The real “sounds like a conspiracy” bit is that current captchas (the ones where it just OKs you automatically) dig through your browser history for “suspicious activity”, and with Google being the ones behind the “service”, it’s absolutely feeding into their already massive data harvesting.
Wait, how can they access that data?
From the FAQ page on their own site (bolded for relevancy):
How do reCAPTCHA tests with a single checkbox work?
Some reCAPTCHA tests simply prompt the user to check a box next to the statement, “I’m not a robot.” However, the test is not the actual action of clicking the checkbox – it’s everything leading up to the checkbox click.
This reCAPTCHA test takes into account the movement of the user’s cursor as it approaches the checkbox. Even the most direct motion by a human has some amount of randomness on the microscopic level: tiny unconscious movements that bots can’t easily mimic. If the cursor’s movement contains some of this unpredictability, then the test decides that the user is probably legitimate. The reCAPTCHA also may assess the cookies stored by the browser on a user device and the device’s history in order to tell if the user is likely to be a bot.
If the test is still unable to determine whether or not the user is a human, it may present an additional challenge, such as the image recognition test described above. However, most of the time the user’s cursor movements, cookies, and device history are conclusive enough.
How does reCAPTCHA work without any user interaction?
The latest versions of reCAPTCHA are able to take a holistic look at a user’s behavior and history of interacting with content on the Internet. Most of the time, the program can decide based on those factors whether or not the user is a bot, without providing the user with a challenge to complete. If not, then the user will get a typical reCAPTCHA challenge.
Google offers a monthly paid service called reCAPTCHA Enterprise, which uses a score-based detection system to distinguish between humans and bots. reCAPTCHA Enterprise interacts with the customer backend and webpages to trigger a sequence of JavaScript, HTML, and token authentication events. The system then derives the visitor’s risk “score”, from 0.0 through 1.0, and the website developer determines what action should be taken based on the score.
The lower the score, the more likely the “visitor” is actually a bot. A reCAPTCHA Enterprise score of 0.0 indicates that the interaction might be fraudulent and high risk, whereas 1.0 indicates that the interaction is very likely legitimate and low risk.
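As an added example (not part of the thread or of Google's FAQ), this is how a site's backend might act on the 0.0 to 1.0 score described in the quoted FAQ. The function name, the thresholds and the sample objects are assumptions; the field names follow the shape of a reCAPTCHA Enterprise assessment response, which the page itself does not show.

```javascript
// Added example. POLICY values and decide() are hypothetical; tune cut-offs per endpoint.
const POLICY = { allowAt: 0.7, challengeAt: 0.3 };

// Turn an assessment into a verdict. The score is trusted only after the
// token itself checks out, so a replayed or foreign token never reaches the thresholds.
function decide(assessment, expected, policy = POLICY) {
  const tp = (assessment && assessment.tokenProperties) || {};
  const risk = (assessment && assessment.riskAnalysis) || {};

  if (tp.valid !== true) {
    return { verdict: 'block', why: 'invalid token: ' + (tp.invalidReason || 'unknown') };
  }
  // Token must have been issued on our own site...
  if (tp.hostname !== expected.hostname) {
    return { verdict: 'block', why: 'hostname mismatch' };
  }
  // ...and for the action this endpoint serves (a "homepage" token is not a "login" token).
  if (tp.action !== expected.action) {
    return { verdict: 'block', why: 'action mismatch' };
  }
  // No usable score: do not silently allow, fall back to a visible challenge.
  if (!Number.isFinite(risk.score) || risk.score < 0 || risk.score > 1) {
    return { verdict: 'challenge', why: 'score missing or out of range' };
  }
  // Low score = likely bot, high score = likely legitimate (as the FAQ states).
  if (risk.score >= policy.allowAt) return { verdict: 'allow', why: 'score ' + risk.score };
  if (risk.score >= policy.challengeAt) return { verdict: 'challenge', why: 'score ' + risk.score };
  return { verdict: 'block', why: 'score ' + risk.score };
}

// Constructed sample assessments (not real responses).
const EXPECTED = { hostname: 'shop.example', action: 'login' };
const mk = (score, props) => ({
  tokenProperties: Object.assign(
    { valid: true, hostname: 'shop.example', action: 'login' }, props),
  riskAnalysis: { score: score },
});
const SAMPLES = {
  human: mk(0.9),
  unsure: mk(0.4),
  bot: mk(0.1),
  wrongAction: mk(0.9, { action: 'homepage' }),
  expired: mk(0.9, { valid: false, invalidReason: 'EXPIRED' }),
  noScore: mk(undefined),
};

for (const [name, a] of Object.entries(SAMPLES)) {
  console.log(name, decide(a, EXPECTED));
}
```
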