Google’s reCAPTCHA service, known for presenting users with small puzzles to distinguish humans from bots, is under scrutiny for potentially exploiting user labor worth billions. Its main goal is to prevent fraud and cybercrime.
However, researchers from UC Irvine, including Andrew Searles, Renascence Tarafder Prapty, and Gene Tsudik, argue otherwise in their paper “Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2.”
The research, conducted over 13 months beginning in 2022, analyzed 9,141 reCAPTCHAv2 sessions and surveyed 108 individuals. Users found the checkbox puzzle relatively easy, scoring it 78.51 out of 100 on the “System Usability Scale,” while the image selection test scored only 58.90.
This indicates users find these tests inconvenient, supporting the paper’s claim that these tests are a waste of time and resources.
The paper concludes that reCAPTCHA tests are ineffective and should be discontinued. Over 13 years, users spent 819 million hours on these tests, equating to at least $6.1 billion in wages.
Additionally, the traffic from reCAPTCHA consumed 134 petabytes of bandwidth, requiring 7.5 million kWh of energy, which translates to 7.5 million pounds of CO2 emissions. Meanwhile, Google has reportedly profited $888 billion from cookies created during reCAPTCHA sessions and an additional $8.75–32.3 billion from selling labeled data sets.
Despite these significant costs, the tests fail to serve their purpose effectively. The paper cites a 2016 experiment where researchers defeated reCAPTCHA v2 image challenges 70% of the time and the checkbox challenges 100% of the time.
reCAPTCHA v3, introduced later, was also found vulnerable, with a 2019 study showing it could be defeated 97% of the time using reinforcement learning attacks. Notably, these vulnerabilities were known before these systems were publicly introduced.
The researchers are puzzled by Google’s continued use of reCAPTCHA despite evidence of its ineffectiveness, suggesting the primary motive is to gather image labeling data for commercial purposes. Google responded, claiming it tracks user data only to enhance user experience and that most websites have now adopted the more secure reCAPTCHA v3.