okay let's get this out of the way recapture is not and really has never been very good at stopping Bots recapture was founded in part by this guy in 2007 version one looked like this in 2009 Google bot recapture but in 2012 hackers were able to get bots through with a 99.1 % success rate V2 dropped in 2014 it was the first time we saw the infamous check boox this is also when it allegedly became spyware in 2017 version 2 was cracked with an 85% success rate the code to do so was made public and still works To This Day 2018 was the launch of V3 according to researchers at UC Irvine there's practically no difference between V2 and V3 a few months after the launch of V3 it was beaten with with a 97% success rate Google doesn't tell us how recapture Works besides using an advanced risk analysis engine but these hackers they spelled it out do you believe that recapture should be thrown out yeah I think it's time to deprecate this technology this is Dr Andrew surles and he's the lead author of this study and so I essentially developed a mirror of recapture that would make you have to solve m mple in a row and would tell you that you're wrong regardless of what you said and showed some of the data that you can actually scrape you can scrape so much data from somebody's user interaction from a website whoa this has been my big question what data is Google collecting they can collect all sorts of data right any information any keystroke any click IP address user agent string all the websites all the browsing history cookie information recapture takes a pixel by pixel fingerprint of your browser a realtime map of everything you do on the internet I think it's like 10 million websites employ this technology they essentially get access to any user interaction on that web page are you saying that Google can see anything that anyone is doing on any website that has recapture embedded in it there's a very good chance they have that capability is what I will say recapture doesn't need to be good at stopping Bots because it knows who you are the new recapture runs in the background is invisible and only shows challenges to bots or suspicious users if there's any part of this video you should listen to It's this stop making dinner stop scrolling on your phone and please listen when I tell you that recapture is watching you I'm not saying that in some abstract metaphorical way right now recapture is watching you it knows that you're watching me and it doesn't want you to know it's not just Google now there is this whole sketchy Market about Brokers advertising Brokers that like to purchase large amounts of people's information these Brokers have ## Sponsorship [08:16] information on probably all of us they get this data from a variety of sources government records like your birth certificate your voter registration court documents or social media the posts you've made the post you liked the quizzes you've taken the websites you visited they package all of this together and they sell it they're not just selling this to advertisers many are selling it to whoever will pay for it so I use a tool called delete me they're also graciously sponsoring this portion of today's video delete me goes through the strenuous steps of getting your data removed from hundreds of these data broker websites just in my first month delete me searched 3 and a 12,000 listings for my personal information and they found data on me on 55 different data broker websites and then they got it removed on my behalf my favorite thing about this is that it's not a one-time deal delete me routinely checks different data broker websites to see if they post anything new on me and then they get it removed I don't have to do a thing because they've sponsored this portion of today's video delete me is offering a 20% discount to you if you use the link down below it's join delet me.com ch20 or you can use code chule 20 at checkout so if you don't like the idea of Corporations selling your personally identifiable information for financial gain and you see the potential risks of the data economy use that link you'll get 20% off and you'll get your first report back in 7 days thank you to delete me I'm seriously genuinely really impressed with what you all do ## Implications [09:58] [Music] in January of 2015 a class action lawsuit was filed against Google the allegations claim that every time someone solved a recapture challenge they weren't just proving that they were human but they were performing unpaid labor for Google without their knowledge look at this typing mourning overlooks would get you a passing grade obviously but so would adorning overlooks and pouring overlooks looks even egg overlooks horse overlooks Blue Man Group overlooks all of them will get you a passing grade and confirm you're a human recapture is testing you on this word alone it has no idea what this one is you on the other hand do and when you submit the word morning you are fulfilling a contractual obligation that Google has with one of its clients like the New York Times and when you do this you are helping to train one of Google's AI data sets as one researcher says you are doing unpaid labor that directly benefits the world's most powerful surveillance Corporation and even though the judge acknowledged this to be true the class action lawsuit was dropped in large part because the time involved for each user is extremely small as a part of Dr sur's study they estimated that users have spent more than 819 million