
Google reCAPTCHA service under the microscope: Questions raised over privacy promises, cookie use

Web giant insists anti-bot service isn't used for personalized ads – but cookie claims don't quite add up


Analysis Six years ago, Google revised its reCAPTCHA service, designed to filter out bots, scrapers, and other automated web browsing, and allow humans through to websites.

The v2 update in 2014 added an iframe or HTML Inline Frame, which is a way of embedding one web page in another. Then there was the v3 update in 2018, which added machine learning to the mix, to reduce the need for interaction with bot detection challenges.

reCAPTCHA makes it possible for the internet giant to challenge netizens to prove they are real people, by completing picture puzzles and the like, while providing plumbing to potentially funnel information about folks into its advertising business. Google insists it doesn't use reCAPTCHA data for personalized adverts, and says as much in the reCAPTCHA terms of service.

Yet the Silicon Valley corp's fine-print and other disclosures stop short of saying reCAPTCHA is completely quarantined from all ad-related data collection. And privacy researchers now argue that the company needs to clarify that point.

Zach Edwards, co-founder of web analytics biz Victory Medium, found that Google's reCAPTCHA JavaScript code makes it possible for the mega-corp to conduct "triangle syncing," a way for two distinct web domains to associate the cookies they set for a given individual. In such an event, if a person visits a website implementing tracking scripts tied to either of those two advertising domains, both companies would receive network requests linked to the visitor and either could display an ad targeting that particular individual.

Two different domains generally shouldn't have access to the same set of cookie data, based on the distinction between first-party and third-party resources in the web browser security model. But triangle syncing dissolves that separation.

Triangle of ad success?

"Triangle syncs expand an advertising universe and make it possible to target someone across more domains," Edwards told The Register.

It's a common practice in advertising, he said, so that two separate companies with two separate domains can share data, such as the identifiers associated with a particular individual. And it's also done within a single company like Google that operates more than one domain and wants to track internet users across the different domains.

"So reCAPTCHA's gstatic.com domain doing a triangle sync to google.com basically ensures that a user can be found/tracked if either of those domains is embedded into a website," Edwards said.


According to Google, the company doesn't use reCAPTCHA for triangle syncing and reCAPTCHA loads static resources from two places on gstatic.com, with no cookies written or read. No triangle request or sync is done as part of this process, we were told. And the gstatic.com domain is supposedly "cookieless," in that it has been designed to be unable to collect cookie data.

Yet, reCAPTCHA JavaScript code hosted at Google's gstatic.com domain includes multiple references to cookies. And visiting a web page embedded with a reCAPTCHA widget does set a google.com "NID" preference cookie, even if you try to block third-party cookies.

Edwards says what's going on isn't typical triangle syncing. He says if you embed a reCAPTCHA on a site like ncrts.com, for example, the gstatic.com requests then redirect to a new request to google.com and then google.com sets its cookie. "It's a triangle sync not in a traditional cookie match sync on both sides, but in a request + cookie match," he said.

He also points out that Google's privacy policy identifies the gstatic.com domain specifically as one of many domains used to set cookies for its advertising products.

Google maintains gstatic.com doesn't read or write cookies, but it appears the domain invites google.com to set them.
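The "request + cookie match" pattern Edwards describes, where a request to one third-party domain redirects to a second domain that sets the cookie, can be checked for from a site owner's side by walking a browser's network log. The following audit script is an added example, not code from the article, from Google or from Edwards: it takes HAR-style request entries (URL, status, Location and Set-Cookie headers), follows redirect hops, and reports chains that start at a third-party domain and end at a different domain that writes a cookie. The page URL, the request paths and the cookie value are constructed placeholders, and the registrable-domain helper is a deliberately naive two-label version (a real audit would use the Public Suffix List).

```javascript
// Added example: audit a HAR-style request log for cross-domain redirect
// chains that end in a Set-Cookie, i.e. the "request + cookie match" pattern.
// Not from The Register, Google or Edwards; inputs below are constructed.

// Naive registrable-domain helper: keeps the last two labels. Good enough for
// the .com/.test hosts in this example; use the Public Suffix List in practice.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// A request is third-party when its registrable domain differs from the page's.
function isThirdParty(requestUrl, pageUrl) {
  return registrableDomain(new URL(requestUrl).hostname) !==
         registrableDomain(new URL(pageUrl).hostname);
}

// entries: [{ url, status, headers: { location?, 'set-cookie'?: [...] } }]
// Returns one finding per chain that starts on a third-party domain, redirects
// to a different registrable domain, and ends with that domain setting cookies.
function findRedirectCookieChains(pageUrl, entries) {
  const byUrl = new Map(entries.map((e) => [e.url, e]));

  // URLs that are themselves redirect targets are not chain starts, so a
  // three-hop chain is reported once rather than once per hop.
  const redirectTargets = new Set();
  for (const e of entries) {
    if (e.status >= 300 && e.status < 400 && e.headers.location) {
      redirectTargets.add(new URL(e.headers.location, e.url).href);
    }
  }

  const findings = [];
  for (const start of entries) {
    if (!isThirdParty(start.url, pageUrl) || redirectTargets.has(start.url)) continue;

    const hops = [start];
    const seen = new Set([start.url]);
    let current = start;
    while (current.status >= 300 && current.status < 400 && current.headers.location) {
      const next = byUrl.get(new URL(current.headers.location, current.url).href);
      if (!next || seen.has(next.url)) break; // target not captured, or a loop
      seen.add(next.url);
      hops.push(next);
      current = next;
    }

    const fromDomain = registrableDomain(new URL(start.url).hostname);
    const toDomain = registrableDomain(new URL(current.url).hostname);
    const setCookie = current.headers['set-cookie'] || [];
    if (hops.length > 1 && fromDomain !== toDomain && setCookie.length > 0) {
      findings.push({
        from: fromDomain,
        to: toDomain,
        cookies: setCookie.map((c) => c.split('=')[0].trim()),
        hops: hops.map((h) => h.url),
      });
    }
  }
  return findings;
}

// Constructed sample log (placeholder page, paths and cookie value) mirroring
// the shape described in the article: a gstatic.com request that redirects to
// google.com, which then sets an NID cookie.
const PAGE_URL = 'https://example-publisher.test/contact';
const SAMPLE_ENTRIES = [
  { url: 'https://example-publisher.test/contact', status: 200,
    headers: { 'set-cookie': ['session=first-party-example; Path=/'] } },
  { url: 'https://www.gstatic.com/recaptcha/EXAMPLE/recaptcha.js', status: 200, headers: {} },
  { url: 'https://www.gstatic.com/recaptcha/EXAMPLE/endpoint', status: 302,
    headers: { location: 'https://www.google.com/recaptcha/EXAMPLE/endpoint' } },
  { url: 'https://www.google.com/recaptcha/EXAMPLE/endpoint', status: 200,
    headers: { 'set-cookie': ['NID=EXAMPLE-VALUE; Path=/; HttpOnly'] } },
];

console.log(JSON.stringify(findRedirectCookieChains(PAGE_URL, SAMPLE_ENTRIES), null, 2));
```

Feed it real entries exported from the browser's network panel (HAR) for the page that embeds the widget and compare the output against what your cookie notice discloses; a finding whose `to` domain is absent from the notice is the gap Edwards is pointing at.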

T&Cs

Edwards argues Google isn't being straightforward about how it handles cookies, noting that in a Safari browser test he conducted, the Google domain sets session keys, a form of temporary browser data storage linked to a server, instead of cookies.

Google's reCAPTCHA terms of service state that the service sends device and application data to the company. It specifies how it handles that data thus: "The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google."

The Register specifically asked Google whether reCAPTCHA data might be used for some aspect of the ad business other than personalized advertising. It might, for example, be helpful to fight ad fraud.

Google's spokesperson cited the policy spelled out above – the data improves reCAPTCHA and may be used for general security purposes, whatever that means.

Via Twitter, Ashkan Soltani, a privacy researcher and former Federal Trade Commission technologist, said what Google is doing looks a lot like what the company did in 2011 and 2012 to bypass Safari's third-party cookie blocking.

In 2012, America's consumer watchdog the FTC fined Google $22.5m for misrepresenting to Safari users that it would not place tracking cookies.

Soltani also suggested Facebook's 2019 settlement with the FTC may be relevant. In that case, Facebook was penalized for collecting data for one purpose (security) and also using it for another (ads).

In an email to The Register, Soltani said he had tested Edwards's claims and confirmed that reCAPTCHA sets google.com cookies even when the user's browser has been configured to block third-party cookies.

He subsequently posted the video depicting the network requests from visiting the hubspot.com/abuse-complaints page, which calls a google.com-hosted reCAPTCHA script that runs gstatic.com-hosted code for invoking a reCAPTCHA puzzle.

Discussing what was going on, Soltani said the main issue is whether those who rely on reCAPTCHA for security are exposing users to profiling by Google for the purpose of advertising.

Google's privacy disclosures may be adequate to cover reCAPTCHA if the service were found to play a role in the company's ad business. Google does disclose that it sets advertising cookies via its gstatic.com domain.

Data CAPTCHA

Edwards however argues that Google hasn't been sufficiently clear that reCAPTCHA uses this domain.

"It's problematic for publishers who care about user privacy," he said, because if you implement reCAPTCHA on your website and don't disclose that you set google.com cookies, that runs the risk of violating some aspects of the "right to know" requirement under the California Consumer Privacy Act.

Edwards contends that websites in Europe will need to rethink how they use reCAPTCHA for bot defense.

"In my opinion, organizations in Europe that use reCAPTCHA for spam protection now need to move reCAPTCHA behind their consent walls," he said.

"It's a huge stretch to call syncing cookies to google.com mandatory in any way, and it doesn't seem possible to deploy reCAPTCHA in any way anymore that doesn't do that sync."

Google already recommends that in reCAPTCHA's terms of service, which state, "For users in the European Union, you and your API Client(s) must comply with the EU User Consent Policy." ®
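Moving reCAPTCHA behind a consent wall, as Edwards recommends, comes down to not adding the loader script to the page until the visitor has agreed. The gate below is an added example, not code from the article, from Google or from Edwards: it injects the script only once both conditions hold (the widget is actually needed on the page, and consent has been granted), whichever happens first, and never more than once. The loader URL is assumed to be the one your integration already uses (the google.com-hosted script the article mentions); `inject` is parameterised so the gate can be exercised outside a browser.

```javascript
// Added example: defer loading the reCAPTCHA loader script until consent.
// Not from The Register, Google or Edwards. The URL is assumed to be whatever
// loader your integration uses; substitute your own.
const RECAPTCHA_LOADER_URL = 'https://www.google.com/recaptcha/api.js'; // assumed

// Default injector: adds the <script> tag to the live document.
function injectScriptTag(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  s.defer = true;
  document.head.appendChild(s);
}

// Creates a gate with three entry points:
//   requestLoad() - call where the widget would normally be initialised
//   grant()       - wire to the consent banner's "accept" handler
//   revoke()      - wire to "reject"; blocks any load that has not happened yet
// The script is injected only when a load was requested AND consent is
// granted, and at most once. Both return true only on the call that injects.
function createConsentGate({ scriptUrl = RECAPTCHA_LOADER_URL, inject = injectScriptTag } = {}) {
  let consentGranted = false;
  let loadRequested = false;
  let loaded = false;

  function maybeLoad() {
    if (loaded || !loadRequested || !consentGranted) return false;
    inject(scriptUrl);
    loaded = true;
    return true;
  }

  return {
    requestLoad() { loadRequested = true; return maybeLoad(); },
    grant() { consentGranted = true; return maybeLoad(); },
    revoke() { consentGranted = false; },
    isLoaded() { return loaded; },
    hasConsent() { return consentGranted; },
  };
}

// Stand-alone demonstration with a recording injector (no DOM needed).
if (typeof document === 'undefined') {
  const injected = [];
  const gate = createConsentGate({ inject: (src) => injected.push(src) });
  gate.requestLoad();          // page wants the widget, but no consent yet
  console.log('after requestLoad:', injected.length);   // 0
  gate.grant();                // visitor accepts
  console.log('after grant:', injected.length);         // 1
  gate.grant();                // a second accept must not load twice
  console.log('after second grant:', injected.length);  // 1
}
```

Revoking consent after the script has already been injected cannot unload it; the gate only prevents a load that has not happened yet, so the form protected by the widget should be served without the third-party script until the gate reports `isLoaded()`.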
