It’s a happy day for reCAPTCHA haters who can’t stand repeatedly having to prove they’re not bots by clicking all the pictures that contain a kitten. As of last week, sites could choose to make all that testing slip below the surface and go invisible.
Back in December, Google said that it was working on a new version of the are-you-a-human-or-a-bot test, and as of last week, Google made it available for website developers.
Called Invisible reCAPTCHA, the free service is designed to protect sites and apps from spam and abuse without any need for users to click in a quivery human fashion, select all the images that depict a given object, or whatever other thing developers have had us do to prove we’re real.
Google says that Invisible reCAPTCHA uses advanced risk analysis technology, combined with machine learning, to separate humans from bots. That means no more need for us to click on anything at all (or to select images associated with a clue image, as mobile users have been doing).
Google’s been using risk analysis to fend off bots for years. In 2013, it revealed what it called its Advanced Risk Analysis backend for reCAPTCHA.
That back end doesn’t just look at whatever gobbledygook we type into a box or how human-like our mouse clicks are. Rather, it observes our entire engagement with a CAPTCHA, from start to finish – before, during, and after we click anything – to determine whether we’re carbon-based.
Specifically, the difference between bot and human can be revealed in clues as subtle as how a user (or a bot) moves a mouse in the brief moments before clicking the “I am not a robot” button, according to Vinay Shet, the product manager for Google’s Captcha team.
Without realizing it, humans also drop clues that can establish whether we’re automated or not: IP addresses and cookies show our movements elsewhere on the web and can help prove that we’re not a bad actor.
As it is, reCAPTCHA hasn’t proved infallible.
The image challenge was gamed about a year ago when researchers used Google’s own massive image search database in reverse, finding words to match an image, rather than images to match a word, to help them find images in a reCAPTCHA set that shared a particular characteristic.
More recently, the reCAPTCHA audio challenge purportedly fell, and yet again, it stumbled on one of Google’s own services: this time, it was Google’s speech recognition API.
Then, in January, somebody apparently rigged up a robotic arm using a capacitive stylus to move across a mousepad in that quivery, human-like manner that reCAPTCHA risk analysis uses to help figure out if we’re human.
As sites switch over to invisible reCAPTCHA, most users won’t see CAPTCHAs at all, not even the “I’m not a robot” checkbox. But you can expect to jump through those hoops again if you’re flagged as “suspicious” and the system presents you with the usual challenges.
Will researchers still be able to game invisible reCAPTCHAs now that they’ve slipped out of view? Time will tell, but here’s hoping they can’t. If researchers fail to game Invisible reCAPTCHAs, it hopefully means that bot masters can’t, either.
And stopping bots is, of course, the ultimate goal.
Bots tirelessly work to harvest email addresses from contact or guestbook pages, scrape sites and reuse the content without permission on automatically generated doorway pages, take part in Distributed Denial of Service (DDoS) attacks, and automatically try to log into sites with reused passwords ripped off from breaches.
Hopefully, Invisible reCAPTCHA is going to prove tougher to game than previous reCAPTCHA iterations, and present a high enough hurdle that bots fall flat on their bot faces.