ReCAPTCHA: Difference between revisions
→Security: Removing section copied verbatim from paper per copyright policy. |
removed bias |
||
Line 20: | Line 20: | ||
| released = {{start date and age|2007|5|27}} |
| released = {{start date and age|2007|5|27}} |
||
}} |
}} |
||
'''reCAPTCHA''' is a [[CAPTCHA]]-like system designed to establish that a computer user is human |
'''reCAPTCHA''' is a [[CAPTCHA]]-like system designed to establish that a computer user is human. reCAPTCHA was originally developed by [[Luis von Ahn]], David Abraham, [[Manuel Blum]], Michael Crawford, Ben Maurer, Colin McMillen, and Edison Tan at [[Carnegie Mellon University|Carnegie Mellon University's]] main [[Pittsburgh]] campus.<ref>{{Cite web|title = reCAPTCHA: About Us|url=http://recaptcha.net/aboutus.html | archive-url = https://web.archive.org/web/20100611210259/http://recaptcha.net/aboutus.html|accessdate = 2018-08-14 | archive-date=2010-06-11}}</ref> It was acquired by [[Google]] in September 2009.<ref name="AutoK4-1" /> |
||
reCAPTCHA has completely digitized the archives of ''[[The New York Times]]'' and books from [[Google Books]], as of 2011.<ref>{{cite news|url=https://www.nytimes.com/2011/03/29/science/29recaptcha.html|work=The New York Times|date=March 28, 2011|accessdate=November 20, 2017|title=Deciphering Old Texts, One Woozy, Curvy Word at a Time}}</ref> The archive can be searched from the ''New York Times'' Article Archive |
reCAPTCHA has completely digitized the archives of ''[[The New York Times]]'' and books from [[Google Books]], as of 2011.<ref>{{cite news|url=https://www.nytimes.com/2011/03/29/science/29recaptcha.html|work=The New York Times|date=March 28, 2011|accessdate=November 20, 2017|title=Deciphering Old Texts, One Woozy, Curvy Word at a Time}}</ref> The archive can be searched from the ''New York Times'' Article Archive.<ref>{{Cite news|url=https://www.nytimes.com/ref/membercenter/nytarchive.html|title=New York Times Article Archive|date=September 25, 2007|work=The New York Times|access-date=2017-11-21|language=en-US|issn=0362-4331}}</ref> Through [[mass collaboration]], reCAPTCHA was helping to digitize books that are too illegible to be scanned by computers, as well as translate books to different languages, as of 2015.<ref>{{Cite web|title = Massive-scale online collaboration|url = http://www.ted.com/talks/luis_von_ahn_massive_scale_online_collaboration.html|website = www.ted.com|accessdate = 2015-10-24}}</ref> |
||
The system has been reported as displaying over 100 million CAPTCHAs every day,<ref name="AutoK4-2" /> on sites such as [[Facebook]], [[TicketMaster]], [[Twitter]], [[4chan]], [[CNN.com]], [[StumbleUpon]],<ref name="BBCreport" /> [[Craigslist]] (since June 2008),<ref name="craig" /> and the U.S. [[National Telecommunications and Information Administration]]'s [[CECB|digital TV converter box]] coupon program website (as part of the [[DTV transition in the United States|US DTV transition]]).<ref name="AutoK4-5" /> |
The system has been reported as displaying over 100 million CAPTCHAs every day,<ref name="AutoK4-2" /> on sites such as [[Facebook]], [[TicketMaster]], [[Twitter]], [[4chan]], [[CNN.com]], [[StumbleUpon]],<ref name="BBCreport" /> [[Craigslist]] (since June 2008),<ref name="craig" /> and the U.S. [[National Telecommunications and Information Administration]]'s [[CECB|digital TV converter box]] coupon program website (as part of the [[DTV transition in the United States|US DTV transition]]).<ref name="AutoK4-5" /> |
||
reCAPTCHA's slogan was "Stop Spam. Read Books."<ref>{{cite web|url=http://www.google.com/recaptcha |title=reCAPTCHA: Stop Spam, Read Books |accessdate=2013-07-10|archive-url=https://web.archive.org/web/20130704150049/http://www.google.com/recaptcha|archive-date=2013-07-04}}</ref> After the introduction of a new version of the reCAPTCHA plugin in 2014, the slogan is now "Easy on Humans, Hard on Bots."<ref>{{Cite web|url=https://www.google.com/recaptcha/intro/index.html|title=reCAPTCHA: Easy on Humans, Hard on Bots|website=www.google.com|language=en|access-date=2018-02-01}}</ref> A new system featuring image verification was also introduced. In this system, users are asked to |
reCAPTCHA's original slogan was "Stop Spam. Read Books."<ref>{{cite web|url=http://www.google.com/recaptcha |title=reCAPTCHA: Stop Spam, Read Books |accessdate=2013-07-10|archive-url=https://web.archive.org/web/20130704150049/http://www.google.com/recaptcha|archive-date=2013-07-04}}</ref> After the introduction of a new version of the reCAPTCHA plugin in 2014, the slogan is now "Easy on Humans, Hard on Bots."<ref>{{Cite web|url=https://www.google.com/recaptcha/intro/index.html|title=reCAPTCHA: Easy on Humans, Hard on Bots|website=www.google.com|language=en|access-date=2018-02-01}}</ref> A new system featuring image verification was also introduced. In this system, users are asked to click on a checkbox (the system will verify whether the user is a human or not, for example, with some clues such as already-known cookies or mouse movements within the frame) or, if it fails, select one or more images from a selection of set of images.<ref name="oneclick">{{cite magazine|url=https://www.wired.com/2014/12/google-one-click-recaptcha/|title=Google Can Now Tell You're Not a Robot with Just One Click|date=December 3, 2014|accessdate=October 1, 2015|first=Andy|last=Greenberg|magazine=[[Wired (website)|Wired]]}}</ref> In 2018, Google started beta testing a completely invisible reCAPTCHA system which does not present any human verification visually. Instead, the new system actively monitors user actions across the entire property and returns a score which represents the probability if it is a human or a bot.<ref>{{Cite web|url=https://tehnoblog.org/google-no-captcha-invisible-recaptcha-first-experience-results-review/|title=Google no Captcha + INVISIBLE reCaptcha – First Experience Results Review|website=TehnoBlog.org|language=en|access-date=2019-01-11}}</ref> |
||
== Origin == |
== Origin == |
||
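Review bot: In the slogan paragraph of this hunk, the revised text has two wording defects: "select one or more images from a selection of set of images" doubles "selection of" and "set of", and "a score which represents the probability if it is a human or a bot" does not say which outcome the score measures. Suggest "from a set of images" and "the probability that the user is a human rather than a bot". The invisible reCAPTCHA sentence is also sourced only to TehnoBlog.org; a Google source for the 2018 beta would be stronger.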
Line 45: | Line 45: | ||
In 2014, reCAPTCHA implemented another system in which users are asked to select one or more images from a selection of nine images.<ref name="oneclick" /> |
In 2014, reCAPTCHA implemented another system in which users are asked to select one or more images from a selection of nine images.<ref name="oneclick" /> |
||
In 2017, |
In 2017, Google claimed to have improved reCAPTCHA to require no interaction for most users.<ref>{{Cite news|url=https://digital-certification.com/blog/google-improves-their-captcha-with-no-user-interaction-required/|title=Digital Certification: The Digital Rating For Websites|date=March 14, 2017|work=Digital Certification {{!}} Blog|access-date=2017-03-14|language=en}}</ref> |
||
=== No CAPTCHA reCAPTCHA === |
=== No CAPTCHA reCAPTCHA === |
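Review bot: The 2017 sentence in this hunk hedges with "claimed" but rests on a citation whose title field is the site's generic name ("Digital Certification: The Digital Rating For Websites") rather than the title of the cited post. Give the post's actual title in the cite, or replace the source with Google's own announcement if one is available.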
Revision as of 16:18, 11 December 2019
Original author(s) | |
---|---|
Developer(s) | |
Initial release | May 27, 2007 |
Type | Classic version: CAPTCHA; new version: checkbox |
Website | www |
reCAPTCHA is a CAPTCHA-like system designed to establish that a computer user is human. reCAPTCHA was originally developed by Luis von Ahn, David Abraham, Manuel Blum, Michael Crawford, Ben Maurer, Colin McMillen, and Edison Tan at Carnegie Mellon University's main Pittsburgh campus.[1] It was acquired by Google in September 2009.[2]
reCAPTCHA has completely digitized the archives of The New York Times and books from Google Books, as of 2011.[3] The archive can be searched from the New York Times Article Archive.[4] Through mass collaboration, reCAPTCHA was helping to digitize books that are too illegible to be scanned by computers, as well as translate books to different languages, as of 2015.[5]
The system has been reported as displaying over 100 million CAPTCHAs every day,[6] on sites such as Facebook, TicketMaster, Twitter, 4chan, CNN.com, StumbleUpon,[7] Craigslist (since June 2008),[8] and the U.S. National Telecommunications and Information Administration's digital TV converter box coupon program website (as part of the US DTV transition).[9]
reCAPTCHA's original slogan was "Stop Spam. Read Books."[10] After the introduction of a new version of the reCAPTCHA plugin in 2014, the slogan is now "Easy on Humans, Hard on Bots."[11] A new system featuring image verification was also introduced. In this system, users are asked to click on a checkbox (the system will verify whether the user is a human or not, for example, with some clues such as already-known cookies or mouse movements within the frame) or, if it fails, select one or more images from a set of images.[12] In 2018, Google started beta testing a completely invisible reCAPTCHA system which does not present any human verification visually. Instead, the new system actively monitors user actions across the entire property and returns a score which represents the probability that the user is a human rather than a bot.[13]
Origin
Distributed Proofreaders was the first project to volunteer its time to decipher scanned text that could not be read by OCR. It works with Project Gutenberg to digitize public domain material and uses methods quite different from reCAPTCHA.
The reCAPTCHA program originated with Guatemalan computer scientist Luis von Ahn,[14] and was aided by a MacArthur Fellowship. An early CAPTCHA developer, he realized "he had unwittingly created a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles".[15][16]
Operation
Scanned text is subjected to analysis by two different optical character recognition programs. Any word that is deciphered differently by the two OCR programs or that is not in an English dictionary is marked as "suspicious" and converted into a CAPTCHA. The suspicious word is displayed, out of context, sometimes along with a control word already known. If the human types the control word correctly, then the response to the questionable word is accepted as probably valid. If enough users were to correctly type the control word, but incorrectly type the second word which OCR had failed to recognize, then the digital version of documents could end up containing the incorrect word. The identification performed by each OCR program is given a value of 0.5 points, and each interpretation by a human is given a full point. Once a given identification hits 2.5 points, the word is considered valid. Those words that are consistently given a single identity by human judges are later recycled as control words.[18] If the first three guesses match each other but do not match either of the OCRs, they are considered a correct answer, and the word becomes a control word.[19] When six users reject a word before any correct spelling is chosen, the word is discarded as unreadable.[19]
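The point scheme in the paragraph above can be replayed as a small state machine, which also makes its weak spot visible: whatever reading three control-passing users agree on is accepted. This is an added example, not code from reCAPTCHA or from the cited paper; the class and function names, the case-insensitive comparison and the use of `None` for a "cannot read" response are assumptions.

```python
from collections import defaultdict
from typing import Optional

OCR_POINTS = 0.5            # each OCR program's reading
HUMAN_POINTS = 1.0          # each human reading
ACCEPT_AT = 2.5             # a reading is valid once it reaches this score
DISCARD_AFTER_REJECTS = 6   # rejections before the word is dropped


class SuspiciousWord:
    """Vote state for one word the two OCR programs could not settle."""

    def __init__(self, ocr_a: str, ocr_b: str):
        self.scores = defaultdict(float)
        for reading in (ocr_a, ocr_b):
            self.scores[reading.casefold()] += OCR_POINTS
        self.rejects = 0
        self.status = "pending"
        self.accepted: Optional[str] = None

    def submit(self, control_typed: str, control_known: str,
               answer: Optional[str]) -> str:
        """Record one user's response and return the word's status."""
        if self.status != "pending":
            return self.status
        # The unknown word only counts if the known control word was right.
        if control_typed.strip().casefold() != control_known.casefold():
            return self.status
        if answer is None:  # user marked the word as unreadable
            self.rejects += 1
            if self.rejects >= DISCARD_AFTER_REJECTS:
                self.status = "discarded"
            return self.status
        reading = answer.strip().casefold()
        self.scores[reading] += HUMAN_POINTS
        # Three agreeing humans score 3.0, so they pass without any OCR
        # support; one OCR reading plus two humans scores exactly 2.5.
        if self.scores[reading] >= ACCEPT_AT:
            self.status, self.accepted = "accepted", reading
        return self.status


def replay(ocr_a, ocr_b, control_known, submissions):
    """Feed (control_typed, answer) pairs through one word's vote."""
    word = SuspiciousWord(ocr_a, ocr_b)
    for control_typed, answer in submissions:
        word.submit(control_typed, control_known, answer)
    return word.status, word.accepted


if __name__ == "__main__":
    # Constructed input: the OCR programs disagree between "fife" and "file".
    cases = {
        "ocr + two humans": [("metal", "fife"), ("metal", "fife")],
        "control failed": [("metl", "fife")] * 5,
        "three humans, wrong word": [("metal", "life")] * 3,
        "six rejections": [("metal", None)] * 6,
    }
    for name, submissions in cases.items():
        print(name, "->", replay("fife", "file", "metal", submissions))
```

The "three humans, wrong word" case is the failure the paragraph describes: the scheme has no ground truth for the unknown word, so its integrity rests on the independence of the users who pass the control word.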
The original reCAPTCHA method was designed to show the questionable words separately, as out-of-context correction, rather than in use, such as within a phrase of five words from the original document.[20] Also, the control word might supply misleading context for the second word, such as a request of "/metal/ /fife/" being entered as "metal file" due to the logical connection of filing with a metal tool being considered more common than the musical instrument "fife".[citation needed]
In 2012, reCAPTCHA began using photographs taken from the Google Street View project, in addition to scanned words.[21] In 2019, image identification captchas (such as store fronts, buses, crosswalks and traffic lights) became the only type of captcha offered by the system.
In 2014, reCAPTCHA implemented another system in which users are asked to select one or more images from a selection of nine images.[12]
In 2017, Google claimed to have improved reCAPTCHA to require no interaction for most users.[22]
No CAPTCHA reCAPTCHA
In 2014, reCAPTCHA began implementing behavioral analysis of the browser's interactions with the CAPTCHA to predict whether the user was a human or a bot before displaying the CAPTCHA, and presenting a "considerably more difficult" captcha in cases where it had reason to think the user might be a bot. By the end of 2014, this mechanism started to be rolled out to most of the public Google services.[23]
Because NoCAPTCHA relies on the use of Google cookies that are at least a few weeks old, reCAPTCHA has become very burdensome to complete for people who frequently clear their cookies, and it has been criticized as yet another Google lock-in strategy.[24]
In 2017, Google improved this mechanism, calling it an "invisible reCAPTCHA". According to former Google "click fraud czar" Shuman Ghosemajumder, this capability "creates a new sort of challenge that very advanced bots can still get around, but introduces a lot less friction to the legitimate human."[25]
Implementation
The reCAPTCHA tests are displayed from the central site of the reCAPTCHA project, which supplies the words to be deciphered. This is done through a JavaScript API with the server making a callback to reCAPTCHA after the request has been submitted. The reCAPTCHA project provides libraries for various programming languages and applications to make this process easier. reCAPTCHA is a free-of-charge service provided to websites for assistance with the decipherment,[26] but the reCAPTCHA software is not open-source.[27]
Also, reCAPTCHA offers plugins for several web-application platforms including ASP.NET, Ruby, and PHP, to ease the implementation of the service.[28]
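The server-side callback described above is the step that actually enforces the check: the token posted by the browser means nothing until the site's back end has it verified and inspects the answer. The following is an added example, not code from the reCAPTCHA libraries; it uses the public `siteverify` endpoint and its documented response fields, while the function names, the host `shop.example`, the action `login` and the 0.5 threshold are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_verdict(secret, token, remote_ip=None, timeout=5.0):
    """POST the client's token to siteverify and return the parsed JSON."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode("ascii")
    request = urllib.request.Request(SITEVERIFY_URL, data=body)  # data => POST
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


def evaluate(verdict, expected_hostname, expected_action=None, min_score=None):
    """Decide on a siteverify response. Returns (allowed, reason)."""
    if not isinstance(verdict, dict):
        return False, "malformed response"
    if verdict.get("success") is not True:
        codes = verdict.get("error-codes") or ["unspecified"]
        return False, "not verified: " + ",".join(map(str, codes))
    # A token solved on another site must not be accepted here.
    if verdict.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    if min_score is not None:  # score-based (invisible) mode
        score = verdict.get("score")
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            return False, "score missing"
        if verdict.get("action") != expected_action:
            return False, "action mismatch"
        if score < min_score:
            return False, "score below threshold"
    return True, "ok"


def verify(secret, token, expected_hostname, **policy):
    """Full check for a request handler; any failure denies the request."""
    if not token:
        return False, "no token submitted"
    try:
        verdict = fetch_verdict(secret, token)
    except (OSError, ValueError):  # network error or non-JSON body
        return False, "verification unavailable"
    return evaluate(verdict, expected_hostname, **policy)


# Constructed responses for illustration, not captured traffic.
SAMPLES = {
    "human": {"success": True, "hostname": "shop.example",
              "score": 0.9, "action": "login"},
    "likely bot": {"success": True, "hostname": "shop.example",
                   "score": 0.1, "action": "login"},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "other site": {"success": True, "hostname": "elsewhere.example",
                   "score": 0.9, "action": "login"},
}

if __name__ == "__main__":
    for name, verdict in SAMPLES.items():
        print(name, "->", evaluate(verdict, "shop.example", "login", 0.5))
```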
Criticism
Some have criticized Google for using reCAPTCHA as a source of unpaid labor.[29] They say Google is unfairly using people around the world to help it transcribe books, addresses, and newspapers without any compensation.
The use of reCAPTCHA has been labelled "a serious barrier to Internet use" for people with sight problems or disabilities such as dyslexia by BBC journalist Stephanie Hegarty.[30]
reCAPTCHA is also a barrier to Internet use in areas of the world where there is heavy Internet censorship and the underlying enabling sites are blocked.
Software engineer Andrew Munsell, in his article "Captchas Are Becoming Ridiculous", states "A couple of years ago, I don’t remember being truly baffled by a captcha. In fact, reCAPTCHA was one of the better systems I’d seen. It wasn’t difficult to solve, and it seemed to work when I used it on my own websites."[31] Munsell goes on to state, after encountering a series of unintelligible images despite refreshing, "Again, and again, and again. The captchas were not only difficult for a computer, but impossible for a human." Munsell then provided numerous examples.
Due to particular biases in how reCAPTCHA operates, specifically presenting more challenging tasks to users who use Firefox rather than Chrome, are not logged in with Google or use tracking prevention add-ons, the system has been criticized as yet another anti-competitive and vendor lock-in technique. The reCAPTCHA code is also heavily obfuscated and reverse-engineering attempts demonstrated that it collects enormous amounts of personal data, in line with Google user tracking and fingerprinting practices. Usage of reCAPTCHA, since its acquisition by Google, is subject to Google's general privacy policy, which essentially requires the user to consent to collection of vast amounts of personal data in order to use websites protected by reCAPTCHA.[24] Google has declared the behavioral data accumulated this way "will not be used for personalized advertising by Google" but Google has withdrawn similar promises in the past.[32]
Security
The main purpose of a CAPTCHA system is to prevent automated access to a system by computer programs or "bots". On December 14, 2009, Jonathan Wilkins released a paper describing weaknesses in reCAPTCHA that allowed a solve rate of 18%.[34][35][36]
On August 1, 2010, Chad Houck gave a presentation at the DEF CON 18 Hacking Conference detailing a method to reverse the distortion added to images, which allowed a computer program to determine a valid response 10% of the time.[37][38] The reCAPTCHA system was modified on July 21, 2010, before Houck was to speak on his method. Houck modified his method to work against what he described as an "easier" CAPTCHA, determining a valid response 31.8% of the time. Houck also mentioned security defenses in the system, including a high-security lockout if an invalid response is given 32 times in a row.[39]
On May 26, 2012, Adam, C-P and Jeffball of DC949 gave a presentation at the LayerOne hacker conference detailing how they were able to achieve an automated solution with an accuracy rate of 99.1%.[40] Their tactic was to use techniques from machine learning, a subfield of artificial intelligence, to analyse the audio version of reCAPTCHA, which is available for the visually impaired. Google released a new version of reCAPTCHA just hours before their talk, making major changes to both the audio and visual versions of their service. In this release, the audio version was increased in length from 8 seconds to 30 seconds, and is much more difficult to understand, for both humans and bots. In response to this update and the following one, the members of DC949 released two more versions of Stiltwalker which beat reCAPTCHA with an accuracy of 60.95% and 59.4% respectively. After each successive break, Google updated reCAPTCHA within a few days. According to DC949, they often reverted to features that had been previously hacked.
On June 27, 2012, Claudia Cruz, Fernando Uceda, and Leobardo Reyes published a paper showing a system running on reCAPTCHA images with an accuracy of 82%.[41] The authors have not said if their system can solve recent reCAPTCHA images, although they claim their work to be intelligent OCR and robust to some, if not all changes in the image database.
In an August 2012 presentation given at BsidesLV 2012, DC949 called the latest version "unfathomably impossible for humans" – they were not able to solve them manually either.[40] The web accessibility organization WebAIM reported in May 2012, "Over 90% of respondents [screen reader users] find CAPTCHA to be very or somewhat difficult."[42]
reCAPTCHA frequently modifies its system, requiring spammers to frequently update their methods of decoding, which may frustrate potential abusers.[citation needed]
Derivative projects
reCAPTCHA also created the Mailhide project, which protected email addresses on web pages from being harvested by spammers.[43] By default, the email address was converted into a format that did not allow a crawler to see the full email address; for example, "mailme@example.com" would have been converted to "mai...@example.com". The visitor would then click on the "..." and solve the CAPTCHA in order to obtain the full email address. One could also edit the pop-up code so that none of the address was visible. Mailhide was discontinued in 2018 because it relied on reCAPTCHA V1.[44]
Automated solvers
In response to the difficulty for users with disabilities and regular users alike, automated solvers such as Buster have been created, which solve the reCAPTCHA for the user, without them having to complete a challenge. Buster uses the audio part of reCAPTCHA and solves that instead of selecting visual elements, and can be installed as a browser add-on.
References
- ^ "reCAPTCHA: About Us". Archived from the original on June 11, 2010. Retrieved August 14, 2018.
- ^ "Teaching computers to read: Google acquires reCAPTCHA". Retrieved September 16, 2009.
- ^ "Deciphering Old Texts, One Woozy, Curvy Word at a Time". The New York Times. March 28, 2011. Retrieved November 20, 2017.
- ^ "New York Times Article Archive". The New York Times. September 25, 2007. ISSN 0362-4331. Retrieved November 21, 2017.
- ^ "Massive-scale online collaboration". www.ted.com. Retrieved October 24, 2015.
- ^ "reCAPTCHA FAQ". Retrieved June 12, 2011.
- ^ Rubens, Paul (October 2, 2007). "Spam weapon helps preserve books". BBC.
- ^ "Fight Spam, Digitize Books". Craigslist Blog. June 2008.
- ^ "TV Converter Box Program". dtv2009.gov. Archived from the original on November 4, 2009.
- ^ "reCAPTCHA: Stop Spam, Read Books". Archived from the original on July 4, 2013. Retrieved July 10, 2013.
- ^ "reCAPTCHA: Easy on Humans, Hard on Bots". www.google.com. Retrieved February 1, 2018.
- ^ a b Greenberg, Andy (December 3, 2014). "Google Can Now Tell You're Not a Robot with Just One Click". Wired. Retrieved October 1, 2015.
- ^ "Google no Captcha + INVISIBLE reCaptcha – First Experience Results Review". TehnoBlog.org. Retrieved January 11, 2019.
- ^ ""Full Interview: Luis von Ahn on Duolingo", Spark, November 2011". Canadian Broadcasting Corporation. November 30, 2011. Retrieved July 10, 2013.
- ^ Hutchinson, Alex (March 2009). "Human Resources: The job you didn't even know you had". The Walrus. pp. 15–16.
- ^ Hutchinson, Alex (March 12, 2009). "Human Resources: The job you didn't even know you had". The Walrus. Retrieved December 7, 2015.
- ^ "reCAPTCHA: Using Captchas To Digitize Books". TechCrunch. September 16, 2007.
- ^ Timmer, John (August 14, 2008). "CAPTCHAs work? for digitizing old, damaged texts, manuscripts". Ars Technica. Retrieved December 9, 2008.
- ^ a b Luis; Maurer, Ben; McMillen, Colin; Abraham, David; Blum, Manuel (2008). "reCAPTCHA: Human-Based Character Recognition via Web Security Measures" (PDF). Science. 321 (5895): 1465–1468. CiteSeerX 10.1.1.141.6563. doi:10.1126/science.1160379. PMID 18703711.
- ^ ""questionable validity of results if words are presented out of context", Google Groups, August 29, 2008". Retrieved July 10, 2013.
- ^ Perez, Sarah (March 29, 2012). "Google Now Using ReCAPTCHA To Decode Street View Addresses". TechCrunch. Retrieved July 10, 2013.
- ^ "Digital Certification: The Digital Rating For Websites". Digital Certification | Blog. March 14, 2017. Retrieved March 14, 2017.
- ^ "Are you a robot? Introducing "No CAPTCHA reCAPTCHA"". December 3, 2014. Retrieved April 14, 2015.
- ^ a b Davis, Kevin (June 11, 2019). "You (probably) don't need ReCAPTCHA". kevv.net. Retrieved June 13, 2019.
- ^ "Google just made the internet a tiny bit less annoying". Popular Science. March 10, 2017. Retrieved April 5, 2017.
- ^ "FAQ". reCAPTCHA.net. Archived from the original on July 16, 2012.
- ^ "reCAPTCHA: Stop Spam, Read Books". Retrieved January 14, 2014.
- ^ "Developer's Guide – reCAPTCHA — Google Developers". Retrieved January 14, 2014.
- ^ Harris, David L. (January 23, 2015). "Massachusetts woman's lawsuit accuses Google of using free labor to transcribe books, newspapers". Boston Business Journal.
- ^ Hegarty, Stephanie (June 20, 2012). "The evolution of those annoying online security tests". BBC News. Retrieved September 22, 2014.
- ^ Munsell, Andrew (July 28, 2012). "Captchas Are Becoming Ridiculous". AndrewMunsell.com. Retrieved September 22, 2014.
- ^ Williams, Owen (July 9, 2019). "Google Promises 'reCAPTCHA' Isn't Exploiting Users. Should You Trust It?". OneZero. Retrieved July 10, 2019.
- ^ Greenberg, Andy (June 18, 2010). "Those Scrambled Word Tests For Stopping Spambots Are Tough For Humans Too". Forbes.
- ^ "Strong CAPTCHA Guidelines" (PDF).
- ^ "Google's reCAPTCHA busted by new attack".
- ^ "Google's reCAPTCHA dented".
- ^ "Def Con 18 Speakers". defcon.org.
- ^ "Decoding reCAPTCHA Paper". Chad Houck. Archived from the original on August 19, 2010.
- ^ "Decoding reCAPTCHA Power Point". Chad Houck. Archived from the original on October 24, 2010.
- ^ a b "Project Stiltwalker".
- ^ Claudia Cruz-Perez; Oleg Starostenko; Fernando Uceda-Ponga; Vicente Alarcon-Aquino; Leobardo Reyes-Cabrera (June 30, 2012). "Breaking reCAPTCHAs with Unpredictable Collapse: Heuristic Character Segmentation and Recognition". In Carrasco-Ochoa, Jesús Ariel; Martínez-Trinidad, José Francisco; Olvera López, José Arturo; Boyer, Kim L (eds.). Pattern Recognition. Lecture Notes in Computer Science. Vol. 7329. México. pp. 155–165. doi:10.1007/978-3-642-31149-9_16. ISBN 978-3-642-31148-2.
- ^ "Screen Reader User Survey #4 Results".
- ^ "Mailhide: Free Spam Protection".
- ^ "Mailhide: Service discontinued".
Further reading
- Dzieza, Josh (February 1, 2019). "Why CAPTCHAs have gotten so difficult". The Verge.
- Schwab, Katharine (June 27, 2019). "Google's new reCAPTCHA has a dark side". Fast Company.
External links
- Official website
- Repository
- ReCAPTCHA: The job you didn't even know you had Two-page article in The Walrus magazine
- Luis; Maurer, Benjamin; McMillen, Colin; Abraham, David; Blum, Manuel (2008). "reCAPTCHA: Human-Based Character Recognition via Web Security Measures". Science. 321 (5895): 1465–1468. CiteSeerX 10.1.1.141.6563. doi:10.1126/science.1160379. PMID 18703711.
- Massive-scale online collaboration, a TED talk by Luis von Ahn