Google’s stealthy reCAPTCHA v3 detects humans – no questions asked

After 20 years of impertinently asking web users to prove they’re human beings, Google thinks it has finally worked out how to rid the web of CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) forever.

Called reCAPTCHA v3, it’s an API that claims it can model a website’s interaction with users so well that it will never need to ask anyone to tick a box let alone drain their will to live by solving a tedious visual puzzle that keeps repeating itself.

Instead, it will risk-score each visitor from 0.0 (bad) to 1.0 (good), passing that score back to the website owner to decide how to react.

Google hasn’t explained how it arrives at the score (presumably to make it harder to game) but the implication is that once it has modelled each site’s visitor traffic, humans should score 1.0 or thereabouts and be allowed through without interruption.

As far as the visitor is concerned, nothing will have happened. They will log in as if there were no CAPTCHA at all bar the logo telling them it’s running.

Anything below a threshold chosen by the site owner, say 0.7, and the website can block or restrict access to certain parts of the site or ask for additional verification by implementing an “action” tag to pages.

Not now Google

Websites have long been plagued by bots that scrape email addresses and content, post spam and, more recently, try to brute-force user passwords on a huge scale.

The fight back began in the early 2000s through the CAPTCHA, which made visitors decipher squiggly text.

It was universally hated.

A version called reCAPTCHA was bought by Google in 2009, which turned it into a free service for websites and added more complicated visual puzzles for visitors to solve – that’s where the “select all images with a street sign” puzzle squares originated.

Visitors still hated it. Worse, bots and scammers eventually hit on simple ways to beat it including paying real humans to fill in the CAPTCHAs.

In 2014, reCAPTCHA v2 went live and the “I’m not a robot” click box was born with the claimed innovation that it studied the user’s “entire engagement” with the website to separate friend from foe.

Finally, in 2016, Google announced “invisible” reCAPTCHA, the first appearance of the technology that turned into reCAPTCHA v3 this week.

There are two advances here – more sophisticated background bot detection courtesy of Google’s magic cloud and a lot more control for website owners as to how they fine-tune Google’s API.

From the point of view of the website visitor, v3 means that CAPTCHAs have gone from interactive tests to click boxes to – Google promises – something they shouldn’t even be aware of.

However, as far as the website owner is concerned, there’s a lot more going on here.

Until now, implementing CAPTCHA was a case of taking it as one size fits all.

Website owners now have to define their scoring thresholds for different parts of a site (login, social, payment), which might include transaction histories and use profile culled from non-Google data.

Google says that you can even…

…use the reCAPTCHA score as one of the signals to train your machine learning model to fight abuse.

(You do have one of those, right?)

These changes make this as much a cultural change as a technical one: website owners must learn to own their bot traffic and not simply outsource the problem to a third party. Developers have been warned.