How to annoy your customers with Google ReCaptcha

Google

For many years now there has been a steady proliferation of Google ReCaptcha - A free service provided by Google which is used to verify that a human is actually filling out your form. It was annoying when it first arrived on the internet, but the latest rendition takes annoyance to a whole new level with poor quality images, multiple pages to select and more. So why do so many websites choose to irritate their visitors with Google ReCaptcha?

Well, firstly its free, and readily integrates with most hosting platforms. Secondly its perceived to be effective and Finally for whatever reason people think it's a good idea. In reality, that's not at all the case, it is free, but there are serious privacy concerns and its not effective as it can be bypassed easily with a browser plug-in, broker service, or pretty much any bot and finally I don't think there's a complete understanding of just how annoying it is especially for those on small screens or those with imperfect vision or hearing. But first let's talk about privacy as that's a hot topic these days. 

Privacy Concerns

If you click Privacy or Terms from the Google Re-Captcha box then your taken to generic Google Privacy or Terms which make no reference to ReCaptcha or what it will collect. This odd behaviour could only be by design. If you dig deeper into the Privacy Policy for ReCaptcha which is nearly impossible to find you discover the following. 

• reCAPTCHA is a free service from Google that helps protect your website and app from spam and abuse by keeping automated software out of your website.


• It does this by collecting personal information about users to determine whether they’re humans and not spam bots. reCAPTCHA checks to see if the computer or mobile device has a Google cookie placed on it. A reCAPTCHA-specific cookie gets placed on the user’s browser and a complete snapshot of the user’s browser window is captured.


• Browser and user information collected includes: All cookies placed by Google in the last 6 months CSS information The language/date Installed plug-ins All Javascript objects

Blimey, who knew? After reading that do you still believe Google Re-Captcha is a good idea for your website? 

• The Google reCAPTCHA Terms of Service doesn’t explicitly require a Privacy Policy. However, it has the requirement that if you use reCAPTCHA you will “provide any necessary notices or consents for the collection and sharing of this data with Google

But this is often if not always overlooked by website owners, in fact I cannot think of a single website using ReCaptch that actually notifies you prior to its use that your going to be sharing a bunch of data with Google just by clicking "I'm not a Robot". Let's review and expand on the Privacy Policy and what is collected...

• A complete snapshot of the users browser window captured pixel by pixel


• All Cookies placed by Google over the last 6 months are captured and stored and an Additional Cookie is stored. 


• How many mouse clicks or touches you've made


• The CSS Information for the page, including but not limited to your stylesheets and third party style sheets. 


• The Date, Time, Language, Browser you're using and of course your IP Address. 


• Any plug-ins you have installed in the browser (for some browsers)


• ALL Javascript including your own custom code and that of third parties. 

So at this point, you as a website owner are obligated to disclose to your users that by clicking on the I'm not a robot re-captcha you as a visitor AGREE to all the above being shared with Google, which is not only an inconvenience but pretty much no one does it because in most cases they don't fully understand what data is being shared. This can be a real problem especially in the EU now where GDPR has caused many websites to display mandatory and equally annoying cookie confirmations, and even restricts access to a large number of really useful sites from within the EU.

Knowing that Google recaptcha is pretty useless at preventing bots, what possible purpose does it fulfill? Well, to the website owner, it annoys your visitors, but for google, its a goldmine or tracking and profiling information that is uploaded to their platform by every single visitor even if they don't engage with the box at all - yes, even if you don't click 'I'm not a robot' and waste your time clicking pictures, google has already profiled you and uploaded data. Click the checkbox and waste more time clicking vague images and even more data is uploaded, and you have no choice in it.

Annoyance

In a recent survey conducted by GEN with our business customers we included a question about Google ReCaptcha and asked users to rate how annoying it was from 1 to 10 with 10 being the most annoying, and we came back with 94% who though it was the most annoying. Now its a small sample set of a few thousand users but it does indicate a general appreciation of the inconvenience it presents. Personally, when I see the 'Im not a Robot' box unless its absolutely critical I'll just close the page and move on to something else, and this is a view shared collectively at this office as it probably is a most. 

For those outside of the USA, a crosswalk is what the Americans call a pedestrian Crossing, in the pictures its the white lines across the road but of course in most of the rest of the world these are black and white or black and yellow. This is a regular mis-understanding as is Palm Trees which are the trees with the leaves at the top, and never seen in many countries. 

If your Not a Robot and I am certainly not then its easy to wind up with the dialogue to the right after getting a couple of images incorrect, after which your screwed and cannot continue to submit your form without closing the browser, re-opening and filling the whole thing out again. That is really really Annoying. 

Alternatives

There are a whole myriad of alternatives to Google ReCaptch, most of which are self hosted and have none of the privacy issues associated with Google ReCaptcha. The general trend these days with Captcha is that its not required anymore since form submission mechanisms have evolved to use a hidden captcha which is in fact a generated seed on the form that is passed and validated server side on submission. A robot (or bot) would want to POST the form without filling it in which this hidden captcha easily defeats. Further validation of field types can pretty much eliminate bot POSTing and removes the need for anyone to click traffic lights, fire hydrants, store fronts or any other collection of images whilst providing Google with your personal information. 

Consider reading our extensive article on preventing form spam 20240911

Summary

• Google Re-Captcha is not infallible and can be easily defeated. 


• Google Re-Captcha has serious privacy issues especially in Europe. 


• Google Re-Captcha is annoying to visitors and deters customers. 


• Google Re-Captcha can present images of such poor quality that no one can accurately guess them. 

If you are using Google Re-Captcha on your website then look for alternatives, there are many out there and many of those will not require the customer to enter anything and work silently in the background. If you have a GEN Hosted website and would like assistance in replacing your Google Re-Captcha then please raise a ticket at the HelpDesk and we'll do our best to assist you. 

In writing this article, we rely on sources from Google's website and others. We make every effort to ensure accuracy but things do change especially terms and policies so be sure to check the current status. 

Blog Index   PermaLink   Comment           18 Votes