Mon Feb 10 2025

"A Tracking Cookie Farm for Profit"

The CAPTCHA system is also not very effective at stopping bot traffic.

Many people on the internet are familiar with CAPTCHAs, tests designed to distinguish humans from machines by requiring simple tasks such as selecting certain images. However, a new study has revealed that these tests, known in their enhanced version as reCAPTCHA, are not only ineffective at blocking bot traffic but have also cost users millions of hours. Even more surprisingly, these tests have generated an estimated $888 billion in tracking cookie data for Google.

CAPTCHAs have evolved over time and are mainly divided into two types: traditional ones, which require the interpretation of distorted characters, and reCAPTCHA, which involves selecting relevant images from Google Street View. Since Google acquired this technology in 2009, it has been used to benefit various services, including improving Google Street View and digitizing Google Books.

Despite their initial usefulness, CAPTCHAs have lost their effectiveness due to advancements in AI tools, allowing bots to solve these challenges more easily. Since 2010, there have been automated services that could complete these tasks with 100% accuracy, calling into question their validity as a security measure.

The study indicates that the true purpose of reCAPTCHA might be more about data collection for advertising purposes than user protection. It has been observed that these tests track cookies, browsing history, and other personal data, which can be exploited for advertising. Additionally, fake CAPTCHA pages have emerged that are used to spread malware, posing a significant risk to unsuspecting users.

CAPTCHA challenges have not only consumed time, but they have also generated a significant environmental impact, equivalent to 7.5 million kWh or 7.5 million pounds of CO2. It is estimated that Google could have generated between $8.75 and $32.3 billion for every sale of its labeled dataset.

Since it remains essential to verify whether a user is human or a bot to protect against DDoS attacks and other threats, the search for more effective and less invasive alternatives is necessary. An emerging option is "invisible challenges," which employ complex algorithms and behavioral analysis to discriminate between humans and bots without requiring direct user interaction. While this does not mean the end of CAPTCHAs, combining them with these new solutions could provide a smoother and safer experience for online users.