Dear web developers and admins,
please stop embedding Google's hideous #ReCaptcha into your websites. Its algorithm is faulty, forcing regular users to click dozens or even hundreds of fire hydrants, bicycles, or traffic lights each day. It puts a 'suspicious activity' flag on users who won't obey to Google's business model - such as people who don't sign into Chrome, use anonymity VPNs, or use browser extensions to suppress common tracking mechanisms. Enough is enough. Stop it.
@JackMeinoff Exactly! 👍 My strategy at the moment is to stop using all websites on which ReCaptcha shows up.
@kernpanik some months ago i had to solve exactly 4 sets of 4 captchas (which i assume was the maximum?) every single time just because i dared to use firefox mobile
can't imagine what it's like for tor users
@kernpanik something that happens on certain tor exits and high traffic VPNs is the captcha will refuse to run. i don't mean that it breaks, i mean it'll say "your computer or network may be sending automated queries. try again later," and you're just, not allowed to use the website (or any website with google's captcha)
if your network is sending lots of traffic, you don't get to take their "automated traffic detection" test
ableism re: google
@kernpanik i don't get locked out in this way normally, because i don't generally use any high traffic networks, but because of my setup (linux, privacy addons, fireFox, sometimes low traffic VPN, etc.), when i click the "listen" accessibility option, i will then get a lock out
i have no idea what their non visual captcha sounds like (without looking it up) because i'm only allowed to do the visual captcha. i get punished for trying to use the auditory captcha
@kernpanik And, because you don't care about your users, bots can defeat it, especially if they can get some of the data Google has given out or leaked that was trained on the ReCaptcha stuff.
Just make someone do a basic maths thing like old forums.
@kernpanik not only is it very inaccessible to people with limited vision, it also excludes users with older/atypical devices/browsers (including screen readers), and is so america-centric that people from other places have to guess what American fire hydrants, traffic lights, crossings, parking meters etc look like!
@kernpanik same for cloudflare and their shitty hCaptcha. (The biggest issue with that is, that it has terrible performane on mobile)
@faoluin @kernpanik yep. But that's not the worst thing. The "trains" are the problem itself because people are lazy and some of photos have a quality so low you can barely see anything. And usually you have to do this on every single site especially when they are being hosted somewhere on cloudflare. I don't really care but I know a lot of people who just close the tab when they see this
@kernpanik A very good article about why "You probably don't need reCAPTCHA": https://kevv.net/you-probably-dont-need-recaptcha/
There is so much wrong w/your comment. If you're logged into #Google, the #reCAPTCHA pushes fewer puzzles. Of course that tracking abuses #privacy & defeats the reason for using #Tor, but #CloudFlare is a bigger threat to Tor users than Google. No one who is informed & groks privacy visits CF sites. Also, #hCAPTCHA *pays* CF for CAPTCHA solutions, so you financially feed the biggest Tor adversary when you solve an hCAPTCHA.
@koherecoWatchdog "No one who is informed & groks privacy visits CF sites."
How does one know if a given site is CF-backed or not?
@kernpanik As a developer, I've pledged to stop using all google tools on all my clients' sites. True story: google now flags as malvertising sites who use their privacy-focused competitors (Matomo) for analytics.
Have you ever had the responsibility for a project that was flooded by spambots? Do you know how much work and how much pain it is, to clean it up?
Do you know other measures to distinguish bots from humans or more precisely help against fraud and spam that are as nearly effective and easy to use as ReCaptcha?
Instead of telling people what to do, why don't you try to understand their reasons and then provide other ways of archiving their goals.
@jamalaka @kernpanik Well,I do have the responsibility.I run a public PeerTube instance and our moderator has to remove several spam videos of the same sort every day.But I'd rather discontinue the service completely than embedding Google spyware bullshit in the page.That's simply a no go.And yes,there are alternatives,for example https://hcaptcha.com which isn't that hostile to Tor users and I think at least a little bit more privacy friendly.And I also like https://captcheck.netsyms.com which is open source and could even be self-hosted.
Not my problem. As an end user, I know that there's usually a competing site that figured out how to avoid #CAPTCHA as abusive & obnoxious as reCAPTCHA & hCAPTCHA. Those sites win my business/interaction. Some of them use a simple math or text CAPTCHA, which is relatively tolerable. Some web admins are clever enough to isolate the CAPTCHA just to form submissions, in which case I just don't use the forms.
@kernpanik Also it's illegal under the scope of GDPR (without consent), because the NID Cookie is set an used for personalized ads.
And that's no only a law theory. I already forced a huge mobile carrier and a huge car parts reseller in germany to remove it.
I love you! We need more of this for sure.
Most CloudFlare sites push hCAPTCHA on users. hCAPTCHA.com claims they are GDPR-compliant. I also imagine your actions cause web admins to simply replace reCAPTCHA with hCAPTCHA (which may be progress for privacy but harmful to impaired ppl). Have you investigated whether hCAPTCHA uses a NID cookie?
The NID cookie is just a google specific ad profiling cookie.
hCaptcha uses the quite well known cfduid which is used also for the general bot protection service by cloudflare. It uses a hash of the IP adress and some fingerprinting. This seems to be effective and if we trust the claims that it is not used for analytics and ads, its probably GDPR compliant.
But from technology site its quite privacy intrusive. I would prefer bot detection without fingerprinting.
@kernpanik it's not faulty, it's working as intended. By filling out a reCAPTCHA, you're training the neural network for self-driving cars. Both of these things absolutely terrify me.
@kernpanik also it puts Google at a major advantage; they could quite easily sell bits of the AI model to companies like Tesla, which would make billions.
chaos.social – a Fediverse instance for & by the Chaos community