CAPTCHAs: 'a tracking cookie farm for profit masquerading as a security service'

Scale, “unpaid labor”, and dystopian framing

  • Commenters highlight the study’s claim of 819M hours spent on reCAPTCHAv2, equating it (using rough lifespan math) to over a thousand human lifetimes.
  • Several frame this as uncompensated labor used to train AI and build tracking profiles, with dystopian comparisons (humans kept around just to annotate data for machines).
  • One person notes the $1T figure is mostly attributed to tracking cookies; that value is realized even without users solving the image challenges.

Security value vs. “tracking first” criticism

  • Strong disagreement here:
    • Many site operators report CAPTCHAs (especially reCAPTCHA) dramatically reduce spam, card‑testing fraud, and brute‑force login attempts. They stress security is about raising cost/probability, not absolute prevention.
    • Others say most bots are trivial and could be stopped by any low‑effort measure (simple math question, honeypot field, rate limiting), so Google-scale CAPTCHA is overkill and unnecessary data exposure.
    • Critics argue the paper’s “worthless for security” framing ignores this practical middle ground where CAPTCHAs stop unsophisticated bots but not well-resourced ones or paid-solving services.

Alternatives and technical debates

  • Suggested alternatives: homegrown CAPTCHAs, simple questions (“what color is snow?”), CSS-hidden honeypots, rate limiting, proof-of-work (e.g., mCaptcha, Tor’s PoW), Cloudflare’s “Attestation of Personhood,” behavioral/ML-based bot detection, and just turning forms off or centralizing comments.
  • PoW gets heavy pushback:
    • Hardware disparity makes it cheap for attackers with GPUs/ASICs but painful for users on old phones.
    • Some argue algorithms like RandomX narrow this hardware gap; others doubt practicality in JS on low-end devices.
  • Accessibility and cultural bias in puzzles are major concerns; “simple” questions can exclude disabled users or those from different regions/cultures.

Privacy, law, and the open web

  • Several EU-based commenters say reCAPTCHA is effectively or explicitly illegal under GDPR decisions; some governments nonetheless use it (and Cloudflare) for essential services.
  • There’s tension between:
    • Users who now abandon any site that shows a CAPTCHA.
    • People warning this response disproportionately harms small sites that can’t “eat” bot traffic like big platforms.
  • Some propose regulating both invasive CAPTCHAs and disruptive bot traffic; others are pessimistic about enforceability across jurisdictions.

How reCAPTCHA works and its “elegance”

  • Explanations note dual use: mixing known and unknown images to both validate users and gather new labels, plus extensive device/behavioral fingerprinting.
  • A minority admire reCAPTCHA’s “elegant” multi-purpose design (spam defense, AI training, tracking), while others call it a global-scale Trojan horse for unavoidable Google scripts.
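The dual-use design summarized above, as an added illustration that is not code from the study, the thread, or Google: each challenge mixes control images with trusted labels and candidate images with none; only the control answers decide pass/fail, while candidate answers are harvested as votes until consensus promotes the image into the trusted set. Class name, sample image ids and the vote threshold are assumptions.

```python
import secrets
from collections import Counter, defaultdict

# Constructed sample data: a control set whose labels are already trusted,
# and candidate images the operator still wants labelled.
KNOWN_LABELS = {"img-001": "bus", "img-002": "car", "img-003": "bus", "img-004": "tree"}
CONSENSUS_VOTES = 3  # promote a candidate once this many agreeing answers arrive


class LabelHarvestingCaptcha:  # hypothetical toy model of a reCAPTCHA-style challenge
    def __init__(self, known, unknown_ids, target="bus"):
        self.known = dict(known)           # image id -> trusted label
        self.unknown = set(unknown_ids)    # images with no trusted label yet
        self.target = target               # the question asked: "select all <target>"
        self.votes = defaultdict(Counter)  # image id -> Counter of user answers
        self.challenges = {}               # single-use token -> (control ids, candidate ids)
        self.rng = secrets.SystemRandom()

    def issue_challenge(self, n_control=3, n_candidate=2):
        control = self.rng.sample(sorted(self.known), min(n_control, len(self.known)))
        candidates = self.rng.sample(sorted(self.unknown), min(n_candidate, len(self.unknown)))
        token = secrets.token_hex(8)
        self.challenges[token] = (control, candidates)
        shown = control + candidates
        self.rng.shuffle(shown)            # the user cannot tell control from candidate
        return token, shown

    def verify(self, token, selected):
        """Pass/fail depends only on the control images; candidate answers are
        harvested as votes and never influence the verdict."""
        challenge = self.challenges.pop(token, None)
        if challenge is None:              # unknown or replayed token
            return False
        control, candidates = challenge
        selected = set(selected)
        expected = {i for i in control if self.known[i] == self.target}
        passed = (selected & set(control)) == expected
        if passed:                         # only trust answers from users who passed
            for i in candidates:
                answer = self.target if i in selected else "not-" + self.target
                self.votes[i][answer] += 1
                self._maybe_promote(i)
        return passed

    def _maybe_promote(self, image_id):
        label, count = self.votes[image_id].most_common(1)[0]
        if count >= CONSENSUS_VOTES and image_id in self.unknown:
            self.unknown.discard(image_id)
            self.known[image_id] = label   # becomes a control image for later challenges
```

Note that a correct verdict costs the operator nothing in labelling effort: the label gain comes entirely from the candidate slots, which the user cannot distinguish from the controls.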