hours taking these tests which results in $6.1 billion of unpaid labor maybe we could find a way to turn a blind eye to all of this as long as the tests served their purpose but that doesn't seem to be the case Google has said that they don't use the data collected from recapture for targeted advertising which actually scares me a bit more if not for targeted ads which is their whole business model why is Google acting like an intelligence agency so I I dove into Google's 32,000 word terms of service when you're writing a legal document syntax matters they only collect data as necessary but because of this comma the words as necessary only apply here not here the word improve General security purposes those are keywords where you're like okay I see you clearly say it's not being used for personalized advertising congratulations great what does improve mean in that context what is that security purpose entail that's where Google is the art of saying nothing this is Zack he's a privacy Watchdog but he's also the co-creator of this website a central Hub dedicated to documenting the US's antitrust case against Google Google has allowed themselves this General security purposes allowance to use the decisions and the data it collects for anything that they deem US security related in 2015 Google failed an audit by the United Kingdom's I Co saying that Google is too vague when describing how it uses personal data gathered from its services and products is sharing to the government considered security related it probably could be defined that way by a creative lawyer check this out if you want to submit a tip to the FBI you're met with this notice acknowledging your right to anonymity but even though the state department doesn't use recapture the FBI and the NSA do a federal court of 11 judges with the power to allow government to conduct electronic surveillance on you and if they want to know who submitted the anonymous report Google has to tell them but the federal intelligence surveillance court is anything but public it's here somewhere inside this sprawling federal court complex this is a court so secret we don't even know exactly where it convenes inside the building these companies when they engage in a clandestine relationship with the government as soon as they begin cooperating in part uh they will ultimately end up cooperating in full look at this I realize most people aren't submitting anonymous tips to the FBI but listen earlier this month 404 media got its hands on internal emails from the Secret Service they confirmed that the intelligence agency used a technology called locate X which uses location data harvested from ordinary apps installed on phones because users agreed to an opaque terms of service page the Secret Service believes it doesn't need a warrant despite those apps often not saying that their data may end up with the authorities any information any keystroke any click IP address all the websites all the browsing history a real time map of everything you do on the internet it knows who you are Google has essentially created a digital toll booth with recapture they hide in the background watching whatever you do before during and after you interact with it then it puts emphasis on the question which human is this user rather than the ordinary is this user human if it can figure out who you are it lets you through it's also why this happened why can't a robot just click I'm not a robot robots move like this okay for the checkbox it's so easy to test this if Google can't figure out exactly who you are let's say you clear your cookies you're browsing Incognito maybe you're using a privacy focused browser they flag you as suspicious you're grouped in with the Bots who are actually better at solving recaptures than you are and you still have to pay the toll in a different way today that means labeling Google's machine machine learning data sets in my experience the more that I tried to hide my identity from Google the more data sets they make me train finally if you reject those two prior options recapture the toll booth stops you right there the Internet isn't open for you in short recapture isn't about Bots it's about you and USV Google what's the top down on this situation here in the United States there are a group of attorney generals and the Department of Justice are basically suing Google for a variety of monopolistic practices and so the government's response was we want you Google to get out of the advertising industry so Google as you can imagine that being their one of their primary sources of revenue said okay it looks like we're going to trial over this I realized the irony of posting this video on YouTube which is wholly owned by Google we reached out to Google for comment and by the time of filming this they still haven't responded so if they have you'll see it on the screen somewhere right now Google has all this power what they have currently is empowering the data broker ecosystem tons of this data flowing into government and and data broker hands what's interesting is if Google is forced to sell their adex Bas it may actually make privacy outcomes worse in the short term depending on who they sell it to that company may be more evil than Google and thanks again to delete me for sponsoring a portion of this [Music] video thanks so much to our patreon supporters you are my pride andjoy my muse if you want to support us hang out with us on Discord I'd love to see you over there thanks for watching