To make sure you’re not a robot, please look at these pictures and identify the street signs, the cars, the fire hydrants, the shop fronts, the numbers on the front doors, and the ever-growing sense of frustration. Why all this?
In the late 90s, AltaVista, the most popular search engine, had a spam problem. People were writing automated scripts to submit spam and malicious links to its database, and it needed a test that only humans could pass. The solution was to add a question to the submission form that only a human could answer. In this case, it was to identify a warped string of letters and numbers. Image processing wasn’t yet good enough to identify the letters easily, but the task was trivial for a human. That was one of the first public versions of what became known as a CAPTCHA: a Completely Automated Public Turing Test to Tell Computers and Humans Apart.

A version called reCAPTCHA came along a few years later. It was used to scan old books and newspapers. When a CAPTCHA was needed, the team would send one scanned word that they knew was right, deliberately distorted, and another word that their scanning systems weren’t sure about. The user would have to type in both. The known word was there to check that a human was answering, so they had to get that right. The unknown word, after maybe a dozen people had agreed on what it was, would be logged as part of the book scan. Google ended up buying reCAPTCHA.
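The two-word scheme described above, as an added sketch that is not reCAPTCHA's actual code: the class, the word ids and the sample answers are constructed for illustration, and the threshold of 12 stands in for the article's "maybe a dozen".

```python
from collections import Counter
from dataclasses import dataclass, field

AGREEMENT_THRESHOLD = 12  # the article says "maybe a dozen"; exact value is assumed


def normalize(word: str) -> str:
    """Compare answers case-insensitively and ignore stray whitespace."""
    return word.strip().casefold()


@dataclass
class TwoWordCaptcha:
    threshold: int = AGREEMENT_THRESHOLD
    votes: dict = field(default_factory=dict)     # unknown word id -> Counter of answers
    accepted: dict = field(default_factory=dict)  # unknown word id -> agreed transcription

    def submit(self, control_word, unknown_id, typed_control, typed_unknown) -> bool:
        """Return True if the user passes the CAPTCHA.

        The user cannot tell which word is the control, so a correct control
        answer is treated as evidence the other answer is an honest reading.
        """
        if normalize(typed_control) != normalize(control_word):
            return False  # failed the known word: reject and discard the other answer
        guess = normalize(typed_unknown)
        if guess and unknown_id not in self.accepted:
            tally = self.votes.setdefault(unknown_id, Counter())
            tally[guess] += 1
            if tally[guess] >= self.threshold:
                self.accepted[unknown_id] = guess  # logged as part of the book scan
        return True


def demo() -> dict:
    """Constructed sample: 12 careful readers, 1 typo, 20 failed bot attempts."""
    captcha = TwoWordCaptcha()
    for _ in range(20):
        captcha.submit("upon", "scan-001", "xq7z", "buy-pills")   # bot: fails control
    captcha.submit("upon", "scan-001", "upon", "moming")          # human misreading
    for _ in range(12):
        captcha.submit("upon", "scan-001", "Upon", "morning")
    return captcha.accepted


if __name__ == "__main__":
    print(demo())
```

Because answers that fail the control word are dropped before voting, automated guesses never reach the transcription tally, and a single human misreading cannot reach the agreement threshold on its own.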
The bot makers looked at reCAPTCHA as a challenge, and they rose to it admirably. First, they could train computers to read those messed-up words. This was before the recent breakthroughs in machine learning. If the test was still too difficult, though, they could just pay humans. The bot makers set up systems where automated bots would fill in all the details, ready to send spam, and then when the CAPTCHA appeared, the bots would show it to human operators, hired from countries where the average income is low.
So then Google released reCAPTCHA version 2, which is where you’re presented with a single checkbox that you have to click to prove you are not a robot. It’s not really about clicking the box. When you complete one of these new CAPTCHAs, extra data is sent.
And Google is very cagey about what that data is because everything they reveal is a clue for the people trying to break it. But that box is loaded into your browser from google.com, which means it can look at any login cookies that Google already has in your browser.
Certainly, if you clear your cookies, you are way more likely to get that secondary check that asks you to identify buses or fire hydrants. And maybe it checks how your mouse moves in the moments before clicking the box? The only people that know for sure are the designers, and they aren’t telling.
The CAPTCHA-solving services, of course, are already offering a cost per thousand to solve these. It may be harder, but it’s not unbreakable. Using machine learning, bots can be trained to pass those secondary checks themselves and to pass as humans; identifying the correct sections of the presented images is something that you can throw cloud machine learning at. And given that Google Cloud sells machine learning systems, it’s very likely that some of their servers are creating CAPTCHAs, and others are trying to break them.

So at the end of 2018, Google released reCAPTCHA version 3. And you might have already passed, or failed, one of those without knowing it. There’s no box to tick, no puzzles to solve. When you browse around a site, version 3 works in the background and watches what you do. It assigns you a score based on how likely you are to be human. And again, Google is being very careful about saying how they’re working that out. But the answer is very likely “it’s a machine learning system they’re throwing everything into, and they don’t know how it works either”. The bot makers, of course, are already working on the challenge. Bots are becoming more and more indistinguishable from humans. Successful CAPTCHA methods are having to be more and more intrusive.
– Akashdeep S